For a long time, I've wondered what would finally be the Securitypocalypse, the thing that finally caused our industry as a whole to take security seriously. These IoT DDoS attacks are as good a candidate as any I've seen in a long time. They are fundamentally very difficult to fix in light of the non-updateability of many of these devices, and this is only the beginning, because the IoT has hardly begun to develop. And in the short-term, I'm not sure I see any hope, because the forces that make people throw out cheap devices with broken firmwares with no update capability aren't going away.<p>If we could somehow mandate that these devices were supported with firmware updates for the indefinite future, that would simply destroy the entire market. And you can't do that, because even the devices created by an entity that no longer exists and didn't sell its IP to anybody else will eventually be enough to do these DDoSes, if they aren't already.
I am a non-programmer who reads HN and keeps up with tech news in general.<p>And every time I read about the IoT botnet, my immediate response is to look around my apartment at my Internet-connected lights, and wonder if they're part of it.<p>How can I find this out?<p>Is anyone making a tool that a non-technical user can run to squint at their network and look for evidence of Mirai, or anything else trying to take advantage of this niche?<p>There are plenty of tools with a reasonably simple interface that will tell me if my laptop/desktop computer is infected with something. But what can I use to diagnose the health of all of the <i>other</i> computers proliferating around my house?<p>How can a non-technical user easily monitor the overall health of their connected household? Is this a project anyone is building? Because I think it's definitely something that needs to exist now.
Here's a better article from Mr. Krebs:<p><a href="https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twitter-spotify-reddit/" rel="nofollow">https://krebsonsecurity.com/2016/10/ddos-on-dyn-impacts-twit...</a><p>Personally I think his case is pretty convincing.
I know the TTL is set really low for a lot of DNS entries but this recent outage got me wondering if it makes sense for servers further down the chain to hold onto it for longer than the TTL, honor it when they are able to get a new DNS entry within a reasonable amount of time, but fall back to the "expired" version if the authoritative server is not reachable.<p>I'm wondering what would be the negative consequences of this and if they outweigh the benefit of being more resilient to these types of attacks.
No luck with Google DNS for me, but Yandex seems to work:<p><pre><code> 77.88.8.8
77.88.8.1
</code></pre>
<a href="https://dns.yandex.ru" rel="nofollow">https://dns.yandex.ru</a>
Bloomberg was down for me.<p>I had disabled adblock at their insistence...<p>I re-enabled adblock and I could get the article. Hmmmm. Maybe something about the 50 unrelated JS calls?? Perhaps?
More specifics about Mirai bots and their numbers:<p><a href="https://threatpost.com/mirai-bots-more-than-double-since-source-code-release/121368/" rel="nofollow">https://threatpost.com/mirai-bots-more-than-double-since-sou...</a>
Unfortunately, forced firmware updating is an area our governments should not be mandating. That puts unnecessary strain on small companies and creates a larger gap that companies must cross to become commercially viable.
These attacks are possible because the US Congress hasn't extended tort liability to manufacturers of software and network hardware. The full weight of the US products liability bar will quickly and rapidly motivate manufacturers to ship secure devices. The lack of accountability is enabling vulnerability.
The failing here, as in many cases such as a number of security breaches, was a lack of investment. As someone with an engineering degree who worked as a VLSI design engineer, good engineering requires <i>backup systems</i>. This costs money that people don't want to spend. In some cases, such as a startup, they might be cash short, but many firms have the money but don't want to spend it ensuring that they have well engineered software that includes backups, up-to-date software and security upgrades, hiring (expensive) highly competent software engineers and consulting firms.<p>The mistake in this case was relying on one vendor for DNS. Amazon Route 53 would be a good alternate vendor for DNS, for example.
I think even basic home routers these days have enough CPU power to handle egress filtering.<p>If you have an IoT device, by its nature it only needs to connect to a few services and hosts.<p>The manufacturer can provide this in their docs, and give an automatic config URL that the router uses to load its egress rules.<p>The rules to load are displayed and the user checks they are legit by comparing to the printed version in the manual, then clicks OK. Or something like that.<p>Rate limits in terms of packets per second, total bandwidth both instantaneous and over time, are set also.
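A small model of the router-side policy sketched in this comment (per-device destination allowlist loaded from the manufacturer's rules, plus a packets-per-second limit), added here as an illustration and not code from the thread. The device name, vendor hostname and limits are constructed for the demo.

```python
class EgressPolicy:
    """Per-device outbound allowlist plus a packets-per-second token bucket,
    modelling rules a home router could load from a manufacturer-published URL."""
    def __init__(self, allowlist, pps_limit, clock):
        self.allowlist = allowlist  # device -> set of (destination, port) the device may reach
        self.pps_limit = pps_limit  # device -> packets per second it may send
        self.clock = clock          # callable returning seconds (injectable for the demo)
        self.buckets = {}           # device -> (tokens, last_refill_time)

    def _take_token(self, device):
        now, limit = self.clock(), self.pps_limit[device]
        tokens, last = self.buckets.get(device, (limit, now))
        tokens = min(limit, tokens + (now - last) * limit)   # refill at the device's pps rate
        if tokens < 1:
            self.buckets[device] = (tokens, now)
            return False
        self.buckets[device] = (tokens - 1, now)
        return True

    def decide(self, device, dst, port):
        """Return 'allow' or a 'drop:<reason>' verdict for one outbound packet."""
        if device not in self.allowlist:
            return "drop:unknown-device"        # default deny for anything not in the manual
        if (dst, port) not in self.allowlist[device]:
            return "drop:not-allowlisted"       # e.g. a bulb talking to a random host on port 23
        if not self._take_token(device):
            return "drop:rate-limited"          # allowlisted destination, but flooding it
        return "allow"

def demo():
    # Constructed rule set: one bulb that only ever needs its vendor cloud over HTTPS.
    clock = [0.0]
    policy = EgressPolicy(allowlist={"bulb-1": {("cloud.vendor.example", 443)}},
                          pps_limit={"bulb-1": 20}, clock=lambda: clock[0])
    results = {
        "vendor": policy.decide("bulb-1", "cloud.vendor.example", 443),
        "stray": policy.decide("bulb-1", "203.0.113.5", 23),
        "unknown": policy.decide("toaster", "cloud.vendor.example", 443),
    }
    burst = [policy.decide("bulb-1", "cloud.vendor.example", 443) for _ in range(30)]
    results["burst_allowed"] = burst.count("allow")   # 19: bucket started at 20, one already used
    clock[0] += 1.0                                    # a second later the bucket has refilled
    results["after_refill"] = policy.decide("bulb-1", "cloud.vendor.example", 443)
    return results
```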
Not only the East Coast: Twitter can't be resolved in Ireland/UK right now (I assume the mobile app uses some kind of 'DNS pinning', as that is working).
I love those comments about IoT and who should be responsible for error-proof products, or ISPs monitoring traffic, or ...<p>The Internet, in the beginning, was even more insecure. Including the computers and OSes. There was less abuse because few had resources and knowledge. Read some old software and you'll find all bad designs in it. Software didn't become worse, it's just targeted with more knowledge and intensity.
I always thought DNS had enough redundancy built-in that this sort of thing wouldn't really have much effect. But here I am unable to access websites, simply because name resolution isn't working. If my local DNS server were caching things longer there would largely be no issue.
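A model of the "hold on to expired records when the authoritative server is unreachable" idea raised in this comment and in the earlier one about honouring TTLs when possible. This is an added illustration, not code from the thread; the cache class, the fake upstream and the answer 192.0.2.10 with its 60 s TTL are constructed for the demo.

```python
class StaleCapableCache:
    """Resolver cache that honours TTLs normally but, when the upstream cannot
    be reached, keeps serving an expired record for up to max_stale seconds."""
    def __init__(self, upstream, max_stale, clock):
        self.upstream = upstream    # callable(name) -> (rdata, ttl); raises OSError on failure
        self.max_stale = max_stale  # cap on how long past expiry a record may still be served
        self.clock = clock          # callable returning seconds (injectable for the demo)
        self.cache = {}             # name -> (rdata, expires_at)

    def resolve(self, name):
        now = self.clock()
        entry = self.cache.get(name)
        if entry and entry[1] > now:
            return entry[0], "fresh"            # within TTL: no upstream query at all
        try:
            rdata, ttl = self.upstream(name)
        except OSError:
            if entry and now - entry[1] <= self.max_stale:
                return entry[0], "stale"        # upstream down: fall back to the expired answer
            raise                               # nothing cached, or expired too long ago
        self.cache[name] = (rdata, now + ttl)
        return rdata, "refreshed"

class FakeUpstream:
    # Stand-in authoritative server: constructed answer plus an outage switch.
    def __init__(self):
        self.down, self.queries = False, 0
    def __call__(self, name):
        self.queries += 1
        if self.down:
            raise OSError("authoritative server unreachable")
        return "192.0.2.10", 60                 # constructed answer with a 60 s TTL

def demo():
    # Walk one name through normal operation, an outage and recovery.
    clock = [1000.0]
    upstream = FakeUpstream()
    cache = StaleCapableCache(upstream, max_stale=3600, clock=lambda: clock[0])
    statuses = [cache.resolve("api.example.com")[1]]        # refreshed
    clock[0] += 30
    statuses.append(cache.resolve("api.example.com")[1])     # fresh
    clock[0] += 60                                           # TTL has expired by now
    upstream.down = True
    statuses.append(cache.resolve("api.example.com")[1])     # stale
    clock[0] += 3601                                         # past max_stale as well
    try:
        cache.resolve("api.example.com")
    except OSError:
        statuses.append("failed")
    upstream.down = False
    statuses.append(cache.resolve("api.example.com")[1])     # refreshed
    return statuses, upstream.queries
```

The max_stale cap is what bounds the downside the earlier comment asked about: an address that legitimately moved is served for at most that long after the outage begins, and a working upstream is always preferred.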
Did anyone else find the style of writing in this article really annoying? Things like prefacing statements with "so-called" or putting terms in quotes to make them seem suspect.<p>E.g.:<p>a so-called distributed denial-of-service (DDoS) attack<p>York said Dyn was “actively” dealing with a “third wave” of the attack.
If you are unable to connect because of DNS problems, switch your DNS server to 8.8.8.8 (Google).<p>Edit: sorry there, this worked for me but apparently it's not guaranteed.
I'm suggesting this just so someone more knowledgeable can debunk it. Suppose FBI or someone up there had a meeting and said "in three weeks, there could be millions of armed Americans who believe that democracy was just stolen from them by some evil dictator in a massive globalist conspiracy. These people love twitter. Is there a way to make twitter go down without making it look like we're suddenly pulling the plug?"
The answer was yes, we'll do a test run Friday.