If "Bad bot" traffic now accounts for a quarter of all internet traffic. Increasing by 6.2 percent from the previous year, bad bot traffic now represents no less than a quarter of all internet traffic. At this rate where is the Internet headed? Are we destined to contend with a slowdown in overall network performance as result? (https://www.imperva.com/blog/bad-bot-report-2021-the-pandemi...)
To me it's rather concerning that more and more products are opting towards connecting to the internet for seemingly little reason. The costs of security on that seem somewhat astronomical.
I guess I'm now somewhat jaded with tech (despite being a developer as my day job) but I find I'm going backwards nowadays. I live in totalitarian Scotland for those that are interested.
I just found out that I may be able to sell my 2yo car to a dealer despite still paying it up - something to do with the demand for secondhand cars being so high these days and I can get more than I owe... I digress!
Anyway, I don't really need a car but it's handy so I'm looking at a 20 year old Grand Cherokee (or possibly a Cherokee). The main reason is that it has almost no tech in it. Nothing that can serve me ads. Nothing that can track me. Nothing that can be used against me. Nothing that can be hacked. Nothing that can be remotely accessed by the manufacturer. It only contains things that make it go (and stop)!
My phone will be getting replaced with... probably the most basic thing I can get since I barely use it too.
It's difficult to stop at this point. When your competitors are doing it, you are in a hard spot, even though you know it's absurd. They advertise it as smart, intelligent, new generation - and your device without IoT seems like from the 20th century.
The antidote to this could be a hardware switch, i.e. the option to completely disable wireless connectivity if the customer wishes so - in a way that is tamper-proof. But I haven't seen products that implement this so far.
A switch is not enough to prevent millions of devices from being part of a botnet if the consumers don’t see the advantage of switching it off (“why would I”). There needs to be significant motivation (fines for participating in DoS attacks) or a different default.
this reminds me of the books by daniel suarez daemon and its sequel freedom. the internet is taken over by an AI of sorts and one of the first orders of business is to clear out negative value adds like this:
DEATH TO SPAMMERS
if i was to pick two books to recommend to all HN, it would be those. ive read everything suarez has written and theyre all greaf, but the technopolitical daemon and freedom and superlative.
+1 this recommendation. The tech in the novel is still very futuristic, but it has interesting premises, specially regarding the DAEMON's birth and strategy for global control.
He has a very special way with the - as he calls them - miscreants.
He engages in rather diplomatic chats, like in a fascinated way.
His website is of course target practice for many people, I am sure he is not impressed, he has his own fake swatting protocol with the police, the people had his home swatted many times.
Are routers “IoT devices” now? This looks like a deliberate journalistic buzzword stuffing, given that the author cites the botnet description extensively.
IoT has always been a buzzword, but at least it communicates what it is slightly better than embedded system. The buzzword I currently despise is edge computing.
That seems to nean something though: the trend of hosting not just information but computation more local to its destination like CDNs did for information.
I don't know what IoT means other than shit that shouldn't be networked (let alone computational) is networked.
Still not seeing what a DoS attack on him achieves. What, he loses some kind of sweet profits due to the site being down for a day, if Google can't shield it for some reason?
And the other two obviously aren't going to keel over unless you come up with like five of such botnets. They're pretty much the largest possible targets who are still gonna report that they felt something. Which sounds precisely like advertisement to me.
I wouldn't expect that at all, since the attack doesn't have any security implications other than ‘someone found how to send a lot of requests from routers’, and the target is just one guy with a blog—not a corporation whose job is to serve web requests.
By the way, that's some circular reasoning right there. I asked, what would be the purpose of the DoS attack. You say, it's to hurt the reputation if the site comes down. But why? What is the purpose of taking down the site? Krebs is a security researcher, he's not in the business of running websites, let alone sites that can withstand two million requests a second.
The only security connotation of this is that some guys got a botnet and they flex on Krebs to have him advertise the fact—pretty much like he's supposed to, per his job description.
Not just his work. Krebs regularly engages in self-righteous, unethical behavior against his perceived opponents, including doxxing people who have left bad reviews on his books.
It makes me a little sad each time I see people promoting his site.
Well, this is concerning. I just bought a MicroTik RB4011 to replace my ol faithful Ubiquiti EdgeRouter X because I’m getting fiber installed next week…
I guess I will be doing some research on MicroTik vulnerabilities and try to find out if these are just misconfigured devices that got owned or if I should hold off on the switch!
I don't see how you'd be owned if you're denying all outside traffic, but stranger things have happened.
They don't all come with it configured this way by default, and it's definitely something to be aware of.
The hAP AC^2, for example, has a button that rotates through 3 default configs. One of those configs is NAT home router/firewall, one of them is just router, and one of them is completely empty. At least, that's how I remember it working.
> I don't see how you'd be owned if you're denying all outside traffic, but stranger things have happened.
My thought was the same but yup you never know. From the outside my attack surface is very low, just a couple port forwards to a VPN/SSH server. It’s the non-obvious exploits that worry me (overflow in packet header parsing or borderline magic like that), but perhaps I’ve been watching too many movies :)
I will make sure my config is as solid as I can reasonably make it before connecting it to the world, I guess outside of that there’s not a whole lot I can do anyway.
> Unclear how old your firmware is, but it seems that the vulnerability was patched years ago. Check anyway.
That seems to be countered in the article mentioning that the majority of devices are running firmware that’s relatively recent (one release from the latest).
Thanks, this was very helpful. My first move when I get a device like this is a firmware update, so I’ll do that and then check with the resource you linked.
I installed a Mikrotik hap ac2 router a few months ago to replace a Netgear one. It has been working great impressed with the software, support, and wireless coverage particularly for such a tiny box with such a small price. But a complicated setup if you're not a network engineer and have some customizations to make for firewall and static IPS, forwarding, etc! Not at all as easy as ddwrtt, tomato or even pfsense. And very odd terminal command line not Linux typical. I updated my firmware a few weeks ago (press a button in software, easy) and my router does not have vulnerability per https://radar.qrator.net/. Was likely safe before also as link above states it was patched years ago.
The internet needs to figure out how to make appliance manufacturers liable for security breaches in some way. Otherwise the cost of security is an externality that they dump onto the internet for free.
45 comments
[ 4.0 ms ] story [ 96.7 ms ] thread[0] https://craphound.com/category/unauthorizedbread/
I just found out that I may be able to sell my 2yo car to a dealer despite still paying it up - something to do with the demand for secondhand cars being so high these days and I can get more than I owe... I digress!
Anyway, I don't really need a car but it's handy so I'm looking at a 20 year old Grand Cherokee (or possibly a Cherokee). The main reason is that it has almost no tech in it. Nothing that can serve me ads. Nothing that can track me. Nothing that can be used against me. Nothing that can be hacked. Nothing that can be remotely accessed by the manufacturer. It only contains things that make it go (and stop)!
My phone will be getting replaced with... probably the most basic thing I can get since I barely use it too.
Anyway, just wanted to chuck in my $0.02
The antidote to this could be a hardware switch, i.e. the option to completely disable wireless connectivity if the customer wishes so - in a way that is tamper-proof. But I haven't seen products that implement this so far.
A switch is not enough to prevent millions of devices from being part of a botnet if the consumers don’t see the advantage of switching it off (“why would I”). There needs to be significant motivation (fines for participating in DoS attacks) or a different default.
DEATH TO SPAMMERS
if i was to pick two books to recommend to all HN, it would be those. ive read everything suarez has written and theyre all greaf, but the technopolitical daemon and freedom and superlative.
That seems to nean something though: the trend of hosting not just information but computation more local to its destination like CDNs did for information.
I don't know what IoT means other than shit that shouldn't be networked (let alone computational) is networked.
And the other two obviously aren't going to keel over unless you come up with like five of such botnets. They're pretty much the largest possible targets who are still gonna report that they felt something. Which sounds precisely like advertisement to me.
The only security connotation of this is that some guys got a botnet and they flex on Krebs to have him advertise the fact—pretty much like he's supposed to, per his job description.
It makes me a little sad each time I see people promoting his site.
source?
Heh, that's grand.
I guess I will be doing some research on MicroTik vulnerabilities and try to find out if these are just misconfigured devices that got owned or if I should hold off on the switch!
They don't all come with it configured this way by default, and it's definitely something to be aware of.
The hAP AC^2, for example, has a button that rotates through 3 default configs. One of those configs is NAT home router/firewall, one of them is just router, and one of them is completely empty. At least, that's how I remember it working.
My thought was the same but yup you never know. From the outside my attack surface is very low, just a couple port forwards to a VPN/SSH server. It’s the non-obvious exploits that worry me (overflow in packet header parsing or borderline magic like that), but perhaps I’ve been watching too many movies :)
I will make sure my config is as solid as I can reasonably make it before connecting it to the world, I guess outside of that there’s not a whole lot I can do anyway.
Edit: also this checker, when you get the device online: https://radar.qrator.net/
Unclear how old your firmware is, but it seems that the vulnerability was patched years ago. Check anyway.
That seems to be countered in the article mentioning that the majority of devices are running firmware that’s relatively recent (one release from the latest).
Most recent experience with Netgear Orbi Mesh system and Nest Wifi (or is it Google Wifi v2)
There are nearly no customization, hardening that can be made.
I can appreciate that a presentation is needed for average home user, but there should be a technical tweak away layer available.