Takeaway quote: the Internet is “vulnerable to toasters”.
I’ve got to suspect most of these cheap Chinese webcams (i.e. 90% of them) and other devices are only accessible via a public IP address because of UPnP. And apparently they are forwarding not just HTTP and HTTPS through the router but also telnet and SSH. Death to UPnP! We don’t enable it when customers lease routers from us. These cams should be using some sort of proxy in the cloud to relay the video, not port forwarding on the customer’s router. I also suspect a lot of these are outside the US. At the risk of opening up the dreaded “NAT is not a firewall” and “IPv6 is great/terrible” debates, how does IPv6 not increase the IoT threat? What is the typical setup for an IPv6 enabled customer with toasters and webcams that get public IPs? Does the router from the ISP or supplied by the customer still implement a stateful firewall so that inbound traffic is blocked unless a connection has been established by outbound traffic or a port forwarding rule? Or are there IPv6 toasters with web and CLI access wide open? Does UPnP still exist with IPv6? Maybe it’s no more of a problem with IPv6, but then I still wonder, why are so many IoT devices accessible via telnet to exploit the hardcoded default passwords? Maybe it’s not our customers buying cheap webcams at Costco, maybe it’s really businesses putting their security cameras directly on public IP addresses? From: Af [mailto:af-boun...@afmug.com] On Behalf Of Jaime Solorza Sent: Saturday, October 22, 2016 9:57 AM To: Animal Farm <af@afmug.com> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick 'Smart' home devices used as weapons in website attack http://www.bbc.com/news/technology-37738823 On Oct 22, 2016 8:14 AM, "Mike Hammett" <af...@ics-il.net <mailto:af...@ics-il.net> > wrote: Here's a tested config that works with standard IP Firewall. Once I get a chance, I'll make and test a version that uses raw. /ip firewall address-list add address=x.x.x.x/yy comment="My IPs" list=Public_Networks add address=x.x.x.x/yy comment="Upstream /30" list=Public_Networks add address=x.x.x.x/yy comment="Customer ABC's ARIN allocation" list=Public_Networks /ip firewall filter add action=drop chain=forward comment="Block Spoofed Traffic" out-interface=[upstream interface] src-address-list=!Public_Networks ----- Mike Hammett <http://www.ics-il.com/> Intelligent Computing Solutions <https://www.facebook.com/ICSIL> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> <https://www.linkedin.com/company/intelligent-computing-solutions> <https://twitter.com/ICSIL> <http://www.midwest-ix.com/> Midwest Internet Exchange <https://www.facebook.com/mdwestix> <https://www.linkedin.com/company/midwest-internet-exchange> <https://twitter.com/mdwestix> <http://www.thebrotherswisp.com/> The Brothers WISP <https://www.facebook.com/thebrotherswisp> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> _____ From: "Mike Hammett" <af...@ics-il.net <mailto:af...@ics-il.net> > To: af@afmug.com <mailto:af@afmug.com> Sent: Friday, October 21, 2016 12:17:13 PM Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick /ip firewall address-list add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs" add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs" /ip firewall filter add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" dst-address-list=!"Public-IPs" That was largely composed off of the top of my head and typed on my phone, so it may not be completely accurate. You should also do it on customer-facing ports not allowing anything to come in, but that would be best approached once Mikrotik and the per interface setting for unicast reverse path filtering. You would then said customer facing interfaces to strict and all other interfaces to loose. They accepted the feature request, just haven't implemented it yet. ----- Mike Hammett <http://www.ics-il.com/> Intelligent Computing Solutions <https://www.facebook.com/ICSIL> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> <https://www.linkedin.com/company/intelligent-computing-solutions> <https://twitter.com/ICSIL> <http://www.midwest-ix.com/> Midwest Internet Exchange <https://www.facebook.com/mdwestix> <https://www.linkedin.com/company/midwest-internet-exchange> <https://twitter.com/mdwestix> <http://www.thebrotherswisp.com/> The Brothers WISP <https://www.facebook.com/thebrotherswisp> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg> _____ From: "Mike Hammett" <af...@ics-il.net <mailto:af...@ics-il.net> > To: af@afmug.com <mailto:af@afmug.com> Sent: Friday, October 21, 2016 11:21:35 AM Subject: [AFMUG] Another large DDoS, Stop Being a Dick There's another large DDoS going on now. Go to this page to see if you can be used for UDP amplification (or other spoofing) attacks: https://www.caida.org/projects/spoofer/ Go to these pages for more longer term bad behavior monitoring: https://www.shadowserver.org/wiki/ https://radar.qrator.net/ Maybe we need to start a database of ASNs WISPs are using and start naming and shaming them when they have bad actors on their network. This is serious, people. Take it seriously. ----- Mike Hammett <http://www.ics-il.com/> Intelligent Computing Solutions <https://www.facebook.com/ICSIL> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb> <https://www.linkedin.com/company/intelligent-computing-solutions> <https://twitter.com/ICSIL> <http://www.midwest-ix.com/> Midwest Internet Exchange <https://www.facebook.com/mdwestix> <https://www.linkedin.com/company/midwest-internet-exchange> <https://twitter.com/mdwestix> <http://www.thebrotherswisp.com/> The Brothers WISP <https://www.facebook.com/thebrotherswisp> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
