On Nov 22, 2016, at 14:39, Markus Stenberg <markus.stenb...@iki.fi> wrote:
>
> The recent IoT DDoS publicity is a good example; the devices that are the
> Mirai botnet are devices that had/have open ports facing the internet.

Not quite, cf. <https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/>

The vast majority of those devices were protected from receiving inbound flows over public Internet routes by the stateful filters of IPv4/NAT gateways.

p1. Those ports would not have been open and facing the Internet except they were also configured to use UPnP IGD to punch a hole through their firewall to expose their unsecured services.

p2. More importantly, they were also open and facing other compromised hosts on the same network, which were vulnerable not because they had open ports facing the Internet but because they were exposed to malware by legitimate requests to web servers at public Internet destinations.

The calls [in both cases p1 and p2] were coming from inside the house.

> It is all about reducing the attack surface.

What attack surfaces were reduced? None of them were turned on at all. And why? Because, strangely, the industry in which we work engineers so many of the systems, which ordinary people are expected to use, in a way that makes them unusable unless all the security mechanisms that reduce the attack surfaces are disabled or bypassed by default.

It's not about reducing attack surfaces. It's about making systems that are safe for deployment in close proximity to humans.

--james woodyatt <j...@google.com>
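The hole-punching mechanism named in p1 above is the UPnP IGD port-mapping table on the home gateway. The script below is an added example, not code from the homenet list or from any gateway vendor: it parses the SOAP body a gateway returns for the IGD action GetGenericPortMappingEntry (WANIPConnection:1, whose argument names NewRemoteHost, NewExternalPort, NewInternalClient and so on are the standard ones) and reports which internal host and service each mapping exposes to inbound Internet flows. The two responses it parses are constructed samples, and the table of service ports worth flagging is this example's own assumption.

```python
"""Audit UPnP IGD port mappings for internal services exposed to the Internet.

Added example; not from the homenet thread or any gateway firmware. Parses
GetGenericPortMappingEntry SOAP responses (WANIPConnection:1) and lists the
holes punched through the gateway's stateful IPv4/NAT filter.
"""
import xml.etree.ElementTree as ET

# Services typically listening on consumer devices. Assumption of this
# example: a mapping that forwards to one of these deserves a closer look.
RISKY_INTERNAL_PORTS = {22: "ssh", 23: "telnet", 80: "http", 443: "https",
                        554: "rtsp", 5555: "adb", 8080: "http-alt"}

RESPONSE_TAG = "GetGenericPortMappingEntryResponse"


def _soap_envelope(remote_host, ext_port, proto, int_port, client, enabled, desc, lease):
    """Build a constructed GetGenericPortMappingEntryResponse envelope (sample data)."""
    fields = [("NewRemoteHost", remote_host), ("NewExternalPort", ext_port),
              ("NewProtocol", proto), ("NewInternalPort", int_port),
              ("NewInternalClient", client), ("NewEnabled", enabled),
              ("NewPortMappingDescription", desc), ("NewLeaseDuration", lease)]
    body = "".join("<%s>%s</%s>" % (k, v, k) for k, v in fields)
    return ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            '<u:%s xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">%s</u:%s>'
            '</s:Body></s:Envelope>' % (RESPONSE_TAG, body, RESPONSE_TAG))


# Constructed samples: a camera that mapped telnet straight through with a
# permanent lease, and a game console mapping a UDP port for one hour.
SAMPLE_RESPONSES = [
    _soap_envelope("", 23, "TCP", 23, "192.168.1.50", 1, "ipcam", 0),
    _soap_envelope("", 27015, "UDP", 27015, "192.168.1.20", 1, "game", 3600),
]


def parse_port_mapping(soap_xml):
    """Extract one mapping entry from a GetGenericPortMappingEntry reply.

    The response element is namespaced (urn:schemas-upnp-org:...) but its
    argument children are not, so match it by local name and read children
    directly.
    """
    root = ET.fromstring(soap_xml)
    resp = next((el for el in root.iter() if el.tag.endswith(RESPONSE_TAG)), None)
    if resp is None:
        raise ValueError("not a %s body" % RESPONSE_TAG)

    def text(name):
        value = resp.findtext(name)
        return value.strip() if value else ""

    return {
        "remote_host": text("NewRemoteHost"),          # "" means any source
        "external_port": int(text("NewExternalPort")),
        "protocol": text("NewProtocol").upper(),
        "internal_port": int(text("NewInternalPort")),
        "internal_client": text("NewInternalClient"),
        "enabled": text("NewEnabled") == "1",
        "description": text("NewPortMappingDescription"),
        "lease_seconds": int(text("NewLeaseDuration")),  # 0 = permanent
    }


def assess_mapping(mapping):
    """Return findings for one mapping; an empty list means nothing notable."""
    findings = []
    if not mapping["enabled"]:
        return findings
    if mapping["remote_host"] == "":
        findings.append("no remote-host restriction: any Internet source may connect")
    service = RISKY_INTERNAL_PORTS.get(mapping["internal_port"])
    if service is not None:
        findings.append("exposes %s on %s:%d via external %s/%d" % (
            service, mapping["internal_client"], mapping["internal_port"],
            mapping["protocol"], mapping["external_port"]))
    if mapping["lease_seconds"] == 0:
        findings.append("permanent lease: mapping persists until explicitly removed")
    return findings


def audit_mappings(soap_responses):
    """Parse every response; return (mapping, findings) pairs, most findings first."""
    results = [(m, assess_mapping(m)) for m in map(parse_port_mapping, soap_responses)]
    results.sort(key=lambda r: -len(r[1]))
    return results


if __name__ == "__main__":
    for mapping, findings in audit_mappings(SAMPLE_RESPONSES):
        print("%-6s %s/%d -> %s:%d" % (mapping["description"], mapping["protocol"],
              mapping["external_port"], mapping["internal_client"], mapping["internal_port"]))
        for finding in findings:
            print("    -", finding)
```

On a live gateway the same parser applies to each reply obtained by walking NewPortMappingIndex from 0 until the gateway returns a SpecifiedArrayIndexInvalid fault; the audit then shows exactly which devices have opted out of the stateful filter, which is the first thing to check before assuming "no open ports" means "nothing facing the Internet".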
_______________________________________________
homenet mailing list
homenet@ietf.org
https://www.ietf.org/mailman/listinfo/homenet