by mtgx 3552 days ago
If the 665 Gbps botnet was indeed powered by mainly IoT devices, then this is only the very beginning. We're about to see multi-Tbps botnets soon, all because most IoT companies could care less about security, and because most of them want to connect every IoT device to the Internet by default (rather than through a gateway, which at least could limit infections).
3 comments

It's already happening; OVH was hit by a DDoS nearing 1 Tbps.

https://twitter.com/olesovhcom/status/779297257199964160

> and because most of them want to connect every IoT device to the Internet by default

Stuff is going to get even worse when IoT devices begin using IPv6. By design, devices are publicly reachable and not hidden behind a NAT router, which makes RCE exploits way, way easier.

I'd take a guess that loads of IoT devices have "backdoors" like open SSH/telnet with insecure default passwords, too - the same shit that hit el-cheapo routers, for example.

> Stuff is going to get even worse when IoT devices begin using IPv6. By design, devices are publicly reachable

Is that true? I just set up IPv6 at home yesterday and I don't see the difference from IPv4 in terms of reachability. The default policy on my firewall for incoming traffic for both IPv4 and IPv6 is drop.

Yes, NAT can give you a pseudo-firewall in that LAN devices aren't given publicly routable addresses, but I have no idea why anyone would leave their IPv6 network completely open "by design".

Let's hope router manufacturers include sensible firewall defaults. They probably won't in many cases, though.

They can't, because IoT.

IoT devices like surveillance cams, VoIP babyphones etc. have two options:

1) depend on third-party servers for operation, so no outside-to-device-initiated communication is needed. Downside: costs money to run the servers, and just imagine the sausagefest when a camera cloud server gets hacked. Upside: you can firewall off your private network as you like, and the device will still work.

2) allow the owner of the device to directly connect to the IoT device via IPv6. Downside: everyone and their dog can access (and exploit) your devices, provided that they know the IP address. IPv6 addresses are long and pretty random, but e.g. if the MAC address is used for assigning the IPv6 address, not so random any more. Upside: no SPOF/centralized node that turns your device into a brick if the operator shuts down.

Basically, the only way to "securely" operate IoT devices is inside a separate VLAN. FritzBox routers can do this, but not many others, e.g. because the router can't independently manage the Ethernet ports, because it's cheaper to put in a GBit switch than to choose a SoC that's beefy enough to drive four GBit ports individually. I put "securely" into quotation marks, as a hacked surveillance cam or babyphone is an open invitation to any hacker.
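The point above about MAC-derived IPv6 addresses is worth making concrete. With stateless address autoconfiguration and no privacy extensions, the low 64 bits of the address are the modified EUI-64 identifier: the MAC address with `ff:fe` inserted in the middle and the universal/local bit flipped (RFC 4291, Appendix A). The snippet below is an added example, not code from the thread, using only the Python standard library; the prefix `2001:db8:1:2::/64` and the MAC addresses are constructed sample values. It derives the SLAAC address a device would get, and, from the defender's side, checks whether an address on your network still exposes its MAC so you know which devices lack RFC 4941/7217-style randomized identifiers.

```python
"""Derive and detect modified EUI-64 interface identifiers in IPv6 addresses.

Added example (not from the original thread). Standard library only.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Build the modified EUI-64 identifier (RFC 4291, Appendix A) from a 48-bit MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Split the MAC in half, insert 0xff 0xfe, and flip the universal/local bit
    # (bit 0x02 of the first octet).
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 identifier, as SLAAC does without privacy extensions."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC uses a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def mac_from_address(addr: str):
    """Return the embedded MAC if the low 64 bits look like modified EUI-64, else None.

    The 0xff 0xfe marker in the middle of the identifier is the tell-tale sign.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    first = raw[0] ^ 0x02  # undo the universal/local bit flip
    octets = bytes([first]) + raw[1:3] + raw[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed sample values: documentation prefix and a made-up MAC.
    addr = slaac_address("2001:db8:1:2::/64", "00:11:22:33:44:55")
    print("SLAAC address:", addr)                     # 2001:db8:1:2:211:22ff:fe33:4455
    print("embedded MAC:", mac_from_address(str(addr)))
    # A randomized identifier (constructed) carries no MAC and is reported as None.
    print("privacy address:", mac_from_address("2001:db8:1:2:1c2a:9f3b:7d10:e4c6"))
```

Run against a neighbour table dump, `mac_from_address` returning a value for a device means the address is predictable from its vendor OUI and serial-range MAC, so a fixed prefix plus a known device model narrows the search space the comment above describes; the mitigation is to enable stable-privacy or temporary addresses on the device, which this check will then report as `None`.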

>sausagefest

Not sure that word means what you think it means.

"Basically, the only way to "securely" operate IoT devices is inside a separate VLAN."

This is a major pain to configure, and way beyond the capacity of even most IT professionals. One of the problems is that you do want to allow some devices (phones) from the 'normal' network to (selectively) be able to connect to devices in the IoT vlan.

I spent a solid day trying to set this up once (and on a 'real' switch, not a Fritzbox, which I have too but only use as a modem) and I'm not saying that I'm that good a networking guy (I mean, that I wasn't able to get it working means I'm not), but I do know more than the average internet installation guy who would be the only hope for 'regular' users to set up their networks properly.

Most routers nowadays seem to come with a long random password written on a sticker stuck on the bottom. That seems a reasonable compromise between being hard to hack over the internet and reasonably easy for non-techie owners.

I would say making secure tunnels a default for home routers would be a better mitigation... there is no need to control my "smart home" or whatever from my neighbor's phone...

Some things just do not make much sense without being able to control them remotely. A separate VLAN for devices would only allow them to communicate with one another, which probably is not what you want. BTW, I could not set up VLANs on a fritz box with FritzOS last time I tried. However, nearly all routers with OpenWRT will do it without a problem.

The only way to get it well-adopted would be if you could get Google, Apple, Microsoft and router manufacturers to agree on some user-friendly and secure way to set up tunnels and connect to them from your phone/devices. Good luck with that...

While a common agreement on how this should be done would be the best solution, it should be enough to have at least some option to set up such tunnels through an API. Router manufacturers could develop an app to make that setup easier then.

Although this won't be practical for any device that is not a phone or a (desktop) computer.

AVM doesn't call it VLANs, but "guest network". Activating the feature opens up a new SSID with internet-only access (the newest release of FritzOS even can do a captive portal!), and you can assign the LAN4 ethernet port to it, too.

Separating the IoT stuff (at least the stuff that needs connectivity from outside) into its own VLAN at least prevents a hacker from gaining access to the rest of your home network (e.g. NAS devices or your normal computers).

I can see why they would not call this VLAN functionality; although it surely makes use of it, it is not configurable individually. So let's just say I misunderstood what you meant. Setting up a guest network with internet access would allow the same exploitation in order to participate in a DDoS attack.

While this would, as you said, protect my other networks to some extent, it does not solve the problem. I will not ever trust these devices to get secure enough to expose them directly to the internet.

This is why I am thinking the only way to operate these devices securely is to require some kind of transport protection, in the form of an IPsec tunnel for example. This would allow me and anyone with the right set of access to control the devices without making them accessible to anyone else.

If home routers would encourage the use of such tunnels it would be a normal thing to have a link back to your home network (or maybe a separate IoT network) which could be properly firewalled...

PfSense, too

Why not just temporarily blacklist the IPs and ignore all traffic from them when you detect the DDoS?

DDoS is exactly that: a Distributed Denial of Service attack. In other words, there are thousands of IPs popping in and out performing a variety of denial of service attacks, so it's not really a one-block-and-done type deal.

Usually there are many IPs popping in and out, and it's often hard to tell them apart from regular clients.

Also, you still have to receive the traffic even if you then ignore it; if your pipe is smaller than the attacker's, it may be enough to overwhelm you.
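The last three comments make a point that is easy to check in code: a per-source blocklist catches a single noisy sender but does nothing against a flood spread thinly across many sources, and in either case every packet still arrives on your link before you get to drop it. The script below is an added example, not code from the thread. It implements a sliding-window per-IP rate limiter of the kind the first commenter proposes and runs it over two constructed traffic samples: one source sending 500 requests in a second, and 1000 sources (addresses generated from the `100.64.0.0/22` shared address space, chosen only as sample values) each sending a single request in the same second. The thresholds `RATE_LIMIT` and `CAPACITY` are assumptions for the illustration.

```python
"""Why per-IP blocklisting alone does not stop a distributed flood.

Added example (not from the original thread). Standard library only.
"""
import ipaddress
from collections import defaultdict, deque

RATE_LIMIT = 10    # assumed: requests per WINDOW a single source may send before it is blocked
WINDOW = 1.0       # seconds
CAPACITY = 100     # assumed: requests per second the service behind the filter can absorb


def apply_blocklist(events, rate_limit=RATE_LIMIT, window=WINDOW):
    """Per-source sliding-window limiter.

    events: iterable of (timestamp_seconds, source_ip), in time order.
    Returns (accepted_events, blocked_sources). A source that exceeds
    rate_limit requests within window is blocked for the rest of the run.
    """
    history = defaultdict(deque)
    blocked = set()
    accepted = []
    for ts, ip in events:
        if ip in blocked:
            continue
        q = history[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # forget requests older than the window
            q.popleft()
        if len(q) > rate_limit:
            blocked.add(ip)
            continue
        accepted.append((ts, ip))
    return accepted, blocked


def peak_rate(events, window=WINDOW):
    """Largest number of events falling inside any window of the given length."""
    q = deque()
    best = 0
    for ts, _ in sorted(events):
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        best = max(best, len(q))
    return best


def summarize(events):
    """What arrived on the link, what the filter let through, and what was blocked."""
    events = list(events)
    accepted, blocked = apply_blocklist(events)
    return {
        "arrived": len(events),               # all of this still consumed link bandwidth
        "accepted": len(accepted),
        "blocked_sources": len(blocked),
        "peak_accepted_rate": peak_rate(accepted),
        "service_overwhelmed": peak_rate(accepted) > CAPACITY,
    }


def single_source_flood():
    """Constructed sample: one address sends 500 requests within one second."""
    return [(i / 500, "198.51.100.7") for i in range(500)]


def distributed_flood():
    """Constructed sample: 1000 addresses each send one request within one second."""
    base = int(ipaddress.IPv4Address("100.64.0.0"))
    return [(i / 1000, str(ipaddress.IPv4Address(base + i))) for i in range(1000)]


if __name__ == "__main__":
    print("single source:", summarize(single_source_flood()))
    print("distributed:  ", summarize(distributed_flood()))
```

The single-source run blocks the offender after its eleventh request, so only ten requests reach the service. In the distributed run no source ever exceeds the per-IP limit, all 1000 requests pass the filter and the accepted rate is ten times the assumed service capacity, while `arrived` is the same in both cases: the filter decides what the application sees, not what the uplink has to carry.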