by pmlnr 3529 days ago
For non-technical users, I'd suggest the following:

Turn off the devices you don't want to check; leave only those up you want to investigate.

Visit your router's web interface and see if there are any graphs you can check for things like requests/second or packets/second. If it's really high while you're not actively doing anything, that's a clue.

Visit the UPnP settings on the router. If there are ports listening for incoming internet connections, turn the UPnP off on the router.

If you can SSH to your router, log in and start collecting data with tcpdump[1]. This can later be analyzed with tools like wireshark[2], which can show you per protocol what is going on. Most of the botnets use telnet- or IRC-like interfaces which are, in most cases, plain text commands, so it's possible to spot them.

Apart from this: reset everything to factory and change all the passwords before letting anything on your network.

[1]: https://www.linux.com/blog/tcpdump-tutorial-beginners

[2]: https://www.wireshark.org/docs/wsug_html_chunked/ChapterIntr...
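As an added example (not from the comment above or from tcpdump/wireshark themselves), a small Python script in the spirit of the tcpdump step: it reads `tcpdump -n -tt` style lines, aggregates outbound traffic per LAN device, and flags devices that talk to telnet/IRC-style ports or send at an unusually high packet rate. The capture lines are constructed, and the 192.168.1.x LAN prefix and the 50 pkt/s threshold are assumptions.

```python
import re
from collections import defaultdict

# Ports the comment singles out: botnet control channels are often telnet- or IRC-like.
SUSPICIOUS_PORTS = {23: "telnet", 2323: "telnet-alt", 6667: "irc", 6697: "irc-tls"}

# One line of `tcpdump -n -tt` TCP/UDP output: epoch time, src.port > dst.port
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)

def analyze(capture_text, lan_prefix="192.168.1.", pps_threshold=50.0):
    """Per-device outbound stats; flags telnet/IRC-style ports and sustained high packet rates."""
    stats = defaultdict(lambda: {"packets": 0, "first": None, "last": None, "ports": set()})
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["src"].startswith(lan_prefix):
            continue  # only packets sent by LAN devices are of interest here
        ts, dport = float(m["ts"]), int(m["dport"])
        s = stats[m["src"]]
        s["packets"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        if dport in SUSPICIOUS_PORTS:
            s["ports"].add(SUSPICIOUS_PORTS[dport])
    report = {}
    for ip, s in stats.items():
        duration = max(s["last"] - s["first"], 1.0)  # never divide by a near-zero window
        pps = s["packets"] / duration
        reasons = sorted(f"{name} port" for name in s["ports"])
        if pps > pps_threshold:
            reasons.append(f"high rate ({pps:.0f} pkt/s)")
        report[ip] = {"packets": s["packets"], "pps": pps, "reasons": reasons}
    return report

# Constructed sample in tcpdump -n -tt format, not a real capture; 192.168.1.x is the assumed LAN.
SAMPLE_CAPTURE = """\
1478000000.100000 IP 192.168.1.20.51000 > 93.184.216.34.443: Flags [P.], seq 1:518, length 517
1478000000.400000 IP 93.184.216.34.443 > 192.168.1.20.51000: Flags [P.], seq 1:1401, length 1400
1478000000.500000 IP 192.168.1.42.40001 > 198.51.100.7.6667: Flags [P.], seq 1:49, length 48
1478000000.600000 IP 192.168.1.42.40002 > 198.51.100.9.23: Flags [S], seq 0, length 0
"""
# A chatty device: 120 outbound SYNs inside one second, the "requests/second" clue from the comment.
SAMPLE_CAPTURE += "".join(
    f"1478000001.{i * 8000:06d} IP 192.168.1.77.{50000 + i} > 203.0.113.{i % 5 + 1}.80: Flags [S], length 0\n"
    for i in range(120)
)
```

Run `analyze(SAMPLE_CAPTURE)` and print the result to see the per-device summary; on a real router you would feed it the output of `tcpdump -n -tt` instead of the constructed sample.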


> For non-technical users, ... routers ... packets ... UPnP ... SSH ... tcpdump ... wireshark ... protocol ... telnet ... IRC ... plain text commands ...

I think you unintentionally helped to cement GP's point. There is a huge opportunity for some kind of little box - vetted/certified or even insured - that non-technical users can plug in, click Next > Next > Finish, and be notified when any device on their home network starts acting suspicious.

Precisely. Users need something as simple as Malwarebytes where they just need to click the big 'Scan' button and after a few minutes it will say "Your living room ceiling fan is running a potentially unwanted program (bitcoinminer), your freezer is infected with a virus, your garage door opener is participating in a botnet, and your fitbit has a rootkit. Click here to quarantine and disinfect everything. Click here to repeat this scan daily and notify you if anything new shows up."

End users would expect that such a thing should be simple. But of course it's not (would need to work with any device running any OS with any interface). First we would need some sort of standard protocol for it. But a standard protocol that lets an external agent determine what software is running on any device could potentially be dangerous...

Well, you wouldn't necessarily need to determine what software is running on any device to quarantine it. However, what would be helpful would be some kind of central registry of botnet traffic signatures so that the scanner could use something more than just traffic volume.

This is not an easy problem.

You need a lot of data and a lot of current regularly updated information about websites being attacked or current known CnC servers. Also, there is a privacy aspect, so you can't send a lot of the data or even hashes of things to the cloud.

Such solutions might be more appropriate for workplaces in large companies and they already have things like SRX firewalls that have DDoS features.

How about a simple list of devices and a way to limit bandwidth per device, with sensible defaults (very few IOT devices will need more than 100k/s, the main exception is video cameras). It can allow "burst" bandwidth but limit, say, the total used per six hours.

Disclaimer: this is off the top of my head, there may be reasons it would fail.

I'm so tired of this. We live in a highly technical world and people should learn the basics. One of the reasons we are having this situation is because people don't understand their things.