by hysterix 4183 days ago
The reply to your question is already on point. There is a sickening amount of open systems on the net. I know zee used tens of thousands of routers as only some of his DDoS tools. I also know of dudes who wrote custom scripts specifically for zee's DDoSing: they would scan for incoming connections matching whatever signature was identified at the time, automatically connect to the router using whatever exploit to get in, change the root password and restart it.

Zee got his net taken away from him numerous times for hitting the wrong people.

But yes, in a nutshell, the digital world is mostly unprotected, open and unlocked houses, with little pockets of protected castles here and there, and some locked houses too.


I wonder what the payoff is for running a script to secure the CentOS box you just rooted versus leaving it open to additional attacks. On one hand, you have potential loss of your work due to disruption of services leading to someone noticing and re-imaging the box. On the other hand, I don't particularly like sharing with randoms.

It also makes me wonder if optimized command and control networks have been developed. Most of the code I see floating around public drops goes to very little effort to conceal data exfil, if it even makes an effort to identify data to exfil at all. This seems like a real waste given that some large percentage of machines you steal are likely worth more than just their cpu time and bandwidth. Obviously the more code you run, the higher your chances of detection, but it seems like a huge creative space. How do I find interesting files without tripping all the alarms? How do I efficiently take over someone else's LSM hooks?

They're likely just band-aid patching the exact hole they use to get in, rather than securing the whole system.
By incoming connections, do you mean web visitors who fell victim to CSRF/XSS exploits in their router management web panels? Or was he hijacking routers another way?
I don't know if zee gained any skill over time, but I believe he simply used public exploits.

So, for example, remote command injection vulns:

http://en.1337day.com/exploit/description/20598

http://en.1337day.com/exploit/description/20602

http://en.1337day.com/exploit/description/20671

Then it is just a matter of figuring out where these routers are, and then writing a few scripts to exploit and command them en masse. I don't think CSRF/XSS would net him the vast numbers he'd need to make a significant DDoS.

And to more specifically answer your question, by "incoming connections" I mean monitoring the DDoS via netstat on a box zee was actively attacking.
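The "monitoring the DDoS via netstat" step above is the defender's half of what that comment describes: dump the connection table on the box under attack and aggregate it by remote host to see which sources are flooding you. The following is an added example, not code from the thread or from anyone mentioned in it; the netstat dump and the addresses in it are constructed, and the SYN_RECV threshold is an arbitrary assumption for illustration.

```python
"""Aggregate a `netstat -ntu` dump by remote host to spot flood sources.

Added example. SAMPLE_NETSTAT is a constructed dump using documentation
prefixes (203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24, 2001:db8::/32);
none of the addresses are real attack sources.
"""
import re
from collections import Counter

# Constructed sample of `netstat -ntu` output on the attacked host.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 203.0.113.10:80         198.51.100.7:51234      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51235      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.7:51236      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.9:40001      SYN_RECV
tcp        0      0 203.0.113.10:80         198.51.100.9:40002      SYN_RECV
tcp        0      0 203.0.113.10:22         192.0.2.55:60123        ESTABLISHED
tcp6       0      0 2001:db8::1:443         2001:db8:ffff::9:44321  SYN_RECV
udp        0      0 203.0.113.10:53         192.0.2.56:4000
"""

# proto, recv-q, send-q, local, foreign, optional state (UDP lines have none)
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)(?:\s+(\S+))?")


def split_host_port(addr):
    """Split 'host:port'; rpartition keeps IPv6 hosts with embedded colons intact."""
    host, _, port = addr.rpartition(":")
    return host, port


def parse_netstat(text):
    """Return (proto, local_host, remote_host, remote_port, state) per connection line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # header lines and anything unparseable are skipped
            continue
        proto, local, remote, state = m.groups()
        lhost, _ = split_host_port(local)
        rhost, rport = split_host_port(remote)
        rows.append((proto, lhost, rhost, rport, state or ""))
    return rows


def top_sources(rows, min_conns=2, state=None):
    """Count connections per remote host (optionally only those in `state`),
    most frequent first, dropping hosts below `min_conns`."""
    counts = Counter(r[2] for r in rows if state is None or r[4] == state)
    return [(host, n) for host, n in counts.most_common() if n >= min_conns]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    # Half-open connections piling up from the same hosts is the SYN-flood signature.
    for host, n in top_sources(rows, min_conns=2, state="SYN_RECV"):
        print(f"{host:<24} {n} half-open connections")
```

On a live box you would pipe `netstat -ntu` (or `ss -ntu`, whose column layout differs) into `parse_netstat` and watch the top of the list over a few samples; a single snapshot of a busy server will always show some hosts with several connections, so the thresholds need tuning to the host's normal traffic.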

Well, problem is those vulns require either the attacker to share or control the victim's LAN in some way, or the router's management panel to be exposed to the Internet (which is usually not the default for the vast majority of consumer routers).

For cases where they're remotely exposed, just about anyone can scan the Internet and try to exploit these routers. I'm sure he was doing that, but I'm sure hundreds or thousands of other people were as well.

When combined with something like a CSRF, you can use those exploits against a victim even if their router is locked down (only listening on LAN, strong admin password). All they need to do is visit a site you control, without something like NoScript. If the admin password is not guessable, then they'd need to have an active login session. That can be circumvented if the router has an auth bypass vuln, which has been found in at least a few models.

Also, I believe a lot of routers can be used for DDoSing without exploiting or compromising them at all if they're exposing SSDP (UPnP). SSDP reflection, possibly combined with NTP reflection, is likely how Lizard Squad launched their DDoS attacks.

P.S. I know you and have talked to you (and Zee and some others), briefly, on some IRC networks long ago.
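The SSDP reflection mentioned above leaves a simple signature at the victim: lots of UDP traffic arriving from source port 1900 on many different hosts, with little or no matching M-SEARCH traffic going out to port 1900. The following is an added example that flags that pattern from flow-style records; it is not code from the thread or from anyone in it, the flow tuples are constructed, and the reflector-count and amplification thresholds are arbitrary assumptions.

```python
"""Flag SSDP (UDP/1900) reflection from simple flow records.

Added example. FLOWS is a constructed list of
(src_ip, src_port, dst_ip, dst_port, bytes) tuples using documentation
address ranges; the thresholds are illustrative, not tuned values.
"""
from collections import defaultdict

SSDP_PORT = 1900

FLOWS = [
    # Victim 203.0.113.10 receives large SSDP replies it never asked for.
    ("198.51.100.20", SSDP_PORT, "203.0.113.10", 80, 1200),
    ("198.51.100.21", SSDP_PORT, "203.0.113.10", 80, 1150),
    ("198.51.100.22", SSDP_PORT, "203.0.113.10", 80, 1300),
    ("198.51.100.23", SSDP_PORT, "203.0.113.10", 80, 1180),
    # Benign discovery: one host sends an M-SEARCH and gets one reply back.
    ("192.0.2.5", 50000, "192.0.2.9", SSDP_PORT, 100),
    ("192.0.2.9", SSDP_PORT, "192.0.2.5", 50000, 400),
]


def ssdp_reflection_report(flows, min_reflectors=3, min_ratio=10.0):
    """Return {victim_ip: stats} for hosts receiving SSDP replies from at least
    `min_reflectors` distinct sources with bytes-in / bytes-out >= `min_ratio`.
    A host that sent no SSDP queries at all gets an infinite ratio."""
    inbound = defaultdict(lambda: {"bytes": 0, "reflectors": set()})
    outbound = defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if sport == SSDP_PORT:          # reply traffic towards `dst`
            inbound[dst]["bytes"] += nbytes
            inbound[dst]["reflectors"].add(src)
        if dport == SSDP_PORT:          # query traffic from `src`
            outbound[src] += nbytes

    report = {}
    for host, info in inbound.items():
        sent = outbound.get(host, 0)
        ratio = info["bytes"] / sent if sent else float("inf")
        if len(info["reflectors"]) >= min_reflectors and ratio >= min_ratio:
            report[host] = {
                "reflectors": len(info["reflectors"]),
                "bytes_in": info["bytes"],
                "amplification": ratio,
            }
    return report


if __name__ == "__main__":
    for victim, stats in ssdp_reflection_report(FLOWS).items():
        print(f"{victim}: {stats['reflectors']} reflectors, "
              f"{stats['bytes_in']} bytes in, x{stats['amplification']}")
```

The same shape works for the NTP reflection the comment pairs it with (replace the port with 123 and watch for monlist-sized replies); the key signal in both cases is many distinct reflectors plus a lopsided in/out byte ratio, not the packet count alone.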

If that was the case, people running SSDP (and other UDP service) honeypots would no doubt have noticed the massive increase in traffic.
Of course. I was just speculating based on the comment about using routers to DDoS; I don't know if an uptick was actually observed during the outage. I know SSDP has been the hip new thing for the past few months though.

If that's not the case, mind giving any hints?

The majority of our bandwidth does not come from these so-called "reflection attacks", but is in fact "real" bandwidth.

We are using actual 0days to compromise the (about 100k-150k) servers we have.

I'm actually rather excited for the eventual technical analysis of our net by someone with actual technical competence. It might end up causing quite a bit of noise.