DOS attack via IOT - boundaries of internet?

[Stephen Tashi]

The recent news about a denial-of-service attack (DOS) that came via the internet-of-things (IOT) https://www.cnet.com/how-to/ddos-iot-connected-devices-easily-hacked-internet-outage-webcam-dvr/ brings up the question: How are the boundaries between "the internet" and other forms digital wireless communication implemented? For example, I assume that my (cheap) indoor-outdoor digital thermometer uses some form of wireless digital communication that is not part of "the internet".

We could imagine a science-fiction scenario where thousands of small physical devices are smuggled into a country and used to attack the internet via the IOT thus by-passing efforts to secure the web by securing legitimate consumer products that are on the IOT. Is that scenario based on a misunderstanding of how the boundaries of the "the internet" are implemented?

 

[Borg]

Thousands of IOT devices would be a drop in the bucket compared to the millions that are part of the drone network. Manufacturers need to stop allowing any form of default or weak passwords so that people won't be able to put unsecured devices on the internet.

 

[russ_watters]

I'm not completely clear about the thrust of your question, but in order for a device to attack a website/service on the the internet, the device has to be connected to the internet. So I guess that's the "boundary" (though the word makes no sense to me in this context). Just bringing a bunch of devices into the country doesn't mean they can do anything if they aren't connected to the Internet.

 

[Stephen Tashi]

Just bringing a bunch of devices into the country doesn't mean they can do anything if they aren't connected to the Internet.

My question amounts to: What capability must a device have in order to be "connected to the internet" ?

 

[russ_watters]

Thousands of IOT devices would be a drop in the bucket compared to the millions that are part of the drone network. Manufacturers need to stop allowing any form of default or weak passwords so that people won't be able to put unsecured devices on the internet.

Yeah, that seems like a pretty easy fix to me. Verizon's router/modem/switches, for example, have a unique/legitimate password pre-coded into the device and printed on a sticker on the side. To sell a router/modem/switch with a default "Admin" and "Password" account is just really stupid/lazy.

 

[russ_watters]

My question amounts to: What capability must a device have in order to be "connected to the internet" ?

A wire or wifi or cell phone transmitter/receiver and something to connect to that is connected to the internet and allows the connection.

I'm maybe a bit confused about your level of knowledge here: what sort of device are you using to make these posts? A computer? A cell phone? Don't you know how they connect to the internet?

 

[Stephen Tashi]

Thousands of IOT devices would be a drop in the bucket compared to the millions that are part of the drone network.

I agree, but what's an estimate for the number of devices that participated in the recent DOS attack ?

 

[Borg]

I agree, but what's an estimate for the number of devices that participated in the recent DOS attack ?

Hard to say but it was definitely in the millions given the amount of requests that were hammering the servers.

 

[Stephen Tashi]

A computer? A cell phone? Don't you know how they connect to the internet?

No, I don't know exactly.

For example, I think there is an agreement among manufacturers of ethernet devices that gives each device a unique MAC address. But I don't know that there is any enforcement in the implementation of the internet that can detect if the MAC address that a device claims to have is one assigned by a legitimate manufacturer.

 

[russ_watters]

No, I don't know exactly.

Let's start very basic: What kind of device are you using to make these posts?

 

[Stephen Tashi]

Hard to say but it was definitely in the millions given the amount of requests that were hammering the servers.

The biggest "published" estimate that I've seen is "at least 150,000" - e.g. http://securityaffairs.co/wordpress/51726/cyber-crime/ovh-hit-botnet-iot.html But what's a reliable source ?

 

[Stephen Tashi]

Let's start very basic: What kind of device are you using to make these posts?

No, Let's not start that basic !

 

[russ_watters]

No, Let's not start that basic !

We're going to have to. Because you are saying things that imply you don't have even a basic understanding of what it means for a device to be connected to the internet.

My parents had a similar problem that they seemed to get over (I'm not totally convinced though): after they stopped using AOL, they were confused by the fact that when they turned on their computer, they didn't have to start a separate program to "log on" to the internet. They didn't understand what happened when they turned on their computer to make it connect, nor the fact that their computer was always connected to the internet when on.

 

[Borg]

The biggest "published" estimate that I've seen is "at least 150,000" - e.g. http://securityaffairs.co/wordpress/51726/cyber-crime/ovh-hit-botnet-iot.html But what's a reliable source ?

I didn't have any documented source. That's an order smaller than I would have thought given the request volume.

 

[Stephen Tashi]

We're going to have to. Because you are saying things that imply you don't have even a basic understanding of what it means for a device to be connected to the internet.

What things have I said about "what it means for a device to be connected to the internet"? I've hardly said anything at all about it.

 

[russ_watters]

What things have I said about "what it means for a device to be connected to the internet"? I've hardly said anything at all about it.

Most of what you have said:
-The thing about your wireless thermometer
-The "science fiction scenario"
-Bringing up MAC addresses (putting the cart before the horse and misunderstanding how the cart works).

In my previous post, I mentioned my parents' issues on the subject. I suspect yours are the opposite (judging by the thermometer issue): you are young enough that you don't remember when the internet didn't exist and devices weren't automatically connected to it, so you have never had to deal with the issue of what it means and what the difference is between devices that are and aren't connected. And that's fine.

Look, you started this thread asking for help, and now instead of helping me help you, you are arguing with me about how much help you need. So do you want help or not?

 

[Stephen Tashi]

Most of what you have said:
-The thing about your wireless thermometer

What "thing"? I said my cheap wireless thermometer does not communicate with the internet. Are you saying it does?

-The "science fiction scenario"

Are you implying it is infeasible?

-Bringing up MAC addresses (putting the cart before the horse and misunderstanding how the cart works).

What "cart" and what "horse" are you referring to?

Look, you started this thread asking for help, and now instead of helping me help you, you are arguing with me about how much help you need. So do you want help or not?

No, I don't need your help.

 

[russ_watters]

No, I don't need your help.

Fair enough. good luck to you!

Jeesh!

 

[StevieTNZ]

Yeah, that seems like a pretty easy fix to me. Verizon's router/modem/switches, for example, have a unique/legitimate password pre-coded into the device and printed on a sticker on the side. To sell a router/modem/switch with a default "Admin" and "Password" account is just really stupid/lazy.

I'm sure the instructions state to change this information. If the user does not, well... I don't think you'll pass the (I hope, and wish there was one) computer literacy test before even buying a computer.

With regards to the DDoS attack, how does one even stop it and get the servers back to working order?

 

[russ_watters]

I'm sure the instructions state to change this information. If the user does not, well... I don't think you'll pass the (I hope, and wish there was one) computer literacy test before even buying a computer.

While I agree, this isn't just about the stupidity of one (or a million individual) computer users, it's about the societal cost of a design that should be impervious to that stupidity.

 

[zoobyshoe]

I'm curious to know if any of you had any problem with the allegedly affected sites that day.

According to the news, this attack had spread here to the south west coast later that day, but I'm not aware of anyone who was affected by it.