DOS attack via IOT - boundaries of internet?

  • Thread starter: Stephen Tashi
  • Tags: Dos, Internet
AI Thread Summary
The discussion centers around the implications of a recent distributed denial-of-service (DDoS) attack that exploited Internet of Things (IoT) devices, raising questions about the boundaries between the internet and other forms of wireless communication. Participants explore how devices like digital thermometers may not connect to the internet, highlighting the necessity for devices to have specific capabilities, such as a transmitter/receiver, to be considered "connected." There is a consensus on the need for manufacturers to eliminate default or weak passwords to prevent unsecured devices from being exploited. The conversation also touches on the scale of the DDoS attack, with estimates suggesting millions of devices were involved, and the challenges of securing networks against such threats. Additionally, there are discussions about the importance of user education regarding device connectivity and the societal implications of design flaws that allow for such vulnerabilities.
Stephen Tashi
The recent news about a denial-of-service attack (DOS) that came via the internet-of-things (IOT) https://www.cnet.com/how-to/ddos-iot-connected-devices-easily-hacked-internet-outage-webcam-dvr/ brings up the question: How are the boundaries between "the internet" and other forms of digital wireless communication implemented? For example, I assume that my (cheap) indoor-outdoor digital thermometer uses some form of wireless digital communication that is not part of "the internet".

We could imagine a science-fiction scenario where thousands of small physical devices are smuggled into a country and used to attack the internet via the IOT, thus by-passing efforts to secure the web by securing legitimate consumer products that are on the IOT. Is that scenario based on a misunderstanding of how the boundaries of "the internet" are implemented?
 
Thousands of IOT devices would be a drop in the bucket compared to the millions that are part of the drone network. Manufacturers need to stop allowing any form of default or weak passwords so that people won't be able to put unsecured devices on the internet.
 
I'm not completely clear about the thrust of your question, but in order for a device to attack a website/service on the internet, the device has to be connected to the internet. So I guess that's the "boundary" (though the word makes no sense to me in this context). Just bringing a bunch of devices into the country doesn't mean they can do anything if they aren't connected to the Internet.
 
russ_watters said:
Just bringing a bunch of devices into the country doesn't mean they can do anything if they aren't connected to the Internet.

My question amounts to: What capability must a device have in order to be "connected to the internet"?
 
Borg said:
Thousands of IOT devices would be a drop in the bucket compared to the millions that are part of the drone network. Manufacturers need to stop allowing any form of default or weak passwords so that people won't be able to put unsecured devices on the internet.
Yeah, that seems like a pretty easy fix to me. Verizon's router/modem/switches, for example, have a unique/legitimate password pre-coded into the device and printed on a sticker on the side. To sell a router/modem/switch with a default "Admin" and "Password" account is just really stupid/lazy.
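
The contrast drawn in the post above (a unique password per unit printed on a sticker, versus a shared "Admin"/"Password" login) can be checked at provisioning time. The following is an added example, not part of the thread or any vendor's code; the inventory format, function names and the extra deny-list entries are assumptions made for illustration.

```python
import secrets
from collections import Counter

# Factory logins to refuse. ("admin", "password") is the pair named in the
# post above; the other entries are constructed for this example.
FACTORY_DEFAULTS = {("admin", "password"), ("admin", "admin"), ("root", "root")}

# Label-friendly alphabet: 0/O and 1/l/I are left out because they misread in print.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789"


def provision_password(length=16):
    """Random per-unit password from the OS CSPRNG (16 chars is about 92 bits)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_factory_default(user, password):
    """Case-insensitive match against the deny list of shared factory logins."""
    return (user.lower(), password.lower()) in FACTORY_DEFAULTS


def audit(inventory):
    """Map serial -> reasons the unit should not ship or be exposed."""
    reuse = Counter(unit["password"] for unit in inventory)
    findings = {}
    for unit in inventory:
        reasons = []
        if is_factory_default(unit["user"], unit["password"]):
            reasons.append("factory default")
        if reuse[unit["password"]] > 1:
            reasons.append("password reused across units")
        if reasons:
            findings[unit["serial"]] = reasons
    return findings


# Constructed sample inventory (serials and passwords are made up).
SAMPLE_INVENTORY = [
    {"serial": "SN-0001", "user": "Admin", "password": "Password"},
    {"serial": "SN-0002", "user": "admin", "password": "Kq7mZp2RtW9xHc4N"},
    {"serial": "SN-0003", "user": "admin", "password": "Kq7mZp2RtW9xHc4N"},
    {"serial": "SN-0004", "user": "admin", "password": provision_password()},
]

if __name__ == "__main__":
    for serial, reasons in audit(SAMPLE_INVENTORY).items():
        print(serial, "->", ", ".join(reasons))
```

Only SN-0004, whose password was generated per unit, passes the audit; a password that is strong but identical on every unit is flagged just like the factory default.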
 
Stephen Tashi said:
My question amounts to: What capability must a device have in order to be "connected to the internet"?
A wire or wifi or cell phone transmitter/receiver and something to connect to that is connected to the internet and allows the connection.

I'm maybe a bit confused about your level of knowledge here: what sort of device are you using to make these posts? A computer? A cell phone? Don't you know how they connect to the internet?
 
Borg said:
Thousands of IOT devices would be a drop in the bucket compared to the millions that are part of the drone network.

I agree, but what's an estimate for the number of devices that participated in the recent DOS attack?
 
Stephen Tashi said:
I agree, but what's an estimate for the number of devices that participated in the recent DOS attack?
Hard to say but it was definitely in the millions given the amount of requests that were hammering the servers.
 
russ_watters said:
A computer? A cell phone? Don't you know how they connect to the internet?

No, I don't know exactly.

For example, I think there is an agreement among manufacturers of ethernet devices that gives each device a unique MAC address. But I don't know that there is any enforcement in the implementation of the internet that can detect if the MAC address that a device claims to have is one assigned by a legitimate manufacturer.
 
  • #10
Stephen Tashi said:
No, I don't know exactly.
Let's start very basic: What kind of device are you using to make these posts?
 
  • #12
russ_watters said:
Let's start very basic: What kind of device are you using to make these posts?

No, let's not start that basic!
 
  • #13
Stephen Tashi said:
No, let's not start that basic!
We're going to have to. Because you are saying things that imply you don't have even a basic understanding of what it means for a device to be connected to the internet.

My parents had a similar problem that they seemed to get over (I'm not totally convinced though): after they stopped using AOL, they were confused by the fact that when they turned on their computer, they didn't have to start a separate program to "log on" to the internet. They didn't understand what happened when they turned on their computer to make it connect, nor the fact that their computer was always connected to the internet when on.
 
  • #15
russ_watters said:
We're going to have to. Because you are saying things that imply you don't have even a basic understanding of what it means for a device to be connected to the internet.

What things have I said about "what it means for a device to be connected to the internet"? I've hardly said anything at all about it.
 
  • #16
Stephen Tashi said:
What things have I said about "what it means for a device to be connected to the internet"? I've hardly said anything at all about it.
Most of what you have said:
-The thing about your wireless thermometer
-The "science fiction scenario"
-Bringing up MAC addresses (putting the cart before the horse and misunderstanding how the cart works).

In my previous post, I mentioned my parents' issues on the subject. I suspect yours are the opposite (judging by the thermometer issue): you are young enough that you don't remember when the internet didn't exist and devices weren't automatically connected to it, so you have never had to deal with the issue of what it means and what the difference is between devices that are and aren't connected. And that's fine.

Look, you started this thread asking for help, and now instead of helping me help you, you are arguing with me about how much help you need. So do you want help or not?
 
  • #17
russ_watters said:
Most of what you have said:
-The thing about your wireless thermometer
What "thing"? I said my cheap wireless thermometer does not communicate with the internet. Are you saying it does?

-The "science fiction scenario"
Are you implying it is infeasible?
-Bringing up MAC addresses (putting the cart before the horse and misunderstanding how the cart works).
What "cart" and what "horse" are you referring to?

Look, you started this thread asking for help, and now instead of helping me help you, you are arguing with me about how much help you need. So do you want help or not?

No, I don't need your help.
 
  • #18
Stephen Tashi said:
No, I don't need your help.
Fair enough. Good luck to you!

Jeesh!
 
  • #19
russ_watters said:
Yeah, that seems like a pretty easy fix to me. Verizon's router/modem/switches, for example, have a unique/legitimate password pre-coded into the device and printed on a sticker on the side. To sell a router/modem/switch with a default "Admin" and "Password" account is just really stupid/lazy.
I'm sure the instructions state to change this information. If the user does not, well... I don't think you'll pass the (I hope, and wish there was one) computer literacy test before even buying a computer.

With regards to the DDoS attack, how does one even stop it and get the servers back to working order?
 
  • #20
StevieTNZ said:
I'm sure the instructions state to change this information. If the user does not, well... I don't think you'll pass the (I hope, and wish there was one) computer literacy test before even buying a computer.
While I agree, this isn't just about the stupidity of one (or a million individual) computer users, it's about the societal cost of a design that should be impervious to that stupidity.
 
  • #21
I'm curious to know if any of you had any problem with the allegedly affected sites that day.

According to the news, this attack had spread here to the south west coast later that day, but I'm not aware of anyone who was affected by it.
 
