IoT botnets and DDoS attacks have prominent lawmakers asking government agencies some probing questions about what can be done.
Sen. Mark Warner (D-VA) on Tuesday sent a letter to the Federal Communications Commission—as well as the Federal Trade Commission and Homeland Security—asking, among other things, whether ISPs have legal standing to boot insecure connected devices from their networks. Warner wrote:
“Under the Federal Communications Commission’s (FCC’s) Open Internet rules, ISPs cannot prohibit the attachment of ‘non-harmful devices’ to their networks. It seems entirely reasonable to conclude under the present circumstances, however, that devices with certain insecure attributes could be deemed harmful to the ‘network’ – whether the ISP’s own network or the networks to which it is connected. While remaining vigilant to ensure that such prohibitions do not serve as a pretext for anticompetitive or exclusionary behavior, I would encourage regulators to provide greater clarity to internet service providers in this area.”
Last Friday’s DDoS attack against DNS provider Dyn was the final straw after a stretch of similar attacks in which connected things were amassed in giant botnets to flood targets with an overwhelming amount of traffic.
Warner, who heads the Senate Cybersecurity Caucus, called out the Mirai malware in particular as the weapon of choice used by hackers to gather IP-enabled cameras, DVRs and home networking gear into botnets.
“Mirai’s efficacy depends, in large part, on the unacceptably low level of security inherent in a vast array of network devices,” Warner wrote in his letter to FCC Chairman Tom Wheeler.
Mirai scans the Internet for connected devices and uses a hardcoded array of weak or known default credentials to access the devices, compromise them and force them to communicate with a dynamic command and control infrastructure. Mirai, experts believe, was not the only botnet involved in Friday’s attacks, which impacted Internet service on the East Coast and left sites such as Twitter, Reddit, Netflix and others unreachable at different times during the day.
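The scanning behavior described above leaves a recognizable footprint on any device that logs its telnet logins: a single source trying many different usernames in quick succession, sometimes followed by a success. The following detector is an added example written for this article, not code from Warner's letter, Dyn, Flashpoint or the Mirai source; it parses constructed syslog-style lines (the `telnetd` message format is assumed, as are the sample addresses) and flags sources whose failed-login pattern looks like a default-credential sweep, marking whether a successful login followed within the same window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log from a hypothetical Linux-based home gateway. The
# message format is an assumption for this example; real devices differ.
SAMPLE_LOG = """\
Oct 21 11:40:01 gateway telnetd[812]: login failed for user 'root' from 198.51.100.23
Oct 21 11:40:02 gateway telnetd[812]: login failed for user 'admin' from 198.51.100.23
Oct 21 11:40:02 gateway telnetd[812]: login failed for user 'support' from 198.51.100.23
Oct 21 11:40:03 gateway telnetd[812]: login failed for user 'user' from 198.51.100.23
Oct 21 11:40:04 gateway telnetd[812]: login failed for user 'guest' from 198.51.100.23
Oct 21 11:40:05 gateway telnetd[812]: login failed for user 'service' from 198.51.100.23
Oct 21 11:40:07 gateway telnetd[812]: login succeeded for user 'root' from 198.51.100.23
Oct 21 11:52:30 gateway telnetd[812]: login failed for user 'alice' from 192.0.2.10
Oct 21 11:52:41 gateway telnetd[812]: login succeeded for user 'alice' from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for user '(?P<user>[^']*)' from (?P<src>[\d.]+)$"
)


def parse_line(line, year=2016):
    """Parse one telnetd login line into a dict, or return None if it does not match.
    Syslog lines carry no year, so the caller supplies one (2016 here: the Dyn attack)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_credential_sweeps(log_text, window=timedelta(minutes=5),
                             min_failures=5, min_users=3):
    """Return one alert per source that produced >= min_failures failed logins
    across >= min_users distinct usernames inside a sliding time window.
    A legitimate user mistyping one password does not trip the distinct-user bar."""
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_src[ev["src"]].append(ev)

    alerts = []
    for src, events in events_by_src.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "failed"]
        for i, first in enumerate(failures):
            window_end = first["ts"] + window
            in_window = [e for e in failures[i:] if e["ts"] <= window_end]
            users = {e["user"] for e in in_window}
            if len(in_window) >= min_failures and len(users) >= min_users:
                # A success inside the window after a sweep suggests a default
                # credential worked: treat the device as likely compromised.
                success_after = any(
                    e["result"] == "succeeded" and first["ts"] <= e["ts"] <= window_end
                    for e in events
                )
                alerts.append({
                    "src": src,
                    "window_start": first["ts"],
                    "failed_attempts": len(in_window),
                    "distinct_users": len(users),
                    "success_after_sweep": success_after,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_sweeps(SAMPLE_LOG):
        print(alert)
```

Tuning note: the thresholds are deliberately low because an IoT device rarely sees interactive telnet logins at all; on a host that does, raise `min_failures` or shorten `window`. The more durable fix is the one the article goes on to describe for the affected gear: change the default credentials and close the telnet port, after which this detector has nothing to report.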
“The weak security of many of the new connected consumer devices provides an attractive target for attackers, leveraging the bandwidth and processing power of millions of devices, many of them with few privacy or security measures, to swamp internet sites and servers with an overwhelming volume of traffic,” Warner said. “I am interested in a range of expert opinions and meaningful action on new and improved tools to better protect American consumers, manufacturers, retailers, Internet sites and service providers.”
The Mirai malware has made short work of Chinese manufacturer Hangzhou Xiongmai’s gear; many of the bots it has recruited were built with white-label circuit boards from the company that contain a known default credential that was found among the malware’s hardcoded credentials. The company has recalled the equipment and reminded users to change the default credentials and apply an April 2015 firmware update that closed off an open telnet port.
“Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback, or liability concerns, I am deeply concerned that we are witnessing a ‘tragedy of the commons’ threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none,” Warner wrote. “Further, buyers have little recourse when, despite their best efforts, security failures occur.”
Warner concluded his letter with a list of nine questions he wants answered by Wheeler, as well as by the FTC and DHS. The first and most prominent asks what network management practices ISPs have available to respond to DDoS attacks, and whether Mirai-infected devices warrant a response from ISPs that includes denying them access to the public network.
Yesterday, researchers at Flashpoint said that with “moderate confidence” they believe that script kiddies were behind Friday’s DDoS attack, rather than a politically motivated entity. That conclusion was echoed by Director of National Intelligence James Clapper during testimony Tuesday at the Council on Foreign Relations.
Flashpoint said it believes the attackers are related to the Hackforums community where the Mirai malware’s source code was made public. Further supporting its claim, Flashpoint said the infrastructure used in Friday’s DDoS attack was also used to target a well-known and unnamed video game company.
“While there does not appear to have been any disruption of service, the targeting of a video game company is less indicative of hacktivists, state-actors, or social justice communities, and aligns more with the hackers that frequent online hacking forums,” Flashpoint director of security research Allison Nixon said, adding that the script kiddies likely involved in the attack are less motivated by financial or political gain, and more by notoriety, or to “cause disruption and chaos for sport.”