Laszlo Hanyecz wrote:
What does BCP38 have to do with this?
Your're right. That's not specifically related to *this* attack. Nobody
needs to spoof anything when you've got a zillion fire hoses just lying
around where any 13 year old can command them from the TRS 80 in his mom's
basement. (I've seen different estimates today. One said there's about
a half million of these things, but I think I saw where Dyn itself put
the number of unique IPs in the attack at something like ten million.)
I just threw out BCP 38 as an example of something *very* minimal that
the collective Internet, if it had any brains, would have made de rigueur
for everyone ten+ years ago. BCP 38 is something that I personally view
as a "no brainer", that is already widely accepted as being necessary,
and yet is a critical security step that some (many?) are still resisting.
So, it's like "Well, if the Internet-at-large can't even do *this* simple
and relatively non-controversial thing, then we haven't got a prayer in
hell of ever seeing a world-wide determined push to find and neutralize
all of these bloody damn stupid CCTV things. And when the day comes when
somebody figures out how to remotely pop a default config Windoze XP
box... boy oh boy, will *that* be a fun day... NOT! Because we're not
ready. Nobody's ready. Except maybe DoD, and I'm not even taking bets
on that one."
I didn't intend to focus on BCP 38. Everybody knows that's only one
thing, designed to deal with just one part of the overall problem. The
overall problem, in my view, is the whole mindset which says "Oh, we
just connect the wires. Everything else is somebody else's problem."
Ok, so this mailing list is a list of network operators. Swell. Every
network operator who can do so, please raise your hand if you have
*recently* scanned you own network and if you can -honestly- attest
that you have taken all necessary steps to insure that none of the
numerous specific types of CCVT thingies that Krebs and others identified
weeks or months ago as being fundamentally insecure can emit a single
packet out onto the public Internet.
And, cue the crickets...
Recent events, like the Krebs DDoS and the even bigger OVH DDoS, and
today's events make it perfectly clear to even the most blithering of
blithering idiots that network operators, en mass, have to start scanning
their own networks for insecurities. And you'd all better get on that,
not next fiscal year or even next quarter, but right effing now, because
the next major event is right around the corner. And remember, *you*
may not be scanning your networks for easily pop'able boxes, but as we
should all be crystal clear on by now, that *does not* mean that nobody
else is doing so.
Regards,
rfg
P.S. The old saying is that idle hands are the devil's playground. In
the context of the various post-invasion insurgancies, etc., in Iraq, is
is often mentioned that it was a somewhat less than a brilliant move for
the U.S. to have disbanded the Iraq army, thereby leaving large numbers
of trained young men on the streets with no jobs and nothing to do.
To all of the network operators who think that (or argue that) it will
be too expensive to hire professionals to come in an do the work to
scan your networks for known vulnerabilities, I have a simple suggestion.
Go down to your local high school, find the schmuck who teaches the
kids about computers, and ask him for the name of his most clever student.
Then hire that student and put him to work, scanning your network.
As in Iraq, it will be *much* better to have capable young men inside the
tent, pissing out, rather than the other way around.