Massive botnet that appeared overnight is delivering record-size DDoSes

zarmanto

Ars Tribunus Militum
2,773
Who is the unmarked 14.2% in that graph? The wording describes the attack as US 24.4%, Taiwan 17.7%, then jumps down to the UK 6.5%.
Based upon the position of that wedge, I'd speculate that it's "Other" which is a combination of all of the countries that are smaller individually than the smallest wedge in the graph. The way it typically works is: starting at the right edge of 12-o-clock is the biggest figure, getting progressively smaller as you go clockwise around the graph.

The fact that we're only working from a screenshot and not from a live graph with mouseovers makes it harder to tell, admittedly... but that's the general convention. Here is one example of what I mean.
 
Upvote
9 (9 / 0)

magao

Wise, Aged Ars Veteran
198
The Swiss VPN servers for both my (AFAIK completely independent) VPN providers had terrible throughput for about a day in the last 48 hours (and servers in AU and US were unaffected).

Normal behaviour was restored after I upgraded the endpoints on my end, but I've actually come to the conclusion it was most likely a temporary (but fairly long) issue affecting that part of the world (i.e. the issue ended during the ~2 hours I spent working on my endpoints, rather than the upgrades fixing it).

Now I find out it likely coincided with this DDOS. Causality unproven, but it seems possible it may have been a contributing factor.
 
Upvote
1 (1 / 0)
You would think by now that this is just common sense... and yet, it baffles me just how many people blithely drop their IoT cameras and such onto public IP addresses for all the world to see.
I'm still looking for my jaw on the floor after reading the setup guide for one of the open source firewalls suggesting putting IoT and CCTV on the DMZ interface. Even their GUI tells you that the DMZ is for IP cameras and IoT!!! When questioned on the forum, the consensus was "it's separated from LAN therefore it's safe."
 
Upvote
2 (2 / 0)

TheBaconson

Ars Scholae Palatinae
852
This is why you

Never shut off the adblocker ... the internet is unviewable without one these days... it feels like not wearing laser safety glasses around a bunch of kids with green laser pointers.
I’m not trying to be a fanboi as such, but I’m iPhone and my partner is Android, and we were both looking at a cooking recipe the other day, the same one, each on our own phones. When I looked at hers, the amount of ads on the same page was astounding; she doesn’t run ad blockers and I have no idea how she navigates the web like that.
 
Upvote
-1 (2 / -3)
HiSilicon=Huawei=built-in exploits per order of the PRC. Keeping Huawei out of western telecom, out of the tower shacks, was seen as an overreaction by dumb people (unlike myself) back in 2018.
Unfortunately mobile data is slow AF in most of the UK since Huawei was replaced with crap that is 4x the price with 1/3 the bandwidth... sad but true. My local 5G and 4G got de-Huawei'd 2 years ago and my mobile failover gateway slowed down from 140 Mbit to 20-40 Mbit.
 
Upvote
-4 (1 / -5)
I’m not trying to be a fanboi as such, but I’m iPhone and my partner is Android, and we were both looking at a cooking recipe the other day, the same one, each on our own phones. When I looked at hers, the amount of ads on the same page was astounding; she doesn’t run ad blockers and I have no idea how she navigates the web like that.
It baffles me when people claiming to be tech savvy complain about YouTube adverts... it's 5 clicks and 5 keystrokes and they're gone without spending a dime. As a side effect, web pages load 3x faster with half the scrolling, and you don't need to close 20 ads to see the contents.
 
Upvote
-2 (0 / -2)

jpgmeyer

Seniorius Lurkius
2
Subscriptor++
What sorts of amplification, if any, do the DDoS guys achieve these days?

Are we actually talking enough cameras on solid internet connections (that are not under the thumb either of residential ISPs who distrust bandwidth users or of corporate and institutional network operators who distrust anomalous behavior) to deliver a peak 6 Tb/s of traffic upstream; or are there cute amplification tricks that would suggest something more modest?

In most botnet DDoS, amplification isn't a factor: the bots just directly send the traffic to the targets based on the command-and-control (C2) instructions. There is no reflection needed — it's "direct-path".

Most of these devices are on some kind of business broadband connection (which means a stable IP and a decent amount of available upstream bandwidth).
 
Upvote
1 (1 / 0)

adespoton

Ars Legatus Legionis
10,690
One common method is to attempt to log in to device administrator accounts using username/password pairs commonly set as defaults by manufacturers.
Aside from the running of what should be Intranet devices on the Internet,

DOES IT REALLY HAVE TO BE STATED IN 2025 THAT SALES OF EMBEDDED DEVICES WITH DEFAULT ADMIN PASSWORDS SHOULD BE ILLEGAL????

I mean really. Best practices in 2005 were already to have a randomly generated one-time-password unique to each device. With the setup process requiring a secure password be set. By this point, FCC certification should require it.
 
Upvote
2 (2 / 0)
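One way to implement the provisioning flow the comment above asks for (a randomly generated one-time password unique to each device, with setup refusing to complete until a strong replacement is set), as an added example in Python that is not code from any vendor or from the article; the known-default list and the strength rule are constructed assumptions:

```python
import hashlib
import re
import secrets
import string

# Constructed list of factory defaults that setup refuses to accept as the new password.
KNOWN_DEFAULTS = {"admin", "password", "1234", "12345", "123456", "root", "user", ""}
ALPHABET = string.ascii_letters + string.digits


def generate_initial_password(length: int = 16) -> str:
    """Per-device one-time setup password, generated at manufacture and printed on the label."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def password_is_acceptable(candidate: str, initial: str) -> bool:
    """Reject known defaults, the label OTP itself, short passwords and low character variety."""
    if candidate.lower() in KNOWN_DEFAULTS or candidate == initial or len(candidate) < 12:
        return False
    classes = sum(bool(re.search(p, candidate)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes >= 3


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Device:
    def __init__(self, serial: str):
        self.serial = serial
        self.initial_password = generate_initial_password()
        self.salt = secrets.token_bytes(16)
        self.admin_hash = None            # no usable admin credential until setup completes
        self.remote_admin_enabled = False  # stays off until a strong password is set

    def complete_setup(self, presented_otp: str, new_password: str) -> bool:
        """First-boot setup: needs the label OTP and a strong replacement; only then is admin enabled."""
        if self.initial_password is None:  # OTP already consumed; cannot be reused
            return False
        if not secrets.compare_digest(presented_otp.encode(), self.initial_password.encode()):
            return False
        if not password_is_acceptable(new_password, self.initial_password):
            return False
        self.admin_hash = _hash(new_password, self.salt)
        self.initial_password = None
        self.remote_admin_enabled = True
        return True

    def login(self, password: str) -> bool:
        """Admin login fails until setup has completed, so the device never ships with a working default."""
        return self.admin_hash is not None and secrets.compare_digest(_hash(password, self.salt), self.admin_hash)
```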

zarmanto

Ars Tribunus Militum
2,773
I'm still looking for my jaw on the floor after reading the setup guide for one of the open source firewalls suggesting putting IoT and CCTV on the DMZ interface. Even their GUI tells you that the DMZ is for IP cameras and IoT!!! When questioned on the forum, the consensus was "it's separated from LAN therefore it's safe."

The irony herein is that their advice betrays a focus on "litigation mitigation" instead of actual "risk mitigation." Pretty much the entire point of a DMZ is to house network devices that you've decided not to trust. It's somewhat harder to successfully sue a company when their inherently insecure product is inevitably hacked, if that company has already established a paper trail where they specifically instructed users not to trust their products.
 
Upvote
0 (0 / 0)

UnTokenizedTuna

Smack-Fu Master, in training
64
Subscriptor
Spent some time a few years ago trying to source/install NVRs and cams. Tracking down trusted sources of hardware was extremely difficult. And even the ones deemed trusted were sus when you dug into the firmware and/or chips.

I'm sure there are sources, but I finally threw my hands up and sold the customers' accounts when I actually called for some support. I had disabled all visible pre-installed user/admin accounts on the devices. Once on the call with support, the CSR dialed right in to the device without any input from me other than the serial number.
I have started putting my personal devices behind [open source firewall software], with hard blocks on IPs outside the US, for a similar reason as what happened, and what just happened is a good example of hackers/bots using already compromised devices to reroute their efforts.
I have a few different VPN clients, so trying to create an allow list is a nightmare, but I think soon even average end users should be required to learn how to protect their home networks and how to configure exit and entry rules for their home networks, especially as ad services are becoming more pervasive in the US.
 
Upvote
0 (0 / 0)