Internet of Shit, No It's Not Sophisticated

Dyn, “media”, everyone, please stop calling what happened on October 21st a “sophisticated attack.” It’s the Internet equivalent of driving a semi truck through a house at 75MPH. That’s how sophisticated it was. Damaging, absolutely, impressive…Yeah probably. Sophisticated? Hardly. It’d be sophisticated to see that same tractor turning donuts. The Hoonigan‘s are sophisticated. These attackers are just shitty drivers.

From the information disclosed thus far the attack was enacted through well known, well published security holes in a number of devices. Telling the device to “do X” as an authenticated user, using either well known trivial “exploits” or well known default username and passwords. Best practices worked out at the ISP and network provider level can’t really cover this sort of attack. The traffic is *technically* legitimately generated by the device, if nefarious. Maybe we should force devices to properly set the evil bit.

And Schneier, ya stop to think maybe this is just one upmanship and bravado among a few (relatively) independent groups? Before spreading “it feels like a large nation state.” fear mongering line. The behavior we’re seeing tracks well with the overall increasing deployment of Internet of Things devices manufactured by the lowest possible bidder with no care for the damage they cause…sounds a lot like US manufacturing during the industrial revolution. I’d say that what we’re seeing is much more in line with that than any large scale deeply technical thought out probing. More like just a series of toxic waste dumps turning into sinkholes. Or collapsed mineshafts.

Attacks starting small and cranking up to see when things finally break is NOTHING NEW. It might be new to whomever you talked to but the attackers usually don’t want to burn every resource they have on one all out attack…and maybe the attackers are a little afraid of the nuclear level weapon they have at their disposal…more likely though they’re just giggling.

So what would a sophisticated attack be? Shutting Dyn down with narely a whimper. Quietly injecting data into Dyn’s responses to redirect traffic elsewhere and capture user data in the process. Those would be sophisticated attacks. Driving a tractor trailer through the concrete bollards into a storefront is not.

I guess maybe when you don’t know how to drive a truck, a 75MPH headlong crash into a house might look sophisticated or talented? Especially so when it’s your house?

Time to start calling these clowns what they are. Shitty drivers slinging incredibly damaging toxic waste. Script kiddies. Simone Giertz The Queen of Shitty Robots is far more sophisticated than these clowns.

So if they’re shitty drivers slinging toxic waste and detonating informational nuclear bombs left by the information revolution, then we’ve got something we can work with, or against, seriously. The shitty driving isn’t too much of a problem on the internet. It’s the toxic waste and nuclear bombs they’re able to detonate while being shitty drivers, that’s the problem. We need more, not less, openness around device vulnerabilities and remediation of the vulnerabilities. Even among network operators there’s silly hand waving about “just scan your network for them” (to be fair though the NANOG mailing list is open to anyone). Without quantifying in any terms what to look for and how, it is impossible for network operators, no matter the size, to even help. Making it better known the technical details of attacks so they can be mitigated in a distributed fashion and *remedied* in a distributed fashion is a necessary step.

We force companies who dump toxic waste into the real environment to clean up all the time. Sometimes we have to get government involved. So why can’t we force them to do the same when they do it to the Internet that nearly every human alive relies on now? Why can’t, or won’t the US government sue device manufacturers that release what amounts to toxic waste onto all of our doorsteps? Mostly there’s no law for it right now.

What we can’t do is push it back out onto end users. They bought these devices in good faith. They’re also not generally going to be sophisticated enough to clean up after it. How many people do their own asbestos removal or abatement? You don’t even expect someone to do it on their own. And then ISPs and NSPs and Corporations often expect end users to do the equivalent? Implementing even basic don’t allow your users to pollute (eg BCP38 and BCP84) can be expensive and difficult for network operators, and that doesn’t help resolve these most recent IoT based attacks.