Is this seriously a real implementation of the movie-plot plan, where the villain sits there stroking his cat and explaining: "Oh no, Mr. Bond, did you really think I attacked Xbox Live and PSN on Christmas day for some ideological purpose? Or for the 'lulz'? No, Mr. Bond, that was merely a demonstration of my power. Now I can sell my services to the highest bidder and no one can stop me! Not even you, Mr. Bond, since you will be observing the auction from the bottom of my shark tank! Ahahaha! Ahahahahahahahaaa!"
Except without the shark tank, and just with an online store offering various service levels. Maybe this is what Moriarty's 'crime as a service' model looks like in the real world...
Except the good ones know how to properly obfuscate the C&C servers. These morons ran everything through their public IRC server, hosted on the same network as the website advertising the service.
Yup, from http://www.malwaretech.com/2014/12/darkode-ode-to-lizardsqua... "I had noticed that lizardpatrol.com (the official LizardSquad website) was hidden behind Cloudflare, so on a hunch I sent an HTTP request to the darkode server, with the hostname set to "lizardpatrol.com".... That's right, the darkode server is also hosting the official LizardSquad website, oh dear."
Cloudflare is closer to a router than a host. They just happen to be a router which masks that which they're routing to.
If you file an abuse complaint to them about a specific domain, they won't take any actions themselves. However, they will tell the reporter the server's real hosting provider, and will forward the complaint to the hosting provider with information allowing the provider to determine what server the domain corresponds to.
There are some pros and cons to this approach, but considering their role as a completely neutral "transit station" of traffic, I think it makes the most sense legally and practically. Ethically I have a few qualms with it (if a site is very, very blatantly advertising illegal material, ethically I think they should either disable Cloudflare cloaking for the domain, stop resolving the domain at all, or just cancel the customer's account entirely; legally they don't necessarily need to, though, and I can understand why they don't), but they still make it very easy for a hosting provider to take action when there is an abuse complaint.
Depends what country you're from really, whether or not that would hold up. Depends if the US is going to use the overreaching arm to sort things like this out.
They cache static content like images and host that, yes, but they do not host any dynamic pages or "websites" themselves.
They have some hosting capabilities but I think that would be better described as a "mirror" rather than a host. Most of their infrastructure is routing and some is mirroring/caching.
They do host a lot more material than for example The Pirate Bay, which only hosted metadata about the files (size, description, checksums).
The reasoning is very similar, "we don't care what our users do, we're infrastructure". I wonder how well that will hold up in court, once tested. I have a nagging suspicion they will have to change their stance, but I'm happy to be proven wrong.
I can see 3 reasons why CloudFlare is protecting the site of LizardSquad, first 2 of which are really bad reasons:
1. Perhaps their logic is, if they protect LS's site, perhaps LS is less likely to attack services behind CloudFlare for fear of taking out their own site in the process. I am not saying that CloudFlare does this out of fear of LS, perhaps they just think it's a sound business practice.
2. CloudFlare directly and significantly benefits from the illegal activity of LS and other DDoS organizations. DDoSers are the boogeyman, and CloudFlare protects people from the boogeyman, for money. The more boogeyman attacks there are, the more people flee to the protecting arms of CloudFlare.
3. CloudFlare has the attitude that they are simply an ISP, or a router of traffic, and they are not responsible for any of the content on the sites they "distribute." This is a good position legally to take. As my friend, a prosecutor, jokingly points out, "everything is illegal." So, some country or another would be able to find something objectionable about almost every single site on the internet, and CloudFlare wants to be treated like an ISP, not responsible at all for any of that stuff.
But let's say the content in question wasn't a DDoS site, but a child porn site; would CloudFlare be so adamant in their stance? I don't think so. Even ISPs quickly disconnect their customers from the internet when clear and easily verifiable allegations of child porn, piracy, fraud, or botnet operations are presented to them.
Basically, CloudFlare is not responsible for LS, but they should be a good Net citizen, and drop them voluntarily. That being said, they are not going to for reasons #1 and #2.
Because it's a customer like everyone else, as a service provider you should maintain a neutral stance even if you don't like the service they provide. Just like ISPs shouldn't handle Netflix's traffic any differently than traffic from other companies.
Knowingly providing internet infrastructure so others can attack other internet infrastructure is far from "being neutral." ISPs disconnect customers all the time for abuse, yet somehow Cloudflare gets a free pass?
Funny how the solution to being DDOS'd by their own customers is, "Buy our product." In the sane world we call this racketeering or protection money.
No, they will cut off service entirely if the user's behavior threatens their network (usually legally).
As an example, ISPs don't drop spammers because they morally hate spam, they drop spammers because their mail servers will get blacklisted and make their customers hate them.
They appear to be awful at OPSEC but pretty good at offensive security. Which is a very common theme with groups like these.
As long as their core botnet infrastructure stays afloat, it doesn't really matter to them what's discovered about the stresser or even their real identities in some cases. They're very brazen, to say the least.
I imagine their botnet won't be up for too much longer though.
You're pretty quick to call people morons for someone who doesn't have a clue about what he is talking about. These routers Krebs is talking about (which have largely been infected since August) were never connected to an IRC network.
And as for the gcloud servers, yeah, we connected a few of them to the public IRC... So what? It's not as if they were ever going to survive beyond a few hours. Also, Krebs seemed to imply that we used the Google bots for DDoS attacks... That's pretty ridiculous considering Google will automatically suspend you if they detect traffic anomalies.
This should provide some fuel to the "Internet of Things hacking will bring the world to its knees" people. The vast majority of these devices have no meaningful patching policy. Default username/password is one thing but there are many other vulnerabilities.
My prediction is "Internet of Things" will begin to transition into "Local Network of Things (Accessible via VPN or Gateway)" for this exact reason. It'll still appear as "Internet of Things" to most end users though.
Something with a higher bar of quality than the typical consumer electronics you pick up in the bargain bin at Newegg/Amazon/Wal-Mart.
I think it's within the realm of possibility for consumers to install routers/gateways that are competently engineered. It's flat out impossible to ensure every IoT device a consumer owns has even the most basic security principles covered.
If a home has a desktop or media PC, it could potentially run a router/gateway VM on platforms like Qubes, Genode, etc. The router VM would be isolated from desktop/media VMs, and would have the benefit of running a BSD/Linux x86 OS that has automated updates. New wifi standards can be supported by upgrading a USB or PCI WiFi adapter, rather than buying a new router.
>consider changing the router’s default DNS servers to those maintained by OpenDNS.
Is OpenDNS a sponsor for Krebs? This seems like a great way to break CDN geo-IP, get served ads, and get non-standard "typo domain" messages. Ironically, it opens people up to DDoS, as an attack against OpenDNS means Krebs's readers now don't have DNS.
Not really. Some (most?) ISPs have servers in their own networks that can speed up the loading of, for example, YouTube videos. By not using your ISP's DNS servers, you will miss them.
This used to be true, especially with Comcast, but I read a blog post about a year ago stating that in most cases using Comcast's DNS servers is actually faster nowadays.
I closely benchmarked it and they turned out to be right, though 8.8.8.8 had only a little bit more latency. And it makes sense; your ISP will always (theoretically) be able to provide lower latency than Google can when they put the effort into it. Unless Google is your ISP. :)
Google has a tool that will find the fastest DNS server for you, and check for censorship (though IIRC I found that part rather ambiguous). In my case my ISP's was faster by about 30%.
Never had an issue. I've run benchmarks against mine and then google's and didn't see any noticeable difference. Google only seems to offer me what I assume are massive privacy violations for using their service.
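A small resolver latency benchmark in the spirit of the comparisons discussed above, added here as an example (not code from the thread). It builds a raw DNS A query with the standard library, times the round trip, and keeps only responses whose transaction ID and RCODE check out; the resolver addresses are the public Google and OpenDNS ones and the query name is a placeholder, both assumptions of the example.

```python
import random
import socket
import struct
import time

def build_query(name: str, txid: int) -> bytes:
    """Build a minimal DNS A-record query (recursion desired) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # QDCOUNT=1
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_header(resp: bytes):
    """Return (txid, rcode, answer_count) from a DNS response header."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return txid, flags & 0x000F, an

def time_resolver(resolver: str, name: str, tries: int = 5, timeout: float = 2.0):
    """Median round-trip time in ms for resolving `name` at `resolver`, or None."""
    samples = []
    for _ in range(tries):
        txid = random.randint(0, 0xFFFF)
        query = build_query(name, txid)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            start = time.perf_counter()
            try:
                sock.sendto(query, (resolver, 53))
                resp, _ = sock.recvfrom(512)
            except socket.timeout:
                continue
            elapsed_ms = (time.perf_counter() - start) * 1000
        rtxid, rcode, _an = parse_header(resp)
        if rtxid != txid or rcode != 0:
            continue  # ignore mismatched (possibly spoofed) or error responses
        samples.append(elapsed_ms)
    if not samples:
        return None
    samples.sort()
    return samples[len(samples) // 2]

if __name__ == "__main__":
    # Assumed public resolvers: Google Public DNS and OpenDNS; query name is a placeholder.
    for resolver in ("8.8.8.8", "208.67.222.222"):
        print(resolver, time_resolver(resolver, "example.com"))
```

Add your ISP's resolver address to the list to reproduce the ISP-versus-Google comparison from the thread.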
As an aside on the username/password thing, unless it's going to be visible through your window, you're probably best off keeping them on a sticky label attached to your router. That way, you have them when you need them, and they're not available on the internet.
This is actually how Quest does it. Imagine my surprise when I was setting up the router and had to call and ask what the router password was and the tech said, "Yeah, just flip it over, under the serial number is a long hexadecimal code, that's your password."
At least the password was somewhat strong. I'm not sure having it printed on the same label as the serial number is a good idea though.
To me it implies that the default password can be determined if you are able to discover the MAC address. Either the manufacturer might have it in a database that could be compromised, or the algorithms generating the MAC addresses and the pseudorandom default passwords might be reverse engineered.
Well, now there's cheap home security cameras which some significant percentage of people neglect to change the default passwords on, and webcams built into almost every device, some of which could be hacked...
I'd still generally agree with your suggestion, it's just funny to see how some of our assumptions no longer hold, over time.
I think "Remote Management" is an option on pretty much all consumer routers. It's pretty unfortunate to have it default to on when there is a non-unique default password though.
There are many ways, even if WAN-side Management is disabled, to take over these routers from the WAN side. E.g. [1, 2] There are also vulnerabilities in the auto-provisioning protocols used by the modems that can give the attacker an entry-point. [3]
This is just the tip of the iceberg from 10 minutes of Googling. I also recall there was some technique where an attacker could reflect attack traffic through a browser and back into the router, so if you knew the router IP and user/pass you could compromise it by getting the user to visit a malicious or drive-by-hacked site.... but I couldn't find a link for that one.
ISPs that want to remotely manage their CPE, i.e. reboot remotely, adjust routes, etc.
Obviously these should be locked to only respond to designated control IPs that originate from the ISP, and default user/passwords should be changed... far too often I've seen corps use a non-default user/pass, having switched to something different... but every single device they deploy has the exact same user/pass on it.
I have seen smaller ISPs use something similar to admin/c0mcast on every single device while using equipment too cheap to include an access list for remote management.
There have been about a handful of ways to coax all common UPnP implementations to give you LAN access, not counting all the obvious ways if you can get the victim to view a web page. Don't rely on it for security.