
It was reported that the recent large scale DDoS attack affecting multiple websites in the US was done by hacking 10s of millions of devices and using them for the attack.

How can one in general know if one's devices were hacked and used in the/an attack?

  • Add egress filters to your firewall device. If it doesn't NEED to talk to the Internet, it shouldn't be able to. Logging on those rules would later show whether they were activated. – Criggie Oct 27 '16 at 00:01
  • The 10s of millions claim is quite off the mark. Mirai uses IP spoofing. Dyn itself later corrected to say that "up to 100k" devices were used. – Federico Oct 27 '16 at 07:30
  • @GeorgeBailey as stated, Dyn itself? http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/ `We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints.` – Federico Oct 27 '16 at 16:00

4 Answers


Knowing after the fact can be a bit difficult if you are not actively monitoring your network traffic. But there are some things you can do now to determine if you were at risk of being a participant and to mitigate against future participation.

As has been mentioned in a number of places, if your WAN router/bridge/cable modem/firewall has UPnP turned on, you've definitely opened up your local network to risk. You should turn this off.

For your various devices, if you've left the default administrator password set, you've left yourself open. Change this.

Make sure the firmware on your devices is up to date and expect further updates to come out in the near future.

If you have devices that don't need to communicate on the Internet to "call home," then block them from doing such things; don't give them a default route, add firewall rules, etc.

By most accounts, CCTV (e.g. web cams) were the primary devices infected and utilized. If you have such a device (a list of known offenders can be found here: https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/), you might consider taking some action.

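As an added example, not part of the answer or the comments above, here is a small Python script that does the log check Criggie's comment suggests: it parses the netfilter LOG records that an egress-deny rule with a log prefix writes to syslog and reports internal hosts that tried to reach many distinct outside addresses on TCP 23 or 2323, the telnet ports Mirai's scanner probes. The log lines are constructed for the example; the prefix IOT-EGRESS-DROP, the interface names and the addresses are assumptions, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Netfilter LOG-format record, i.e. what syslog receives when an egress-deny rule carries
# "-j LOG --log-prefix 'IOT-EGRESS-DROP: '". Only the fields the checks need are named.
LOG_RE = re.compile(
    r"(?P<prefix>[A-Za-z0-9_-]+): IN=(?P<iface_in>\S*) OUT=(?P<iface_out>\S*)"
    r".*? SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r".*? PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Constructed sample records (not captured from a real network): one camera on the IoT
# segment knocking on telnet at many outside hosts, one device doing ordinary NTP/HTTPS.
_SAMPLE = [
    ("192.168.20.14", "203.0.113.%d" % i, "TCP", 23) for i in range(1, 7)
] + [
    ("192.168.20.14", "198.51.100.8", "TCP", 2323),
    ("192.168.20.7", "192.0.2.10", "UDP", 123),
    ("192.168.20.7", "192.0.2.11", "TCP", 443),
]
SAMPLE_LINES = [
    "Oct 27 00:01:%02d gw kernel: IOT-EGRESS-DROP: IN=br-iot OUT=ppp0 "
    "MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=%s DST=%s LEN=60 TOS=0x00 "
    "PREC=0x00 TTL=63 ID=0 DF PROTO=%s SPT=%d DPT=%d LEN=40"
    % (n, src, dst, proto, 40000 + n, dpt)
    for n, (src, dst, proto, dpt) in enumerate(_SAMPLE)
]


def parse_line(line):
    """Return the named fields of one LOG record as a dict, or None if the line is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["spt"] = int(rec["spt"]) if rec["spt"] else None
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec


def summarize(lines):
    """Per internal source address: number of blocked packets and, per (proto, dport),
    the set of distinct destinations it tried to reach."""
    per_src = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = per_src.setdefault(rec["src"], {"hits": 0, "targets": defaultdict(set)})
        entry["hits"] += 1
        entry["targets"][(rec["proto"], rec["dpt"])].add(rec["dst"])
    return per_src


def suspicious_scanners(summary, scan_ports=(23, 2323), min_targets=5):
    """Sources that tried TCP on the telnet ports Mirai's scanner probes (23, 2323)
    against at least min_targets distinct destinations. Returns [(src, n_targets), ...]."""
    flagged = []
    for src, entry in summary.items():
        targets = set()
        for (proto, dpt), dsts in entry["targets"].items():
            if proto == "TCP" and dpt in scan_ports:
                targets |= dsts
        if len(targets) >= min_targets:
            flagged.append((src, len(targets)))
    return sorted(flagged)


if __name__ == "__main__":
    # Real use: feed the firewall's kernel log (journalctl -k, /var/log/kern.log) instead.
    for src, n in suspicious_scanners(summarize(SAMPLE_LINES)):
        print(f"{src}: blocked outbound telnet attempts to {n} distinct hosts")
```

A single device legitimately talks to a handful of fixed endpoints; a device that tries telnet on dozens of unrelated addresses is scanning, which is what an infected bot does before and during an attack. The threshold is deliberately a parameter, since one rebooting camera can retry one cloud host many times without being a scanner.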

Identifying this can be a little difficult, but possible.

  1. Identify the devices in your network

    This might sound trivial, but you might be surprised to see some rogue devices you may have even forgotten after connecting it to the router. Check your router logs, connected devices and even do an nmap sweep on the local network and find all the active devices.

  2. Identify the management interfaces

    Identify the administrative interfaces for all these devices. Since our focus is on IoT devices, do this step for devices including TVs, refrigerators, IP cams, etc.

  3. Verify whether the access to management interface is restricted.

    You might be managing your IP cam using a web application, but it is likely that it may also have an interface which accepts SSH or Telnet connections. Identify these ports and services and make sure that they are not accessible remotely. In other words, make sure that IP forwarding or methods to bypass the NAT are not enabled.

    If the devices are IPv6-enabled, a firewall restriction or an authentication challenge must restrict them from being remotely taken over.

  4. Make sure weak passwords, default user accounts and known backdoors are disabled on all externally accessible interfaces.

    IP cams are infamous for these kinds of issues.

In short, there is no sweet way of identifying whether you were a part of the group which took down a portion of the internet, but there are still ways to stop that from happening again.

  • One of the easiest ways of tracking down all devices on your network is to change your Wi-Fi encryption password (on all your Wi-Fi routers). Those devices that no longer work due to lack of connectivity are now identified. Those that break and you don't care about are not identified but can no longer talk to the internet. Of course, you also have to trace the wiring for any devices connected via CAT5 to your routers, but that's easier than tracing random devices connected via Wi-Fi. – Mark Ripley Nov 04 '16 at 09:30

The source code of the malware is public, so you can read it and attempt to manually compromise your device using the same exploit as the malware. If you succeed there's a good chance your device was already taking part in the attacks before.

It's not foolproof of course (the malware may be designed by someone smart enough to plug the hole after he gets control of the device) but it's worth a try.

  • -1 Even if this were a programming site (it's not), understanding low-level exploits requires a level of programming knowledge far beyond the average programmer. This is not a reasonable method for 99.99% of people. – BlueRaja - Danny Pflughoeft Oct 26 '16 at 22:39
  • While I agree it's not reasonable for many people, the method is valid anyway and IMO worth mentioning, i.e. I don't agree with the -1. – YoungFrog Oct 27 '16 at 20:10
  • @BlueRaja-DannyPflughoeft are you sure it's a "low-level" exploit? From what I've seen this is nothing but low-level, it's simply logging in with a hardcoded password and executing a binary. I wouldn't even call it a real "exploit". – André Borie Oct 28 '16 at 18:37
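As an added example, not code from either answer and not Mirai's own code, the following Python script does steps 3 and 4 of Jamal's list and the "try the same thing the malware does" check from André Borie's answer in one go: it attempts a telnet login on a device with a handful of (user, password) pairs from the credential table in the published Mirai source, which is exactly how the malware spreads. The credential excerpt is quoted from memory and should be checked against the source; the function names and the fake telnet daemon used to exercise the checker offline are constructed for the example and stand in for a real camera.

```python
import socket
import threading

# A few (user, password) pairs from the credential table in the published Mirai source.
# Short excerpt quoted from memory; consult the source for the full table.
MIRAI_CREDS = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "123456"),
    ("support", "support"), ("root", "root"), ("admin", "password"), ("user", "user"),
]
LOGIN_PROMPTS = (b"login:", b"username:")
FAILURE_WORDS = (b"incorrect", b"fail") + LOGIN_PROMPTS
SHELL_PROMPTS = (b"#", b"$", b">")

def _strip_iac(data):
    """Drop 3-byte telnet option negotiations (IAC DO/DONT/WILL/WONT <opt>) so prompt
    matching sees only text. Subnegotiations are not handled (rare at the login prompt)."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 2 < len(data) and data[i + 1] in (0xFB, 0xFC, 0xFD, 0xFE):
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)

def _read_until(sock, markers):
    """Read until any marker (case-insensitive) shows up in the text; None on timeout/EOF."""
    raw = b""
    while True:
        text = _strip_iac(raw)
        if any(m in text.lower() for m in markers):
            return text
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            return None
        if not chunk:
            return None
        raw += chunk

def try_telnet_login(host, port, user, password, timeout=3.0):
    """True if user/password gets a shell prompt on a plain-text telnet service."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if _read_until(s, LOGIN_PROMPTS) is None:
                return False
            s.sendall(user.encode() + b"\r\n")
            if _read_until(s, (b"password:",)) is None:
                return False
            s.sendall(password.encode() + b"\r\n")
            reply = _read_until(s, SHELL_PROMPTS + FAILURE_WORDS)
    except OSError:
        return False
    return reply is not None and not any(w in reply.lower() for w in FAILURE_WORDS)

def check_device(host, port=23, creds=MIRAI_CREDS):
    """First (user, password) pair that logs in, or None if none of them does."""
    for user, password in creds:
        if try_telnet_login(host, port, user, password):
            return (user, password)
    return None

def start_fake_telnetd(valid=("root", "xc3511")):
    """Constructed stand-in for a camera's telnet daemon so the checker can run offline.
    Listens on 127.0.0.1 on an ephemeral port; returns (listening_socket, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def readline(conn):
        data = b""
        while not data.endswith(b"\n"):
            chunk = conn.recv(256)
            if not chunk:
                break
            data += chunk
        return data.strip().decode(errors="replace")

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                        # listening socket was closed
            try:
                with conn:
                    conn.sendall(b"\xff\xfd\x01\r\nIPCAM login: ")  # IAC DO ECHO, then prompt
                    user = readline(conn)
                    conn.sendall(b"Password: ")
                    pw = readline(conn)
                    if (user, pw) == tuple(valid):
                        conn.sendall(b"\r\nBusyBox v1.1.3 built-in shell\r\n# ")
                    else:
                        conn.sendall(b"\r\nLogin incorrect\r\nIPCAM login: ")
            except OSError:
                continue                      # client went away mid-dialogue

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    srv, port = start_fake_telnetd()
    print("fake camera accepts:", check_device("127.0.0.1", port))
    srv.close()
```

Run check_device against the addresses found in step 1 (for example the hosts an `nmap -sn` sweep of your subnet lists) on port 23; a hit means anyone who could reach that port could have logged in the same way. To confirm step 3, repeat the check from outside your NAT against your public address, since a device that is only reachable from the LAN is a much smaller problem than one exposed by a port forward or UPnP mapping. Only test devices you own.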

The answer is most probably NO:

You did not take part in the massive DDoS attack last Friday. The compromised devices that were used as part of the botnet were mostly very old and without security measures, for example those cameras on the gas/fuel station near you (cameras probably bought 10-15 years ago).

Read this article, it explains the same as I've said, but much better: https://www.wired.com/2016/10/internet-outage-webcam-dvr-botnet/

Some pieces from the article:

The zombie webcam army responsible for Friday’s mayhem instead consists of industrial security cameras, the kind you’d find in a doctor’s office or gas station, and the recording devices attached to them. Also? They’re mostly ancient, by technological standards.

And:

“Most of these were developed in 2004 on down the line,” says Zach Wikholm, a research developer at security firm Flashpoint who’s been tracking the root cause of the attack.
