Internet of Things (IoT) Attacks & the CBL [Oct 25, 2016]
As I assume many of you are aware, over the past six weeks there have been several
very high impact distributed denial of service attacks.
Several of these did wide-spread damage on the Internet - bank transactions would
fail, major web sites became inaccessible, etcetera
We at the CBL had been doing some work in this area already, and given the severity
of these DDOS attacks, we'd like to make it available to help out defuse these
attacks as quickly as possible. Without waiting for a final polishing.
This page describes a first, trial version, of a series of more IoT-specific offerings
Some Background on IoT DDOS
How IoT DDOS works
So what is the CBL and Spamhaus doing?
As of October 22nd, the CBL started developing sensors of our own, and talking with our
partners so that we can assist in getting the work done to fix this situation, as well as to help
mitigate it before it is fully fixed.
As of end-of-day October 25), the CBL is listing over 2.5 million IP addresses that have
demonstrated themselves to be infected with Mirai or something very similiar
to Mirai. There are another 10s of thousands
of IPs that are infected with something that doesn't look like Mirai.
Secondly the CBL contains approximately 250 IP addresses that the Mirai botnet is using
to "command and control" (techie-speak "C2") the Mirai-infected devices.
These IP addresses are now available and will continue to be available
through normal DNSBL queries of the CBL & XBL,
as well as the specificalized XBL zone file delivery methods our larger customers uses.
Full diagnostic information is also available in the "eCBL" product (used for service
provider-level remediation efforts).
The above, by itself doesn't do a lot to directly mitigate or remediate on-going IoT DDOS.
Even if you instrumented your, say, web server to deny access to any client IP found
in the CBL/XBL, these attacks are so big that it collapses your Internet connectivity
altogether, and no amount of filtering on the server will solve that. You'd have
to do it at the router level, and no router can take an access control list of 2.5 million
IPs, let alone the CBL at over 10 million IPs.
Therefore Spamhaus will be developing services/offerings around stand-alone IoT packages that
are more directly aimed at preventing/stopping/fixing DDOS attacks. That will be slowed by
the inevitable arguments about what to call it by the marketing folks and other similar
We have the data - let's get it out doing something useful with it while the marketers are arguing!
Trial IoT offering
As mentioned above, unless your router can handle 2.5 million access control entries, which none
do, you can't stop an IoT DDOS.
But what you can do is take the list of 250 IP addresses the IoT C&C uses to infect and control
Mirai-infected computers, and stick them in your routers to block access to or from them.
This will prevent your computers from being infected and even if they are infected, it prevents
the botnet operator being able to tell them what to do.
In "techie-speak" you want to null-route the C2s, so they can't control your computers/IoTs/
The IoT botnet C2 list is a list of approximately
200-300 IP addresses used to infect/control Mirai.
You should periodicaly download this file and insert it into your perimeter router's DENY lists.
More background can be obtained on how to do this from the
DROP FAQ. It includes sample scripts that you can use to download and configure several kinds
of router setups using plain text DROP downloads, you use the above link for seting the data.
Do not download it more frequently than every couple of hours, and it's really intended
for medium to large networks with lots of customers/users.
This is a trial service, and may be withdrawn in a few months. If the transfer stops working,
come back here and we'll tell you how to use the new systems.
The lawyers made us say this: this service is offered on a best efforts basis, for free,
We reserve the right to withdraw it at any time. We do intend to continue offering
this particular service long enough to be worth using and provide a bridge
to the future offerings.
The CBL and abuseat.org web pages are copyright ©
2003-2017, all unauthorized copying is prohibited.
All external pages referenced are copyright by their