Internet of Things (IoT) Attacks & the CBL [Oct 25, 2016]

As I assume many of you are aware, over the past six weeks there have been several very high-impact distributed denial of service attacks. Several of these did widespread damage on the Internet: bank transactions would fail, major web sites became inaccessible, etc.

We at the CBL had already been doing some work in this area, and given the severity of these DDOS attacks, we'd like to make it available to help defuse them as quickly as possible, without waiting for a final polish.

This page describes a first, trial version of a series of more IoT-specific offerings from Spamhaus.

Some Background on IoT DDOS
How IoT DDOS works

So what is the CBL and Spamhaus doing?

As of October 22nd, the CBL started developing sensors of our own, and talking with our partners so that we can assist in getting the work done to fix this situation, as well as to help mitigate it before it is fully fixed.

As of end-of-day October 25, the CBL is listing over 2.5 million IP addresses that have demonstrated themselves to be infected with Mirai or something very similar to Mirai. There are another tens of thousands of IPs that are infected with something that doesn't look like Mirai.

Secondly, the CBL contains approximately 250 IP addresses that the Mirai botnet is using to "command and control" (techie-speak: "C2") the Mirai-infected devices.

These IP addresses are now available, and will continue to be available, through normal DNSBL queries of the CBL & XBL, as well as the specialized XBL zone file delivery methods our larger customers use. Full diagnostic information is also available in the "eCBL" product (used for service provider-level remediation efforts).

The above, by itself, doesn't do a lot to directly mitigate or remediate on-going IoT DDOS. Even if you instrumented your, say, web server to deny access to any client IP found in the CBL/XBL, these attacks are so big that they collapse your Internet connectivity altogether, and no amount of filtering on the server will solve that. You'd have to do it at the router level, and no router can take an access control list of 2.5 million IPs, let alone the CBL at over 10 million IPs.

Therefore Spamhaus will be developing services/offerings around stand-alone IoT packages that are more directly aimed at preventing/stopping/fixing DDOS attacks. That will be slowed by the inevitable arguments from the marketing folks about what to call it, and other similarly less-technical issues.

We have the data - let's get it out doing something useful with it while the marketers are arguing!

Trial IoT offering

As mentioned above, unless your router can handle 2.5 million access control entries, which none do, you can't stop an IoT DDOS. But what you can do is take the list of 250 IP addresses the IoT C&C uses to infect and control Mirai-infected computers, and stick them in your routers to block access to or from them. This will prevent your computers from being infected, and even if they are infected, it prevents the botnet operator from being able to tell them what to do.

In "techie-speak", you want to null-route the C2s so they can't control your computers/IoTs/embedded devices.

The IoT botnet C2 list is a list of approximately 200-300 IP addresses used to infect/control Mirai. You should periodically download this file and insert it into your perimeter router's DENY lists. More background on how to do this can be obtained from the DROP FAQ. It includes sample scripts that you can use to download plain-text DROP lists and configure several kinds of router setups; use the above link to get the data.

Do not download it more frequently than every couple of hours; it's really intended for medium to large networks with lots of customers/users, e.g. ISPs.
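As an added example (not a script from the CBL, Spamhaus or the DROP FAQ), here is a POSIX shell script that turns a plain-text C2 list into null routes on a Linux host. It assumes the DROP list layout (one IPv4 address or CIDR per line, ';' starting a comment), a placeholder URL standing in for the real list location, and GNU stat for the cache-age check that enforces the every-couple-of-hours download rule.

```shell
#!/bin/sh
# Added example (not the CBL's or Spamhaus's own script): turn a plain-text
# C2/DROP-style list into blackhole (null) routes. Assumed format: one IPv4
# address or CIDR per line, ';' starts a comment (as in the DROP lists).
# The list URL is a placeholder; fetching is kept separate from parsing so the
# parser can be exercised offline on the constructed sample below.
LIST_URL="https://EXAMPLE.invalid/iot-c2-list.txt"   # placeholder, not a real URL
CACHE="/var/cache/iot-c2.txt"
MIN_AGE=7200   # seconds: no more than one download every couple of hours

# Keep only addresses: strip comments, CRs and blank lines, and reject anything
# that is not a dotted quad with an optional /prefix. Reads stdin, writes stdout.
extract_entries() {
    sed 's/;.*//' | tr -d '\r' | awk '
        /^[ \t]*$/ { next }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/ { print $1 }
    '
}

# Emit one null-route command per entry (generate, do not execute, so the
# output can be reviewed or fed to a router-specific translator).
# Single hosts get /32 so the route table is uniform.
to_blackhole_routes() {
    extract_entries | awk '{
        p = $1; if (p !~ /\//) p = p "/32"
        print "ip route replace blackhole " p
    }'
}

# Refresh the cached copy only if it is older than MIN_AGE (GNU stat assumed),
# then print the route commands for the cached list.
refresh_and_print() {
    now=$(date +%s)
    mtime=$(stat -c %Y "$CACHE" 2>/dev/null || echo 0)
    if [ $((now - mtime)) -ge "$MIN_AGE" ]; then
        curl -fsS "$LIST_URL" -o "$CACHE.tmp" && mv "$CACHE.tmp" "$CACHE"
    fi
    to_blackhole_routes < "$CACHE"
}

# Constructed sample in DROP-list style (documentation addresses, not real C2s).
SAMPLE='; IoT C2 list (constructed sample)
192.0.2.10 ; single host
198.51.100.0/24 ; whole prefix

not-an-address ; must be ignored'
```

Run `printf '%s\n' "$SAMPLE" | to_blackhole_routes` to see the generated commands; pipe the output of `refresh_and_print` into `sh` from a cron job only after reviewing it.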

This is a trial service, and may be withdrawn in a few months. If the transfer stops working, come back here and we'll tell you how to use the new systems.

The lawyers made us say this: this service is offered on a best-efforts basis, for free. We reserve the right to withdraw it at any time. We do intend to continue offering this particular service long enough to be worth using and to provide a bridge to the future offerings.