[HN Gopher] The teens behind the Mirai botnet
___________________________________________________________________

The teens behind the Mirai botnet

Author : rbanffy
Score  : 137 points
Date   : 2023-05-24 11:03 UTC (11 hours ago)

(HTM) web link (spectrum.ieee.org)
(TXT) w3m dump (spectrum.ieee.org)

| cdme wrote:
| Well now I can't wait to read the book this was drawn from.

| lagniappe wrote:
| I didn't know ieee had been putting out articles like this, I'll
| be bookmarking their feed. Thanks OP!
|
| If anybody from ieee is reading this, I'd appreciate more of this
| type of content, maybe even longer format like you'd find on LRB.

| cpascal wrote:
| I was a Rutgers student when this was happening. I recall some
| final assignments and exams getting canceled when they attacked
| the Rutgers network.
|
| When the news broke about the perpetrators behind Mirai and
| specifically the Dyn attack, I was shocked that such a
| high-impact attack originated from one of my classmates in the CS
| department.

| gurchik wrote:
| I was a student at the same time, and if memory serves
| correctly, the school's authentication server was down for
| multiple days at a time. This is a requirement to log into
| pretty much anything on campus. I remember being unable to
| access Canvas to download assignments and notes or read
| professor announcements.

| TradingPlaces wrote:
| From Yale Law professor and frequent shitposter Scott Shapiro's
| new book, Fancy Bear Goes Phishing
| https://www.penguin.co.uk/authors/122489/scott-shapiro

| kpetermeni wrote:
| > and taking down all of Liberia's Internet--to name a few
| examples.
|
| This did not happen [1] as was documented here[2], here and
| here[3]. It spices up the story but in truth, one of the local
| telcos was affected but they accounted for less than a third of
| Liberia's Internet traffic. The weekend-like Internet traffic
| seen on that day was because of a national holiday.
|
| Additional source: I lived in Liberia during that time managing
| the local IXP.
|
| [1] https://krebsonsecurity.com/2016/11/did-the-mirai-botnet-rea...
| [2] https://thehackernews.com/2016/11/ddos-attack-mirai-liberia....
| [3] https://twitter.com/DougMadory/status/794592487159529472

| stepupmakeup wrote:
| The giant stories Brian Krebs wrote about these guys are
| fascinating, there's many more characters tangentially involved
| (like the Datawagon guy) that aren't covered in this.

| SapporoChris wrote:
| "Telnet, an outdated system for logging in remotely." This
| comment from the article bothered me. No evidence was given as to
| why it is outdated. I did a little digging to find that Telnet is
| vulnerable to several different attacks, but all of it can be
| mitigated by Transport Layer Security (TLS) security and Simple
| Authentication and Security Layer (SASL) authentication. Of
| course many devices don't support TLS and SASL. If a device does
| support the newer standards I think it's wrong to consider it
| outdated.

| justsomehnguy wrote:
| > but all of it can be mitigated by Transport Layer Security
| (TLS) security and Simple Authentication and Security Layer
| (SASL) authentication
|
| At this point anyone sane should question why he would add TLS
| and SASL to Telnet (and expect to find _clients_ which would
| support those too) instead of slapping SSH.
|
| It's like asking why anyone would consider a hand-operated
| drill outdated, since you can slap an electric motor on it.

| tgv wrote:
| Possible reason: telnet lets you log in with username/password,
| which is much easier to obtain than an ssh key. Encoded traffic
| doesn't matter. Paras cs. wouldn't have been able to wiretap
| the affected servers.

| junon wrote:
| Telnet is not used really at all anymore. Most distributions
| come without it, or have it disabled by default. Historically
| it was the only way to connect remotely, as it imitated how
| connections used to work over phone lines. It's definitely
| outdated, as SSH is now the de facto.

| marcod wrote:
| How could anybody claim that the teletype protocol is outdated?
| Teletype refers to this:
| https://en.wikipedia.org/wiki/Teleprinter

| tgv wrote:
| It's not really related to teletypes (which I've never heard
| being called a teleprinter). They didn't operate over the
| internet, but used protocols such as RS-232 or acoustic
| modems.

| Jtsummers wrote:
| For remote login (context of the statement), telnet has been
| deprecated for a very long time.

| blowski wrote:
| It's outdated in the same way my 90s baggy jeans are outdated.
| Technically, they still work as clothing, but people find it
| unusual if I wear them.

| InCityDreams wrote:
| Where do you live, though?

| vngzs wrote:
| "Outdated" is a reasonable moniker for devices that accept
| cleartext telnet over the open Internet. That you can retrofit
| security onto telnet by running it over a TLS tunnel is not
| especially relevant, nor does it make telnet less outdated;
| secure devices are better off just using SSH.
|
| What makes a protocol outdated? I would argue that outdated
| protocols "bake in" outdated assumptions. The telnet protocol
| has a builtin assumption that the network is secure, while
| newer protocols for remote administration lack this assumption
| and assume an actively malicious network.

| jamesdwilson wrote:
| the telnet protocol does not have to be used only on the open
| internet, just as HTTP (insecure) does not have to be either.
| It can be used internally for whatever reason you want as
| well. I don't think that makes it outdated.

| nightpool wrote:
| And what sort of network do you think the IOT devices from
| the article were designed to be used on? This kind of
| thought process (well security isn't important if you use
| it internally) is exactly the sort of attitude that led to
| the botnets in the article becoming as large and as
| devastating as they ended up being

| koromak wrote:
| "The Rutgers IT department is a joke. This is the third time I
| have launched DDoS attacks against Rutgers, and every single
| time, the Rutgers infrastructure crumpled like a tin can under
| the heel of my boot."
|
| The fact that people think this is impressive is mind boggling to
| me

| spondylosaurus wrote:
| > It might be surprising that DDoS providers could advertise
| openly on the Web. After all, DDoSing another website is illegal
| everywhere. To get around this, these "booter services" have long
| argued they perform a legitimate function: providing those who
| set up Web pages a means to stress test websites.
|
| This reminded me of a Wired article[1] from a few weeks back that
| argued that many of the kids using these services to DDoS their
| friends/rivals don't realize they're illegal--so federal agencies
| are taking out keyword ads to warn potential users:
|
| > In fact, he and other members of [cybercrime-busting group] Big
| Pipes argue that most booter customers seem to believe--or
| convince themselves--that merely paying to use one of the
| services to knock out an adversary's internet connection isn't
| against the law, or at least isn't an enforceable crime. When the
| UK's National Crime Agency (NCA) ran a six-month Google
| advertising campaign in 2018 to intercept people seeking booter
| services and warn them about their illegality, Clayton's research
| group found that attack traffic in the UK remained flat for those
| six months, while it increased at its usual pace in other
| countries.
|
| > In the years since, law enforcement agencies seem to have
| learned from that experiment: The FBI now also buys similar
| Google advertisements to warn potential booter customers that
| paying for the services is a crime. The UK's NCA, meanwhile, has
| not only launched new advertising campaigns but even run its own
| fake booter services to identify would-be customers and then send
| them warnings--sometimes even with in-person visits--about the
| consequences of paying for criminal DDOS attacks.
|
| [1] https://www.wired.com/story/big-pipes-ddos-for-hire-fbi/ (For
| the relevant bits, scroll to the "Honeypots, Google Ads,
| Knock-and-Talks" section)

| thatguy0900 wrote:
| I find it extremely interesting that the fbi buys ads for
| illegal stuff, rather than Google Just putting up a warning
| when you search for ddos services

| spondylosaurus wrote:
| I mean, it's not illegal to _search_ for those keywords, so
| Google doesn't have much of an incentive to stop running ads
| on them (at least of their own free will). I'm sure "triple
| homicide" is a hot keyword for advertising the latest true
| crime podcast or whatever.
|
| Granted, I'm also a little surprised that the FBI didn't just
| twist Google's arm about it, but who knows. Maybe Google did
| them a solid and doesn't actually charge for the ad space, or
| maybe the FBI is just trying to play nice since Google has
| plenty of federal contracts.

| 2OEH8eoCRo0 wrote:
| > I'm also a little surprised that the FBI didn't just
| twist Google's arm about it
|
| _Just_ twist their arm? What does it mean for the FBI to
| _twist_ Google's arm?

| HDThoreaun wrote:
| Why would google do that for free when they can get paid?

| jrochkind1 wrote:
| > The UK's NCA, meanwhile, has not only launched new
| advertising campaigns but even run its own fake booter services
| to identify would-be customers and then send them warnings--
| sometimes even with in-person visits--about the consequences of
| paying for criminal DDOS attacks.
|
| The FBI would be indicting them, not just warning them -- go to
| all that trouble of setting up a fake site, and then you just
| give up actually indicting them for their crime? What's even
| the point of that? That they didn't know it was a fake site is
| no defense, the FBI routinely, say, sells people fake bombs and
| then indicts them.

| aendruk wrote:
| > What's even the point
|
| Education

| spondylosaurus wrote:
| The NCA too, not just the FBI. But the Wired article goes on
| to say:
|
| > Big Pipes' Allison Nixon says she hopes that softer tactics
| like those can intercept would-be booter service operators
| early, before they start committing felonies: She's found
| that most booter operators start as customers before
| launching their own service. But for people who aren't
| dissuaded by those interventions, she says, Big Pipes and its
| partners at the FBI will still be watching them.
|
| > "The hope is that this whole show of force will convince
| some of them to quit and get a real job," Nixon says. "We
| want to send a message that there are people tracking you.
| There are people paying attention to you. We have our eyes on
| you, we might get you next. And it might not even be on
| Christmas."
|
| So the honeypots sound like a sort of catch-and-release
| strategy to scare kids before they start their own DDoS
| enterprises.

| jrochkind1 wrote:
| Right, I was amazed that the NCA seemed to be kinder and
| gentler than the FBI, which has no problem entrapping
| people and then putting them in prison.

| florbo wrote:
| There's an extreme difference in severity between trying to
| buy a bomb and trying to pay for DDoSaaS. I'd rather people
| come out of this sort of thing unscathed but wiser,
| especially if they're simply ignorant of the law, which seems
| to be the objective of that tactic.
|
| Besides, if something is illegal and there's a significant
| portion of offenders who _are_ truly ignorant of its
| illegality, perhaps a new approach to education is needed,
| which this tactic also covers.
|
| Maybe other organizations will take notes...

| amelius wrote:
| > To get around this, these "booter services" have long argued
| they perform a legitimate function: providing those who set up
| Web pages a means to stress test websites.
|
| Don't these botnet services run on compromised computer
| systems?

| 3np wrote:
| This is abstracted away from the customer and there is a
| wider and richer grayscale than at least I imagined before
| working at a data company and looking at IP providers for
| outbound. You have your TV sticks and VPN providers where a
| careful squinting at the ToS will tell you that users on the
| other end are signing off on the right to have their
| bandwidth leased. I don't see how else the supposedly
| legitimate providers of residential IPs could possibly offer
| the supply, geo-diversity, and pricing they do.

| itronitron wrote:
| During that time frame, I recall some top players being directly
| impacted by targeted DDOS attacks from other players. It wasn't
| too common only because people learned to protect their IP
| addresses, or change them periodically.
|
| The Mirai botnet had a very negative impact on game play for
| several servers, and I would argue it was the key factor in the
| demise of at least one of the servers simply because it
| rendered certain games unplayable.

| charcircuit wrote:
| [flagged]

| SkyPuncher wrote:
| Computer Fraud and Abuse Act:
| https://sgp.fas.org/crs/misc/R46536.pdf
|
| > Broadly speaking, § 1030(a)(5) prohibits a variety of
| acts that result in damage to a computer. Subsection
| 1030(a)(5) may be used to prosecute many of the activities
| that are commonly associated with hacking, such as the
| transmission of viruses or worms and unauthorized access by
| intruders who delete files or shut off computers. The
| provision may also be used to prosecute the perpetrators of
| Distributed Denial of Service (DDoS) attacks, which occur,
| for example, when an attacker overwhelms a server's ability
| to process legitimate requests by overloading the server with
| a flood of illegitimate traffic.
|
| Kicking your friend offline (via DDOS or other) would prevent
| it from processing legitimate requests and count as a breach
| of CFAA.

| charcircuit wrote:
| > would prevent it from processing legitimate requests
|
| Your friend is not hosting a server and they are not
| incurring damages due to having trouble connecting to the
| internet.
|
| The damages from not being able to process legitimate requests
| is like if you DDoS an ecommerce site which means that they
| are unable to receive orders from legitimate customers
| which causes them damage.

| anoonmoose wrote:
| I don't agree with that. If your DDoS prevents me from
| using services I paid for, I could rightfully sue you in
| small claims for the damages. They'd be small - a
| percentage of a monthly Internet bill. It's still
| damages.

| charcircuit wrote:
| It would depend on if being unable to access services you
| paid for would be considered damage to a "protected
| computer" which is specifically the kind of damage
| 1030(a)(5) protects against.

| Manuel_D wrote:
| > Your friend is not hosting a server and they are not
| incurring damages due to having trouble connecting to the
| internet.
|
| But they are, right? Whoever is hosting the multiplayer
| match is running a server. And damages come in the form
| of being rendered unable to enjoy the video game they
| paid money for. "Damages" do not have to come in the form
| of lost customers.

| anoonmoose wrote:
| According to the FBI, 18 U.S.C. § 1030 proves you wrong, and
| I'm going to believe fbi.gov over anonymous HN commenters 99
| times outta 100. Even if you think you're right because you
| think some part of the law is unconstitutional, or the way
| you worded the question was specifically chosen such that you
| think it doesn't fall under this law, or something I am not
| aware of idk, I don't believe that the FBI agrees with you,
| and they're the ones who would be charging me/my kids.
|
| https://www.fbi.gov/contact-us/field-offices/anchorage/fbi-i...

| dj_mc_merlin wrote:
| It's interesting that a potentially very large amount of people
| have the necessary technical skills to set up large botnets. It's
| mostly teenagers that do it in the Western world since they're
| both stupidly brave and at the right level of technical knowledge
| to be able to do the hacking without understanding how much
| evidence they're leaving behind. Or perhaps they think themselves
| invincible anyway.

| ftxbro wrote:
| > "Unfortunately for the owner, he was a big fan of Japanese
| anime and thus fit the profile of the hacker."

| itronitron wrote:
| _"That's some first class detective work Agent Johnson"_

| compilator1 wrote:
| So, in the end the trio landed a job in the FBI. Like from a
| movie.

| anthk wrote:
| A botnet called "future". Meh.
___________________________________________________________________
(page generated 2023-05-24 23:00 UTC)
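The telnet sub-thread above (SapporoChris, vngzs, nightpool) turns on two defensive questions: which devices on a network accept cleartext telnet from the outside, and which internal devices have started probing the Internet for telnet listeners, the way a Mirai-style infection spreads. The script below is an added example written for this page; it is not code from the IEEE Spectrum article, from the book it draws on, or from any commenter. It audits connection-log records for both conditions. The log format, the IP addresses, the 192.168.1.0/24 "internal" range and the five-target scan threshold are all constructed assumptions; port 2323 is included because it is a common alternate telnet port on embedded devices.

```python
"""Audit flow/connection logs for (1) internal hosts accepting telnet from
external sources and (2) internal hosts scanning external telnet ports.

Added example for the HN telnet discussion; not code from the article or any
commenter. Log format, addresses and thresholds are constructed assumptions."""

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed: the network under audit. Anything outside it is "external".
INTERNAL = ip_network("192.168.1.0/24")
# 23 is telnet; 2323 is a common alternate telnet port on embedded devices.
TELNET_PORTS = {23, 2323}
# Assumed: distinct external telnet targets before a host counts as scanning.
SCAN_THRESHOLD = 5

# Constructed sample log. One record per line:
#   <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
# 192.168.1.20 is a camera-style device that both exposes telnet to the
# outside and then starts probing outside hosts on telnet ports.
SAMPLE_LOG = """\
2016-10-21T11:02:03Z 203.0.113.7:51234 -> 192.168.1.20:23 ACCEPT
2016-10-21T11:02:05Z 203.0.113.9:40001 -> 192.168.1.20:23 ACCEPT
2016-10-21T11:02:06Z 198.51.100.4:3345 -> 192.168.1.20:22 ACCEPT
2016-10-21T11:03:00Z 192.168.1.20:33001 -> 198.51.100.10:23 SYN
2016-10-21T11:03:00Z 192.168.1.20:33002 -> 198.51.100.11:23 SYN
2016-10-21T11:03:01Z 192.168.1.20:33003 -> 203.0.113.55:2323 SYN
2016-10-21T11:03:01Z 192.168.1.20:33004 -> 198.51.100.12:23 SYN
2016-10-21T11:03:02Z 192.168.1.20:33005 -> 198.51.100.13:23 SYN
2016-10-21T11:03:02Z 192.168.1.20:33006 -> 198.51.100.14:23 SYN
2016-10-21T11:05:00Z 192.168.1.50:45000 -> 192.168.1.20:23 ACCEPT
2016-10-21T11:06:00Z 192.168.1.50:45001 -> 198.51.100.99:23 SYN
2016-10-21T11:07:00Z malformed record
"""


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    action: str


def parse_line(line):
    """Parse one record; return None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    src, sport = parts[1].rsplit(":", 1)
    dst, dport = parts[3].rsplit(":", 1)
    try:
        return Flow(src, int(sport), dst, int(dport), parts[4])
    except ValueError:
        return None


def parse_log(text):
    """Parse a whole log, silently skipping lines that do not match."""
    return [f for f in (parse_line(line) for line in text.splitlines()) if f]


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def find_exposed_telnet(flows):
    """Internal hosts that completed a telnet connection from an external
    source: {host: sorted list of external client addresses}."""
    exposed = defaultdict(set)
    for f in flows:
        if (f.dport in TELNET_PORTS and f.action == "ACCEPT"
                and is_internal(f.dst) and not is_internal(f.src)):
            exposed[f.dst].add(f.src)
    return {host: sorted(srcs) for host, srcs in exposed.items()}


def find_telnet_scanners(flows, threshold=SCAN_THRESHOLD):
    """Internal hosts that contacted at least `threshold` distinct external
    addresses on a telnet port: {host: number of distinct targets}."""
    targets = defaultdict(set)
    for f in flows:
        if (f.dport in TELNET_PORTS and is_internal(f.src)
                and not is_internal(f.dst)):
            targets[f.src].add(f.dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


def audit(text):
    """Run both checks over a log and return the findings together."""
    flows = parse_log(text)
    return {"exposed": find_exposed_telnet(flows),
            "scanning": find_telnet_scanners(flows)}


if __name__ == "__main__":
    for kind, hits in audit(SAMPLE_LOG).items():
        print(f"{kind}: {hits}")
```

The two checks are deliberately independent: a device can expose telnet without ever being infected, and an infected device may have been compromised by other means, so each finding is actionable on its own (block inbound telnet at the edge, or isolate the scanning host). Only ACCEPTed inbound connections count as exposure, so scattered external SYNs against a closed port do not raise a false alarm; the outbound check counts distinct targets rather than packets, which is what distinguishes scanning from a few legitimate sessions to one remote host.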