
Interesting. This set of attacks is coming from real IP addresses. (SYN floods and single-packet UDP-based attacks use a totally bogus source IP address.) The device can be talked to and potentially located. Somebody needs to be finding some of those devices and analyzing them. How are they controlled? IRC? Some set of known domains or IP addresses? A self-healing mesh network? All of those have been used, and most modern botnets have a quite sophisticated control network. This provides robustness and conceals the actual controller. In modern botnets, everything is encrypted, so it's hard to take over the botnet.[1]

Attacks from real IP addresses are potentially blockable upstream. That's only a temporary fix. The device, if behind a NAT, can request a new IP address and evade the block. It may do so periodically, just to confuse the issue. At least you can block a hostile IP at a firewall, so it can't use server resources. That's what Cloudflare is doing.

On the legal front, it's worth suing makers of vulnerable devices for negligence. Their EULA will not protect them, because the victim isn't their customer and isn't a party to the EULA. A few court orders to recall a product might get the attention of the IoT industry.

[1] https://www.damballa.com/downloads/r_pubs/WP_Botnet_Communic...




On the legal front, it's worth suing makers of vulnerable devices for negligence.

Where does one sue the no-name Chinese manufacturers of these devices? I have a feeling a lawsuit won't get very far in Shenzhen Municipal Court. There's absolutely no consequences to them building these devices and you cannot expect a solution from them.


Nolo Press: "In between the manufacturer and the retailer, there may be any number of wholesalers, suppliers, distributors, or other "middlemen." Each and all are part of the chain of distribution of the defective product, are therefore potentially liable, and should be named as defendants in your defective product lawsuit."

Cloudflare can start by suing a retailer. That's likely to result in the retailer pulling all merchandise from the offending vendor, even before the lawsuit gets very far. (Otherwise, they move to a higher tier of negligence and damages for knowingly allowing the problem to persist.) That will start to get the attention of manufacturers.

See this article.[1]

[1] http://www.techrepublic.com/article/lock-it-down-ddos-attack...


Lots of this crap gets shipped straight from China by a distributor on Amazon. Try to sue them and I'm sure they'll just disappear and come back with a different name.


Sue Amazon?


Sue the importers then, and/or file ITC complaints.


Who says there is an importer and not a Chinese retail site or eBay seller?


To my knowledge most of the C&C protocols are unsophisticated [0].

For now there is little evidence that says the bots are behind NATs. I'm pretty sure this will come, though. In the blog post I stated that there is an indication that port 23/telnet is or was open in the past.

Blacklisting IP addresses is indeed effective for L7 attacks. It's harder for L3, where the source IPs could be spoofed.

[0] https://medium.com/@cjbarker/mirai-ddos-source-code-review-5...
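The point above (a source-IP blocklist works for layer-7 traffic, because the client completed a TCP handshake and its address is real, but not for spoofed layer-3 floods) as an added, runnable example. This is not code from the thread or from any project it mentions; the log lines, addresses (RFC 5737 documentation ranges), thresholds and block TTL are all constructed for the example. The TTL reflects the earlier remark that a device behind NAT may turn up on a new address, so a block entry should expire rather than live forever.

```python
"""Per-source request-rate blocklist built from constructed HTTP access log
lines (layer 7). Because each logged request followed a completed TCP
handshake, the source address is genuine and can be blocked. The same
counter applied to raw SYN packets (layer 3) would be meaningless: a SYN
flood never completes the handshake, so its source field is whatever the
sender wrote, and blocking on it would hit arbitrary innocent addresses.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log in common log format. 203.0.113.7 bursts eight
# requests in three seconds; the other two clients are normal browsing.
SAMPLE_LOG = """\
203.0.113.7 - - [21/Oct/2016:13:00:00 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [21/Oct/2016:13:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.7 - - [21/Oct/2016:13:00:00 +0000] "GET / HTTP/1.1" 200 512
192.0.2.44 - - [21/Oct/2016:13:00:00 +0000] "GET /about HTTP/1.1" 200 800
203.0.113.7 - - [21/Oct/2016:13:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [21/Oct/2016:13:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [21/Oct/2016:13:00:02 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [21/Oct/2016:13:00:02 +0000] "GET / HTTP/1.1" 200 512
192.0.2.44 - - [21/Oct/2016:13:00:12 +0000] "GET /contact HTTP/1.1" 200 700
203.0.113.7 - - [21/Oct/2016:13:00:03 +0000] "GET / HTTP/1.1" 200 512
203.0.113.7 - - [21/Oct/2016:13:00:03 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [21/Oct/2016:13:00:30 +0000] "GET /news HTTP/1.1" 200 2048
192.0.2.44 - - [21/Oct/2016:13:00:24 +0000] "GET /faq HTTP/1.1" 200 600
this line is not a log entry and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, aware datetime) for a common-log-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)


def find_abusive_sources(log_text, threshold=5, window=timedelta(seconds=10)):
    """Sliding-window rate check per source.

    Returns {ip: timestamp of the request that pushed the count above
    `threshold` within `window`}. Sources that never exceed it are omitted.
    """
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            per_ip[ip].append(ts)

    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # drop requests older than the window
                start += 1
            if end - start + 1 > threshold:
                offenders[ip] = ts
                break
    return offenders


def build_blocklist(offenders, ttl=timedelta(minutes=15)):
    """Map each offending source to an expiry time; entries are temporary
    because a NAT'd client may reappear on a different address anyway."""
    return {ip: seen + ttl for ip, seen in offenders.items()}


def is_blocked(blocklist, ip, now):
    """True if `ip` has an unexpired block entry at time `now`."""
    expiry = blocklist.get(ip)
    return expiry is not None and now < expiry


def demo(log_text=SAMPLE_LOG):
    """Run the whole pipeline over the constructed log and summarise the result."""
    offenders = find_abusive_sources(log_text)
    blocklist = build_blocklist(offenders)
    first_ts = parse_line(log_text.splitlines()[0])[1]
    return {
        "blocked": sorted(blocklist),
        "first_offence": offenders["203.0.113.7"].isoformat(),
        "blocked_after_5min": is_blocked(blocklist, "203.0.113.7", first_ts + timedelta(minutes=5)),
        "blocked_after_1h": is_blocked(blocklist, "203.0.113.7", first_ts + timedelta(hours=1)),
        "normal_client_blocked": is_blocked(blocklist, "198.51.100.9", first_ts),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The output of `demo()` is what a firewall or edge rule would consume: one bursting source is listed, its entry lapses after the TTL, and the two ordinary clients are never touched. Nothing here inspects packet headers, which is the point: the decision rests on requests that a real, reachable host actually sent.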


Don't sue the makers.

Sue the people who own and use the devices.

The first few times will be ugly and unfortunate, but if it becomes clear that buying a vulnerable device and installing it in your home is a potentially life-ruining liability, people will quickly stop buying and using the devices. And without a market for insecure IoT gadgets, well, one way or another we won't have insecure IoT gadgets.


How do you decide who to sue? If your device is part of a botnet there may be thousands of owners partially responsible. Most of them are probably in a different country.


All you have to do is hit a few people in the US. This is, ironically, one of the few cases where looking up IP addresses and ISP records works, since the issue here is not "some random person on my wifi pirated a movie", but rather "you owned this device which was part of a botnet".

Once a few Americans have been hit with ruinous lawsuits, the market for insecure devices will collapse, worldwide, overnight.


...Are you seriously advocating to cause financial ruin to many persons for buying a device they didn't know was vulnerable and being attacked by someone?

I don't even know what to say. Aside from the fact that you're clearly not targeting the right thing.


I'm saying that if someone seriously wants to end insecure IoT gadgets, there is nowhere else in the chain, other than the end consumer, to usefully target. Manufacturers are typically overseas in jurisdictions where the appropriate regulations won't reach, and retailers can be bypassed by online sales and delivery. So if you want to use the threat of lawsuit to discourage insecure devices, the end user who purchases the device is the only entity in the chain who can be targeted.

And, you have to admit, it'd be effective: the market would instantly collapse if device owners could be held liable for damage caused by their devices.

