Thanks for the link.
-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

----- Original Message -----

From: "Ray Van Dolson" <rvandol...@esri.com>
To: "Mike Hammett" <na...@ics-il.net>
Cc: nanog@nanog.org
Sent: Saturday, October 22, 2016 5:35:50 PM
Subject: Re: Death of the Internet, Film at 11

https://urldefense.proofpoint.com/v2/url?u=http-3A__hub.dyn.com_dyn-2Dblog_dyn-2Dstatement-2Don-2D10-2D21-2D2016-2Dddos-2Dattack&d=DQIBAg&c=n6-cguzQvX_tUIrZOS_4Og&r=5PqhtPogDeswmEQMQZk1IQ&m=6rpDhHbntFiyuuA6uUxOIVfEwHY13H9SH6zBwx93OBE&s=QIsYvf_c8f_VWuMbYe7DbF58d1UqsbxJBEjf8CYotcc&e=

On Sat, Oct 22, 2016 at 04:48:01PM -0500, Mike Hammett wrote:
> Until Dyn says or someone says Dyn said, everything is assumed.
>
> ----- Original Message -----
>
> From: "Peter Baldridge" <petebaldri...@gmail.com>
> To: "Jean-Francois Mezei" <jfmezei_na...@vaxination.ca>
> Cc: nanog@nanog.org
> Sent: Saturday, October 22, 2016 4:45:13 PM
> Subject: Re: Death of the Internet, Film at 11
>
> On Sat, Oct 22, 2016 at 1:47 PM, Jean-Francois Mezei
> <jfmezei_na...@vaxination.ca> wrote:
> > Generic question:
> >
> > The media seems to have concluded it was an "internet of things" that
> > caused this DDoS.
> >
> > I have not seen any evidence of this. Has this been published by an
> > authoritative source or is it just assumed?
>
> Flashpoint[0], krebs[1], arstechnica[2]. I'm not sure what credible
> looks like unless they release a packet but this is probably
> consensus.
>
> > Has the type of device involved been identified?
>
> routers and cameras with shitty firmware [3]
>
> > Is it more plausible that those devices were "hacked" in the OEM
> > firmware and sold with the "virus" built-in ? That would explain the
> > widespread attack.
>
> The source code has been released. krebs [4], code [5]
>
> > Also, in cases such as this one, while the target has managed to
> > mitigate the attack, how long would such an attack typically continue
> > and require blocking ?
>
> This is an actual question that hasn't been answered.
>
> > Since the attack seemed focused on eastern USA DNS servers, would it be
> > fair to assume that the attacks came mostly from the same region (aka:
> > devices installed in eastern USA) ? (since anycast would point them to
> > that).
>
> Aren't heat maps just population graphs?
>
> > BTW, normally, if you change the "web" password on a "device", it would
> > also change telnet/SSH/ftp passwords.
>
> Seems like no one is doing either.