[Discuss] The Mirai botnet

[richb at pioneer.ci.net (Rich Braun)]

I haven't seen a discussion here yet about the DDOS attacks of 20-Sep and
21-Oct; it affected me at my work because we're a Dyn customer (and hadn't
ever gotten around to setting up secondary servers; we're finally starting to
talk about putting SPOF-elimination on our roadmap, but you can imagine how
non-glamorous those things are to the higher-ups so who knows how much time
we'll have budgeted).

What's got me curious about all the mainstream-media hype about the Mirai
botnet is--where are those 300,000 devices installed, what brands of products
are they, were they compromised remotely or did they get infected before they
left the (physical) factory, and what can we/the router vendors/the Linux
community do to prevent such attacks from  being successful in the future?

As an example, at home I have two of those Linux-based Chinese webcams
installed at my house, brand name Dahua, never changed the default password.
My network is connected to the Internet with a ho-hum Netgear router.

Default UPnP config of the NetGear: enabled
Default UPnP config of the Dahua units: disabled

I never would've given UPnP much thought if it weren't for this week's breach;
I would've expected that router vendors would leave TCP/IP ports **closed**
unless I explicitly opened them.  Now that I see what UPnP does, it's
horrendous. It seems that NetGear, DLink and Linksys ship routers with UPnP
enabled, and ports wide open to the Internet, just so they don't have to deal
with customer-service headaches caused by people having trouble enabling IoT
devices on their LAN.

This seems like a wake-up call: if usability of IoT devices for cloud services
is that important, they'll need to be designed with a different protocol than
UPnP--that's my initial $0.02 as I try to catch up on this particular DDOS
event. In the meantime, it looks like the router vendors will need to send out
a software updates, and whatever IoT device vendors are exploited will have to
issue a recall notice.

This looks like a world-class mess. What do y'all think? How do we shut down
Mirai and block future botnets from exploiting IoT? (And have you checked your
own devices' UPnP settings? Is there really any good reason to ever use
UPnP--I certainly don't need it...)

-rich