Making Home Routers Easier To Use In Future DDoS Attacks

One of the limiting factors in large-scale Internet attacks like the one last week is the time it takes to scan the Internet. But new research suggests there are easier methods, and this bodes poorly for the future.

Posting on IOActive's blog, Ehab Hussein (@__obzy__) and Sofiane Talmat (@_Sud0) walk through the steps necessary to identify large blocks of CPEs (customer premises equipment) "such as routers, modems, and set-top boxes" that are the "weak link behind many major attacks occurring across the web today." In particular, they call out features such as "updateable firmware, default passwords, port forwarding, [and] accessibility over http or telnet."

The other problem is that a simple WHOIS lookup can reveal the blocks of network addresses used by carriers, ISPs, and even whole countries. This detail includes whether the addresses are used for ADSL, DSL, Wi-Fi, or plain Internet users. From this, an attacker might infer what type of box sits at the other end, since cable providers, for instance, tend to issue the same hardware with the same settings across their customer base.

The blog shows how the researchers were able to identify 400,000 CPEs within a limited netblock that might be vulnerable to both telnet and http access using their default passwords. This vastly simplifies the process of scanning for such devices that would have been necessary a few years earlier. They then walk through how someone might use commonly available software to reconfigure the firmware on the CPE and create remote access.

So what's the worst that could happen?

The researchers say a remote attacker could mount a denial-of-service attack, manipulate website traffic, damage a company's reputation with false news, make money by redirecting traffic to a pay-per-click site, shut down RADIUS, LDAP and other ISP services by continually rebooting the hardware, or just steal user credentials from banking and social networking sites.

The researchers do suggest solutions at the end of the blog post, including having the ISP check the settings on each CPE and block access for devices whose firmware has been altered.
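As an added illustration of that ISP-side mitigation (example code written for this summary, not from IOActive or the researchers), the script below audits a constructed CPE inventory: it compares each device's firmware hash against a hypothetical known-good image for its model and flags management interfaces reachable from the WAN while the default password is still set. Model names, hashes and device records are all constructed for the example.

```python
"""ISP-side CPE audit (added example, not from the original post).

Flags devices whose firmware does not match the known-good image for
their model, and devices exposing telnet/http management on the WAN
while still using the default password."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical known-good firmware hashes per CPE model (constructed).
KNOWN_GOOD: Dict[str, str] = {
    "ModelA-v1": hashlib.sha256(b"ModelA firmware 1.0 (constructed)").hexdigest(),
    "ModelB-v2": hashlib.sha256(b"ModelB firmware 2.0 (constructed)").hexdigest(),
}

@dataclass
class CPE:
    device_id: str
    model: str
    firmware_sha256: str   # hash reported by the device (or by an inventory probe)
    wan_telnet: bool       # telnet reachable from the WAN side
    wan_http: bool         # http management reachable from the WAN side
    default_password: bool # factory credential never changed

def audit(cpe: CPE) -> List[str]:
    """Return the findings for one device, most severe first."""
    findings: List[str] = []
    expected = KNOWN_GOOD.get(cpe.model)
    if expected is None:
        findings.append("unknown-model")
    elif cpe.firmware_sha256 != expected:
        findings.append("firmware-altered")
    if cpe.wan_telnet or cpe.wan_http:
        findings.append("default-creds-exposed" if cpe.default_password
                        else "wan-management-exposed")
    return findings

def should_block(cpe: CPE) -> bool:
    """Quarantine per the article's mitigation: altered firmware, or a
    default password reachable over the WAN. Exposed management with a
    changed password is only reported, not blocked."""
    f = audit(cpe)
    return "firmware-altered" in f or "default-creds-exposed" in f

# Constructed inventory: clean, altered firmware, default creds on WAN, WAN http only.
SAMPLE: List[CPE] = [
    CPE("cpe-001", "ModelA-v1", KNOWN_GOOD["ModelA-v1"], False, False, False),
    CPE("cpe-002", "ModelA-v1", hashlib.sha256(b"tampered").hexdigest(), False, False, False),
    CPE("cpe-003", "ModelB-v2", KNOWN_GOOD["ModelB-v2"], True, False, True),
    CPE("cpe-004", "ModelB-v2", KNOWN_GOOD["ModelB-v2"], False, True, False),
]

def run() -> Dict[str, List[str]]:
    return {c.device_id: audit(c) for c in SAMPLE}
```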