"There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords."
How was it ascertained that the source was compromised IoT devices? The only way I could imagine being able to determine that is by looking at the vendor bits on the MAC addresses of the source. But being that IoT devices are generally on a LAN with some RFC 1918 address, you wouldn't have that information. You wouldn't even have the MAC address of the default gateway that routed it.
You can ascertain information pointing towards specific IoT devices from things like HTTP header information. I saw a blog post a couple of months ago detailing how the author ID'd an IoT DDoS botnet, which I can't find now, but here is a similar one: https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-...
> The only way I could imagine being able to determine that is by looking at the vendor bits on the MAC addresses of the source. But being that IoT devices are generally on a LAN with some RFC 1918 address, you wouldn't have that information.
You're not going to have that even if the device has a public IP, unless it is a public IPv6 address on a device not using privacy extensions.
MAC addresses are link local only and are not transmitted beyond their local layer 2 network.
There is device fingerprinting that you can do on the peculiarities of individual IP stack implementations, but honestly, without solid proof or explanations from Krebs, the way he is holding himself out as a martyr over this leads me not to believe the sensational claims he's making over the event.
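As an added illustration of the two points made in this comment (not code from any of the commenters, from Krebs, or from the linked Sucuri post), the script below shows how far you can actually get from source addresses alone: an RFC 1918 IPv4 source carries no vendor information and should not even reach you unNATed, a random IPv6 interface identifier (privacy extensions) reveals nothing, and only an IPv6 address whose interface identifier is a modified EUI-64 (RFC 4291, Appendix A) lets you recover the MAC and therefore the OUI. The sample addresses are constructed from documentation ranges (RFC 5737 and RFC 3849), not from any real attack.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample of "attack source" addresses using documentation ranges.
# These are NOT data from the Krebs attack or any other real event.
SAMPLE_SOURCES: List[str] = [
    "203.0.113.17",                     # public-looking IPv4: no MAC information at all
    "198.51.100.200",
    "10.0.0.5",                         # RFC 1918: only seen if NAT/anti-spoofing failed
    "2001:db8::211:22ff:fe33:4455",     # IPv6 with a modified-EUI-64 interface ID
    "2001:db8::9c4a:1f0e:7b2d:3e88",    # IPv6 with a random (privacy-style) interface ID
    "2001:db8:1::1a2b:3cff:fe4d:5e6f",  # another EUI-64 interface ID
]

RFC1918_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True only for the three RFC 1918 IPv4 ranges (narrower than is_private)."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC embedded in a modified-EUI-64 interface identifier.

    Modified EUI-64 splits the 48-bit MAC, inserts 0xfffe between the OUI and
    the device-specific half, and inverts the universal/local bit (0x02 of the
    first octet). Returns None when the 0xfffe marker is absent, which is the
    case for RFC 4941 privacy addresses and most manually assigned ones.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    iid = ip.packed[8:]                 # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None
    first = iid[0] ^ 0x02               # undo the U/L bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify_source(addr: str) -> str:
    """Label one source address by how much vendor information it leaks."""
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if is_rfc1918(addr):
        return "rfc1918"
    mac = mac_from_eui64(addr)
    if mac is not None:
        return f"eui64 {mac} (oui {mac[:8]})"
    return "opaque"


def classify_sources(addrs: List[str]) -> Dict[str, str]:
    return {a: classify_source(a) for a in addrs}


def count_exposing_oui(addrs: List[str]) -> int:
    """How many sources expose a MAC OUI at all (EUI-64 IPv6 only)."""
    return sum(1 for a in addrs if mac_from_eui64(a) is not None)


if __name__ == "__main__":
    for addr, label in classify_sources(SAMPLE_SOURCES).items():
        print(f"{addr:34} {label}")
    print(f"{count_exposing_oui(SAMPLE_SOURCES)} of {len(SAMPLE_SOURCES)} sources expose an OUI")
```

Two caveats a practitioner would add: an OUI identifies the NIC vendor, not the product, so even a recovered MAC only hints at a device class; and a random interface identifier can contain 0xfffe by chance, so a hit should be corroborated (for example by the HTTP banner or TCP stack fingerprinting mentioned above, which needs packet captures rather than address lists).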