Hacked cams played a big role in the DoS attack earlier this week?

nayr

@PSPCommOp, https://www.ipcamtalk.com/showthread.php/13369-Dahua-Enable-Telnet then see if you can reach the internet from em, you should be able to try to ping out of the camera directly to some known external IPs.. if you get a timeout or connection reset then it's definitely being blocked

Code:
~ # ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
^C
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 packets received, 100% packet loss
you can also try pinging your router's IP too and make sure it's what's blocking it.
 

PSPCommOp

I have Hikvision cams. I'm just not totally sure I set it up in my router to block them correctly. I think I did but I'm not knowledgeable enough to know how to test them.


 

nayr

add a phone/tablet or something to your group/rules that you use for blocking traffic and it should have the same effect you can test..

or post up some screen caps of your firewall rules and we can tell you; non-routable IPs are not sensitive information.. I can scan all non-routable IPs on your network in just a few mins.
 

riceandbeans

Ping may not be the most reliable measure of ensuring outbound comms are blocked. Also I can confirm that I've got a few cams on a VLAN that _constantly_ try to get outbound access and open ports. They'll try to get to IPs in Russia, China, etc. I'm sure they'd be on a botnet if they weren't walled off in a VLAN.
@nayr - mind if I ask what you're using for an at-home firewall solution? I'm looking at possibly migrating to a VM with pfSense or possibly getting a MikroTik.
 

PSPCommOp

> add a phone/tablet or something to your group/rules that you use for blocking traffic and it should have the same effect you can test..
>
> or post up some screen caps of your firewall rules and we can tell you; non-routable IPs are not sensitive information.. I can scan all non-routable IPs on your network in just a few mins.

Thanks man I appreciate it.

This is the top of the screen with the instructions that I followed putting them on the blacklist.

And this is the bottom part of that screen. I have all the IP Addresses for my cameras listed and I have Port 80 for the range. It defaulted to TCP so I'm hoping that's correct.





 

nayr

I'm using an Ubiquiti EdgeRouter PoE, mainly for GigE subnet routing.. I have a lot of VLANs and pfSense was not performing without a massive power footprint.

all the cameras, displays and other IoT devices are on their own subnet.. firewall blocks rules to/from all networks except for the NVR is allowed access to the main lan on select ports.. My automation server has internet access and a dedicated IP, it runs timesync, VoIP and mailserver for the IoT lan..

the EdgeRouter runs a RADIUS server and does x509 auth for the wifi access points and VPN, without a cert you don't get on the main lan where the fileservers, workstations, phones, tablets, printers, etc are on.
 

jasauders

Maybe not related, or maybe related: I noticed Wireshark has a ton of entries from two of my six cameras. The two in particular are Hikvision -- the rest EyeSurv, which don't seem to populate any entries at all. This is just when running Wireshark on my laptop.

It's a slew of entries, citing "who has external.ip.address.here? Tell 192.168.1.60".

Maybe it's nothing, but it raised an eyebrow. Anybody see that before?
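
An added example (not part of any post in this thread) for triaging the kind of Wireshark output described above: it flags ARP requests whose target lies outside the LAN. The `192.168.1.0/24` subnet, the function name and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in Wireshark's ARP "Info" style; the external
# addresses are documentation ranges (RFC 5737), not values from the thread.
SAMPLE_CAPTURE = """\
Who has 192.168.1.1? Tell 192.168.1.60
Who has 203.0.113.25? Tell 192.168.1.60
Who has 198.51.100.7? Tell 192.168.1.61
Who has 192.168.1.10? Tell 192.168.1.62
Who has 203.0.113.25? Tell 192.168.1.60
"""

ARP_RE = re.compile(r"Who has (\S+?)\? Tell (\S+)")

def off_subnet_arp(capture_text, lan="192.168.1.0/24"):
    """Return {sender: sorted targets} for ARP requests aimed outside the LAN.

    A host normally ARPs only for on-link addresses and hands everything else
    to its gateway, so an ARP request for an off-subnet target is worth a look.
    """
    lan_net = ipaddress.ip_network(lan)  # assumed LAN subnet
    findings = {}
    for line in capture_text.splitlines():
        m = ARP_RE.search(line)
        if not m:
            continue
        try:
            target = ipaddress.ip_address(m.group(1))
            sender = ipaddress.ip_address(m.group(2))
        except ValueError:
            continue  # redacted or malformed address, skip the line
        if sender in lan_net and target not in lan_net:
            findings.setdefault(str(sender), set()).add(str(target))
    return {s: sorted(t) for s, t in findings.items()}

if __name__ == "__main__":
    for sender, targets in off_subnet_arp(SAMPLE_CAPTURE).items():
        print(f"{sender} is ARPing for off-subnet addresses: {', '.join(targets)}")
```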
 

j4co

My cams sit on an isolated network, intend to hook them up behind pfSense so I can have some ports for access, but I still have issues with IGMP proxy and VLANs with pfSense (of which they think no one uses it)
 

copex

on any device you wish to block from the Internet set the default gateway to 127.0.0.1 or an unused IP address on your network :) this will stop the device connecting to anything outside of the local subnet :)
 

jasauders

Interesting yet simple idea. I'll have to try that. I assume since the cameras have a static ip it won't be an issue. Likewise, I don't suspect it would have issues connecting to my server for recording, or me seeing feeds externally since I'm pulling them from the recording server and not the actual cameras. I'll have to test it and see. Thanks for the suggestion.
 

nayr

> on any device you wish to block from the Internet set the default gateway to 127.0.0.1 or an unused IP address on your network :) this will stop the device connecting to anything outside of the local subnet :)

normally this is what I would have suggested too.. but it can screw with a lot of VPN setups.. if the router throws VPN clients on a different subnet and routes traffic back and forth to the LAN subnet.. then any devices without gateways set up will be unreachable.

if it wasn't a total PITA to troubleshoot the issue I might be more for it.. but I think some people give up VPN setups because they don't realize this was why nothing was working.
 

jasauders

> on any device you wish to block from the Internet set the default gateway to 127.0.0.1 or an unused IP address on your network :) this will stop the device connecting to anything outside of the local subnet :)

So I got around to trying this tonight. When I put in the loopback as my gateway, the firmware refused to apply the settings, citing an invalid address. For nothing more than kicks, I just put the camera's own IP as the gateway and rebooted them. This made no change.

I set them back to their regular gateway and looked further. DDNS, UPnP, etc. were all disabled. Eventually I found a link suggesting Hikvision's DDNS service is on by default. I looked again -- nope, checkbox definitely not ticked. Through the discussion I was reading, it sounded like there was some evidence suggesting Hikvision defaults DDNS on. I didn't see any screenshots of users confirming that it was enabled by default visually, but I ran with it. I ended up enabling DDNS, hit save, disable DDNS, hit save, rebooted. This removed the traffic I was seeing earlier about the external IPs and the Hikvisions having any sort of chatter. Looks good now. :D
 

rotorwash

It looks like you are just blocking inbound port 80 to those cameras. What router/software is it and are you able to specify a port range, or use port 0? Something to think about, are you using NTP on the cameras and what do you have configured for a time server?

You are also listing the cameras as the destination address instead of the source address. You will want to swap them. If you don't have port forwards set up, no need for an inbound rule with your cameras as the destination.
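
An added example (not part of any post in this thread) of the source/destination point made above: a small first-match rule evaluator run against constructed outbound flows, comparing a rule shaped like the one described (cameras as destination, TCP port 80) with a corrected one. The camera range, the placeholder time-server address, the default-accept policy and all names are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")
CAMS = ipaddress.ip_network("192.168.1.64/29")       # assumed camera range
NTP_SERVER = ipaddress.ip_network("192.0.2.123/32")  # placeholder time server

@dataclass
class Rule:
    action: str                # "drop" or "accept"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"         # "tcp", "udp" or "any"
    dport: int = 0             # 0 = any port

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and self.proto in ("any", proto)
                and self.dport in (0, dport))

def verdict(rules, src, dst, proto, dport, default="accept"):
    """First matching rule wins; unmatched traffic gets the (assumed) default."""
    for rule in rules:
        if rule.matches(src, dst, proto, dport):
            return rule.action
    return default

# As described in the reply: cameras as destination, TCP port 80 only.
AS_POSTED = [Rule("drop", ANY, CAMS, "tcp", 80)]
# Corrected: cameras as source, every protocol and port, with one NTP exception.
CORRECTED = [Rule("accept", CAMS, NTP_SERVER, "udp", 123),
             Rule("drop", CAMS, ANY)]

# Constructed outbound flows from one camera (destinations are RFC 5737 addresses).
FLOWS = [("192.168.1.66", "203.0.113.25", "tcp", 80),
         ("192.168.1.66", "203.0.113.25", "tcp", 443),
         ("192.168.1.66", "198.51.100.7", "udp", 53),
         ("192.168.1.66", "192.0.2.123", "udp", 123)]

def outbound_verdicts(rules):
    return [verdict(rules, *flow) for flow in FLOWS]

if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(name, outbound_verdicts(rules))
```

The as-posted rule only ever matches traffic addressed to a camera, so every camera-originated flow falls through to the default.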
 

jasauders

> It looks like you are just blocking outbound port 80 from those cameras. What router/software is it and are you able to specify a port range, or use port 0? Something to think about, are you using NTP on the cameras and what do you have configured for a time server?

Yeah I'm using NTP. They're syncing with ntp.ubuntu.com every half hour. I forget the exact model router -- it's a new one. Netgear AC1600 of some sort. The only port forwarded is to my server to connect to the live feeds over SSL. Nothing is forwarded for the cameras themselves.

The requests I was getting before were 3-4 dozen requests within about 2 or 3 full seconds' time. It certainly didn't strike me as NTP, but perhaps something else. When I looked more closely at what external IPs were listed (3 unique external IPs in total), they seem to be Amazon AWS instances.

I wish I had saved the link I read regarding Hikvision DDNS, but the discussion suggested it's not really "off" until you, the user, switch it to "off". It was a similar set of circumstances -- a user running Wireshark picked up on the output and questioned it, much like I did in my case.

Either way, seems to be good now. Just seems a bit goofy, since mine was switched off, yet when I toggled it on, then off again, the traffic stopped.
 