[CWN-Summit] FYI: OpenWRT/DDWRT-based botnet causing DDOS attack

Ben West westbywest at gmail.com
Tue Mar 24 13:53:52 CDT 2009


From Slashdot:

"The people who bring you the DroneBL DNS Blacklist services, while
investigating an ongoing DDoS incident, have discovered a botnet
composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices
all appear to be vulnerable. What makes this worm impressive is the
sophisticated nature of the bot, and the potential damage it can do
not only to an unknowing end user, but to small businesses using
non-commercial Internet connections, and to the unknowing public
taking advantage of free Wi-Fi services. The botnet is believed to
have infected 100,000 hosts." A followup to the article notes that the
bot's IRC control channel now claims that it has been shut down,
though the ongoing DDoS attack on DroneBL suggests otherwise.
http://it.slashdot.org/article.pl?sid=09/03/23/2257252&art_pos=14

Here is a related post on the DD-WRT forums.
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=278399

Here is the announcement from DroneBL.
http://www.dronebl.org/blog/8

The DroneBL site being attacked is not available, probably because of
the DDoS attack itself and the Slashdot effect, but apparently you can tell if
your router has been compromised if you can no longer SSH in.

Another compelling argument for using long, complex passwords on any
login port you open up to the outside, or at least key-based login.

-- 
Ben West
westbywest at gmail.com

