OpenWRT/DDWRT-based botnet causing DDOS attack

General discussion about Gargoyle, OpenWrt or anything else even remotely related to the project

westbywest
Posts: 14
Joined: Wed Feb 11, 2009 6:24 pm

OpenWRT/DDWRT-based botnet causing DDOS attack

Post by westbywest »

From Slashdot:
"The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts." A followup to the article notes that the bot's IRC control channel now claims that it has been shut down, though the ongoing DDoS attack on DroneBL suggests otherwise.
http://it.slashdot.org/article.pl?sid=0 ... art_pos=14

Here is a related post on DDWRT forums.
http://www.dd-wrt.com/phpBB2/viewtopic.php?p=278399

Here is the announcement from DroneBL.
http://www.dronebl.org/blog/8

The dronebl site being attacked is not available, probably because of the DDoS attack itself and the Slashdot effect, but apparently you can tell if your router has been compromised if you can no longer SSH in.

Another compelling argument for using long, complex passwords on any login port you open up to the outside, or at least key-based login.

westbywest
Posts: 14
Joined: Wed Feb 11, 2009 6:24 pm

Re: OpenWRT/DDWRT-based botnet causing DDOS attack

Post by westbywest »

Here is a cached copy (via Yahoo) of the DroneBL announcement at http://www.dronebl.org/blog/8

This provides details of how the botnet infects more machines. They estimate *100,000* infected machines!

http://74.6.239.67/search/cache?ei=UTF- ... 1&.intl=us

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: OpenWRT/DDWRT-based botnet causing DDOS attack

Post by Eric »

You're only vulnerable if you've enabled remote access via SSH -- this is disabled by default in Gargoyle, as well as in default OpenWrt and DD-WRT.

Further, you're probably fine if you've set a strong password -- this botnet was constructed by guessing passwords of people with remote ssh active. I currently have remote SSH enabled, but my router has a strong password and it seems fine. Also, it may help to set the remote SSH port to a non-standard port (i.e. not port 22).

As far as I can tell, this isn't something to be too concerned about -- it doesn't look like it was something serious like a security flaw in dropbear.

It sounds like a bunch of people got compromised because they were being idiots. Nothing to see here, move along.

hotzenpl0tz
Posts: 51
Joined: Thu Dec 18, 2008 1:11 pm

Re: OpenWRT/DDWRT-based botnet causing DDOS attack

Post by hotzenpl0tz »

Is there a way to configure the ssh daemon to exponentially increase the time for a login attempt after every failed attempt? That would make it harder to brute force the attack and still be safer for "idiots" (should have a max time of say 10-20 seconds though, so you can still login even if you are under attack by waiting those 20sec). Most users are idiots :D

edit: I am pretty sure I have been attacked by one of those brute force attacks trying to guess my password, some weeks ago I had an enormous list of failed login attempts in my log. So big actually that I wonder if that may even have disrupted internet activity for my LAN - kinda like a DDoS attack?
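A small script, added here as an example and not something from this thread or from Gargoyle, that turns the kind of "enormous list of failed login attempts" described above into one count per source address. It assumes the log lines carry dropbear's "Bad password attempt for 'user' from IP:port" or "Login attempt for nonexistent user from IP:port" wording; the sample log embedded below is constructed, not captured from a real router.

```shell
#!/bin/sh
# Added example (not from this thread or from Gargoyle): summarise dropbear
# password failures per source address from a syslog extract, so a burst of
# guesses shows up as one count per attacker instead of a wall of lines.
#
# Assumptions: lines carry dropbear's "Bad password attempt for 'user' from
# IP:port" or "Login attempt for nonexistent user from IP:port" wording; the
# sample below is constructed, not a real log.

SAMPLE_LOG="Mar 24 01:02:03 router authpriv.warn dropbear[1201]: Bad password attempt for 'root' from 192.0.2.10:53121
Mar 24 01:02:04 router authpriv.warn dropbear[1202]: Bad password attempt for 'root' from 192.0.2.10:53122
Mar 24 01:02:05 router authpriv.warn dropbear[1203]: Login attempt for nonexistent user from 192.0.2.10:53123
Mar 24 01:02:06 router authpriv.warn dropbear[1204]: Bad password attempt for 'admin' from 192.0.2.10:53124
Mar 24 01:05:10 router authpriv.warn dropbear[1210]: Bad password attempt for 'root' from 198.51.100.7:40001
Mar 24 01:06:00 router authpriv.info dropbear[1215]: Password auth succeeded for 'root' from 10.0.0.5:51000"

# Usage: bruteforce_sources THRESHOLD < logfile
# Prints "<failures> <ip>" for each source with THRESHOLD or more failed
# logins, most active first. Successful logins and other lines are ignored.
bruteforce_sources() {
    awk -v thr="$1" '
        /dropbear\[[0-9]+\]: (Bad password attempt for|Login attempt for nonexistent user)/ {
            src = $NF                 # last field is IP:port
            sub(/:[0-9]+$/, "", src)  # drop the ephemeral port
            fails[src]++
        }
        END {
            for (ip in fails)
                if (fails[ip] + 0 >= thr + 0) print fails[ip], ip
        }
    ' | sort -rn
}

# Demo on the constructed sample: flag anything with three or more failures.
printf '%s\n' "$SAMPLE_LOG" | bruteforce_sources 3
```

On an OpenWrt box the same function reads the ring buffer directly with `logread | bruteforce_sources 5`; a source that shows up with dozens of failures in a few minutes is the signature of the password-guessing described in this thread, and the counts also make it clear whether the traffic volume was anywhere near enough to explain a LAN slowdown.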

westbywest
Posts: 14
Joined: Wed Feb 11, 2009 6:24 pm

Re: OpenWRT/DDWRT-based botnet causing DDOS attack

Post by westbywest »

I simply use a non-standard port for SSH on the WAN. However, this is little beyond security-thru-obscurity.

Since OpenWRT (and thus Gargoyle) do not run a full sshd, but rather dropbear, and since the machine itself typically has very finite CPU, RAM, and disk resources, mechanisms against dictionary attacks would best be as simple as possible. E.g. ...

- limit number of failed logins per SSH connection, a la OpenSSH config options MaxAuthTries or MaxStartups
- implement port-knocking
- only allow public key auth for SSH on the WAN

Eric
Site Admin
Posts: 1443
Joined: Sat Jun 14, 2008 1:14 pm

Re: OpenWRT/DDWRT-based botnet causing DDOS attack

Post by Eric »

Alternatively, you can limit the number of login attempts per minute using iptables, though you have to edit the rules manually. See this thread, only use port 22 instead of 25.
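Since the linked thread is not reproduced here, the following is an added example (not Gargoyle's or OpenWrt's own firewall code) of the iptables approach: the `recent` match caps how many new connections a single source may open to the WAN-side SSH port within a time window. The interface name `eth0.2`, the port, the window and the hit count are placeholders passed in by the caller, and it assumes the kernel ships the `recent` match module.

```shell
#!/bin/sh
# Added example (not Gargoyle's or OpenWrt's own firewall code): build the
# iptables rules that cap new connections to the WAN-side SSH port per source
# address with the "recent" match, roughly HITCOUNT connections per window.
# Assumptions: the kernel has the recent match (xt_recent/ipt_recent); WAN_IF,
# PORT, SECONDS and HITCOUNT are placeholders supplied by the caller.

# Usage: ssh_ratelimit_rules PORT SECONDS HITCOUNT WAN_IF
# Prints the iptables commands, one per line, without running them.
ssh_ratelimit_rules() {
    port="$1"; seconds="$2"; hits="$3"; wan_if="$4"
    chain="ssh_wan_limit"
    # A private chain keeps rule order explicit: the DROP check comes first,
    # then the connection is recorded and control RETURNs to the normal INPUT
    # rules (which is where the existing "allow SSH on WAN" rule lives).
    # Deleting before inserting keeps repeated runs from stacking duplicates.
    cat <<EOF
iptables -N $chain 2>/dev/null || iptables -F $chain
iptables -A $chain -m recent --name ssh_wan --update --seconds $seconds --hitcount $hits -j DROP
iptables -A $chain -m recent --name ssh_wan --set -j RETURN
iptables -D INPUT -i $wan_if -p tcp --dport $port -m state --state NEW -j $chain 2>/dev/null
iptables -I INPUT -i $wan_if -p tcp --dport $port -m state --state NEW -j $chain
EOF
}

# Usage: apply_ssh_ratelimit PORT SECONDS HITCOUNT WAN_IF   (needs root)
apply_ssh_ratelimit() {
    ssh_ratelimit_rules "$@" | sh -e
}

# Stand-alone run only prints the rules for a non-standard SSH port; nothing
# touches the firewall until apply_ssh_ratelimit is called.
ssh_ratelimit_rules 2222 60 4 eth0.2
```

Two caveats worth knowing before relying on this. It counts connections, not failed passwords, so it slows down a guesser that reconnects for every attempt but does nothing about attempts made inside one session; that part is left to dropbear's own per-connection limit on authentication attempts. And the `recent` match keeps at most 20 timestamps per address by default, so a hit count above that needs the module's `ip_pkt_list_tot` parameter raised. Keep the window short (a minute is plenty) so that a legitimate user who trips the limit is only locked out briefly. To make the rules survive a reboot, call `apply_ssh_ratelimit` from whatever script the firewall runs at startup (on OpenWrt releases of this era that was `/etc/firewall.user`; where Gargoyle hooks in is an assumption to check against your build).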
