New Botnet Attack - How To Check My IoT Devices?

Apparently a new botnet appeared out of the blue that has various IoT devices (webcams etc) flooding the net with ddos attacks - ArsTechnica Article. Which is exactly one of the reasons I purchased my new Flint 2, so I could protect myself from things like this with a better firewall router.

As a new GL / Openwrt user, how would I check to see if my home security camera is doing something suspicious? I have my IoT devices configured on the Guest Network and enabled AP isolation for the Guest. So my other devices should be fine, but I'm not certain if that would prevent the camera from spamming someone else.

Thanks!

Hello,

The router has many firewall rules, one of which is the default: WAN cannot directly access the LAN.

In addition, the router has NAT: external networks are not able to access internal networks and cannot launch attacks on internal network devices.
Even if an attack occurs, it will only reach the router's WAN interface. The router does not have vulnerabilities that can be attacked, and these meaningless packets will be dropped/rejected.

BTW:
Please check whether your IoT device has suspicious code implanted and whether there is suspicious behavior.
Through the tcpdump plugin on the GL router, you can capture the network packets and analyze whether there is a suspicious IP.

1 Like

I knew that I was protected from a botnet attack - but you never really know what's baked into the FW on these cheap IoT cameras and the like, so I could unwittingly be spewing out bad karma to others. The tip to check tcpdump is what I'm looking for - thanks!

And if there's an easier way (gui?) to monitor outbound traffic, that would be helpful as well.

There is currently no GUI to check traffic on the router; the traffic captured with tcpdump will probably be clearer and more detailed.

You can export the tcpdump capture file and use Wireshark for inspection, which makes it easy to view.

Like:

tcpdump -i br-lan -w /tmp/iot_check.pcap
cp /tmp/iot_check.pcap /www/

Then access router IP + /iot_check.pcap in the browser to quickly export it, for example:
192.168.8.1/iot_check.pcap

1 Like
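An offline way to triage a capture exported as above, added here as an example that is not from the original thread and not part of GL.iNet's tcpdump plugin: a small pure-Python pcap reader that looks only at LAN-to-Internet packets, summarises them per device, and flags a host that opens connections to many distinct destinations, sends outbound SYNs at a high rate, or talks to plaintext services (HTTP, Telnet, DNS). That last check goes a little beyond this post and answers the "HTTP or HTTPS" question raised later in the thread. The 192.168.8.x subnet is the router address quoted above; the camera, laptop and outside addresses, the packet contents, the timestamps and the thresholds are all constructed, and the sample capture is built in memory so the script runs without a real file.

```python
import socket
import struct
from collections import defaultdict

# pcap global header: magic, version 2.4, zone 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
PCAP_HDR = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
LAN_PREFIX = "192.168.8."                      # router subnet quoted in the thread (assumption)
PLAINTEXT_PORTS = {80: "http", 23: "telnet", 53: "dns"}


def ipv4_frame(src, dst, proto, l4):
    """Ethernet + IPv4 header around an L4 payload (checksums left zero; the parser never checks them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + l4


def tcp_segment(sport, dport, flags):
    """20-byte TCP header with no payload; data offset 5 words, flags byte as given."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_sample_capture():
    """Constructed traffic: a laptop doing one HTTPS exchange, a camera SYN-spraying 30 hosts on port 80."""
    frames = [
        ipv4_frame("192.168.8.20", "198.51.100.10", 6, tcp_segment(51000, 443, 0x02)),  # SYN
        ipv4_frame("198.51.100.10", "192.168.8.20", 6, tcp_segment(443, 51000, 0x12)),  # SYN/ACK (inbound)
        ipv4_frame("192.168.8.20", "198.51.100.10", 6, tcp_segment(51000, 443, 0x18)),  # PSH/ACK
    ]
    for i in range(30):   # one SYN to each of 30 different outside hosts
        frames.append(ipv4_frame("192.168.8.50", f"203.0.113.{i + 1}", 6, tcp_segment(40000 + i, 80, 0x02)))
    out = bytearray(PCAP_HDR)
    for i, f in enumerate(frames):             # 10 ms apart, so all 30 SYNs fall inside one second
        ts = 1700000000 + i * 0.01
        out += struct.pack("<IIII", int(ts), int(round((ts % 1) * 1_000_000)), len(f), len(f)) + f
    return bytes(out)


def parse_pcap(data):
    """Yield (ts, src, dst, proto, sport, dport, tcp_flags) for every IPv4 TCP/UDP packet in a classic pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                               # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        l4 = frame[14 + ihl:]
        if proto == 6 and len(l4) >= 20:
            sport, dport = struct.unpack("!HH", l4[:4])
            flags = l4[13]
        elif proto == 17 and len(l4) >= 8:
            sport, dport = struct.unpack("!HH", l4[:4])
            flags = 0
        else:
            continue
        yield (sec + usec / 1e6, socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]),
               proto, sport, dport, flags)


def analyse(data, syn_per_second=20, fan_out=10):
    """Per LAN host: distinct outside destinations, outbound SYN rate, plaintext services, and flags raised."""
    hosts = defaultdict(lambda: {"dsts": set(), "syns": 0, "first": None, "last": None, "plain": set()})
    for ts, src, dst, proto, sport, dport, flags in parse_pcap(data):
        if not src.startswith(LAN_PREFIX) or dst.startswith(LAN_PREFIX):
            continue                               # only LAN -> Internet direction matters here
        h = hosts[src]
        h["dsts"].add(dst)
        h["first"] = ts if h["first"] is None else h["first"]
        h["last"] = ts
        if proto == 6 and (flags & 0x12) == 0x02:  # SYN without ACK: a new outbound connection attempt
            h["syns"] += 1
        if dport in PLAINTEXT_PORTS and (proto == 6 or dport == 53):
            h["plain"].add(PLAINTEXT_PORTS[dport])
    report = {}
    for host, h in hosts.items():
        window = max(h["last"] - h["first"], 1.0)  # rate measured over at least one second
        rate = h["syns"] / window
        raised = []
        if len(h["dsts"]) >= fan_out:
            raised.append("fan_out")
        if rate >= syn_per_second:
            raised.append("syn_rate")
        if h["plain"]:
            raised.append("plaintext")
        report[host] = {"distinct_destinations": len(h["dsts"]), "syn_per_second": round(rate, 1),
                        "plaintext_services": sorted(h["plain"]), "flags": raised}
    return report


if __name__ == "__main__":
    for host, row in analyse(build_sample_capture()).items():
        print(host, row)
```

To run it against a real export, pass the file contents instead of the constructed bytes, e.g. `analyse(open("iot_check.pcap", "rb").read())`. Capturing on `br-lan` as in the command above is what makes this work: on that interface the packets still carry the private LAN addresses, so each flag lands on a specific device rather than on the router's NATed WAN address. The reader only understands classic pcap, which is what `tcpdump -w` writes; the thresholds are starting points and a camera that legitimately streams to one cloud endpoint will show one destination and a low SYN rate.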

Thanks!

I'm new to the OpenWrt world, and in addition to all the networking stuff I'm also improving my Linux skills lol. I play around with Raspberry Pis, but my Linux knowledge relies on Google copypasta.

A very good indicator is that it is using abnormal traffic as upload. Like @bruce said, usually a firewall:

goes one way: it always allows local source -> WAN, and when this initiation has happened, the other side (the destination) is allowed to respond back.

It will block it if this first initiation never happened from your side (the local LAN) and the first initiator was the destination, as inbound.

This is where port forwarding allows the other side to talk first, and/or if you use a DMZ you allow all ports to this device (you surely don't want that).

So in most situations devices are safe behind the firewall, but it is possible a device was already infected at the factory; you will notice that really quickly, though.

The only remote vulnerability can be DNS poisoning. It is important to know how your devices update and communicate; this can be seen via tcpdump: do they visit HTTP or HTTPS? You can try to encrypt DNS with DoH or DoT; that is a way to make it a little safer, but these things can always be a possibility.

I myself don't trust my ISP, so I make sure they cannot MITM on recognizable patterns. Most of these high-level attacks are well automated, but encryption makes it a lot harder in case of ISP compromise. A lot of hackers, especially the APT ones, don't have much interest in the average person, but if you are a developer or administrator or a company employee with possible keys, you are on their radar.

This is what I experienced myself some years ago working with Maven projects, with dependencies not set to scope provided: eventually someone sees a recognizable pattern, MITMs it and runs a malicious unit script. That is how it happened.

Hackers don't always show their presence until they have observed you long enough to automate an attack.

So you really want devices to update via HTTPS as a minimum. :+1:

You can also isolate groups of devices with VLANs so that if a breach happens it will not go through all devices; especially if you use Windows with questionable suspicion, you can isolate it from other networks. And if you use passwords from a password manager, most of these local-device-to-local-device attacks fail, because they cannot be brute-forced :slight_smile:

1 Like
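The one-way behaviour described in the post above, as an added example that is not from the thread or from the router's firmware: a toy connection tracker in Python that accepts anything a LAN host initiates, accepts an inbound packet only when it is the reply to a tracked outbound connection or when a port forward or DMZ rule explicitly exposes the host, and drops everything else. The scenarios at the end also show the limit the thread is really about: an already-infected camera initiating connections outward is allowed through, because the firewall cannot tell a firmware update from a flood. All addresses (the 192.168.8.x LAN, the update server, the outside host) and the rules are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

LAN_PREFIX = "192.168.8."   # the router subnet quoted earlier in the thread (assumption)


@dataclass
class StatefulFirewall:
    """Toy stateful filter: LAN-initiated connections open state, the outside may only reply or hit an exposed port."""
    port_forwards: set = field(default_factory=set)       # destination ports the outside may open first
    dmz_host: Optional[str] = None                        # a LAN host the outside may reach on any port
    state: set = field(default_factory=set)               # tracked connections as (src, sport, dst, dport, proto)
    log: list = field(default_factory=list)

    def filter(self, src, sport, dst, dport, proto="tcp"):
        """Return the verdict for one packet and record it in the log."""
        key = (src, sport, dst, dport, proto)
        reverse = (dst, dport, src, sport, proto)
        if src.startswith(LAN_PREFIX):
            self.state.add(key)          # LAN talked first: remember it so the reply can come back in
            verdict = "ACCEPT"
        elif reverse in self.state:
            verdict = "ACCEPT"           # reply to something a LAN host asked for
        elif dport in self.port_forwards:
            verdict = "ACCEPT"           # port forward: the outside is allowed to talk first on this port
        elif self.dmz_host is not None and dst == self.dmz_host:
            verdict = "ACCEPT"           # DMZ: every port of this host is exposed
        else:
            verdict = "DROP"             # unsolicited inbound
        self.log.append((key, verdict))
        return verdict


def demo_scenarios():
    """Walk through the cases the post describes and return the verdict of each."""
    fw = StatefulFirewall()
    results = {}
    # camera checks for updates: LAN initiates, server reply is matched against tracked state
    results["camera_update"] = fw.filter("192.168.8.50", 40001, "198.51.100.10", 443)
    results["update_reply"] = fw.filter("198.51.100.10", 443, "192.168.8.50", 40001)
    # outside host tries to open port 80 on the camera without the camera asking: blocked
    results["unsolicited_inbound"] = fw.filter("203.0.113.7", 55555, "192.168.8.50", 80)
    # a reply-looking packet for a connection nobody opened is still blocked
    results["spoofed_reply"] = fw.filter("198.51.100.10", 443, "192.168.8.50", 40999)
    # an infected camera sending traffic outward is just another LAN-initiated connection: accepted
    results["infected_camera_outbound"] = fw.filter("192.168.8.50", 40002, "203.0.113.9", 80)
    # the two ways of letting the outside talk first
    exposed = StatefulFirewall(port_forwards={80})
    results["inbound_with_port_forward"] = exposed.filter("203.0.113.7", 55555, "192.168.8.50", 80)
    results["port_forward_other_port"] = exposed.filter("203.0.113.7", 55556, "192.168.8.50", 2323)
    dmz = StatefulFirewall(dmz_host="192.168.8.50")
    results["inbound_with_dmz"] = dmz.filter("203.0.113.7", 55557, "192.168.8.50", 2323)
    return results


if __name__ == "__main__":
    for name, verdict in demo_scenarios().items():
        print(f"{name:28s} {verdict}")
```

The design choice worth noticing is that the state table is keyed on the full 5-tuple, so a packet that merely claims to be a reply is dropped unless the matching outbound connection exists; a real connection tracker additionally checks TCP sequence numbers and expires idle entries, which the toy omits. The guest-network AP isolation mentioned in the thread sits at a different layer (it stops LAN-to-LAN frames on the same SSID) and does nothing about the `infected_camera_outbound` case, which is why inspecting outbound traffic remains the useful check.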

Yes - I put my IoT gear on the Guest network with AP isolation enabled. As I understand it, that's not technically a VLAN, but it does prevent clients from communicating with each other and prevents any crosstalk to the primary network.

Down the road I may look into getting a layer 3 switch and creating dedicated VLANs for the IoT stuff. But for now I only have one camera, and this setup seems sufficient.

1 Like