Block Mirai?



  • I don't know if Firewall is the right section, but let's give this a shot.

    I sort of doubt that I have Mirai, but lets assume that I do… What can pfSense do to block it from reporting back, or tell if I have it? Or any of the other $number of ScriptKiddie B.S. out there?



  • Put rules in place that prevent your IoT devices from talking to anything other than what you allow.  Generic answer, I know, but the question is equally vague.  Botnet C&C servers change with the wind so you can't block based on specific destination.  Things like cameras should not be externally accessible if possible, and instead should be accessed via VPN.  If that is impractical then you place rules so that the cameras only respond to traffic from known sources like your workplace.


  • LAYER 8 Global Moderator

    All my iot devices are in their own vlans.  I then log what what they do, I don't limit where they can talk on the internet.  But they are not accessible via the internet, only via VPN as KOM mentions.

    So like my nest thermostat, my nest protect, my dvr, my harmony hub, etc.  These are all in isolated vlans and I log their outbound traffic.  They just phone home and use dns now and then.  If they were part of a botnet you would see them screaming data outbound to different places, etc.  You could lock down where they can go outbound.  But for example they phone home to stuff being hosted on Amazon so that is HUGE amount of IPs they might talk to, etc.

    If you know what they are suppose to talk to, then sure lock them down to only talking to those public IPs or netblocks.  But if place them in their own vlan than its really easy to keep an eye on them and isolate them from your normal network and just log the outbound rules on those vlans.  Maybe the device doesn't even need outbound access at all?  If so then don't let it out your network.  If nobody can talk to it from outside, and it can not talk to outside on its own - then pretty impossible to be part of a botnet ;)  Problem is they are the IoT, so many of them need to talk to something on the internet to function fully.  You just need to make sure you keep an eye on what they are talking too, etc.

    While the makers of these devices do need to up their game on security aspects of the devices.  They really should not be open to the public internet.. No security is foolproof, exposing them to the public internet is not a good idea.  Users really need to take some responsibility here if you ask me.  Problem is your typical users are just stupid when it comes to how their IT toys actual work and talk to each other..  Oh I want to view my camera while I am on the road.. Here let me forward port 80 to my camera or camera nvr, etc.

    Maybe some documentation on what IPs/netblocks these devices need to talk to and ports.  Warning about open access to the internet to them, etc.  Yeah like users read documentation anyway ;) hehehe



  • Was looking over the link below and just wondering with what happened with Mirai, is there any other special setup requirements that we should consider when setting up pfSense?  e.g. Will the "default" firewall rules, snort, etc… cover these types of attacks?

    https://www.us-cert.gov/sites/default/files/publications/DDoS%20Quick%20Guide.pdf



  • Hi folks, I've been reading up on Mirai. In addition to the 1) blocking devices to talk to other than allowed and 2) VLAN and monitor recommendations. You chould also a) ensure you have UPnP and NAT-PMP disabled in Services and b) you could block and monitor outgoing traffic on TCP/23 and TCP/2323. b) could help identify infected devices on your network.
    What do you think?



  • Will the "default" firewall rules, snort, etc… cover these types of attacks?

    There are no defined NATs with a default install.  In order for Mirai to use an IoT device, it must be able to touch it over the network.  That's why we keep saying to not put these things on the live Internet for anyone to access.  Put them behind a VPN or craft your rules such that they only respond to known IP addresses or subnets like your home, your work, your cottage or summer home, etc.

    What do you think?

    I think the UPnP suggestion is good.  As for telnet, I would never have that publicly accessible in the first place.


  • LAYER 8 Global Moderator

    UPnP is normally off, its off.  It would of had to be turned on by purpose..  Who would do that??

    As to limiting what devices can do outbound.  You can what what ports they use for normal access and then sure lock down to those ports.  They seem to only do dns outbound and 80/443.



  • Who would do that??

    Perhaps someone who just wanted their kid's game console to work so they enable it in the past and forget about it, and didn't think about the brand-new cameras they just got using it as well?  Someone who thought it was required when using a Bittorrent client?  You never know, people do funny things sometimes so it's a good idea to check.



  • I'd read that UPnP was one of the vectors. Included for thoroughness.


Log in to reply