In light of the recent huge DDoS attack against Dyn, which Brian Krebs reports (citing information from Flashpoint) was apparently carried out using a Mirai-powered botnet, I thought it appropriate to highlight some of the security software and hardware I use to try to ensure that my devices don’t become part of the botnet.
My first layer of defense at home is my router. My current router is in serious need of replacement – its software is buggy and it requires reboots approximately once every month or two (far too frequent for a home router, if you ask me). That said, it’s still useful and here’s why:
- port forwarding: Several of my devices use SSH to automatically synchronize files across my home network. I know SSH is overkill for that kind of thing, but it’s easy to set up. Two of those devices are Raspberry Pis, low-power computers which I run mostly-headless (I can connect a monitor and keyboard if needed) and I use SSH to control them from my laptop or phone. My point is, none of these things need to receive SSH connections over the Internet, so my router doesn’t forward the standard SSH port to any of them. One of the Pis is, on the other hand, used as a BitTorrent seedbox – other BitTorrent peers can connect to it most easily if I make at least one port of my choosing accessible from the Internet.
- An unencrypted Wi-Fi network for guests: Until yesterday I ran two wireless networks from the same router: one with strong encryption for my family’s use, and one with no encryption for the convenience of guests and strangers. This separation of networks was to ensure that friends could access the Internet quickly if all they wanted was to watch cat videos on YouTube but would still have to talk to me if they wanted to network with my computers. The principle of least privilege is a key component of good computer security. Now I have chosen to disable the guest network to ensure that strangers’ devices can’t unintentionally use my Internet connection to join a botnet. There is little point in simply enabling encryption on the guest network because then guests would have to ask me for a password, the avoidance of which is the reason the guest network existed in the first place.
I am about to order a new router, specifically a Turris Omnia. It’s very expensive at $246 + shipping, but I hope it’s worth the price. Here are features I plan to use and which are not offered by the router I have:
- “Advanced network monitoring”: I’ve been experiencing a frustrating problem lately: DNS servers are very slow to respond, sometimes timing out. The problem happens randomly throughout the 24-hour day, not all the time. It lasts for only a few minutes. It only happens at home (no problems when I’m at school, so far). It affects every computer on my home network. It probably isn’t related to the DDoS attack I mentioned earlier because this started at least a week earlier. I can find no way to troubleshoot the problem using my current hardware: my router doesn’t offer any kind of network monitoring/traffic analysis feature, and I can’t insert any of my computers between the router and modem because all of my computers have only one wired Ethernet port. If I had a computer with two Ethernet ports, then theoretically I could transparently capture and analyze every packet using Wireshark. Michael DeCesare described the problem well: “Moving beyond the acknowledged need to be better at patching devices, we must then ask if devices are protected by a robust perimeter security solution and are continuously monitored for suspicious behavior.” My router is my perimeter security solution, and the one I have does not monitor for suspicious behavior.
- “Active bandwidth measurement” [source]: Potentially useful for troubleshooting, but mostly I’d just watch the colorful graphs.
- Software updates for the lifetime of the device: “Omnia offers unattended automatic updates to core components of the system for the lifetime of the device.” [source]. Even if the promised automatic updates never happen, this router runs an open source operating system. I could potentially install my own updated copy. I could potentially write my own updates. Imagine that! Being able to fix things yourself rather than waiting for some monolithic corporation to get around to it! Not that I expect to ever actually write my own updates – I’m busy enough with other programming projects – but I like knowing that it’s a possibility. My current router runs a closed-source OS and hasn’t received any updates for a long time. A lack of bug fixes can be a serious security problem, especially for something as central to your network as your router.
- A “distributed adaptive firewall” [source]: I haven’t yet found any other router that advertises a feature like this. Read the source for a description; I’m not going to copy it here. While this sounds like a feature that would be useless for a small network like mine, I’m choosing to assume that it will be useful. One of the biggest mistakes you can make in the field of network security is to assume that just because you’re small/unknown, you must therefore be a low-priority target and you don’t have to worry about anything. It is laziness like that which makes you so valuable to crackers: they can easily crack into your systems, then use those compromised systems to DDoS larger targets.
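The intermittent DNS slowness described under “Advanced network monitoring” can be measured from any host already on the LAN, without a second Ethernet port: a small client that sends its own DNS queries and records round-trip times and timeouts gives a timeline of when the resolver misbehaves. The probe below is an added example, not code from this post or from Turris; it uses only the Python standard library, builds and parses DNS wire-format messages itself (RFC 1035), and assumes the router at 192.168.1.1 is the network’s resolver (a placeholder address to replace with your own).

```python
"""Stand-alone DNS latency probe: build a query, parse the reply, summarize timings."""
import socket
import struct
import time


def build_query(name, qid):
    """Return a DNS A/IN query for `name` with transaction id `qid` (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Decode a (possibly compressed) domain name at `offset`; return (name, next_offset)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer into an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the pointer is the last thing consumed in this record
            jumped, offset = True, pointer
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(data):
    """Parse a DNS response; return {'id', 'rcode', 'answers': [(name, ttl, ipv4)]}."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):  # skip the echoed question section (name + QTYPE + QCLASS)
        _, offset = _read_name(data, offset)
        offset += 4
    answers = []
    for _ in range(an):
        name, offset = _read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # keep A records only
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": qid, "rcode": flags & 0x000F, "answers": answers}


def probe(server, name="example.com", timeout=2.0, qid=0x1234):
    """Send one query over UDP; return round-trip seconds, or None on timeout."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.monotonic()
        sock.sendto(build_query(name, qid), (server, 53))
        while True:
            data, _ = sock.recvfrom(512)
            try:
                if parse_response(data)["id"] == qid:  # ignore unrelated datagrams
                    return time.monotonic() - start
            except ValueError:
                continue
    except socket.timeout:
        return None
    finally:
        sock.close()


def summarize(samples, slow_threshold=0.5):
    """Turn a list of latencies (None = timeout) into counts, median and maximum."""
    answered = sorted(s for s in samples if s is not None)
    return {"total": len(samples),
            "timeouts": len(samples) - len(answered),
            "slow": sum(1 for s in answered if s > slow_threshold),
            "p50": answered[len(answered) // 2] if answered else None,
            "max": answered[-1] if answered else None}


if __name__ == "__main__":
    # Placeholder resolver address; probes once a second until Ctrl-C, then prints a summary.
    results = []
    try:
        while True:
            rtt = probe("192.168.1.1")
            results.append(rtt)
            print(time.strftime("%H:%M:%S"), "timeout" if rtt is None else f"{rtt * 1000:.1f} ms")
            time.sleep(1)
    except KeyboardInterrupt:
        print(summarize(results))
```

Leaving this running on one machine (or a Pi) through a day gives timestamps for each slow or timed-out query, which is enough to tell whether the stalls line up with particular hours or with another device becoming active. Pointing a second copy at a public resolver at the same time separates “my router’s DNS forwarder is stalling” from “my upstream connection is stalling”.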
Now, on to the devices themselves. This is an overview, not a complete list. Specific apps may be discussed in future posts.
- Game consoles: My family has a Nintendo Wii, some DSs, and various other gaming devices. There is no anti-malware software available for these. None at all. We turn these off when not using them, but even that may not be enough: they’re not really off, just in a low-power state that allows them to download software updates. And I don’t think they’ve gotten any updates lately. Which means they are constantly connected to the Internet and running potentially unpatched software.
- PDAs: As I’ve said before, I use the term “personal digital assistant” to refer to smartphones, tablets, and ebook readers. We’ve got a mix of Android, iOS, and Ubuntu devices. None have firewall or antivirus software installed (Can you recommend some security software? Leave a comment!). I tried to install AFWall+ on my Android phone, but couldn’t run it because it needs root.
- “Real” computers: Again, different computers have different software. Raspbian on the Pis, Ubuntu and a few versions of Windows on the other computers. Our Windows computers run Norton Security Suite because it’s provided for free by our ISP. On Ubuntu and Raspbian I use Gufw as a firewall and do daily virus scans with ClamAV.