Intrusion Detection & Prevention – The Basics

In another article a discussion of ‘odd behaviour’ by computers and networks broke out. I’d said:

@Another Ian:

I’ve not seen that issue, however, I have seen evidence for some wide scale “probing” of computers by what I presume are nefarious sorts. As the spouse is on a Mac, and I’m non-PC of many flavors, we rarely have anything succeed at ‘crawling in’… However, last night (when NOT on any WordPress sites) the spouse had the Mac “lock up” on attempted opening of her (remote) email account. In my experience, that’s what a Mac does when under attack by a very smart attack that is aimed mostly at PCs and just doesn’t “get it” about Macs… (i.e. the Apple defenses stop it from succeeding but both end up in a death match…) Later that night, my Tablet had “glitch” issues (things slowing / jerky / active when doing nothing and load shows) but didn’t succumb. (Android has some exploits, but like the Mac Mach Linux base the Android Linux base is immune to the usual PC / Windoz attacks and most of the few Linux ones…) A reboot of both cleared them and they behaved the rest of the night.

FWIW, I’m likely to be “low response” for the next day or two as I build and deploy a home IDS (Intrusion Detection System) and make a posting on it…

My router blinky lights show no activity out of expected at this point, so IMHO whatever it was has now “moved on” to other easier PC targets… ( I really like blinky lights… they give a ‘no doubt about it’ indication of unwanted / unexpected network traffic… I have a ‘hub’ that I carry with me to most contracts that, put between the wall and my assigned workstation, gives me personal blinky lights… ;-)

Given the recent ‘take down’ of the East Cost by a set of bot driven I[di}OT devices, it’s clear that a pre-survey & PWN was run on them; so I’m not at all surprised that post event it looks like they are doing a survey for the next set of boxes to exploit (the assumption being that many of the first batch will now be identified and locked down / taken offline…) FWIW, it looks like about 9 PM PST was the window, so call it about start of work day in Eastern Europe… Just sayin’… you might want to watch the clock for 8 to 5 Romanian / Kiev / Moscow time…

I ought to have the IDS posting ready by this weekend, and it will include things you can do on your workstation, not just those that need a Linux box, (Host IDS), so I’d suggest installing that kind of thing and seeing what it shows.

For those wanting to “run ahead” and ‘assemble it yourself’:

The game is afoot and they are probing actively… time for ‘shields up’ and warp engines on line…

H/t to Another Ian for raising the issue.

I’d started down this path a good while back as it was one of the “things you ought to have” in any network, and I didn’t have one. But I was complacent. All my other general protective behaviours had so far kept things clean and safe. (Not the least of which is rarely to never running Microsoft Windows unless absolutely necessary and typically not using it to browse anywhere – the occasional exception of finding and getting needed software. Most virus writers target Microsoft products, partly due to them being a bit easier and mostly due to them being in very large numbers and generally not professionally managed in homes and small businesses.)

In any case, I’ve been relatively lucky (having made a lot of my own luck). But about 2 weeks ago that changed. An “interior router” of mine had been changed. Not much. But it didn’t have the WiFi interface “up” anymore. I looked it over. Changed the config to what it ought to be and rebooted. Then it was fine.

Now being an “interior router” I’d left the default security in place. It was already protected by the AT&T boundary router ( “internet access” router) and in theory nobody could get to it from outside. I have, sometimes, left an open “guest” access up on WiFi for the neighbors should they need it. Had some “war driver” found this from the street? Had the neighbor kid gotten old enough to not just want to access sites without his parents knowing, but also to start hacking routers? Didn’t know, but OK, time to “lock it down”. I turned on the “known machines only” lockout and changed the password to something more industrial strength, then went on my way.

Then the East Coast DDoS attack happened… it used an IOT Internet Of Things (or I[di]OT of Things…) group of drone machines to pester to death various target sites.

Then a couple of nights ago, the spouse and I both had those ‘odd’ behaviours. Her Mac had the spinning meatball of death hang cursor and my Tablet had some quirky not-quite-right pauses and fails to connect to web pages. Both fixed with a reboot…

OK, further down we had

Larry Ledwick says:
27 October 2016 at 8:38 pm (Edit)
I have also noticed some very slow page loads over the last 24 hours, and semi lockup (ie long delay to do things but eventually succeeding). Things which should have been just a second or less took long enough for me to start grumbling “would you load the friggen page already” sort of muttering.

These are the current security alerts posted by CERT

Power Grab says:
27 October 2016 at 10:08 pm (Edit)
@ Larry Ledwick: I noticed slow page loading right after Obama turned over the Internet to the other side.

I suspect the ‘slow page loads’ is more a matter of ‘slow DNS resolution’ as that can dominate the actual time to load pages (especially those with lots of advertising and links to other pages… each one can take a few seconds for the DNS lookup depending on how your DNS servers are set up and selected).

It can also be the result of the bots (code robots) that are trolling the internet right now looking for things to attack and take over.

I would guess is it less to do with the internet ICAAN handover and more to do with the bots. ICANN just doles out the top level domains, mostly. It’s more a political / negotiation lag thing and less an operational one. The root servers tend to be spread all over the world with distributed operation:

OK, going back to that link given by Larry, that’s where all us Geekly types go to find out “what the f… is going on” as we go looking for “CERT Advisories”:

Alerts provide timely information about current security issues, vulnerabilities, and exploits. Sign up to receive these technical alerts in your inbox or subscribe to our RSS feed.
2016 | 2015 | 2014 | 2013 | 2012 | 2011 | 2010 | 2009 | 2008
View Alerts Feed
TA16-288A : Heightened DDoS Threat Posed by Mirai and Other Botnets
TA16-250A : The Increasing Threat to Network Infrastructure Devices and Recommended Mitigations
TA16-187A : Symantec and Norton Security Products Contain Critical Vulnerabilities

TA16-144A : WPAD Name Collision Vulnerability
TA16-132A : Exploitation of SAP Business Applications
TA16-105A : Apple Ends Support for QuickTime for Windows; New Vulnerabilities Announced
TA16-091A : Ransomware and Recent Variants
TA15-337A : Dorkbot
TA15-314A : Compromised Web Servers and Web Shells – Threat Awareness and Guidance
TA15-286A : Dridex P2P Malware
TA15-240A : Controlling Outbound DNS Access
TA15-213A : Recent Email Phishing Campaigns – Mitigation and Response Recommendations
TA15-195A : Adobe Flash and Microsoft Windows Vulnerabilities
TA15-120A : Securing End-to-End Communications
TA15-119A : Top 30 Targeted High Risk Vulnerabilities
TA15-105A : Simda Botnet
TA15-103A : DNS Zone Transfer AXFR Requests May Leak Domain Information
TA15-098A : AAEH
TA15-051A : Lenovo Superfish Adware Vulnerable to HTTPS Spoofing
TA14-353A : Targeted Destructive Malware

Each of those is a live link at the CERT site. For more info on any one, ‘hit the link’… For now, just notice that Lenovo is called out by name one up from the bottom for a factory installed “Superfish” adware malware that is prone to being taken over. IMHO, just avoid all Lenovo products (really, anything from China if you can). Up at the top, there’s that line about DDoS (Destributed Denial of Service – think being attacked by a million 1st graders all yammering for attention… you get nothing done..) using “Mirai” and botnets (network of roboticly run machines i.e. the stuff in your home used by others to do the attacks). That’s the thing that’s likely causing the slow down in places. Looking inside it:

I’ve bolded a couple of bits. This is a typical alert. Tells you what is wrong, who / where it is coming from if possible, what it does, how to protect against it if known, etc. The date is about right for when the odd things were happening at home.

Alert (TA16-288A)
Heightened DDoS Threat Posed by Mirai and Other Botnets
Original release date: October 14, 2016 | Last revised: October 17, 2016

Systems Affected

Internet of Things (IoT)—an emerging network of devices (e.g., printers, routers, video cameras, smart TVs) that connect to one another via the Internet, often automatically sending and receiving data


Recently, IoT devices have been used to create large-scale botnets—networks of devices infected with self-propagating malware—that can execute crippling distributed denial-of-service (DDoS) attacks. IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks.


On September 20, 2016, Brian Krebs’ security blog ( was targeted by a massive DDoS attack, one of the largest on record, exceeding 620 gigabits per second (Gbps).[1 (link is external)] An IoT botnet powered by Mirai malware created the DDoS attack. The Mirai malware continuously scans the Internet for vulnerable IoT devices, which are then infected and used in botnet attacks. The Mirai bot uses a short list of 62 common default usernames and passwords to scan for vulnerable devices. Because many IoT devices are unsecured or weakly secured, this short dictionary allows the bot to access hundreds of thousands of devices.[2 (link is external)] The purported Mirai author claimed that over 380,000 IoT devices were enslaved by the Mirai malware in the attack on Krebs’ website.[3 (link is external)]

In late September, a separate Mirai attack on French webhost OVH broke the record for largest recorded DDoS attack. That DDoS was at least 1.1 terabits per second (Tbps), and may have been as large as 1.5 Tbps.[4 (link is external)]
The IoT devices affected in the latest Mirai incidents were primarily home routers, network-enabled cameras, and digital video recorders.[5 (link is external)] Mirai malware source code was published online at the end of September, opening the door to more widespread use of the code to create other DDoS attacks.

In early October, Krebs on Security reported on a separate malware family responsible for other IoT botnet attacks.[6 (link is external)] This other malware, whose source code is not yet public, is named Bashlite. This malware also infects systems through default usernames and passwords. Level 3 Communications, a security firm, indicated that the Bashlite botnet may have about one million enslaved IoT devices.[7 (link is external)]


With the release of the Mirai source code on the Internet, there are increased risks of more botnets being generated. Both Mirai and Bashlite can exploit the numerous IoT devices that still use default passwords and are easily compromised. Such botnet attacks could severely disrupt an organization’s communications or cause significant financial harm.

Software that is not designed to be secure contains vulnerabilities that can be exploited. Software-connected devices collect data and credentials that could then be sent to an adversary’s collection point in a back-end application.


Cybersecurity professionals should harden networks against the possibility of a DDoS attack. For more information on DDoS attacks, please refer to US-CERT Security Publication DDoS Quick Guide and the US-CERT Alert on UDP-Based Amplification Attacks.


In order to remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:

Disconnect device from the network.

While disconnected from the network and Internet, perform a reboot. Because Mirai malware exists in dynamic memory, rebooting the device clears the malware [8].

Ensure that the password for accessing the device has been changed from the default password to a strong password.
See US-CERT Tip Choosing and Protecting Passwords for more information.

You should reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device could be quickly reinfected with the Mirai malware.

Preventive Steps

In order to prevent a malware infection on an IoT device, users and administrators should take following precautions:
Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the Internet, making devices with default passwords extremely vulnerable.

Update IoT devices with security patches as soon as patches become available.

Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary.[9]

Purchase IoT devices from companies with a reputation for providing secure devices.

Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses. If a device comes with a default password or an open Wi-Fi connection, consumers should change the password and only allow it to operate on a home network with a secured Wi-Fi router.

Understand the capabilities of any medical devices intended for at-home use. If the device transmits data or can be operated remotely, it has the potential to be infected.

Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.[10 (link is external)]

Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.

Now as you might guess, slugging a Tb/second or so of traffic around, especially if focused on internet service devices, DNS servers, web servers, or just loading up routers with crap, etc. will cause sporadic slowdowns, failure to load, and other quirky behaviour. It can also happen if the botnet is actively probing your gear and trying to take it over.

This is why, when there is an unexplained fault, sloth, lots of ‘blinky lights’ that can’t be explained, etc. I typically down my internet connection (just pull the wire…) and shut down my devices. Then I can do an orderly bring up and asses on them.

Was my interior WiFi router compromised by this code? I don’t think so. Looks more like the neighbor kid learning the limits of hacking… but maybe. In any case, I’d done the right thing in recovering it due to my own habits.

Was the spousal laptop and my Tablet hit by this? Most likely. As a DDos or perhaps as folks pinging the world with Mirai software now that it is public trying to recruit our machines into their own botnet. In either case, my behaviour cleared the machines and after that they worked as expected. (Both powered down for about 20 minutes, then repowered and assessed.)

But the key bit is those last two lines. Where it says things like “Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts”… That’s where an Intrusion Detection System comes into play. It’s the thing that does that kind of monitoring. As noted in my first comment on the other page, you can do some ‘light reading’ here:

CNET has soem IDS things you can download or assess on your own:

And of course there’s a formal paper on it all:

Finally, this is the IDS I’ll be installing this weekend:

This posting is the “background” and not the “how to”. I have to do it first, then I can write the ‘how to’ ;-)

FWIW, this article does a great job in a readable format of going through various IDS / IPS choices, explaining what makes them different, doing a sketch of strengths and weaknesses, and chooses their favorite. That just happens to be Suricata…

I doubt I could improve on it much, so just hit the link and read it. Really. Do it now. I’ll wait…

What’s the only reason for not running Snort? If you’re using Suricata instead. Though Suricata’s architecture is different than Snort it behaves the same way as Snort and can use the same signatures. What’s great about Suricata is what else it’s capable of over Snort. It does so much more that it probably deserves a dedicated post of it’s own. Let’s run down a few of them:

Multi-Threaded – Snort runs with a single thread meaning it can only use one CPU(core) at a time. Suricata can run many threads so it can take advantage of all the cpu/cores you have available. There has been much contention on whether this is advantageous, Snort says No and a few benchmarks say Yes.

Built in Hardware Acceleration – Did you know you can use graphic cards to inspect network traffic?

File Extraction – Someone downloading malware? You can capture it right from Suricata and study it.

LuaJIT – It’s a lot of letters yes, but it’s also a scripting engine that can be used with information from the packets inspected by Suricata. This makes complex matching even easier and you can even gain efficiency by combining multiple rules into one script.

Logging more than packets – Suricata can grab and log things like TLS/SSL certs, HTTP requests, DNS requests

So much more…

I’m more familiar with Snort, but this does look superior, so I’ll be getting it set up for myself.

Now maybe you don’t have a dedicated machine to set up to inspect your network traffic, or don’t have a hub handy so that all traffic to your desktop can be duplicated on the interface of your IDS box. You can run Suricata on your desktop directing inspecting the traffic to / from it. This is a little less secure, since the IDS box is more secure if it isn’t actually doing anything else and is so locked down it’s useless as a desktop, but it is still pretty darned good. Especially for a laptop at Starbucks…

The other half of the solution is inspecting inside your computer to make sure things there are not changed. For that, you use a Host IDS.

Host IDS – Host based IDS systems, or HIDS, work by monitoring activity that is occurring internally on a host.
HIDS look for unusual or nefarious activity by examining logs created by the operating system, looking for changes made to key system files, tracking installed software, and sometimes examining the network connections a host makes. The first HIDS systems were rather rudimentary, usually just creating md5 hashes of files on a recurring basis and looking for discrepancies (File Integrity Monitoring). Since then HIDS have grown far more complex and perform a variety of useful security functions. Also if you need to become compliant to one of the many standards (PCI, ISO, etc..) then HIDS is compulsory.


In the realm of full featured Open Source HIDS tools, there is OSSEC and not much else. Go ahead and google away, I’ll wait. The great news is OSSEC is very good at what it does and it is rather extensible. OSSEC will run on almost any major operating system and uses a Client/Server based architecture which is very important in a HIDS system. Since a HIDS could be potentially compromised at the same time the OS is, it’s very important that security and forensic information leave the host and be stored elsewhere as soon as possible to avoid any kind of tampering or obfuscation that would prevent detection.

I’m not that familiar with OSSEC and may try installing it. “In the old days” we ‘rolled our own’ Host IDS. Doing “hash” computation on key files in off hours, comparing file sizes to saved sizes, checking that file system permissions had not changed from the archived set. Now you can get all that pre-made, and more.

While there are lots of other tools and software and very expensive dedicated hardware you can use industrially (I’ve used more of that…) this looks like a good set for the typical home installation. Suricata and OSSEC.

The next posting will be looking at installing and configuring one or both of them to set up a minimal intrusion detection system for home use. I’ll be doing it on a Raspberry Pi, but might give it a try on the laptop just to see how hard / easy it is under Windows.

As a small ‘look ahead’, here’s the basic setup wiki for Suricata:

It doesn’t look all that hard (at least not to an experienced sysadmin…) I note his bit, though:

sudo cp suricata.yaml /etc/suricata

Setting variables
Make sure every variable of the vars, address-groups and port-groups in the yaml file is set correctly for your needs. A full explanation is available in the Rule vars section of the yaml. You need to set the ip-address(es) of your local network at HOME_NET. It is recommended to set EXTERNAL_NET to !$HOME_NET. This way, every ip-address but the one set at HOME_NET will be treated as external. It is also possible to set EXTERNAL_NET to ‘any’, only the recommended setting is more precise and lowers the chance that false positives will be generated. HTTP_SERVERS, SMTP_SERVERS, SQL_SERVERS, DNS_SERVERS and TELNET_SERVERS are by default set to HOME_NET. AIM_SERVERS is by default set at ‘any’. These variables have to be set for servers on your network. All settings have to be set to let it have a more accurate effect.

Next, make sure the following ports are set to your needs: HTTP_PORTS, SHELLCODE_PORTS, ORACLE_PORTS and SSH_PORTS.

Finally, set the host-os-policy to your needs. See Host OS Policy in the yaml for a full explanation.

Yet Another Markup Language… Oh Joy, another “language” to learn… It doesn’t look very hard, and is close to many others, so more like a dialect really. One of those things I’ve avoided. Until now. Oh Well.

YAML (/ˈjæməl/, rhymes with camel) is a human-readable data serialization language that takes concepts from programming languages such as C, Perl, and Python, and ideas from XML and the data format of electronic mail (RFC 2822). […] Originally YAML was said to mean Yet Another Markup Language, referencing its purpose as a markup language with the yet another construct, but it was then repurposed as YAML Ain’t Markup Language, a recursive acronym, to distinguish its purpose as data-oriented, rather than document markup.

Lucky for us Systems Admin types, we usually don’t need to learn the whole thing, just a few key sentences and how to change the nouns in them… or the occasional verb.

OK, with that, you now got to see what an evening the life of a sys admin looks like when something goes ‘bump in the net’ and their phone rings or the router hangs or “the internet is down” ;-)

After I’ve digested all this (and cleaned up the kitchen and…) I’ll make my first install / config tests. But that will be for another posting.

Subscribe to feed


About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in Tech Bits and tagged , , , , , . Bookmark the permalink.

24 Responses to Intrusion Detection & Prevention – The Basics

  1. Another Ian says:

    A couple of names (more or less) I’ve been able to catch at the bottom of the screen as they flash – and not a clue on them

  2. Gail Combs says:

    I will ask Hubby, the house computer guru to read this over.

    Thanks E.M.

  3. Another Ian says:

    And very slow coming back up one level talking to’

  4. In order to get access to the “free” VOIP telephone (free to most countries outgoing, but somewhat expensive (mobile rates) for someone ringing in on that number) I need to use the router supplied by Orange here in France. The security on this router is somewhat buggered (technical term) since Orange also want to make it a WiFi hotspot for other Orange users, and various protections are thus made unavailable. I also can’t stop it auto-updating and occasionally losing all its data – one such update also reset the password to get into the router. Where the router is supplied as part of the internet package, I suspect that a lot of other ISPs do much the same.

    Though I have a separate VOIP box as well, Orange won’t tell me what the username/password is for their VOIP so that I could use a different router than the one they rent to me.

    I’ve recently got some IP cameras so that I can keep an eye on my mum more easily – she has severe dementia by now and the camera saves time in physically checking where she is. The cameras have default passwords that I can’t change, and even if I could change what it says the password is I wouldn’t be too sure that there wasn’t a back-door password so that their apps could connect to them.

    The point I’m making is that the suppliers seem to deliberately be making back-doors or otherwise buggering the security in order to make it easy to share the data. This runs through the Micro$oft ethos from the start – make it easy to share data but not realising that we might not want to share everything that’s on our boxes or make it possible for someone to remote-control it.

    Whilst writing this I noticed some unexpected disk activity on this box (Lubuntu at the moment) and turned it off. Blinky lights are useful. Not so useful on the main router at the moment since the camera will often be showing activity.

    It seems to me that security is mostly treated as an add-on once the devices are working, and that most systems are not inherently secure. That’s when deliberate back-doors aren’t inserted, of course. Since W10, it seems that the BIOS has become an OS itself that gives a back-door into every machine, so getting the Pi3 set up is getting more urgent as the desktop machine is approaching end of life. I’m getting a bit peeved at the attitude of “we haz all your data” that the big suppliers have.

  5. philjourdan says:

    It is way past time for me to create an IDS. I have an old machine that has been sitting idle for years that I will use for it. Guess I will have to read up on Suricata.

    Fortunately, my IOT are in their own DMZ, so the computers cannot get to them, and they cannot get to the computers. I know that does not mean secure. But just less open than most.

  6. Larry Ledwick says:

    I have often wanted to be able to see exactly what is making the router lights blink so much when I am not doing anything. Looks like another project to make time for.

    As folks have mentioned above so often you are at the mercy of outside vendors regarding what you can do and what access routes are open. Out of all the common consumer class cable routers is there any brand that stands out for being more secure than most and open to user management?

    I replaced my comcast supplied cable router with a linksys and it seems to get the job done although I occasionally need to power cycle it to restore my comcast network connection. Your comments about rebooting devices to clear malware rung a bell in that regard, maybe those random outages are not due to comcast being stupid but the router going stupid because of some attack attempt.

  7. Larry Ledwick says:

    We all know this but reference link with a plain english description of a bot net attack and the internet of things.

  8. E.M.Smith says:

    @Another Ian:

    One of them is an advertizing intermediary:

    The other looks to be a SEO Bot site trying to site scrape and duplicate websites for ads revenue

    So I’d say it isn’t about you, but about SEO and WordPress. I’d also speclate you are maybe seeing the DNS Resolver notices of sites being looked up and not an actual file download.

    This is an example of the kind of stuff I quash with my DNS server. So I’d put an entry in the hosts file of 127.0.0
    botd2.wordpress. com 127.0.0

    And both would point to my local web server and get “It Worked!” (The only page it serves…)

    Most likely those are already in it as I snagged a long list… so I’m shielded from that bandwidth sucking…

    Fighting SEO is an ongoing battle…

    Also looks like your browser has a small jack in it:

    What is Virus? is a lately distributed malicious browser hijacker which takes over the affected web browsers. This unknown program infiltrates the target Windows through hacked sites, suspicious links, and contaminated programs. Once your machine is attacked by malware, you will encounter lots of inconvenience and troubles. For example, the whole system will respond very slowly when given commanders. That is because this pesky browser hijacker nearly takes up full of the system resources. Besides, it will be a long time for you to start the machine, execute applications, and open a web page, and so forth. redirect has the capability to change your original system DNS settings as well as the browser settings furtively and secretly. After then, it controls your IE, Firefox and Google Chrome and any other web browser. Meanwhile, becomes your default home page and search provider without asking for any approval. If you take this unfamiliar website as a helpful search engine, you are totally fooled. It is a fake one in reality and provides mostly sponsored links in the search results. In addition, you will receive lots of pop-ups that are generated by What you should pay much attention to is that this redirect virus can introduce additional risky viruses and collect your private data on the other hand. In such case, your privacy will be put at big risk. Thus, it is highly advised to remove before it causes great damage.

    So looks to me like you need a Windows and browser cleaning….

  9. E.M.Smith says:


    BINGO! You got it in one…

    As of now, things I didn’t ask for are being installed and updated on my Tablet and I can’t find how to turn it off. This is Google “helping” me, not a hack, and started after the attempted DirecTV Ap install. It, too, is a constant battle.

    Part of why I chose this Tablet was an existing Linux install path. I think I’m getting close to that point… The latest is the “Google Community Team” sending me some notice about ‘helping’ me get more out of my Android device (by opening more of my info to them, no doubt) and a nag to “verify my phone number” so I can “more easily connect with friends in Google services” (and have them own my phone info…).

    I suspect the “off” setting is hidden somewhere in Google account settings and not in the tablet…

    As Google makes $ Billions out of owning and sharing “your data”, don’t expect privacy to be a feature they endorse…


    That isolation of subnets can work wonders. I have 3 subnets inside the house alone… not counting the “cold in drawer” non network ;-)


    It isn’t the hardware, it’s the firmware and software….

    FWIW, I don’t replace the Telco router, just add mine on my side of it. That keeps them happy and they do filter some of the crap out. Makes service calls easier too as you can just say Yes to their stupid questions instead of educating them…

  10. PaulID says:

    Question would this work with arduino or would raspberry Pi be the preferred unit to run IDS?

  11. jim2 says:

    There was a good article from one of the Black Hat Hackers conference about web cams. Since firmware updates come in over the internet, there is an admin password burned into the firmware. You can download a firmware update from the internet without owning the camera, then uncompress/decode it and get the admin user name and password. Then you own the camera. You can display whatever image you like to the user.

    I assume IoT devices are also get firmware updates over the internet and would therefore have the same issue.

  12. E.M.Smith says:


    IDS needs ethernet speed that can keep up with the wire. Arduino is a bit slow for that, heck, Pi might be slow for that on other networks from mine…. The Pi is 10/100 so not enough if your network is 10/100/1000 Mb. Now my network has an interior router, one wire, and the exterior router switch. This limits the general speed in that DMZ like area to the WAN speed (internet) that is well less than 1/2 the ethernet speed… (Other than when I am backing up or updating the DMZ macjine from inside, but that’s not an attack and is well known when it happens.)

    So bottom line is just “can Arduino keep up with the packet rate on your wire?”


    Yup. Why I turn off auto update and don’t like locked out systems…

  13. cdquarles says:

    I’ve used Snort in the past. It sure looks like it has competition.

  14. cdquarles says:

    I’m running two routers at the moment (ah the joys of subnets) and am using my own cable modem. It is a consumer grade modem, so …. I’m going to be looking at an IDS too.

  15. Larry Ledwick says:

    Just out of curiosity, is there any characteristic of IOT devices that you could use to just send any packets from them to the bit bucket? For example is there any standard for the IP ranges that they use or something you could pickup from packet inspection to place a firewall deny rule that would just kill any attempt by them to reach your network. If you personally do not have a baby monitor or what ever of that type there is no reason to allow any of that sort of traffic to even reach your trusted network.

  16. Larry Ledwick says:

    Doing some reading on IoT and found this document (53 page PDF)
    Has some good references in the foot notes such as :
    RFC 7452 ” Architectural Considerations in Smart Object Networking” (March 2015),

    Numbers are simply staggering, projections are for IoT devices to number any where from 25 billion to 200 billion devices by 2020

    As the number of Internet-connected devices grows, the amount of traffic they generate is expected to rise significantly. For example, Cisco estimates that Internet traffic generated by non-PC devices will rise from 40% in 2014 to just under 70% in 2019.30 Cisco also forecasts that the number of “Machine to Machine” (“M2M”) connections (including in industrial, home, healthcare, automotive, and other IoT verticals) will rise from 24% of all connected devices in 2014 to 43% in 2019.

    This is going to become a significant part of network traffic load and the potential for misuses of these devices in coordinated attacks made possible by their generally poor security feature sets, will be a serious threat to the web as we know it.

  17. pg sharrow says:

    @Larry; It certainly looks like denying access to bad sites is a losing cause. Access by permission only is the only way forward in dealing with this projected nightmare. Or force the manufactures of the devices to provide locked down servers for their devices as a bottle neck to their traffic. Kind of like the FCC limits EM band use of devices…pg

  18. Larry Ledwick says:

    Given the numbers of these devices anticipated it would be possible to mandate they only use IPv6 and set aside one address range exclusively for these type devices, than let attrition of all IPv4 versions cull them out of the system.

    That would allow a fire wall rule solution.

  19. E.M.Smith says:


    The simplest approach is to just turn on NAT Network Address Translation. This works by ONLY allowing outgoing connection requests to make an entry in a NAT table for IP and port number, thus letting reverse flow of onfo be mapped back to that machine from that port.

    Now IOT devices have a tendency to advertize to the world “Here I am on port number FOO!” as they wait for incoming connections. That is the basis of the scan for ports open and inject exploits.

    So, first off, if possible just don’t buy IOT stuff. IFF forced on you, like Internet Ready Refrigerators or TVs being the only ones sold, don’t connect them to the internet. (If they demend a connect to come up, try an isolated hub to nowhere to see it they just want link, then a dhcp router to nowhere if IP needed, then try internet at install followed by isolation… (My satellite boxes demanded a phone line connect as did DirecTV -in an earlier age- but both just keep grumbling about it in their management window and I keep ignoring them…)

    IFF all else fails, install a separate router and DMZ segment just for them. Traffic to and from them never crosses your private router so never gets a NAT port in it. I presently treat the Telco router ports as DMZ land, and my systems are generally behind a second NATting router from there. I have a 3rd NATing router for really experimental and private things.

    I have seen a proposal to depricate NAT as things are pushed to IPv6 (mostly IMHO to force unique identifiable IP addresses per IOT device and oh btw allow better tracking…). IFF that ever happens, I’ll keep natting on my subnets with IPv4 and block IPv6 from them, quarantining the IPv6 IOT junk and traffic to its own subnet.

    Finally, there are many IOT IP port numbers that are “well known”. You can configure you router to block those ports (or better, only let through ports on your white list in IPtables).

    Oh, and remember the trick of hard coding routing tables so, for example, you can route all IPs in the range assigned to China to a dead end. I never talk to China computers, so they never need a packet back from me… As IOT Things are increasingly IPv6, just downing it (and only opening exceptions as, for example, your bank converts to IPv6,) may work wonders…


    That has been the preferred firewall design basis for a couple of decades. First rule entered is “DENY ALL”. Then and only then open ports and IP ranges as necessary and after push back on the requestor (sometimes up to Executive Level for really dumb risky requests to blow holes in security…) This just needs to be brought to the home….

  20. E.M.Smith says:

    Well, I’ve got VOID Linux running on the oldest HP Laptop (one core, but the fan works..) It is on a fast SD card in the USB port (via adapter)

    So far It’s “OK But”… The Enlightenment Desktop is sucking down about 80% of the CPU, dropping to “only” 54% when the browser is in use. (Total CPU pegged at about 100% just the Enlightenment / Firefox ratio changes) I could not find any of “the usual network commands” to debug why the network was not working, except for Traceroute, and by then the network had automagically gotten itself working. OK… so “everything you know is wrong” coupled with “FM” (er, “Friendly” Magic…) and WTF…

    It is horridly slow in the browser, making the Pi Model 2 look fast.
    (Likely as Enlightenment is sucking down the CPU…)

    OK, guess I’m going to ‘repurpose” this SD card for the DNS server rebuild…

  21. Larry Ledwick says:

    Digging around on the subject of routers, DMZ and all that stumbled on two items from that have some interesting info in them.

    (link below is a follow on discussion which discusses using more than 2 routers to get absolute network security and isolation)
    He explains how dumb routers do not route Ethernet protocol (ARP) but only route IP, and by using multiple routers you can isolate interior devices from a malicious man in the middle attack from an infected device on your own internal networks. He implies he has a diagram somewhere but so far I have not found it, but seems simple enough to visualize what he is talking about. (jump down to page 21 to pick up the meat of the “Three dumb routers” discussion

    (nat router page)

  22. Larry Ledwick says:

    Here is a link to a quick tutorial on setting up an RPi-2 as a firewall with IP tables or as a router using Centos

    Since my company uses Centos on our work environment I might fiddle with this and see how it works.

  23. E.M.Smith says:

    IPTables is prettymuch the same across all Linux types. Learn it anywhere and it’s fine.

    Per 3 routers: Yup, been doing it that way for decades. Boundary router, DMZ router, and interior router. Home gamers have the added problem that the Telco controls the boundary router (where you usually split out the DMZ subnet, so a bit more is needed… Then the Pi only has one ethernet spigot, so that adds a wrinkle…

    Usually the boundary router has at least 3 nics (ethernet connectors). One to the Telco POP (Point Of Presence) gear, one to the DMZ, and one to the interior router. This double isolates inside from DMZ and Internet. Using a switch, all the DMZ gear connects to that router port while a similar switch stack connects the interior gear.

    FWIW, at one company, we had a dozen (competing) partners working on site. Our router stack spit out an “inside” segment for each, isolated from each other and able to all route out to the DMZ or Internet. That router had a lot of nics in it :-) So the design generalizes. At another we had two DMZs to keep them isolated… so boundary router keeps outside outside, while Interior router keeps inside isolated (and can have multiple insides one nic each) while the DMZ router lets some systems connect both outside and inside, but controlled as to when and to what… (for example iptables entry says DMZ eMail server can ONLY connect inbound to interior eMail server, and only via TCP on the eMail port. Any bad guy captures it, he can at most send packets to the interior mail machine on that port… where it only listens for eMail… can’t do much with that.. other than pester the eMail program.)

    I can draw a diagram If you want one.

Comments are closed.