ZyXEL router attack: HUNDREDS of Brit biz bods knocked offline

Hackers have launched an internet attack which has hobbled the internet connections of at least 100 British businesses. An unknown group or individual thought to be based in the People's Republic used a SYN flood attack to attack the 600 and 660 models of router from Taiwanese firm ZyXEL. Sources at ZyXEL and the ISP MDNX …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters

    "We don't know why the attacks are coming."

    Evidently they are coming for the LULZ

    1. tin 2

      The "louise boat" surely?

  2. This post has been deleted by its author

    1. frank ly

      Re: This is why

      What is "virus code". How will it be defined and who will define it? How would such laws be applied to a foreign government or intelligence agency? What normal jury could be expected to understand what is and what is not 'virus code'?

    2. Terry Barnes

      Re: This is why

      I'm guessing you're, erm, not a lawyer?

    3. Dan 55

      Re: This is why

      All I know is that if you have 'terrorism' and 'virus' in the same sentence it sounds like you're pushing an agenda.

    4. Vic

      Re: This is why

      > We need to change the law to create an offence of "ideologically supporting terrorism"

      How many times are you planning on posting this drivel?

      Vic.

    5. Destroy All Monsters

      Re: This is why

      > We need to change the law to create an offence of "ideologically supporting terrorism"

      We need to change the law to allow law-and-order commenters that are a bit cuckoo to be handed over to the tender mercies of LA police officers who can then leisurely taser-torture them and beat them to death on camera.

      Now, wait. I think it is already changed...

  3. Ben Bonsall

    Hiding in those 100 will be the actual target... And they don't yet know what's missing.

  4. Nathanial Wapcaplet

    The irony is the fact that because a Chinese source was suspected, the US's NSA could well be the culprit.

    1. Vociferous

      No, the "irony" is that since it was a Chinese source, Unit 61398 or some other PLA cyberwarfare unit is likely to be the culprit. Like another poster said: among those 100 affected companies is the target, and I'd guess it's a defense-tech company.

    2. Sanctimonious Prick

      'Ken Oath

      Absolutely!

      IF I had backdoors into most computing/communications devices, I too could make an attack seem to come from anywhere!

  5. Kevin McMurtrie

    Targeting?

    What makes anyone think that this was a targeted attack? It sounds like normal Chinese traffic and the ZyXEL products are crashing from their lack of robustness.

    I have a weekly task to add more of China to my firewall. They're a non-stop source of vulnerability scans and they make it a habit of providing fake network contact information. I have an American ISP with no throughput to spare for all of that garbage.

    1. Anonymous Coward

      Re: Targeting?

      Heck, I blocked all of China's IP address blocks 4 years ago (and any other unfortunate APNIC customer in a /16 network that covered any of China). Of course, I also block Brazil and parts of eastern Europe...

    2. Anonymous Coward

      Re: Targeting?

      Most of the abuse email addresses of the Chinese ISPs are useless as emails bounce as they are over quota.

      It's odd how we keep being told how the Chinese have limited access to the internet because of the "Great Firewall", but it apparently has been designed to allow outgoing wide-scale network attacks.

      Like you I'm continually adding more and more of China to my firewall... I very rarely see any legitimate traffic from China

      1. Vociferous

        Re: Targeting?

        > the "Great Firewall" but it apparently has been designed to allow outgoing wide scale network attacks.

        The Chinese secret service don't care if some Chinese hackers attack your site. If you want the Great Firewall to block visits to your site, post some Free Tibet propaganda or an account of the Tiananmen Square massacre.

        1. Anonymous Coward

          Re: Targeting?

          Damn you! Now the Reg will get blocked in China!

          I don't want to need a VPN just to read my daily dose of tech news & read the funny comments!

  6. Anonymous Coward

    Disabling remote web management on the Zyxels is a work-around. Some ISPs have seen these packets sent from French source addresses too, but it's a SYN flood - the attacker doesn't need to see replies - so you can't say with certainty where the packets come from; they could easily be spoofed from any of the many ISPs worldwide who don't do ingress filtering.
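    The comment above makes two points that are easier to see in code than in prose: a SYN flood does not need replies, so the source address of a flood packet says nothing about who sent it, and what the flooded device actually sees is a pile of half-open handshakes. The following is an added example, not code from the article, from ZyXEL or from any ISP: a toy detector over hand-constructed packet records (RFC 5737 documentation addresses, so no real attacker, victim or router is represented) that tracks each client/server conversation through SYN, SYN/ACK and ACK and flags a destination whose SYN volume is high and whose completion rate is near zero. It assumes the observer sees both directions in front of the target; the thresholds are assumptions chosen for the toy data.

```python
"""Toy SYN-flood detector over constructed packet records.

Added example for this thread; not code from the article, ZyXEL or any
ISP.  The records are constructed by hand using RFC 5737 documentation
addresses.  Assumes the observer sees both directions of traffic in
front of the target (e.g. a mirror port on the WAN side).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # "S" = SYN, "SA" = SYN/ACK, "A" = ACK (anything else ignored)


def classify_handshakes(packets):
    """Track each client->server conversation through SYN, SYN/ACK, ACK.

    Returns {(server, port): {"syn": count, "completed": count,
                              "sources": set of client addresses}}.
    """
    state = {}                                   # (client, server, port) -> phase
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "sources": set()})
    for p in sorted(packets, key=lambda pk: pk.ts):
        if p.flags == "S":                       # client -> server
            state[(p.src, p.dst, p.dport)] = "syn"
            stats[(p.dst, p.dport)]["syn"] += 1
            stats[(p.dst, p.dport)]["sources"].add(p.src)
        elif p.flags == "SA":                    # server -> client: key is reversed
            key = (p.dst, p.src, p.sport)
            if state.get(key) == "syn":
                state[key] = "synack"
        elif p.flags == "A":                     # client's final ACK completes it
            key = (p.src, p.dst, p.dport)
            if state.get(key) == "synack":
                state[key] = "established"
                stats[(p.dst, p.dport)]["completed"] += 1
    return dict(stats)


def flag_syn_flood(stats, min_syns=20, max_completion=0.2):
    """Return destinations with many SYNs and almost no completed handshakes.

    Thresholds are assumptions for the toy data.  A busy but healthy server
    completes most handshakes; a flooded one sees SYNs whose final ACK never
    arrives, because the claimed source either never sent the SYN (spoofed)
    or is a bot that ignores the SYN/ACK.  Either way the source address is
    not evidence of origin, which is the commenter's ingress-filtering point.
    """
    flagged = {}
    for key, s in stats.items():
        if s["syn"] < min_syns:
            continue
        rate = s["completed"] / s["syn"]
        if rate <= max_completion:
            flagged[key] = {"syn": s["syn"], "completion": rate,
                            "distinct_sources": len(s["sources"])}
    return flagged


def build_sample():
    """Constructed capture: three clean handshakes to a web server, then a
    30-packet flood of bare SYNs at a router's remote-management port from
    30 different (possibly spoofed) sources that never answer the SYN/ACK."""
    pkts = []
    for i in range(3):
        t = float(i)
        pkts.append(Packet(t,        "198.51.100.10", 40000 + i, "192.0.2.1", 443, "S"))
        pkts.append(Packet(t + 0.01, "192.0.2.1", 443, "198.51.100.10", 40000 + i, "SA"))
        pkts.append(Packet(t + 0.02, "198.51.100.10", 40000 + i, "192.0.2.1", 443, "A"))
    for i in range(30):
        t = 10.0 + i * 0.001
        src = f"203.0.113.{i + 1}"
        pkts.append(Packet(t,        src, 50000 + i, "192.0.2.5", 80, "S"))
        pkts.append(Packet(t + 0.01, "192.0.2.5", 80, src, 50000 + i, "SA"))
    return pkts


if __name__ == "__main__":
    for target, info in flag_syn_flood(classify_handshakes(build_sample())).items():
        print(f"possible SYN flood against {target[0]}:{target[1]}: {info}")
```

    Note what the detector cannot tell you: the 30 "sources" in the flagged entry are just whatever was written in the IP header, so feeding them to a firewall or a geolocation lookup attributes nothing. Disabling the management service, as the comment suggests, removes the listener that has to hold the half-open state.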

  7. Arachnoid

    It's odd how we keep being told how the Chinese have limited access to the internet

    Much like the US, they have their own "intelligence corps", and what better way for either side to test an adversary's systems for weak spots than to continually probe and cause havoc. This said, the Great Wall can shut off internet access to the country in a heartbeat, unlike the Western powers.

  8. Anonymous Coward

    Businesses affected: cheapskates with old crappy routers on an Internet connection with zero / low service level agreement. What great targets for an attack... This is just an act of mindless vandalism.

    1. vmistery

      They were cost-effective, feature-rich routers; a significant number of businesses who just needed basic internet connectivity and VPN features would have them. I might even have a couple lying around!

  9. Anonymous Coward

    Chink in one's armor.

    I too have blocked large swathes of V4 IP addresses with little or no negative impact, logs are smaller and unusual traffic stands out better now.

    I'm coming to the conclusion a geographic white list would be preferable for most home/small business users.

    Unless you are running a web site that needs to be accessible from location X why generally accept uninvited packets from that place?

    1. Anonymous Coward

      Re: Chink in one's armor.

      A number of these sites probably don't need incoming connectivity from anywhere - CGNAT, anyone? :)
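  Several commenters (comment 5 and its replies, and comment 9) say they block whole countries at the firewall, and one notes that blocking any /16 that touches the country takes innocent APNIC customers with it. As an added example, not code from the article or from anyone in the thread, here is a small Python helper that collapses a prefix list, applies it either as a blocklist or as the geographic whitelist comment 9 proposes, counts the collateral of a coarse /16 rule, and emits nftables commands. The prefixes are constructed RFC 5737 documentation ranges standing in for registry data (real lists come from the RIR delegated files), and the nft table and chain names are assumptions.

```python
"""Geographic block/allow list helper with nftables output.

Added example for this thread, not code from the article or any commenter.
The prefix list is a constructed stand-in (RFC 5737 documentation ranges)
for a country's allocations.  The nft commands assume a table
`inet filter` with an `input` chain already exists.
"""
import ipaddress


# Constructed: pretend these are every prefix delegated to "country X".
COUNTRY_X_PREFIXES = ["203.0.113.0/25", "203.0.113.128/25", "198.51.100.0/24"]


def collapse(prefixes):
    """Merge adjacent/overlapping prefixes so the rule set stays small."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return list(ipaddress.collapse_addresses(nets))


def decide(addr, nets, mode="deny"):
    """Verdict for a packet's source address.

    mode="deny"  : geo blocklist, drop if the address is inside any prefix.
    mode="allow" : geo whitelist, accept only if it is inside one (comment 9's
                   suggestion for sites that only expect traffic from one place).
    """
    ip = ipaddress.ip_address(addr)
    inside = any(ip in n for n in nets)
    if mode == "deny":
        return "DROP" if inside else "ACCEPT"
    return "ACCEPT" if inside else "DROP"


def collateral(coarse_cidr, nets):
    """Addresses a coarse rule (e.g. 'any /16 that covers any of the country')
    blocks that are NOT in the precise list: the unlucky neighbours one
    commenter mentions.  Assumes the precise prefixes are no larger than the
    coarse one."""
    coarse = ipaddress.ip_network(coarse_cidr)
    covered = sum(n.num_addresses for n in nets if n.subnet_of(coarse))
    return coarse.num_addresses - covered


def nft_commands(nets, set_name="geo_block"):
    """Shell lines that load the prefixes into an interval set and drop on match.
    Braces and semicolons are single-quoted so the shell passes them through."""
    elems = ", ".join(str(n) for n in nets)
    return [
        f"nft add set inet filter {set_name} '{{ type ipv4_addr; flags interval; }}'",
        f"nft add element inet filter {set_name} '{{ {elems} }}'",
        f"nft add rule inet filter input ip saddr @{set_name} drop",
    ]


if __name__ == "__main__":
    nets = collapse(COUNTRY_X_PREFIXES)
    print("\n".join(nft_commands(nets)))
    print(decide("203.0.113.77", nets), decide("192.0.2.9", nets))
    print("collateral from blocking 203.0.0.0/16:", collateral("203.0.0.0/16", nets))
```

  The whitelist mode only makes sense for a site that initiates its own outbound connections and expects inbound traffic from a known region; as the reply above notes, many of these small sites need no inbound connectivity at all, in which case a default-drop on the WAN side does the job without any country list.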

  10. Humpty McNumpty

    Cheapskates?

    What makes them a cheapskate? Perfectly standard piece of hardware that, as vmistery says, had quite a good feature set and IIRC had a reputation for being fairly solid. What kind of ISP and equipment do you expect the kind of small business that this might relate to to have?

    Who has an SLA with their ISP for an ADSL service that would prevent this?

    Who can confidently say they own a router that has no such vulnerability?

    Small businesses don't run out and replace things for the latest shiny shiny when what they have is perfectly functional.

    1. Anonymous Coward

      Re: Cheapskates?

      This.

      Lots of little business outfits don't even have any IT support agreements in place, full stop. Their internet connection / setup was likely a 'set and forget' affair by a local / SME installer and just left there.

      That said, I do think a lot of these little setups would be better protected with a bridged ADSL modem + pfsense / Smoothwall / ipcop / whatever to try and mitigate increasing problems like this, that result essentially from abandonware.

  11. Paul Hayes 1

    I swapped out a P660R-D1 we were using on an ADSL at work last week, it was playing up and I assumed it was just the age of the router causing it to die. I guess it must have been this.

    We liked those routers because we could use them more like a modem, and the ADSL chipset was robust and got decent sync speeds. This particular one had been in use for six years or so and until now caused no issues whatsoever.

  12. Mr Flibble

    I have a P660R-D1 and have had no recent problems. However, it's in bridge mode and has no public IP address so it wouldn't be affected by these attacks anyway.
