Some People Hate it Oldschool

If you follow me on twitter, you saw that I launched a telnet version of Underground Dungeon. UGD is written in JS, so a port to Node + telnet module was pretty simple. My expectations were, as they are for most of my games, that my mom would play it, and that would be about all the attention it would get. In this case I was incorrect, and a large amount of bots seemed to have joined my mother in my fan club.

Telnet

Telnet is an ancient protocol. It’s one of the first, if not the first, networking protocols, developed at BBN when they were creating ARPANet (don’t cite me on that, but it’s somewhere in the vicinity of accurate). What telnet allowed was remote connection between computers: it essentially emulated a terminal on the host machine. Today, telnet is largely unused, in part because there is no encryption and all network traffic is visible.

My use case for telnet required no security. The goal was just to host my game there so people could play UGD over the telnet protocol. Why? Why not. Since (a) there are no passwords or private data being exchanged during normal gameplay and (b) no actual system access is given to players (the telnet server is directly serving the game), I figured telnet was safe, fun, and retro.

Release the bots!

You know where telnet is not safe, fun or retro? Apparently, many IoT devices. You can read about the details here on ZDNet, but the summary is, a wide variety of IoT devices have open, insecure, telnet services on them and can be accessed from the world at large. Malicious people are aware of this and attempt to take advantage of it.

How much? A lot. Like, on the order of billions. So it’s no shock that my humble telnet server, within HOURS of coming online, became the target of one such attack.

These aren’t the servers you’re looking for.

The IoT devices in the aforementioned attack all run a flavor of Linux called BusyBox. Technically, it’s not a distro, but a series of binaries designed to run on embedded systems. I had never heard of BusyBox until I started seeing it in my logs.

I launched the telnet server at around 5PM on Friday. At around 7, I tried to log into it but my connection timed out. I SSH’d into my VPS to see what was up and saw that the telnet server had crashed. Weird, I thought, but not entirely unexpected. The telnet module was pretty janky and I had very low expectations for its performance. I relaunched the server, and again walked away. I came back before bed and saw that it had once again crashed. This time I took a look at the logs. Two attacks were happening simultaneously.

The first attack was trying to write a file that would wget (located in /bin/busybox, so there’s a clue…) a file onto the system. Then it would mark it executable, then it would run it, presumably taking over the system in some nefarious way. This attack seemed to be targeting IoT consumer devices.

The second attack was repeatedly trying different username/password combinations to gain root access to the device. I believe this was the attack that crashed the server. There are two reasons these attacks aren’t going to work (at least for now).

1. I’m not running BusyBox. There’s no wget located at /bin/busybox, so they won’t be downloading anything onto my system as it stands.

2. The typical telnet server, the kind these attacks are looking for, offers shell access to the device. When these bots connect they try to run sh, which would put them in a unix terminal session. My telnet server is running a game, and that’s all it can do—there is no functionality built in to run any unix or telnet commands. So while they enter their multitude of commands and passwords, they’re being repeatedly asked if they want to start a new game, load, or quit.

The “fix”

I added a single line of code to the server which has stopped the crashing. Whenever someone types “wget” or “busybox” (words which will never come up in gameplay unless you have a very unique play style, but words that the bots constantly enter), they get booted from the server. No fuss, no muss. Going forward, I’ll start logging the IPs of the bots and prevent them from joining in the first place, but right now I’m content to just sit back and watch bots get the boot.

