Botnet Controls “Twitch Installs Arch Linux” (opens in new tab)

(twitter.com)

33 pointsgangwolf10y ago25 comments

25 comments

Yup, this was pretty disappointing to us.

We were keeping it running as long as we felt comfortable to do so, but due to our lack of preparation for an actual attack, we decided to cut it when it was obvious that the majority was voting too perfectly on actions that were turning malicious.

At this point, we are not sure how we are going to be continuing with this project. The time investment required to make this secure is much larger than we initially anticipated and our current setup is not optimal to do so. Along with this, we are both currently students and do not have the time to invest in such an undertaking. However, we are currently talking with a group that is attempting to reboot this idea immediately in a more secure environment. We will be exploring our options on how to best keep this project going.

All of our code is available on github at https://github.com/twitchinstallsarchlinux

XiOmicronSigma10y ago

Well, I'll thank you for having this experiment, short as it was.

noobermin10y ago

I was in the stream and while at least some of the feats accomplished (partitioning the disk, installing the right things, changing the password) seemed to have some authenticity to it, the chat started to try to install nmap, then it tried investigate networking capabilities, tried to ping 8.8.8.8, to start dhcpcd, then tried to ping 8.8.8.8 again...all in rapid succession before anyone really discussed it at all. It certainly seemed fishy.

It's kind of upsetting. It was very exciting in the beginning--the internet installing a bootable arch linux system by voting for a single character at a time in under 3 hours...seemed unimaginable. But after the dhcpcd stuff started, it felt like that victory was taken from us.

EDIT: it WAS a botnet, see the reply from pdaddyo

terda1210y ago

I thought nmap was just chat going along with random stuff, but now that you mention it could be a botnet.

I doubt the `ping 8.8.8.8` was botnet though as its standard to test out your internet to see if you enabled it or not. Chat was trying to pacman -S something. People were encouraging others to type "ping 8.8.8.8"

pdaddyo10y ago

Creator JRWR confirmed botnet in irc channel: https://i.imgur.com/qaWFUEH.jpg

nlurski10y ago

JRWR is not a creator, he is one of the irc members who are looking into rebooting the project for us.

blerud10y ago

What irc client is that? Could you share the config?

anoa10y ago

Latest news from irc:

JRWR: So, the creators of this project have left. they no longer want to be a part of this any more. they have their reasons and I will NOT be disclosing it. The creators have handed over the keys to JRWR and yamamushi

JRWR: This project WILL live on, give us 24/48 hours to make something nice, we have their code and will expand on it.

yamimushi: We are working to get everything back online asap

And yes the reasoning for shutdown was the botnet, not pings or Google complaints.

terda1210y ago

So, is there any way to stop this botnet? Seems to be that the only way to stop bots from abusing the twich IRC api is to ban each of them.

I have programmed twitch spam bots before (repeats what people say, once on each account with eight accounts), it's surprisingly easy to do. Twitch does have some sort of system to detect if you are abusing the API I think, because I noticed that I get timed out pretty quickly.

anoa10y ago

A few ideas were thrown around with a third-party server and captcha necessary to validate your twitch account to send commands.

People working on it say it's being handled, but it definitely isn't a bad idea to brainstorm.

n17r4m10y ago

What about setting up a second site with a form: enter twitch name and answer a turing test question. also ask for person to create a new turing question with answer. Person has ability to request a few new questions before deny.

Submitted questions are approved by admins via rapid fire Y/N buttons, with ability to fix typos, etc.

This authenticates that user for something like 5-15 minutes or however long to participate in voting.

1 more reply

gangwolfOP10y ago

Evidence? https://imgur.com/WLEt2iz

terda1210y ago

I doubt it, I doubt people would just hand over their twitch accounts to some guy on 4chan.

noobermin10y ago

Most likely the OP would have been nypa'd out of there.

fidz10y ago

I doubt that. The thread had only <10 replies and it has been dead.

e1ghtSpace10y ago

I saw this on 4chan. I wonder what he would have done.

thekmap10y ago

Don't restart this thing until you've had a professional harden your network. You are not gonna stop the botnet, so the best you can do is limit the impact of post-exploitation.

tetha10y ago

And this is hardening like a DMZ. I'd probably end up with an arch mirror VM on the same host, tell libvirt to isolate the traffic and tell the host to drop all traffic coming from these machines without looking at it after setting up the arch mirror.

And then cross my fingers that there are no KVM bugs.

nelhage10y ago

Better yet, just run this on a t2.micro on a throwaway EC2 account. Doesn't matter if they own the box, they get literally nothing they couldn't get for free from Amazon anyways.

grogenaut10y ago

it also becomes quite easy to lock the machine down

malka10y ago

yeah. basically, no network access, except to the arch mirrors and just enough to watch the twitch stream. should be hard to abuse.

grogenaut10y ago

put it in an aws vpc on a private subnet. create another subnet with a nat instance. Only allow access to the vpc over ssh or whatever from the secure control server. Lock all other incomming via security groups or network ACLs. Allow egress from this box only to route on ports 80 && 443 out through a route table to the NAT instance to the internet. Further you can allow the nat to only allow access to 80/443 outbound to whitelisted ip addresses, or if you want to get craftier, make the nat a squid box and whitelist / net nanny what it can hit possibly via an admin watching twitch plays stream and saying yea/nea

jarboot10y ago

A good twitch stress test. Hopefully this stuff gets cleaned up in the future!

j / k navigate · click thread line to collapse