Internet of Things (IoT) devices responsible for 1.1Tbps Distributed Denial of Service (DDoS) attack on hosting company.
Around 150,000 hacked CCTV cameras were used as part of a botnet to attack the infrastructure of a French web hosting company. The botnet also comprised other IoT devices.
The attack happened last week against OVH. The combined attacks amounted to 1.1Tbps being dumped on the firm’s networks at one point.
According to OVH chief technology officer Octave Klaba, hackers used an array of hacked CCTV cameras, DVRs and other IoT devices, such as unsecured routers, to mount the attack.
In a tweet, he said: “This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn.”
Klaba also published an image of logs the company kept of the attack. The biggest single attack came in at 799Gbps. To mount the attack, the hackers used a technique called Generic Routing Encapsulation to tunnel into a business network and bypass firewalls.
Compromised IoT devices responsible for DDoS
Paul McEvatt, senior manager, Cyber Threat Intelligence & Analytics at Fujitsu, told Internet of Business that what is different about this attack is the use of compromised IoT devices rather than the amplification attacks we have seen in the past.
“This is a new attack vector that will need to be studied by the organizations responsible for DDoS mitigation. There will be lessons learned from the Krebs attack in order to prevent or at least mitigate similar attacks in the future,” he said.
Ken Munro, a partner at Pen Test Partners, told Internet of Business that the industry hasn’t seen the “half of this yet!”
“We’ve speculated about malicious use of IoT devices before, but this appears to be one of the first large DDoS attacks that can be directly attributed to compromised IoT,” he said.
“We find vulnerable IoT devices with huge installed bases every week. Just this week we’ve privately disclosed to the vendor a remote code execution vulnerability on a domestic IoT device with at least 300,000 units installed. That RCE could be used to trigger a large number of requests, leading to DoS. That’s just one device type in just one country.”
Munro added that just that one set of devices could be used to trigger a DDoS in excess of that seen in the OVH case. “Hence, we don’t think the limits of IoT-derived DDoS have been seen at all.”