Botnet of 140,000 Cameras, DVRs Behind Biggest DoS Ever

A network of 150,000 IP-enabled devices including cameras and DVRs was involved in a denial of service attack against the French hosting firm OVH, an executive claimed.

In-brief: The head of a hosting firm said a botnet of almost 150,000 cameras and digital video recorders was behind a massive denial of service attack. 

The head of the French hosting firm OVH has claimed that his company was the victim of a distributed denial of service attack topping 800 Gigabits per second (Gbps) emanating from close to 150,000 IP-enabled cameras and Internet-connected digital video recorders (DVRs).

Octave Klaba, the founder of OVH, which is based in Roubaix, France, said in a post on Twitter on September 23 that a “botnet with 145607 cameras/dvr” was responsible for sending a string of attacks that added up to more than 1.5 Terabits per second of bogus connection requests. A single attack alone, on September 20, clocked in at 799 Gbps, making it the largest known.

On Monday, Klaba again took to Twitter to note that the denial of service attacks were continuing with 6,857 new cameras enrolled in the botnet.

The news from OVH comes after U.S.-based security blogger Brian Krebs was knocked offline by a denial of service attack that weighed in at over 600 Gbps. The sustained attack, apparently from a similar botnet, forced Krebs’ site off Akamai’s content distribution network and effectively shut down his blog for days. On Sunday, Krebs found protection from Google’s Project Shield and was again online. The OVH attack and the attack that knocked Krebsonsecurity.com offline may be linked to the same group, according to Andy Ellis, the Chief Information Security Officer at Akamai.

Akamai could not immediately confirm the size of the botnet that Mr. Klaba reported.

Loosely secured “things” like cameras, home routers, network storage devices and home DVRs are increasingly being used as part of massive, global botnets to launch such attacks. Researchers at the firm Arbor Networks noted in June that a botnet dubbed LizardStresser, which is based on open source code, has been targeting Internet of Things devices secured with factory default passwords. Different cyber criminal groups then use the cumulative bandwidth of the compromised devices to launch high-volume denial of service attacks against select targets. Initially, online gaming sites were targeted, possibly in cyber extortion schemes. But Arbor also recorded attacks against Brazilian financial institutions, ISPs like OVH and government institutions.

Similarly, in its most recent State of the Internet/Connectivity Report, Akamai said that a variant of Kaiten malware was identified that specifically targets networking devices used in small office and home (SOHO) environments and Internet of Things devices.

The attacks against OVH and Krebs are larger than any denial of service attacks previously observed. However, attacks by non-traditional networked devices are common. In 2015, for example, the firm Incapsula noted a botnet made up of a large number of SOHO (small office and home office) routers, many of them Ubiquiti home routers equipped with ARM processors. Incapsula recorded traffic from more than 40,000 IP addresses associated with 1,600 ISPs worldwide.

Similarly, in June, the firm Sucuri said it had beaten back a denial of service attack directed at small, online merchants. An investigation by the firm confirmed that the attack, which lasted for days and generated up to 50,000 web requests per second, emanated from a network of tens of thousands of DVRs (digital video recorders) deployed with video surveillance systems globally.
