World's largest 1 Tbps DDoS Attack launched from 152,000 hacked Smart Devices

[paulbates]

Its a great reason to keep your devices updated and not open to the public and SSH disabled for public facing

 

Paul

 

___________________________________________________________

 

Repost from Hacker News

 

Do you know — Your Smart Devices may have inadvertently participated in a record-breaking largest cyber attack that Internet has just witnessed.

If you own a smart device like Internet-connected televisions, cars, refrigerators or thermostats, you might already be part of a botnet of millions of infected devices that was used to launch the biggest DDoS attack known to date, with peaks of over 1 Tbps of traffic.

France-based hosting provider OVH was the victim to the record-breaking Distributed Denial of Service (DDoS) attacks that reached over one terabit per second (1 Tbps) over the past week.

 

As the Internet of Things (IoT) or connected devices are growing at a great pace, they continue to widen the attack surface at the same time, giving attackers a large number of entry points to affect you some or the other way.1 Tbps DDoS Attack Hits OVH

IoTs are currently being deployed in a large variety of devices throughout your home, businesses, hospitals, and even entire cities (Smart Cities), but they are routinely being hacked and used as weapons in cyber attacks due to lack of stringent security measures and insecure encryption mechanisms.

Also Read: Here's How to Hack IoT Devices.

Octave Klaba, the founder and CTO of OVH, revealed on Twitter last week when his company was hit with two simultaneous DDoS attacks whose combined bandwidth reached almost 1 Tbps.

"Last days, we got [a] lot of huge DDoS. Here, the list of "bigger that 100Gbps" only. You can see the simultaneous DDoS are close to 1 Tbps!," Klaba tweeted.

A screenshot posted by Klaba shows multiple DDoS attacks that exceed 100 Gbps, including one that peaked at 799 Gbps alone, making it the largest DDoS attack ever reported.

According to the OVH founder, the massive DDoS attack was carried out via a network of over 152,000 IoT devices that includes compromised CCTV cameras and personal video recorders.

 

Must Read: How Drones Can Find and Hack Internet-of-Things Devices From the Sky.

IoT-powered DDoS attacks have now reached an unprecedented size, as it is too easy for hackers to gain control of poorly configured, or vulnerable, IoT devices.

Late last year, we reported that lazy manufacturers of the IoTs and home routers are reusing the same set of hard-coded SSH (Secure Shell) cryptographic keys, leaving millions of embedded devices, including home routers, modems, and IP cameras open to Hijacking.

And the worst part:

These insecure IoT or internet-connected devices are no longer in line for security updates, which makes it possible for hackers to hijack these connected devices today or tomorrow.

 

 

 

[cyberk]

VLANS + FIREWALL EVERYTHING! lol

[Teken]

Love it - let it all crash and burn . . .

[MWareman]

This particular attack was cameras mostly, with an old DNS resolver onboard that could be abused to perform such an attack.

 

A pretty old issue really - and one which the ISP is empowered to block. I wish all ISPs would (quickly) implement source filtering (is, only allow traffic from your circuit from the IP address or addresses you have been assigned). All of these attacks rely on being able to send spoofed UDP packets - and it's simple for the consumer ISP to mitigate this issue.

 

Michael.

[Teken]

It doesn't matter the fact the ISP could have reduced the incidence of these attacks. The reality is everyone who makes network attached devices need to place security at the for front and not a after thought. As I stated many times in related *Coffee News* in this forum and others - incidents like these are great, fantastic, and should be more common.

 

Because it will force the mindless fools to wake up and take notice and make a change.

 

Unfortunately, just because a manufacture has made every effort to use and deploy the best technology known to man. It simply will not protect the stupid which this world is completely filled with!

 

Human's be their very nature are lazy and in 2016 and beyond you will come to fully realize how lazy they will be. 

[Teken]

A related news article which mirrors my views and thoughts:

 

 

If you think ordinary people are going to look out for and apply firmware fixes to patch vulnerabilities in the Internet of Things, you're crazy.

 

It's going to be down to manufacturers to secure IoT devices, Intel Security's chief technical strategist says, because consumers will cheerfully give away their security and privacy in the name of convenience.

Scott Montgomery said time and time again non-geeks have shown little interest in the security of their IoT gizmos and were willing to put up with major security failings in things like home alarm systems and door locks in exchange for ease of use.

 

"Internet security and privacy are already tricky and industry hasn't done a great job of making it more accessible and easier – that's on us," he told the Structure Security conference in San Francisco on Wednesday. "But consumers are very, very ready to roll the dice with their privacy every time they buy a gadget."

 

A lot of manufacturers aren't getting the message either, he noted, citing two particularly worrying cases. In Canada, a maker of app-controlled vibrators is being sued after Kiwi hackers revealed that the device was recording a whole host of information about their use, and Mattel faced a huge backlash when its Hello Barbie doll was found to be riddled with security holes.

 

Medical equipment was also singled out for his scorn. There are thousands of health-related devices that are connected to the internet, he said, but there was little reason to do so and the results meant that you can pick up their data online with very little effort.

 

"If you look at any dark web search engine you'll be able to look at live MRIs going on right now," he said. "You can actually watch eyeballs being cut for Lasik surgery online. I don’t want to say that I've done it because that would be bad and probably borderline illegal but if you did watch it it's actually pretty cool."

 

However, industry has got the message on IoT security very clearly, he said, citing Exxon as being a clear leader in the field. The oil giant has been conducting a massive infrastructure overhaul with the intention of adding in IoT sensors from oil wells to refineries.

 

As part of that, Exxon has told its suppliers to take a much firmer look at how these sensors can be locked down. He gave the example of Exxon's production facilities where kerosene and gas are produced by the same equipment and bleed off with IoT-controlled valves.

 

There's no point in making such sensors too smart, he said. Instead they simply need to know whether to open or close and need no root access or extra functionality that could be hijacked by a hacker. Exxon is enforcing these rules with its suppliers to lock down its network.

 

Ultimately, manufacturers and chip suppliers need to formalize this process and make it happen, he opined. But in the meantime, if consumers are taking risks with goods it's up to the manufacturers to stop them. ®

 

[stusviews]

CCTV cameras? Don't they mean IP cameras? CCTV cameras are not connected to the internet. Unless they're wired to a DVR that is internet connected.

[paulbates]

It makes me pause a little. I dutifully marched to a "no open port" model with the iot devices in my house. But what do I really know about some of these fully capable OS devices calling to the internet out of my house? What about the cloud services that they are connected and can essentially RPC back to the iot device?

[Teken]

CCTV cameras? Don't they mean IP cameras? CCTV cameras are not connected to the internet. Unless they're wired to a DVR that is internet connected.

 

Your assuming the person who wrote this article has actually done some research in the same. Everyday I watch videos and read news by so called *Tech Journalists* misuse / mix up information. One only needs to read any so called *Energy* with respect to the development of solar and battery chemistry.

 

Everyday there is at least one new article that states XX discovery will make solar cheaper and more efficient. Its been more than 10 freaking years and not one of them have ever come to market. The famous solar cell printing was hailed as the next great thing since the wheel and sliced bread!

 

Yet more than ten years has passed and not a single company has released this technology to the public for consumption. The one or two that did offered a limited run and it in no way came in to the so called pennies per watts! They are all gone now and not a soul has picked up this so called break through to use as their own to make things more efficient and cheaper.

 

The only reason solar is at a all time low is over supply and capacity . . .

 

With respect to IoT there will be more of this kind of shenanigans for years to come. I say please do and embarrass the hell out of those who have no common sense to take just a few moments to ask a question or to pick up the phone to the tech line.  

[mwester]

It makes me pause a little. I dutifully marched to a "no open port" model with the iot devices in my house. But what do I really know about some of these fully capable OS devices calling to the internet out of my house? What about the cloud services that they are connected and can essentially RPC back to the iot device?

 

I too very recently created a dedicated infrastructure for IoT devices (due to some of the issues with Foscam cameras disclosed recently) - I've blocked everything except NTP at my firewall, and log the blocked attempts.  It really is worrisome that there's so little care and caution in the marketplace about this sort of thing.

[Teken]

Best practice has always been to isolate and place specific hardware on a dedicated network. If that couldn't be done at least place it on a different subnet. For those who are fans of BSG (Battle Star Galactica) the Cylons were able to penetrate easily into the secure network because everything was connected.

 

For those truly serious about security they should consider having devices not connected to the Internet. Some go so far like me air gap specific portions of the network. Whereas other devices run in a closed loop system which has no physical method to connect to the outside world.

 

Calling home seems to be the latest rage and people really need to take a serious look at the TOS for a product. One only needs to read the TOS for the Nest TSAT it will just boggle your mind how little protection and recourse you have.  

[paulbates]

I too very recently created a dedicated infrastructure for IoT devices (due to some of the issues with Foscam cameras disclosed recently) - I've blocked everything except NTP at my firewall, and log the blocked attempts.  It really is worrisome that there's so little care and caution in the marketplace about this sort of thing.

 

Yeh, I too have been trying to figure out how to put IOT thingies on their own VLAN,  without creating a virtual rube goldberg contraption of firewall rules. I think the trick is to protect the key assets I'm worried about... the PCs and NAS.. put them in their own bubble and create a rule for the admin console to get tot he ISY. 

 

Paul 

[MWareman]

Yeh, I too have been trying to figure out how to put IOT thingies on their own VLAN, without creating a virtual rube goldberg contraption of firewall rules. I think the trick is to protect the key assets I'm worried about... the PCs and NAS.. put them in their own bubble and create a rule for the admin console to get tot he ISY.

 

Paul

It's not very easy to do this with ISY, especially since if you use network resources, any portal or the weather module you'll at least need to allow DNS and web access to forever changing IP addresses. Given this attack was all about DNS it wouldn't have been mitigated at all by a segregated network.