Slashdot Mirror


OVH Hosting Suffers From Record 1Tbps DDoS Attack Driven By 150K Devices (hothardware.com)

MojoKid writes: If you thought that the massive DDoS attack earlier this month on Brian Krebs' security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried via a network of over 152,000 IoT devices. According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs. Many of these devices have improperly configured network settings, which leaves them ripe for the picking for hackers that would love to use them to carry out destructive attacks. The DDoS peaked at 990 Gbps on September 20th thanks to two concurrent attacks, and according to Klaba, the original botnet was capable of a 1.5 Tbps DDoS attack if each IP topped out at 30 Mbps. This massive DDoS campaign was directed at Minecraft servers that OVH was hosting. Octave Klaba / Oles tweeted: "Last days, we got lot of huge DDoS. Here, the list of 'bigger that 100Gbps' only. You can the simultaneous DDoS are close to 1Tbps!"

116 comments

  1. twat by Anonymous Coward · · Score: 0

    Octave Klaba / Oles tweeted: "Last days, we got lot of huge DDoS. Here, the list of 'bigger that 100Gbps' only. You can the simultaneous DDoS are close to 1Tbps!"

    I know tweeter limits the number of characters you can send (right?) but please try to sense.

    1. Re: twat by corychristison · · Score: 1

      1. He's French
      2. Twitter character limit
      3. Software translation

    2. Re:twat by Anonymous Coward · · Score: 0

      All your base are belong to us.

  2. How do IoT manufacturers... by Anonymous Coward · · Score: 0

    ...stem this madness?

    It's irresponsible of them to leave massive security holes open in their devices, allowing them to be commandeered at will to act as proxy online attack dogs.

    1. Re:How do IoT manufacturers... by JustAnotherOldGuy · · Score: 5, Insightful

      ...stem this madness?

      The sad fact is that it's already too late. The problem is that there are loads of these insecure devices out there now, and they will likely be online for years to come.

      Even if every new IoT device that was sold starting tomorrow was actually secure, we have a huge pool of susceptible devices that are already in place just waiting to be exploited.

      Our best hope is that these craptastic devices fail quickly and are replaced, but I'm not going to hold my breath hoping that their replacements will be any more secure. Frankly, I have no reason to believe that IoT device makers will ever do anything to make their devices secure. We'll be seeing this shit 10 years from now, only worse.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:How do IoT manufacturers... by dgatwood · · Score: 4, Interesting

      The sad part is that it was too late before the devices were even built. This is really no different than any other zombie botnet.

      What is needed, IMO, is a standardized system for being able to report problems upstream—an ICMP response that says, in effect, "Suppress all traffic from x.x.x.x to y.y.y.y for five minutes" that propagates upstream. Ideally, it should use a three-step handshake to prevent forged block requests from being viable, where the recipient of that message waits until it sees a packet directed to y.y.y.y, (to avoid amplification attacks), then sends a packet that says, "confirm block id xxxx" and it responds "yes xxxx" after which it drops the traffic. If it gets no response, it should try three pings (with exponential backoff), and if they fail, it should assume that the server is saturated and it should block the traffic as requested. If they succeed and a subsequent confirmation fails, it should assume that the server doesn't actually support blocking requests, and that the blocking request was spoofed. If the response is "no xxxx", then the blocking request was spoofed, and the packet passes through with only that small extra bit of latency, and the blocking request is discarded.

      If such a scheme were in place, then each botnet member joining in a DDoS attack would get blocked by their closest router, or at a bare minimum, by the router at their ISP, and would basically be unable to do any real harm.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.
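
The confirmation handshake proposed in the comment above, modelled as router-side decision logic. This is an added example, not part of the original comment and not an existing protocol: the class and method names, the injected `confirm`/`ping` transports and the random block id are assumptions made for illustration.

```python
import enum
import secrets
import time
from dataclasses import dataclass


class Verdict(enum.Enum):
    BLOCK = "block"      # request confirmed, or victim presumed saturated
    DISCARD = "discard"  # request judged spoofed or unsupported


@dataclass(frozen=True)
class BlockRequest:
    src: str            # x.x.x.x: the sender to suppress
    dst: str            # y.y.y.y: the host asking for relief
    seconds: int = 300  # "five minutes" in the comment


class Router:
    """Hypothetical router-side logic; confirm/ping/sleep are injected transports."""

    def __init__(self, confirm, ping, sleep=time.sleep):
        self.confirm = confirm  # (dst, block_id) -> reply string, or None on timeout
        self.ping = ping        # (dst) -> True if the echo was answered
        self.sleep = sleep
        self.pending = {}       # (src, dst) -> BlockRequest not yet verified
        self.blocks = {}        # (src, dst) -> expiry time

    def on_block_request(self, req):
        # Only remember the request. Nothing is sent until real traffic toward
        # dst shows up, so a forged request alone cannot trigger packets.
        self.pending[(req.src, req.dst)] = req

    def on_packet(self, src, dst, now):
        """Return True to forward the packet, False to drop it."""
        key = (src, dst)
        expiry = self.blocks.get(key)
        if expiry is not None:
            if now < expiry:
                return False
            del self.blocks[key]  # block has lapsed
        req = self.pending.pop(key, None)
        if req is None:
            return True
        if self._verify(req) is Verdict.BLOCK:
            self.blocks[key] = now + req.seconds
            return False
        return True  # spoofed request: packet passes with a little latency

    def _reachable(self, dst):
        # Three pings with exponential backoff (1 s, then 2 s between tries).
        for attempt in range(3):
            if self.ping(dst):
                return True
            if attempt < 2:
                self.sleep(2 ** attempt)
        return False

    def _verify(self, req):
        block_id = secrets.token_hex(4)  # random id, so a blind forger cannot answer
        reply = self.confirm(req.dst, block_id)
        if reply == f"yes {block_id}":
            return Verdict.BLOCK
        if reply == f"no {block_id}":
            return Verdict.DISCARD
        # No usable reply (a reply with the wrong id counts as none).
        if not self._reachable(req.dst):
            return Verdict.BLOCK    # assume the victim is saturated
        # Host answers pings; give the confirmation one more chance.
        if self.confirm(req.dst, block_id) == f"yes {block_id}":
            return Verdict.BLOCK
        return Verdict.DISCARD      # host lacks the protocol: treat as spoofed
```

The four outcomes map to the comment's cases: "yes" blocks, "no" discards, silence plus failed pings blocks, and silence from a pingable host discards.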

    3. Re:How do IoT manufacturers... by gweihir · · Score: 2, Insightful

      It is time to blacklist these devices and prevent insecure devices that participate in DDoS permanently. This may mean things like MAC-based blocking on ISP-level. In order to make ISPs do this, we may have to drop a few ISPs from global routing first though.

      Another option would be to make hacking them to take them down legal, but that is hugely problematic.

      Anyways, with the damage these idiots allow the DDoSers to do, terrorism begins to seem kind of irrelevant.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re: How do IoT manufacturers... by Anonymous Coward · · Score: 0

      IoT has no meaningful relationship with the potential size of DDoS. For DDoS:

      It doesn't matter if your refrigerator is vulnerable, your edge router is already vulnerable.

      It doesn't matter if your light bulb is vulnerable, your phone is vulnerable.

      It doesn't matter if your TV is vulnerable, your laptop is vulnerable.

      It doesn't matter if your door lock is vulnerable, your game console is vulnerable.

      And they always will be. There will always be vulnerabilities available to utilize your laptop, your phone, your game console and your edge router in reflection attacks or as part of a botnet.

      And they are all (with the possible exception of your phone) limited to the throughput of your internet connection.

      So don't blame the size of the latest DDoS on the number of insecure devices on joe user's network, because all it takes is one. And there will always be at least one. And, one or one hundred packet sources, Joe User's network can only push so many packets.

      There are security issues that should concern you relating to IoT, but, pragmatically speaking, they're unrelated to DDoS.

    5. Re: How do IoT manufacturers... by Anonymous Coward · · Score: 0

      The only MAC your ISP sees is from your router, unless you are proposing to ban non-isp routers.

    6. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 2, Insightful

      "This is really no different than any other zombie botnet."

      Oh, no, this one is quite different.

      Typical Windows PCs in botnets (a) are never updated & therefore decay until they implode and are reinstalled, wiping out the zombie and (b) at least at re-install time, they get updated so the old exploit doesn't work anymore.

      The current SOP for IOT manufacturers, however, breaks BOTH of these things at once: These badly-designed devices none the less usually run a well-designed underlayer (*nix), which means they don't just intrinsically bitrot and collapse on their own. And the same manufacturers who made these inexcusably insecure devices in the first place can't be bothered to remedy the problem and update their devices either. So now you've got devices with utterly broken security, which can't be fixed, can't be patched, and (as embedded devices are wont to) will be hanging around for all of eternity and then some... sitting on 10, 30, or 1000Mbps data lines.

      The IoT (in)security catastrophe is going to make the 2000-era Windows security disaster look like pasta boiling over and making a minor mess on the stove while we watch out the windows as a school bus full of children and an oil tanker kamikaze each other at 100mph.

    7. Re:How do IoT manufacturers... by PurpleAlien · · Score: 5, Informative

      Frankly, I have no reason to believe that IoT device makers will ever do anything to make their devices secure. We'll be seeing this shit 10 years from now, only worse.

      As someone who owns a company that makes IoT devices and properly secures them, there are companies that do take security serious. The problem is that security is all too often seen as just a cost, not a feature you can charge money for. You need dedicated security people, incorporate security from the start, etc. and lots of companies just don't want or have the money. It makes the cost of the device go up, you get longer time to market, etc. and that's a hard sell to investors.

      We actively try to educate on security, but it is going to take several more of these and some big losses before the majority will take security serious.

      --
      My blog, if you're interested: http://www.purp
    8. Re:How do IoT manufacturers... by Heart44 · · Score: 1

      A really dumb question - as all these devices can be configured to do DDOS attacks remotely, could they also be remotely reprogrammed to make them more secure?

    9. Re:How do IoT manufacturers... by JustAnotherOldGuy · · Score: 4, Insightful

      It is time to blacklist these devices and prevent insecure devices that participate in DDoS permanently. This may mean things like MAC-based blocking on ISP-level.

      But all your ISP sees is your router...so they'd have to start cutting people off from the internet left and right. And many, many people won't know what to do when that happens because all the ISP can tell them is that "some device" is sending traffic out.

      Is it their thermostat? One or more light bulbs? The washer or refrigerator or the furnace? Maybe it's little Johnny's Speak-N-Spell or Sally's Barbie Dream Castle. Maybe it's the TV or the DVR or the remote-viewing doorbell.

      They'll have to unplug their whole house, bit by bit, checking with the ISP each step of the way. How is Joe Sixpack or Grandpa going to know what to do? And what if two or more devices are the culprit?

      Shit, the more I think about it, the more I realize that this shit is going to be way worse than I imagined, and I'm pretty pessimistic to start with.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    10. Re:How do IoT manufacturers... by JustAnotherOldGuy · · Score: 1

      As someone who owns a company that makes IoT devices and properly secures them, there are companies that do take security serious.

      I know, but for every one that does take security seriously there are a hundred that don't. I applaud you for thinking of security, but you're the one out of a hundred. It's the other 99 I'm worried about.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    11. Re:How do IoT manufacturers... by JustAnotherOldGuy · · Score: 2

      A really dumb question - as all these devices can be configured to do DDOS attacks remotely, could they also be remotely reprogrammed to make them more secure?

      I don't know. Can you retrofit a sieve to hold water?

      --
      Just cruising through this digital world at 33 1/3 rpm...
    12. Re:How do IoT manufacturers... by slimjim8094 · · Score: 2

      Yeah, easily, if you lay in some plastic wrap or something. Actually it's easier than most things as the sieve is the right shape to hold water, and the holes are pretty easy to cover - the water will even help you do it!

      Sieves are fun! Wait, what were we talking about?

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    13. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      Anyways, with the damage these idiots allow the DDoSers to do, terrorism begins to seem kind of irrelevant.

      Not being able to access your favorite website > getting blown up by a car bomb...

    14. Re:How do IoT manufacturers... by JustAnotherOldGuy · · Score: 1

      Well, it would be more like sending it back to the manufacturer for them to retrofit it, or maybe requesting they send you some plastic wrap to fix their defective water carrying device.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    15. Re:How do IoT manufacturers... by LesFerg · · Score: 1

      Well in TV-land a hacker can just send a huge EMP to the device until smoke starts coming out of it and the screen melts.
      Not sure what happens after that, it's usually where I choose a different show to watch.
      Would be cool if the passwords on these devices could be reset to a random value from a remote hack tho.

      --
      If I had a DeLorean... I would probably only drive it from time to time.
    16. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      This is obviously stupid. Obviously the greater the problem becomes, the greater the measures taken in addressing it will become. An old vulcan ISP proverb comes to mind - "the squeaky wheel gets the grease". Or maybe it was something like that. If there are 5 billion devices on the internet, and four billion nine hundred million of them are working fine for just as many humans, and a hundred million are making as many humans annoyed with the equivalent of a high pitched squeak... You don't call the result "it's too late, it's all broken". You call the result "it's mostly working fine, and the most annoying squeaks will get the grease first".

      The propaganda is thick.

    17. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      While I am quite aware how legislators are really good at getting things wrong when legislating around technical issues, I think that's what we need here. It needs to be illegal to sell a consumer-style IoT device with poor security. This ought to be a product-safety kind of thing.

    18. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      There's a clear market for an after-firewall security appliance with filters, anomalous behaviour detectors, known exploit and plain-old malware detection..if the consumer market could somehow be made aware of the situation. CMO, top floor, on the double!!

    19. Re:How do IoT manufacturers... by c-A-d · · Score: 1

      There are techniques using BGP and community strings to do this sort of thing, but not everyone has deployed it and it's difficult to set up properly.

      --
      some karma... and kinda lukewarm about it.
    20. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 4, Insightful

      Yes. That's EXACTLY what they need to do. They need to figure out WHICH part of their SHIT is breaking the world for everyone else.

      This is the same stupid kind of shit that causes entire neighborhoods to burn down because some idiot is too stupid to know not to put a space heater under the curtains in their house, get their house blazing, then (by the sheer idiocy of the developers) set ablaze the other houses that are only six feet away.

      Take some damn responsibility for the shit you buy. Don't go buy a gun if you're too stupid to know you can accidentally kill someone with it. Don't buy a stupid Internet connected piece of shit if you're too stupid to know you can bring down the Internet with it.

    21. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      The sell for security is purely brand protection. If you value your brand you don't want to have it tainted by a bad security breach/issue security becomes important. If you're a startup who has no brand and getting to market is the most important thing so you can drive up your stock price for a quick sale security becomes very much less important.

    22. Re:How do IoT manufacturers... by trawg · · Score: 4, Interesting

      On the plus side it might finally lead to home routers getting some more interesting IP accounting features. That is one thing that has always annoyed me ever since I stopped having a Linux gateway - the home routers typically have no useful feedback as to what device is responsible for traffic.

      Even a simple counter table would be incredibly useful, but I don't really see any reason why it would be hard to have good real-time graphs showing the current and total data usage from each IP on the network.

      One interesting challenge though - what happens if you have an IoT device that is thoroughly pwned and keeps changing IP addresses (and/or MAC addresses!) specifically to make identifying it internally even more complicated?!

    23. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      The DDoS attacks will get worse, but then... the more likely scenario is that the largest ISPs will rollout software to identify the misbehaving things in their modem/router/ap devices. Customers that purchase their own modem/router/ap device, will have to buy one that the ISP has approved (i.e., can run the same diagnostics software) for their network.

    24. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      Anyways, with the damage these idiots allow the DDoSers to do, terrorism begins to seem kind of irrelevant.

      First world problems...

    25. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      Market, you say... And who is going to pay for these? The end user? I doubt it. What good to me, as an end user, would such appliances do?

    26. Re:How do IoT manufacturers... by avgapon · · Score: 0

      What do people do now if their home gets infested with pests? I think that a new kind of professional bugbusters could arise as a result.

    27. Re:How do IoT manufacturers... by tijgertje · · Score: 1

      Now think about pump-servers (areas that are below sea level!), air traffic control, etc
      More devices can be attacked than just webservers

    28. Re:How do IoT manufacturers... by slashrio · · Score: 1

      It would be very easy to factory-configure every IoT-thing with a unique and very strong password, print that on a label and stick that on the IoT-thing.

      --
      "Trump!!", the new Godwin.
    29. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      Well, you know, the security aspect of cyber is very, very tough. Never forget that!

    30. Re:How do IoT manufacturers... by Bert64 · · Score: 2

      If you have an automated way to block traffic, then someone will abuse that system for the same goals as the original attack...
      The goal of a ddos is to take something offline, a system which is blocking traffic is offline.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    31. Re:How do IoT manufacturers... by Bert64 · · Score: 1

      And how are consumers supposed to identify which devices are more secure at the pre-sale stage, and which vendors take security seriously?

      Also in what way do you take security seriously? A lot of vendors go to great lengths to prevent anyone (including the legitimate owner of the device) from loading alternative firmware or gaining shell access to the underlying system etc. Vulnerabilities will still be found, but if you can't replace the firmware and the original vendor no longer produces an update or bundles the update with unwanted changes then your device remains vulnerable forever.

      I've extended the useful life of various routers and access points by loading dd-wrt or openwrt on them, which will often continue to be updated long after the original vendor has given up on the device. The hardware is still fully functional, more than adequate and available very cheaply.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    32. Re:How do IoT manufacturers... by Bert64 · · Score: 1

      Many Chinese products are sold with no brand whatsoever, or completely arbitrary brands which are made up just for that one product... They couldn't care less about brand reputation.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    33. Re:How do IoT manufacturers... by AmiMoJo · · Score: 1

      This would be an excellent way to block those companies that send out piracy warnings. I'm fed up with their spam.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    34. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      What is OVH?

    35. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      It is never too late. Never too late to employ a secret police to silently locate and terminate the persons behind the attacks.

    36. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      "We'll be seeing this shit 10 years from now, only worse."

      They sell tv boxes in my country. Every channel (all premium channels too, all movies, all sports, all premium football team channels like mutv, chelseatv etc.) for 150euro a year that would usually cost that much a month.

      You get an arm based linux box with dual satellite receiver. It connects via internet to a server farm in china that gives you the crypto keys to decrypt channels from dish.

      These things are installed with everything running as root, blank passwords and running open http, ftp, ssh, telnet and just about every frickin protocol you can think of. zero security.

      They are *everywhere*. I've been meaning to run the traffic through another linux box and see what the thing is doing, has to be on a botnet (either by chinese guys running it or somebody who just noticed them).

    37. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      Fortunately the end users have the option of not connecting everything in their home. For now..

    38. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      Even a simple counter table would be incredibly useful, but I don't really see any reason why it would be hard to have good real-time graphs showing the current and total data usage from each IP on the network.

      Certain Tomato firmware supports IP-based accounting and real-time graphs (possibly on DD-WRT and OpenWRT as well, either built-in or add-on). Of course, this is only for supported routers, but its reach is quite far. It is also one of my required "features" when looking to purchase a router.

    39. Re:How do IoT manufacturers... by dwillden · · Score: 1

      First they have to use visual basic to build a gui, then they can track and EMP the hacker's screen.

      --
      I'm too lazy to compose a creative sig.
    40. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      One interesting challenge though - what happens if you have an IoT device that is thoroughly pwned and keeps changing IP addresses (and/or MAC addresses!) specifically to make identifying it internally even more complicated?!

      Then the culprit is the thing that keeps changing IPs (or MACs), and grabbing new DHCP leases every minute. Or using a non-DHCP address that I haven't pre-defined.
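
The per-device counter table asked for earlier in this sub-thread, combined with the lease-churn and unknown-address checks from the reply above, as an added example that is not part of either comment. The record layouts, thresholds, addresses and MACs are constructed for illustration and do not correspond to any particular router firmware's export format.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the page).
# DHCP lease events: (unix_time, mac, ip)
LEASES = [
    (0,   "aa:00:00:00:00:01", "192.168.1.10"),  # laptop, one stable lease
    (5,   "aa:00:00:00:00:02", "192.168.1.11"),  # camera, new lease every minute
    (60,  "aa:00:00:00:00:02", "192.168.1.12"),
    (120, "aa:00:00:00:00:02", "192.168.1.13"),
    (180, "aa:00:00:00:00:02", "192.168.1.14"),
]
STATIC = {"192.168.1.2": "nas"}  # pre-defined non-DHCP hosts
# Outbound flow records seen at the gateway: (unix_time, src_ip, bytes_out)
FLOWS = [
    (10,  "192.168.1.10", 4000),
    (20,  "192.168.1.11", 900000),
    (70,  "192.168.1.12", 950000),
    (130, "192.168.1.13", 910000),
    (150, "192.168.1.2",  2000),
    (160, "192.168.1.77", 800000),  # never leased, not pre-defined
    (190, "192.168.1.14", 990000),
]


def owner_at(leases, static, ip, when):
    """Label the device that held `ip` at time `when`."""
    if ip in static:
        return f"static:{static[ip]}"
    held = [(t, mac) for t, mac, leased in leases if leased == ip and t <= when]
    return max(held)[1] if held else f"unknown:{ip}"


def bytes_per_device(flows, leases, static):
    """Counter table keyed by device, so traffic follows a MAC across IP changes."""
    totals = Counter()
    for when, src_ip, nbytes in flows:
        totals[owner_at(leases, static, src_ip, when)] += nbytes
    return totals


def lease_churn(leases, window=300, max_leases=2):
    """MACs that took more than `max_leases` leases within any `window` seconds."""
    times = defaultdict(list)
    for t, mac, _ip in leases:
        times[mac].append(t)
    flagged = set()
    for mac, stamps in times.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            if sum(1 for t in stamps[i:] if t < start + window) > max_leases:
                flagged.add(mac)
                break
    return flagged


def unknown_sources(flows, leases, static):
    """Source IPs that sent traffic without a lease or a static entry."""
    return {
        ip for when, ip, _n in flows
        if owner_at(leases, static, ip, when).startswith("unknown:")
    }


if __name__ == "__main__":
    for device, total in bytes_per_device(FLOWS, LEASES, STATIC).most_common():
        print(f"{device:24} {total:>10} bytes")
    print("lease churn:", sorted(lease_churn(LEASES)))
    print("unknown sources:", sorted(unknown_sources(FLOWS, LEASES, STATIC)))
```

A device that also rotates its MAC address will not trip the per-MAC churn counter; counting never-before-seen MACs per window is the analogous check for that case.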

    41. Re: How do IoT manufacturers... by Anonymous Coward · · Score: 0

      Yeaaaa let's give government more control. They don't have enough.

      It's idiots like you, that gave us the world we have today. Can't fight the boogeyman? Hire the government to do it.

    42. Re:How do IoT manufacturers... by JustAnotherOldGuy · · Score: 1

      One interesting challenge though - what happens if you have an IoT device that is thoroughly pwned and keeps changing IP addresses (and/or MAC addresses!) specifically to make identifying it internally even more complicated?!

      Or if you have multiple pwned devices working in concert to trade off the traffic so as to try and stay below the radar. What if there were 5 or 6 or 10 devices, all infected...they could each share the load in random rotation. Each would behave normally except for a few seconds or minutes a day when it would act maliciously. I would think that would be fairly tricky to nail down.

      O Brave New World.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    43. Re:How do IoT manufacturers... by JustAnotherOldGuy · · Score: 1

      What do people do now if their home gets infested with pests? I think that a new kind of professional bugbusters could arise as a result.

      Sure, but how much would this kind of service cost? Maybe as much or more than just replacing the suspect gadgets (not a refrigerator or furnace, obviously, but still...). And who's to say they won't get reinfected the next day?

      I can see it now: "Norton Anti-Virus For Home Appliances". "Mcafee HomeGuard Extreme DoubleSecure". Ugh.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    44. Re:How do IoT manufacturers... by PurpleAlien · · Score: 1

      And how are consumers supposed to identify which devices are more secure at the pre-sale stage, and which vendors take security seriously?

      They can't, and I never said they could. We try to educate them. One thing we do for example is analyze potential devices for customers and figure out if there are any security issues. For example, GPS trackers that you buy cheaply on eBay or Alibaba all have major security issues. We show this to customers and have independent parties verify this before they decide to buy them. Granted, we usually don't deal with individual end users, but with re-sellers or distributors and industry, but each one of them gets the security talk.

      Also in what way do you take security seriously?

      Take security in mind from the start of the project. Have dedicated security and cryptography people on board (I'm a cryptographer and security researcher myself), have third party code reviews, use formal verification methods, use industry standard cryptographic routines, use strict privilege separation with e.g. an L4 kernel like Fiasco.OC, have data encrypted at every stage (in motion, at rest, ...), unique cryptographic keys per device, signed binaries for remote updates, every remote command is encrypted, signed and verified on the device, every communication from the device is encrypted, signed and verified by the server, etc.

      In the end, if people want to change the firmware and use their own server etc., they still can as well. It just won't talk to our servers anymore, but that is usually what the goal is and we support our customers with that. We can also support our clients to use their own servers and give best practices to secure it, and often we just develop a firmware specifically for them that adheres to the same security standards.

      --
      My blog, if you're interested: http://www.purp
    45. Re:How do IoT manufacturers... by greenfruitsalad · · Score: 1

      can you please elaborate and give me pointers where i can read more about this?

    46. Re:How do IoT manufacturers... by dgatwood · · Score: 1

      Except that what I described is carefully designed to make abuse almost impossible. Any fake blocks are removed almost immediately, and unless the server is actively being DDoSed, assuming it supports the protocol, such removal causes at most one additional packet to get sent in each direction, which means there's no amplification if the server supports the protocol, ignoring situations where packet loss causes a retry.

      If the server doesn't support the protocol, there's typically only a 2x amplification (one confirmation request + 1 ping packet). That's a slight amplification, but nothing to write home about.

      And the only situation where the block actually stays put is if the server is under DDoS, which is exactly when you would want it to stay put. In that case, a request to block an IP results in getting up to five packets back, but then that IP's traffic never reaches your server for a period of at least an hour (or longer if your server sends out a new packet to extend the block), which should be a huge net win.

      But if you see something that I'm missing, feel free to suggest a better design that protects against additional forms of abuse.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    47. Re:How do IoT manufacturers... by dgatwood · · Score: 2

      Actually, now that I think about it, I did forget to mention one small bit of the protocol. Each router that passes on the original request should immediately ACK the request to the previous router so that the previous router knows that it does not need to handle the blocking itself. It should then send it towards the attacker's IP, and if it does not get an ACK from any router that's closer to the attacker in a timely manner, it should handle the blocking request itself and send back a confirmation request to the original IP address. It should then presumably reject any blocking confirmation requests that come later from closer to the attacker's IP, because they are redundant at that point.

      This ensures that only the last router that supports blocking sends a confirmation request to the original server. Otherwise, you could cause a huge amplification attack by causing every hop in the route to ask the original server for confirmation. :-)

      There's still a risk of abuse if somebody is able to inject and sniff arbitrary packets between the user and the server by being able to receive the confirmation request and respond to it, but if they can do that, they can also inject RST packets, so I'm not convinced that's an interesting edge case to worry about.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    48. Re:How do IoT manufacturers... by dgatwood · · Score: 1

      Only for an hour, though I guess you could send a new blocking request every 45 minutes.

      It would also let me block those idiots who keep trying to sign in to my servers via SSH. You'd think that when they send the original request (for authentication-free login) and the server says that it only accepts private key authentication, they wouldn't send thousands of password-based login attempts, but apparently the people who write those bots don't understand the SSH protocol very well, or else they just like wasting my bandwidth.

      And I do periodically block them with filtering rules manually when I notice them, but I don't have time to scan the logs constantly, and they shift IPs often enough to make that problematic. But if I could make it so that the first password-based auth from an IP caused their attacks to immediately get blocked at their own edge router for an hour, it would be worth writing a log scanner.

      Even better, ISPs could monitor their networks for those packets, and if a customer keeps getting blocked, they could contact the customer.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    49. Re: How do IoT manufacturers... by Anonymous Coward · · Score: 0

      Hardly giving them more control, legislation is more like making an official announcement about it. It does not stop people from doing something. At least when things go bad there's a way to hold the abuser responsible.

      Kinda like the no-smoking sign by building's doors. It does not actually PREVENT people from smoking, but if someone does light up and annoy others- a passer by can point at the sign and say 'hey do you mind'?

    50. Re: How do IoT manufacturers... by Anonymous Coward · · Score: 0

      Why not use Fail2ban, maybe?

    51. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      Jesus, you bunch of negative Nellies seem to not get that if a hacker can get into a device everybody else can, too.

      If a device can be hacked it can be secured. I'll hire people that are capable and intelligent enough to come up with logical solutions based on reality, as opposed to hysterical 12 year old girls.

    52. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 0

      Godspeed on the devil's thunder, my friend - I hereby nominate you for the title "cybersecurity czar". The world needs more people like you.
      CAPTCHA: autocrat
      honestly /.
      I love the sense of humor, keyword matching perhaps?

  3. IoT is an unnecessary security risk. by bjwest · · Score: 2

    The IoT is, by design, a security risk. Who the hell needs their oven, thermostat, refrigerator and each individual light-bulb connected to the Internet? I have no pity for anyone who gets their speaker-included light-bulb hacked, and I truly believe the companies whose products are involved in this DOS should be held completely responsible. CEOs and CTOs should be fired and charged with computer crimes.

    --

    --- Keep the choice with the user..
    1. Re:IoT is an unnecessary security risk. by thoughtspace · · Score: 1

      They said the same thing about the internet.

    2. Re: IoT is an unnecessary security risk. by Anonymous Coward · · Score: 0

      There we go with that mysterious "they" again. Who are you talking about? As far as I can remember, people were pretty hyped up for getting the internet into every home.

    3. Re:IoT is an unnecessary security risk. by Anonymous Coward · · Score: 0

      If you can't see advantages and demand for controlling your house from your phone, regardless of if you're home, then you're very short sighted and not a good futurist.

    4. Re:IoT is an unnecessary security risk. by phizi0n · · Score: 4, Insightful

      By that logic why limit it to only IoT. Everything connected to the net should be held accountable which starts with ISP's holding each other and their customers accountable. ISP's need automated ways of telling each other about unwanted DDoS traffic in real time, or even just identifying members of botnets after an attack, and then demanding that those customers be warned/taken offline until they secure their local networks. If an ISP fails to act then their peering links would start getting throttled progressively more until either they fix the problem or they get cut off entirely.

    5. Re:IoT is an unnecessary security risk. by Anonymous Coward · · Score: 1

      You forgot to mention DVRs, Roku, AppleTV, printers, home security cameras, Xbox/Playstation, etc, etc, etc.

      But in reality it's not likely these are all home devices, which are typically behind NAT routers with at least some basic firewall features. I suspect most of these are devices that aren't firewalled.

    6. Re:IoT is an unnecessary security risk. by phizi0n · · Score: 1

      Forgot to mention that the ISP's could also pressure any device manufacturer to secure their products better and all the customers with devices that are inherently insecure could take legal action against the device manufacturers for a defective product.

    7. Re:IoT is an unnecessary security risk. by Anonymous Coward · · Score: 1

      Which is how it should work. But the problem with that is that many/(most) ISP's don't do source address filtering. Which means that if the attack nodes also use source address spoofing, once the traffic gets to the target you don't know which ISP it came from.

      If you knew which ISP the traffic was coming from you could indeed grab them by the throat and work backwards, but unfortunately the target doesn't know that.

    8. Re:IoT is an unnecessary security risk. by somenickname · · Score: 5, Insightful

      If you can't see advantages and demand for controlling your house from your phone, regardless of if you're home, then you're very short sighted and not a good futurist.

      Bullshit. There is a safe way to do this: Don't let any of the devices have direct access to the internet. None. Put them on their own dedicated wireless router, connect that wireless router to your real router and then set a firewall rule that doesn't allow anything from the IoT router to route outside your LAN. If you want to check the status of the devices when you aren't on your local LAN, VPN into your house and check them.

      You don't need to trust shady vendors that don't give a shit. You don't need to open a billion insecure ports in your firewall to expose devices. Consider the devices 100% insecure, configure your network in a sane way and setup a VPN or use an SSH tunnel.

    9. Re:IoT is an unnecessary security risk. by Sique · · Score: 1

      But most of those devices have some "check for updates" functionality built in, and if you can intercept that and feed false data back to the device, it will gladly download bogus firmwares or execute commands injected in the data stream. And now the attack starts behind the NAT/firewall, and this direction is not in any way filtered at most sites, but set to In->Out Allow All.

      --
      .sig: Sique *sigh*
    10. Re:IoT is an unnecessary security risk. by Anonymous Coward · · Score: 0

      Fuck you, get off your fat, lazy ass and adjust the thermostat the old fashioned way, dipshit.

    11. Re:IoT is an unnecessary security risk. by BlueStrat · · Score: 1

      Everything connected to the net should be held accountable which starts with ISP's holding each other and their customers accountable.

      Which is exactly the logic governments will use to justify enforcing licensing and registration for every user and device.

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    12. Re:IoT is an unnecessary security risk. by Anonymous Coward · · Score: 2, Informative

      How... then would the vendors sell a phone app to naive users to change their thermostat settings when they're on vacation?

      Seriously. IOT doesn't have to be this -- but it's basically a phrase for 'net enabled device creates reverse tunnel over outbound TCP:443 (to vendor website) so vendor's iphone app can control it'.

      Ignoring that newer IP stacks would make some of this less backwards -- the fact that people don't want to remember to leave anything but their wifi/router plugged in (e.g. run a server and/or VPN) practically dictates this architecture.

      The devices won't function as designed without net access, and that's not a bug, programming error, or design flaw -- and firewalling them off will probably only create a maintenance hassle unless you have a very intelligent application FW that knows things like when the vendor moves their website...

      I say expose the insecurity to the world -- and hold the vendor accountable at multiple levels...

      Make them pay your bandwidth if it's hacked. Make them pay fractions of the damages -- did 400 tbps of an attack have a user agent saying 'bob's smart fridge' ? Then go after them.

      Got vendors not including user agents? Go after them and treat it as an aggravating factor.

    13. Re:IoT is an unnecessary security risk. by slimjim8094 · · Score: 1

      The problem is the user doesn't care because it doesn't affect him, right? The whole problem here is that other people are affected.

      --
      I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
    14. Re:IoT is an unnecessary security risk. by Anonymous Coward · · Score: 0

      And when do you deem it appropriate to lay blame on the actual motherfuckers launching these attacks? This entire thread complains about stupid users, bad security processes, and bad devices but totally ignores the people actually carrying out the attacks. Sort of like when some maniac straps a bomb on and wanders into a crowd killing people and the only one to ever get blamed is the government and its policies. The psychotic murderer gets mentioned in passing while some people go out of their way trying to "understand" the murdering fuck's angst and all but justifying his actions. Oh and before Apples and Oranges are mentioned there are quite a few ways of killing a large number of people breaching computer security measures.

      People are so passionate about their security and privacy but as usual the herd has ignored the real danger and placed the blame on the nation's covert intelligence agencies. Those agencies are a minor nuisance compared to the criminals actively searching and collecting personal data anywhere they can get it. The government may have a good cyber toolset but that is accompanied with a shit load of bureaucracy and limited resources. Resources that get targeted at threats to national security. Reading grandma's e-mails and all the other mundane electronic messaging is really not a top priority.

      And you know why the laws regarding security have become wide ranging and produce some draconian jail time upon conviction? Look no further than all the people, from script kiddie to software engineer, who break the laws involving computer hacking and fraud statutes. Whether the hacking is for fun or profit they are handing the politicians all the ammunition they need to create more laws. The ones who concentrate on gaining profit usually try to remain under the radar and don't advertise their achievements. The "fun and games jerk offs" like to be splashy and announce their perceived genius to the world and usually get thrown a pity party when they get caught and then try to make everyone understand he was just kidding and really didn't mean any harm. If that excuse worked for other non-computer related crimes it may be a valid defense. Until then a little exposure to the real world may be called for.

    15. Re:IoT is an unnecessary security risk. by LesFerg · · Score: 1

      I'm sure there must be a simple way to require an inexperienced new user to load up a phone app and initialize each new device before enabling its network connection. The app could even supply a GUID or something as the password, so said inexperienced new user doesn't even need to be bothered with thinking of one, and all of his IoT devices could share the same unique activation code.

      The mythological they should have set a standard and enforced this from the beginning.

      --
      If I had a DeLorean... I would probably only drive it from time to time.
    16. Re:IoT is an unnecessary security risk. by Anonymous Coward · · Score: 0

      Harsher sentencing is needed when they get caught. Don't bother 'banning' computer access; their hacking skills will be vastly reduced if they only have a nose to press the keys with.

    17. Re:IoT is an unnecessary security risk. by Anonymous Coward · · Score: 0

      Apple TV's I doubt since TvOS is tweaked iOS, which was built up from a stripped down version of OS X which is a symphony of a Mach Micro Kernel, FreeBSD and Aqua. I also doubt the xbox and playstation OS's are part of it, more the stuff with no security and likely default passwords set - IP cameras, DVRs, toasters, fridges, - the h4x0rz have probably haxked the slack at security companies that all these devices connect back to and pwnd the lot of them.

    18. Re:IoT is an unnecessary security risk. by Anonymous Coward · · Score: 0

      That's nice (BCP38 etc) but the now two largest DDoS in the history of the internet weren't done with spoofing. This is a botnet of owned devices sending traffic from their legitimately allocated IPs. Every ISP on earth could start dropping spoofed packets at the edge tomorrow morning, and the attacks on Krebs/OVH would still succeed.

    19. Re: IoT is an unnecessary security risk. by Anonymous Coward · · Score: 0

      That's right! God wouldn'ta put them dials on that there TV if you weren't meant to get up and change it at the set!

    20. Re: IoT is an unnecessary security risk. by Anonymous Coward · · Score: 0

      There we go with that mysterious "they" again. Who are you talking about?

      The Luddites!!!

    21. Re:IoT is an unnecessary security risk. by Xest · · Score: 1

      Yerrrr! fucking technology, taking our jobs. I remember when Jeeves would stand there and sing to me whilst holding a candle, I didn't need no speaker light bulb. Jeeves would never attack me as he knew his place unlike these internets, good old Jeeves, I miss him. Damn slavery laws, fucking god damn liberals and their "progress"!

    22. Re:IoT is an unnecessary security risk. by Bert64 · · Score: 1

      Yes this is how it should work, although because of NAT and the difficulties of setting up a VPN etc most of these products talk to an external server somewhere and then your mobile app communicates with that.
      What's worse is that these devices often communicate with random target addresses (eg the vendors host their stuff on amazon and just allocate more machines on new ips as load increases) so you can't set up sensible firewall rules.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    23. Re:IoT is an unnecessary security risk. by Anonymous Coward · · Score: 0

      "They" said that, did they?

      Care to cite your sources or are you just another lost redditor talking out of your ass?

    24. Re:IoT is an unnecessary security risk. by Anonymous Coward · · Score: 0

      They said the same thing about the internet.

      and they were right

    25. Re:IoT is an unnecessary security risk. by thegarbz · · Score: 1

      No one needs what you describe. But on the other hand that is only a small tiny part of what IoT is. Please stay away from consumer marketing material when discussing conceptual technologies with a wide breadth.

    26. Re:IoT is an unnecessary security risk. by somenickname · · Score: 1

      How... then would the vendors sell a phone app to naive users to change their thermostat settings when they're on vacation?

      They shouldn't. None of this should be happening. What should be happening is that vendors should be selling "IoT-enabled" routers that are highly secure and will generate a VPN connection package for a device type. I run an Untangle appliance and it will literally generate a unique Windows installer package for a VPN to your home network. And it's very easy to do. There is no reason why it couldn't generate a VPN package for any device you wanted to use outside your home. In fact, I would say that if you are connecting to random wifi networks without initiating a VPN to a more trusted network (like your home), you are doing it wrong.

  4. Who was the target this time? by Anonymous Coward · · Score: 0

    We know Krebs has a giant bulls-eye on his back that put Akamai at risk, but who does OVH host that some folks want to silence or embarrass?

    1. Re:Who was the target this time? by Cramer · · Score: 1

      It was in the summary... some idiot's minecraft server.

      Also, it's entirely possible some of the botnet was OVH hosts in the first place. OVH isn't known for having the smartest customers. (In fact, they'll host anything.)

    2. Re: Who was the target this time? by Anonymous Coward · · Score: 0

      Try to have a compromised OVH server to see how long it takes for OVH to stop it and reboot on the emergency image and gently asking you to clean up your mess. OVH is really making sure that this kind of shit is not coming out of their network. Have a look at their support forum, where people are crying because their unsecured server is now offline.

  5. that should slow down the amount of spam they send by Indy1 · · Score: 5, Insightful

    I always find it richly ironic when spam hosting isp's get cratered by a DDOS. Lie down with dogs, get up with fleas.

    https://www.spamhaus.org/sbl/l...

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  6. Obligatory meme by TheDarkener · · Score: 1
    --
    It is pitch black. You are likely to be eaten by a grue.
  7. Re:that should slow down the amount of spam they s by OverlordQ · · Score: 3, Informative

    To be fair, they're like the #3 hosting provider in the world behind Amazon and GoDaddy.

    --
    Your hair look like poop, Bob! - Wanker.
  8. Re:that should slow down the amount of spam they s by Anonymous Coward · · Score: 0

    To be fair, they're like the #3 hosting provider in the world behind Amazon and GoDaddy.

    I know they're a major player in domains but is GoDaddy that big in hosting? God, I hope not. One of the worst companies out there.

  9. Re:that should slow down the amount of spam they s by Anonymous Coward · · Score: 0

    Oh yeah. All the attacks you probably see from "secureserver.net" ... that's Godaddy.

  10. I'm shocked by Anonymous Coward · · Score: 0

    that there are 152,000 IoT devices in active use. People really will buy anything.

  11. OVH - the abuser gets abused by Anonymous Coward · · Score: 0

    On a related note: world-wide spam flows decreased.

    Seriously, OVH is a massive spammer harborer who ignores abuse complaints. The world is a better place with them DDOS'd offline.

    1. Re:OVH - the abuser gets abused by allquixotic · · Score: 1

      The complaints aren't being "ignored". You try to deal with as many customers as they have while still turning a profit and see how many complaints you get and what your response time is. Besides, if OVH disappeared today, all the spammers would flock to the next-cheapest hosts, and then Amazon or Microsoft or Hetzner or whoever would be the #1 spammer, and we'd all be complaining about them.

      Don't blame the landlord for a high crime rate in the city.

  12. Re:that should slow down the amount of spam they s by bengoerz · · Score: 1

    Also ironic because OVH has a poor record of responding to malicious activity abuse complaints.

    Example

  13. Re:that should slow down the amount of spam they s by batray · · Score: 1

    I agree. I block email from all OVH IP addresses because they are a major source of spam. DDOSs are wrong, but I have no sympathy for the spam supporters at OVH.

  14. IoT has been a /. concern for awhile by Trax3001BBS · · Score: 1

    Slashdot: News for nerds, stuff that matters
    https://slashdot.org/index2.pl...
    Slashdot
    Jul 3, 2000 - Re:How do you know? (5 points, Insightful) by Z00L00K on Monday September 26, 2016 @06:30AM attached to Ask Slashdot: Is My IoT Device Part of a Botnet?

    Google: IoT site:slashdot.org date:2000 - 2012

    1. Re:IoT has been a /. concern for awhile by Trax3001BBS · · Score: 1

      Slashdot: News for nerds, stuff that matters
      https://slashdot.org/index2.pl...
      Slashdot
      Jul 3, 2000 - Re:How do you know? (5 points, Insightful) by Z00L00K on Monday September 26, 2016 @06:30AM attached to Ask Slashdot: Is My IoT Device Part of a Botnet?

      Google: IoT site:slashdot.org date:2000 - 2012

      My bad, just noticed the 2016 reply by Z00L00K , just a bad link all around.

  15. The answer by Anonymous Coward · · Score: 0

    Keep a history of "good" IPs. You know the many millions that sent requests in the months prior to the "event". Let them through. Respond to all others with appropriate HTTP response code of "sorry overwhelmed at the moment".

    1. Re: The answer by Anonymous Coward · · Score: 0

      So basically, this would delay the exact same attack by one month.

    2. Re:The answer by ledow · · Score: 1

      Where's that "So you think you have a way to block spam?" fill-out-form joke?

      A website, or a game server, is EXACTLY the kind of machine that receives a significant portion of its requests from people it's never seen before.

      On top of that, a DDoS doesn't care if you "block" it. It's still consumed 1Tb of traffic. Even if every single packet never reaches the server, the DDoS will knock you offline by swamping your connection.

      You can "firewall" it right at the first point that your connection comes in. It still consumes your connection.

      You have to ask your upstream to block it - who have EXACTLY the same problem. They block it, but it still consumes Terabytes of otherwise-usable bandwidth to do so.

      I'm afraid your suggestion would tick almost every one of the "Will not work because" boxes.

  16. Ohh boy by Anonymous Coward · · Score: 0

    Minecraft servers went down. Let's all give a fuck

    1. Re:Ohh boy by ledow · · Score: 1

      Collateral Damage.

      Though the attack might be targeted at a games server, OVH and their datacentres almost certainly run a number of much more important services for much better paying customers.

      DDoS is indiscriminate and affects everybody, not just the target of it.

  17. Re:that should slow down the amount of spam they s by Anonymous Coward · · Score: 0

    I always find it richly ironic when spam hosting isp's get cratered by a DDOS.

    oddly enough, OVH was quick to take down a tabloid news site for reporting that Brianna Wu had never been forced to flee her house.

    http://theralphretort.com/anti...

    Priorities.

  18. Only when it costs them money. by Gravis+Zero · · Score: 2

    IoT vendors will only secure their devices after it starts costing them money or are legally required to do so. There are a few options but all of them require hijacking IoT devices.

    You could turn IoT devices on...

    • their makers by DDoSing their websites indefinitely. (Probably the best option.)
    • a larger more powerful corporation in hopes that they will sue the device vendors. (A serious gamble.)
    • against the servers of law-makers so that they do something. (Poking a rabid dog may not be a good idea.)

    Not great options but turning them on congress would make something happen which may or may not be a good thing.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Only when it costs them money. by GNious · · Score: 1

      Have ISPs take them offline.

      If your equipment is found to be part of a DDoS attack, taking you offline removes the DDoS, and you get the necessary incentive to fix your security. Once word gets around that having brand X VoIP/Camera/IPTV/Printer device causes you to lose internet access, people stop buying them, and at this point the manufacturer is incentivized to fix their shit.

    2. Re:Only when it costs them money. by bill_mcgonigle · · Score: 1

      There are a few options but all of them require hijacking IoT devices.

      If I were feeling more energetic I'd pull out some comments from here I left a decade ago talking about a guild of Internet engineers and a trust system where certified operators could send cryptographically-signed messages upstream to shut off attacking ports (or requests to do so - that's a local detail).

      Yes, we're decentralized, and that's good, but we also need to cooperate.

      When homeowners get their Internet shut off because their IoT is attacking and they have to call a local tech to diagnose the problem and pull out the offending light bulb before it's turned back on, suddenly everybody will demand secure light bulbs (except us 'luddites' who are still using dumb dishwashers because we know that complexity breaks).

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Only when it costs them money. by somenickname · · Score: 1

      There is actually a fourth option: Turn the IoT devices against their local LAN. Pretty innocuous in the grand scheme of things but, if you discover that you can't watch Netflix when you have your IoT lightbulb plugged in, it might make you wonder about the value of IoT devices.

      (Also, your 3 options made me literally laugh out loud).

  19. Internet of Tyrants by cfalcon · · Score: 1

    You know, the third amendment prevents you from having to quarter troops in your house. Why buy all these "Internet of Things" devices, and quarter the troops of a cyber war? DDoS provides the censorship dreamed of by the worst governments and the casual keyboard tyrant alike. These "things" are just malicious tools.

  20. Minecraft servers?! by Anonymous Coward · · Score: 0

    They missed Minecon by about a week.
    Surely they would have waited to unleash ultimate butthurt at children and autists by waiting just that little bit more?

    Must have been some skid that got banned from servers for using Impact.

  21. Julius Kivimaki by Anonymous Coward · · Score: 0

    Rumor around the campfire is that it's everyone's Finnish friend, Julius Kivimaki, who's behind the "Krebs cannon". Apparently he's been bragging on IRC to just about anyone who will listen that this is his doing and that he's the one in control of the botnet.

    If the name sounds familiar, it should: This is the same Julius Kivimaki who was brought up on over 50,000 separate hacking charges just a short time ago, and managed to get little more than a two-year suspended sentence thanks to his rich dad bankrolling some epic lawyers who somehow successfully made the argument that "Awww, he's just a pwecious wittle chiwd, he had no idea what he was doing!"

    Well, it seems that he knew quite well what he was doing, and pretty much all of the blackhats that I've talked to tend to agree that he's an irredeemable sociopath. A shit human being who will forever be a shit human being. He gets off on breaking other peoples' shit with impunity. The fact that this particular shit hasn't been pinched off, so to speak, by the relevant authorities, leads me to believe that the Finnish authorities probably already know what he's doing and are just trying to wait until they have more people to charge in conjunction with The Finnish Fuckwit.

    Personally? I wouldn't be surprised - I'd be overjoyed, in fact - if I learned that precious little Julius wound up dead in a ditch with a bullet in his head. I would actually encourage anyone with the capability to go on the hunt - being a pure sociopath, no amount of punishment is ever going to stop him. He brings shame to the rest of us Finns, and quite honestly the already-burdened taxpayers of this country shouldn't have to pay to house him as he goes in and out of jail for the rest of his life.

    1. Re:Julius Kivimaki by Anonymous Coward · · Score: 0

      Was he the same asshole who is feuding with his American forum love-buddies by including their families in his target list and teasing them for years like a little narcissistic mob-bitch? There was a TV-document about it.

  22. Cueing the "just edit the hosts file" guy.. by bad-badtz-maru · · Score: 1

    I don't understand how this sort of thing happens anymore. In every one of these DDoS threads, a fellow slashdotter (anon, of course) is giving "expert" advice on how to easily manage such DDoS activities by configuring Windows NT.

  23. Amazon & MS do it fool... apk by Anonymous Coward · · Score: 0

    See subject: You can't handle the fact I handed you YOUR ASS pointing out defenses galore vs. DoS/DDoS & you didn't (and that MS & Amazon have setups that detect + handle attacks of LARGE magnitude easily, among other preventative measures possible I pointed out vs. DDoS/DoS).

    * Grow up...

    APK

    P.S.=> You're worse than a bitch "gossiping" behind my back when you thought I wasn't around to see it, lol - WEAK! apk

    1. Re:Amazon & MS do it fool... apk by Anonymous Coward · · Score: 0

      weak troll, didn't even follow APK's actual punctuation habits.

  24. IoT EPIC FAIL by Anonymous Coward · · Score: 0

    This is the #1 reason I hate IoT.