Slashdot Mirror
OVH Hosting Suffers From Record 1Tbps DDoS Attack Driven By 150K Devices (hothardware.com)
MojoKid writes: If you thought that the massive DDoS attack earlier this month on Brian Krebs' security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried via a network of over 152,000 IoT devices. According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs. Many of these devices have improperly configured network settings, which leaves them ripe for the picking for hackers that would love to use them to carry out destructive attacks.The DDoS peaked at 990 Gbps on September 20th thanks to two concurrent attacks, and according to Klaba, the original botnet was capable of a 1.5 Tbps DDoS attack if each IP topped out at 30 Mbps. This massive DDoS campaign was directed at Minecraft servers that OHV was hosting. Octave Klaba / Oles tweeted: "Last days, we got lot of huge DDoS. Here, the list of 'bigger that 100Gbps' only. You can the simultaneous DDoS are close to 1Tbps!"
To be fair, they're like the #3 hosting provider in the world behind Amazon and GoDaddy.
Your hair look like poop, Bob! - Wanker.
Frankly, I have no reason to believe that IoT device makers will ever do anything to make their devices secure. We'll be seeing this shit 10 years from now, only worse.
As someone who owns a company that makes IoT devices and properly secures them, there are companies that do take security serious. The problem is that security is all too often seen as just a cost, not a feature you can charge money for. You need dedicated security people, incorporate security form the start, etc. and lots of companies just don't want or have the money. It makes the cost of the device go up, you get longer time to market, etc. and that's a hard sell to investors.
We actively try to educate on security, but it is going to take several more of these and some big losses before the majority will take security serious.
My blog, if you're interested: http://www.purp
How... then would the vendors sell a phone app to naive users to change their thermostat settings when they're on vacation?
Seriously. IOT doesn't have to be this -- but it's basically a phrase for 'net enabled device creates reverse tunnel over outbound TCP:443 (to vendor website) so vendor's iphone app can control it'.
Ignoring that newer IP stacks would make some of this less backwards -- the fact that people don't want to remember to leave anything but their wifi/router plugged in (e.g. run a server and/or VPN) practically dictates this architecture.
The devices won't function as designed without net access, and that's not a bug, programming error, or design flaw -- and firewalling them off will probably only create a maintenance hastle unless you have a very intelligent application FW that knows things like when the vendor moves their website...
I say expose the insecurity to the world -- and hold the vendor accountable at multiple levels...
Make them pay your bandwidth if it's hacked. Make them pay fractions of the damages -- did 400 tbps of an attack have a user agent saying 'bob's smart fridge' ? Then go after them.
Got vendors not including user agents? Go after them and treat it as an aggravating factor.