Slashdot Mirror


OVH Hosting Suffers From Record 1Tbps DDoS Attack Driven By 150K Devices (hothardware.com)

MojoKid writes: If you thought that the massive DDoS attack earlier this month on Brian Krebs' security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried via a network of over 152,000 IoT devices. According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs. Many of these devices have improperly configured network settings, which leaves them ripe for the picking for hackers that would love to use them to carry out destructive attacks. The DDoS peaked at 990 Gbps on September 20th thanks to two concurrent attacks, and according to Klaba, the original botnet was capable of a 1.5 Tbps DDoS attack if each IP topped out at 30 Mbps. This massive DDoS campaign was directed at Minecraft servers that OVH was hosting. Octave Klaba / Oles tweeted: "Last days, we got lot of huge DDoS. Here, the list of 'bigger that 100Gbps' only. You can the simultaneous DDoS are close to 1Tbps!"

8 of 116 comments

  1. that should slow down the amount of spam they send by Indy1 · · Score: 5, Insightful

    I always find it richly ironic when spam hosting ISPs get cratered by a DDOS. Lie down with dogs, get up with fleas.

    https://www.spamhaus.org/sbl/l...

    --
    Lawyers, MBA's, RIAA? A jedi fears not these things!
  2. Re:How do IoT manufacturers... by JustAnotherOldGuy · · Score: 5, Insightful

    ...stem this madness?

    The sad fact is that it's already too late. The problem is that there are loads of these insecure devices out there now, and they will likely be online for years to come.

    Even if every new IoT device that was sold starting tomorrow was actually secure, we have a huge pool of susceptible devices that are already in place just waiting to be exploited.

    Our best hope is that these craptastic devices fail quickly and are replaced, but I'm not going to hold my breath hoping that their replacements will be any more secure. Frankly, I have no reason to believe that IoT device makers will ever do anything to make their devices secure. We'll be seeing this shit 10 years from now, only worse.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  3. Re:IoT is an unnecessary security risk. by phizi0n · · Score: 4, Insightful

    By that logic why limit it to only IoT. Everything connected to the net should be held accountable which starts with ISPs holding each other and their customers accountable. ISPs need automated ways of telling each other about unwanted DDoS traffic in real time, or even just identifying members of botnets after an attack, and then demanding that those customers be warned/taken offline until they secure their local networks. If an ISP fails to act then their peering links would start getting throttled progressively more until either they fix the problem or they get cut off entirely.

  4. Re:IoT is an unnecessary security risk. by somenickname · · Score: 5, Insightful

    If you can't see advantages and demand for controlling your house from your phone, regardless of if you're home, then you're very short sighted and not a good futurist.

    Bullshit. There is a safe way to do this: Don't let any of the devices have direct access to the internet. None. Put them on their own dedicated wireless router, connect that wireless router to your real router and then set a firewall rule that doesn't allow anything from the IoT router to route outside your LAN. If you want to check the status of the devices when you aren't on your local LAN, VPN into your house and check them.

    You don't need to trust shady vendors that don't give a shit. You don't need to open a billion insecure ports in your firewall to expose devices. Consider the devices 100% insecure, configure your network in a sane way and set up a VPN or use an SSH tunnel.
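
The segmentation described in the comment above, written out as an nftables ruleset. This is an added example, not part of the original comment. It assumes a single Linux router rather than the two-router setup, with constructed interface names `wan0` (uplink), `lan0` (trusted LAN), `iot0` (IoT segment) and `wg0` (a VPN terminating on the router).

```nftables
#!/usr/sbin/nft -f
# Added example: interface names below are assumptions, adjust to the host.
define WAN = "wan0"   # uplink to the ISP
define LAN = "lan0"   # trusted LAN
define IOT = "iot0"   # dedicated IoT segment (cameras, DVRs, ...)
define VPN = "wg0"    # VPN interface used for remote access

table inet iot_isolation {
    chain forward {
        # Default deny: only the flows listed below are routed.
        type filter hook forward priority 0; policy drop;

        # IoT may never route to the internet. Evaluated before the
        # established/related rule so flows that existed when the
        # ruleset was loaded are cut off as well.
        # Rate-limited log line: records the source address of the
        # device that attempted egress.
        iifname $IOT oifname $WAN limit rate 6/minute log prefix "iot-egress-blocked: "
        iifname $IOT oifname $WAN counter drop

        # Replies to connections that an allowed rule opened.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN and VPN clients may open connections to IoT devices.
        iifname { $LAN, $VPN } oifname $IOT accept

        # Normal internet access for the trusted LAN only.
        iifname $LAN oifname $WAN accept

        # Remote users reach the LAN through the VPN.
        iifname $VPN oifname $LAN accept

        # Anything else falls through to policy drop, including new
        # connections from the internet to IoT devices and from IoT
        # devices to the LAN (a stricter choice than the comment
        # states; IoT devices can still answer requests).
    }
}
```

The `counter` on the drop rule shows whether any device on the IoT segment is attempting egress, and the logged source address identifies which one.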

  5. Re:How do IoT manufacturers... by gweihir · · Score: 2, Insightful

    It is time to blacklist these devices and prevent insecure devices that participate in DDoS permanently. This may mean things like MAC-based blocking on ISP-level. In order to make ISPs do this, we may have to drop a few ISPs from global routing first though.

    Another option would be to make hacking them to take them down legal, but that is hugely problematic.

    Anyways, with the damage these idiots allow the DDoSers to do, terrorism begins to seem kind of irrelevant.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 2, Insightful

    "This is really no different than any other zombie botnet."

    Oh, no, this one is quite different.

    Typical Windows PCs in botnets (a) are never updated & therefore decay until they implode and are reinstalled, wiping out the zombie and (b) at least at re-install time, they get updated so the old exploit doesn't work anymore.

    The current SOP for IOT manufacturers, however, breaks BOTH of these things at once: These badly-designed devices nonetheless usually run a well-designed underlayer (*nix), which means they don't just intrinsically bitrot and collapse on their own. And the same manufacturers who made these inexcusably insecure devices in the first place can't be bothered to remedy the problem and update their devices either. So now you've got devices with utterly broken security, which can't be fixed, can't be patched, and (as embedded devices are wont to) will be hanging around for all of eternity and then some... sitting on 10, 30, or 1000Mbps data lines.

    The IoT (in)security catastrophe is going to make the 2000-era Windows security disaster look like pasta boiling over and making a minor mess on the stove while we watch out the windows as a school bus full of children and an oil tanker kamikaze each other at 100mph.

  7. Re:How do IoT manufacturers... by JustAnotherOldGuy · · Score: 4, Insightful

    It is time to blacklist these devices and prevent insecure devices that participate in DDoS permanently. This may mean things like MAC-based blocking on ISP-level.

    But all your ISP sees is your router...so they'd have to start cutting people off from the internet left and right. And many, many people won't know what to do when that happens because all the ISP can tell them is that "some device" is sending traffic out.

    Is it their thermostat? One or more light bulbs? The washer or refrigerator or the furnace? Maybe it's little Johnny's Speak-N-Spell or Sally's Barbie Dream Castle. Maybe it's the TV or the DVR or the remote-viewing doorbell.

    They'll have to unplug their whole house, bit by bit, checking with the ISP each step of the way. How is Joe Sixpack or Grandpa going to know what to do? And what if two or more devices are the culprit?

    Shit, the more I think about it, the more I realize that this shit is going to be way worse than I imagined, and I'm pretty pessimistic to start with.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  8. Re:How do IoT manufacturers... by Anonymous Coward · · Score: 4, Insightful

    Yes. That's EXACTLY what they need to do. They need to figure out WHICH part of their SHIT is breaking the world for everyone else.

    This is the same stupid kind of shit that causes entire neighborhoods to burn down because some idiot is too stupid to know not to put a space heater under the curtains in their house, get their house blazing, then (by the sheer idiocy of the developers) set ablaze the other houses that are only six feet away.

    Take some damn responsibility for the shit you buy. Don't go buy a gun if you're too stupid to know you can accidentally kill someone with it. Don't buy a stupid Internet connected piece of shit if you're too stupid to know you can bring down the Internet with it.