OVH Hosting Suffers From Record 1Tbps DDoS Attack Driven By 150K Devices (hothardware.com)
MojoKid writes: If you thought that the massive DDoS attack earlier this month on Brian Krebs' security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried out via a network of over 152,000 IoT devices. According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. The IoT devices participating in the attack were primarily CCTV cameras and DVRs. Many of these devices have improperly configured network settings, which leaves them ripe for the picking for hackers who would love to use them to carry out destructive attacks. The DDoS peaked at 990 Gbps on September 20th thanks to two concurrent attacks, and according to Klaba, the original botnet was capable of a 1.5 Tbps DDoS attack if each IP topped out at 30 Mbps. This massive DDoS campaign was directed at Minecraft servers that OVH was hosting. Octave Klaba / Oles tweeted: "Last days, we got lot of huge DDoS. Here, the list of 'bigger that 100Gbps' only. You can the simultaneous DDoS are close to 1Tbps!"
The IoT is, by design, a security risk. Who the hell needs their oven, thermostat, refrigerator and each individual light-bulb connected to the Internet? I have no pity for anyone who gets their speaker-included light-bulb hacked, and I truly believe the companies whose products are involved in this DDoS should be held completely responsible. CEOs and CTOs should be fired and charged with computer crimes.
--- Keep the choice with the user..
I always find it richly ironic when spam-hosting ISPs get cratered by a DDoS. Lie down with dogs, get up with fleas.
https://www.spamhaus.org/sbl/l...
Lawyers, MBA's, RIAA? A jedi fears not these things!
...stem this madness?
The sad fact is that it's already too late. The problem is that there are loads of these insecure devices out there now, and they will likely be online for years to come.
Even if every new IoT device that was sold starting tomorrow was actually secure, we have a huge pool of susceptible devices that are already in place just waiting to be exploited.
Our best hope is that these craptastic devices fail quickly and are replaced, but I'm not going to hold my breath hoping that their replacements will be any more secure. Frankly, I have no reason to believe that IoT device makers will ever do anything to make their devices secure. We'll be seeing this shit 10 years from now, only worse.
Just cruising through this digital world at 33 1/3 rpm...
Obligatory meme
It is pitch black. You are likely to be eaten by a grue.
The sad part is that it was too late before the devices were even built. This is really no different than any other zombie botnet.
What is needed, IMO, is a standardized system for being able to report problems upstream: an ICMP response that says, in effect, "Suppress all traffic from x.x.x.x to y.y.y.y for five minutes" and that propagates upstream. Ideally, it should use a three-step handshake to prevent forged block requests from being viable, where the recipient of that message waits until it sees a packet directed to y.y.y.y (to avoid amplification attacks), then sends a packet that says "confirm block id xxxx", and it responds "yes xxxx", after which it drops the traffic. If it gets no response, it should try three pings (with exponential backoff), and if they fail, it should assume that the server is saturated and it should block the traffic as requested. If they succeed and a subsequent confirmation fails, it should assume that the server doesn't actually support blocking requests, and that the blocking request was spoofed. If the response is "no xxxx", then the blocking request was spoofed, and the packet passes through with only that small extra bit of latency, and the blocking request is discarded.
If such a scheme were in place, then each botnet member joining in a DDoS attack would get blocked by their closest router, or at a bare minimum, by the router at their ISP, and would basically be unable to do any real harm.
Check out my sci-fi/humor trilogy at PatriotsBooks.
It is time to blacklist these devices and prevent insecure devices that participate in DDoS permanently. This may mean things like MAC-based blocking on ISP-level. In order to make ISPs do this, we may have to drop a few ISPs from global routing first though.
Another option would be to make hacking them to take them down legal, but that is hugely problematic.
Anyways, with the damage these idiots allow the DDoSers to do, terrorism begins to seem kind of irrelevant.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
To be fair, they're like the #3 hosting provider in the world behind Amazon and GoDaddy.
Your hair look like poop, Bob! - Wanker.
It was in the summary... some idiot's minecraft server.
Also, it's entirely possible some of the botnet was OVH hosts in the first place. OVH isn't known for having the smartest customers. (In fact, they'll host anything.)
"This is really no different than any other zombie botnet."
Oh, no, this one is quite different.
Typical Windows PCs in botnets (a) are never updated & therefore decay until they implode and are reinstalled, wiping out the zombie and (b) at least at re-install time, they get updated so the old exploit doesn't work anymore.
The current SOP for IoT manufacturers, however, breaks BOTH of these things at once: These badly-designed devices nonetheless usually run a well-designed underlayer (*nix), which means they don't just intrinsically bitrot and collapse on their own. And the same manufacturers who made these inexcusably insecure devices in the first place can't be bothered to remedy the problem and update their devices either. So now you've got devices with utterly broken security, which can't be fixed, can't be patched, and (as embedded devices are wont to) will be hanging around for all of eternity and then some... sitting on 10, 30, or 1000 Mbps data lines.
The IoT (in)security catastrophe is going to make the 2000-era Windows security disaster look like pasta boiling over and making a minor mess on the stove while we watch out the windows as a school bus full of children and an oil tanker kamikaze each other at 100mph.
Frankly, I have no reason to believe that IoT device makers will ever do anything to make their devices secure. We'll be seeing this shit 10 years from now, only worse.
As someone who owns a company that makes IoT devices and properly secures them, I can say there are companies that do take security seriously. The problem is that security is all too often seen as just a cost, not a feature you can charge money for. You need dedicated security people, incorporate security from the start, etc., and lots of companies just don't want or have the money. It makes the cost of the device go up, you get longer time to market, etc., and that's a hard sell to investors.
We actively try to educate on security, but it is going to take several more of these and some big losses before the majority will take security seriously.
My blog, if you're interested: http://www.purp
A really dumb question: as all these devices can be configured to do DDoS attacks remotely, could they also be remotely reprogrammed to make them more secure?
It is time to blacklist these devices and prevent insecure devices that participate in DDoS permanently. This may mean things like MAC-based blocking on ISP-level.
But all your ISP sees is your router...so they'd have to start cutting people off from the internet left and right. And many, many people won't know what to do when that happens because all the ISP can tell them is that "some device" is sending traffic out.
Is it their thermostat? One or more light bulbs? The washer or refrigerator or the furnace? Maybe it's little Johnny's Speak-N-Spell or Sally's Barbie Dream Castle. Maybe it's the TV or the DVR or the remote-viewing doorbell.
They'll have to unplug their whole house, bit by bit, checking with the ISP each step of the way. How is Joe Sixpack or Grandpa going to know what to do? And what if two or more devices are the culprit?
Shit, the more I think about it, the more I realize that this shit is going to be way worse than I imagined, and I'm pretty pessimistic to start with.
Just cruising through this digital world at 33 1/3 rpm...
As someone who owns a company that makes IoT devices and properly secures them, I can say there are companies that do take security seriously.
I know, but for every one that does take security seriously there are a hundred that don't. I applaud you for thinking of security, but you're the one out of a hundred. It's the other 99 I'm worried about.
Just cruising through this digital world at 33 1/3 rpm...
A really dumb question: as all these devices can be configured to do DDoS attacks remotely, could they also be remotely reprogrammed to make them more secure?
I don't know. Can you retrofit a sieve to hold water?
Just cruising through this digital world at 33 1/3 rpm...
Yeah, easily, if you lay in some plastic wrap or something. Actually it's easier than most things as the sieve is the right shape to hold water, and the holes are pretty easy to cover - the water will even help you do it!
Sieves are fun! Wait, what were we talking about?
I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
1. He's French
2. Twitter character limit
3. Software translation
Also ironic because OVH has a poor record of responding to malicious activity abuse complaints.
Example
Well, it would be more like sending it back to the manufacturer for them to retrofit it, or maybe requesting they send you some plastic wrap to fix their defective water carrying device.
Just cruising through this digital world at 33 1/3 rpm...
I agree. I block email from all OVH IP addresses because they are a major source of spam. DDoSes are wrong, but I have no sympathy for the spam supporters at OVH.
Well in TV-land a hacker can just send a huge EMP to the device until smoke starts coming out of it and the screen melts.
Not sure what happens after that, it's usually where I choose a different show to watch.
Would be cool if the passwords on these devices could be reset to a random value from a remote hack, though.
If I had a DeLorean... I would probably only drive it from time to time.
Slashdot: News for nerds, stuff that matters
https://slashdot.org/index2.pl...
Slashdot
Jul 3, 2000 - Re:How do you know? (5 points, Insightful) by Z00L00K on Monday September 26, 2016 @06:30AM attached to Ask Slashdot: Is My IoT Device Part of a Botnet?
Google: IoT site:slashdot.org date:2000 - 2012
There are techniques using BGP and community strings to do this sort of thing, but not everyone has deployed it and it's difficult to set up properly.
some karma... and kinda lukewarm about it.
IoT vendors will only secure their devices after it starts costing them money or they are legally required to do so. There are a few options, but all of them require hijacking IoT devices.
You could turn IoT devices on...
Not great options, but turning them on Congress would make something happen, which may or may not be a good thing.
Anons need not reply. Questions end with a question mark.
Yes. That's EXACTLY what they need to do. They need to figure out WHICH part of their SHIT is breaking the world for everyone else.
This is the same stupid kind of shit that causes entire neighborhoods to burn down because some idiot is too stupid to know not to put a space heater under the curtains in their house, get their house blazing, then (by the sheer idiocy of the developers) set ablaze the other houses that are only six feet away.
Take some damn responsibility for the shit you buy. Don't go buy a gun if you're too stupid to know you can accidentally kill someone with it. Don't buy a stupid Internet connected piece of shit if you're too stupid to know you can bring down the Internet with it.
On the plus side it might finally lead to home routers getting some more interesting IP accounting features. That is one thing that has always annoyed me ever since I stopped having a Linux gateway - the home routers typically have no useful feedback as to what device is responsible for traffic.
Even a simple counter table would be incredibly useful, but I don't really see any reason why it would be hard to have good real-time graphs showing the current and total data usage from each IP on the network.
One interesting challenge though - what happens if you have an IoT device that is thoroughly pwned and keeps changing IP addresses (and/or MAC addresses!) specifically to make identifying it internally even more complicated?!
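The per-device accounting the post above asks for, as an added example that is not the poster's code nor any router vendor's firmware. It assumes the gateway can export flow records carrying the LAN-side source MAC alongside the source IP (the CSV layout and the sample records below are constructed for the example). Keying on MAC rather than IP is what keeps a device that hops addresses in one row, and the same table exposes the hopping itself; if the device also rewrites its MAC, the only stable key left is the physical switch port or the DHCP lease history, which this example does not model.

```python
"""Per-device outbound traffic accounting on a home gateway (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample flow export: timestamp, src_mac, src_ip, dst_ip, bytes_out.
# Device ...:03 is the pwned one: it pushes ~5 MB per flow and changes its IP twice.
SAMPLE_FLOWS = """\
1000,aa:bb:cc:00:00:01,192.168.1.20,203.0.113.9,1200
1001,aa:bb:cc:00:00:02,192.168.1.21,198.51.100.4,900
1002,aa:bb:cc:00:00:03,192.168.1.22,203.0.113.9,5200000
1003,aa:bb:cc:00:00:03,192.168.1.22,203.0.113.9,4800000
1010,aa:bb:cc:00:00:03,192.168.1.47,203.0.113.9,5100000
1011,aa:bb:cc:00:00:01,192.168.1.20,198.51.100.4,700
1012,aa:bb:cc:00:00:03,192.168.1.89,203.0.113.9,4900000
"""


@dataclass
class Flow:
    ts: int
    mac: str
    ip: str
    dst: str
    nbytes: int


def parse_flows(text):
    """Parse the constructed CSV export into Flow records (MACs normalised to lowercase)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, mac, ip, dst, nbytes = line.split(",")
        flows.append(Flow(int(ts), mac.lower(), ip, dst, int(nbytes)))
    return flows


def bytes_per_device(flows):
    """Total outbound bytes keyed by MAC, so a device that hops IPs is still one row."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.mac] += f.nbytes
    return dict(totals)


def ips_per_device(flows):
    """Every source IP each MAC was seen with; more than one is worth a look."""
    addrs = defaultdict(set)
    for f in flows:
        addrs[f.mac].add(f.ip)
    return {mac: sorted(ips) for mac, ips in addrs.items()}


def top_talkers(flows, share=0.5):
    """MACs responsible for at least `share` of all outbound bytes in the export."""
    totals = bytes_per_device(flows)
    grand = sum(totals.values())
    return sorted(mac for mac, b in totals.items() if grand and b / grand >= share)


def suspicious_devices(flows, share=0.5, max_ips=1):
    """Flag a device that dominates outbound traffic, or that keeps changing its IP
    (a tell for a compromised device trying to muddy per-IP accounting)."""
    reasons = {}
    for mac in top_talkers(flows, share):
        reasons.setdefault(mac, []).append("dominates outbound bytes")
    for mac, ips in ips_per_device(flows).items():
        if len(ips) > max_ips:
            reasons.setdefault(mac, []).append(f"used {len(ips)} IPs: {', '.join(ips)}")
    return reasons


if __name__ == "__main__":
    for mac, why in suspicious_devices(parse_flows(SAMPLE_FLOWS)).items():
        print(mac, "->", "; ".join(why))
```

On the sample export the only flagged device is `aa:bb:cc:00:00:03`, for both reasons. The `share` and `max_ips` thresholds are the knobs a real gateway UI would expose; a flat counter table per MAC (the "simple counter table" the post mentions) is just `bytes_per_device` rendered as a page.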
Collateral Damage.
Though the attack might be targeted at a games server, OVH and their datacentres almost certainly run a number of much more important services for much better paying customers.
DDoS is indiscriminate and affects everybody, not just the target of it.
Where's that "So you think you have a way to block spam?" fill-out-form joke?
A website, or a game server, is EXACTLY the kind of machine that receives a significant portion of its requests from people it's never seen before.
On top of that, a DDoS doesn't care if you "block" it. It's still consumed 1Tb of traffic. Even if every single packet never reaches the server, the DDoS will knock you offline by swamping your connection.
You can "firewall" it right at the first point that your connection comes in. It still consumes your connection.
You have to ask your upstream to block it - who have EXACTLY the same problem. They block it, but it still consumes Terabytes of otherwise-usable bandwidth to do so.
I'm afraid your suggestion would tick almost every one of the "Will not work because" boxes.
Now think about pump servers (areas that are below sea level!), air traffic control, etc.
More devices can be attacked than just web servers.
It would be very easy to factory-configure every IoT-thing with a unique and very strong password, print that on a label and stick that on the IoT-thing.
"Trump!!", the new Godwin.
If you have an automated way to block traffic, then someone will abuse that system for the same goals as the original attack...
The goal of a ddos is to take something offline, a system which is blocking traffic is offline.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
And how are consumers supposed to identify which devices are more secure at the pre-sale stage, and which vendors take security seriously?
Also in what way do you take security seriously? A lot of vendors go to great lengths to prevent anyone (including the legitimate owner of the device) from loading alternative firmware or gaining shell access to the underlying system etc. Vulnerabilities will still be found, but if you can't replace the firmware and the original vendor no longer produces an update or bundles the update with unwanted changes then your device remains vulnerable forever.
I've extended the useful life of various routers and access points by loading dd-wrt or openwrt on them, which will often continue to be updated long after the original vendor has given up on the device. The hardware is still fully functional, more than adequate and available very cheaply.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Many Chinese products are sold with no brand whatsoever, or completely arbitrary brands which are made up just for that one product... They couldn't care less about brand reputation.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
You know, the third amendment prevents you from having to quarter troops in your house. Why buy all these "Internet of Things" devices, and quarter the troops of a cyber war? DDoS provides the censorship dreamed of by the worst governments and the casual keyboard tyrant alike. These "things" are just malicious tools.
This would be an excellent way to block those companies that send out piracy warnings. I'm fed up with their spam.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I don't understand how this sort of thing happens anymore. In every one of these DDoS threads, a fellow slashdotter (anon, of course) is giving "expert" advice on how to easily manage such DDoS activities by configuring Windows NT.
First they have to use visual basic to build a gui, then they can track and EMP the hacker's screen.
I'm too lazy to compose a creative sig.
One interesting challenge though - what happens if you have an IoT device that is thoroughly pwned and keeps changing IP addresses (and/or MAC addresses!) specifically to make identifying it internally even more complicated?!
Or if you have multiple pwned devices working in concert to trade off the traffic so as to try and stay below the radar. What if there were 5 or 6 or 10 devices, all infected... they could each share the load in random rotation. Each would behave normally except for a few seconds or minutes a day when it would act maliciously. I would think that would be fairly tricky to nail down.
O Brave New World.
Just cruising through this digital world at 33 1/3 rpm...
What do people do now if their home gets infested with pests? I think that a new kind of professional bugbusters could arise as a result.
Sure, but how much would this kind of service cost? Maybe as much or more than just replacing the suspect gadgets (not a refrigerator or furnace, obviously, but still...). And who's to say they won't get reinfected the next day?
I can see it now: "Norton Anti-Virus For Home Appliances". "Mcafee HomeGuard Extreme DoubleSecure". Ugh.
Just cruising through this digital world at 33 1/3 rpm...
And how are consumers supposed to identify which devices are more secure at the pre-sale stage, and which vendors take security seriously?
They can't, and I never said they could. We try to educate them. One thing we do for example is analyze potential devices for customers and figure out if there are any security issues. For example, GPS trackers that you buy cheaply on eBay or Alibaba all have major security issues. We show this to customers and have independent parties verify this before they decide to buy them. Granted, we usually don't deal with individual end users, but with re-sellers or distributors and industry, but each one of them gets the security talk.
Also in what way do you take security seriously?
Take security in mind from the start of the project. Have dedicated security and cryptography people on board (I'm a cryptographer and security researcher myself), have third party code reviews, use formal verification methods, use industry standard cryptographic routines, use strict privilege separation with e.g. an L4 kernel like Fiasco.OC, have data encrypted at every stage (in motion, at rest, ...), unique cryptographic keys per device, signed binaries for remote updates, every remote command is encrypted, signed and verified on the device, every communication from the device is encrypted, signed and verified by the server, etc.
In the end, if people want to change the firmware and use their own server etc., they still can as well. It just won't talk to our servers anymore, but that is usually what the goal is and we support our customers with that. We can also support our clients to use their own servers and give best practices to secure it, and often we just develop a firmware specifically for them that adheres to the same security standards.
My blog, if you're interested: http://www.purp
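Two items from the list above, unique per-device keys and remote commands that are signed and verified on the device, together with the earlier suggestion of a unique factory-set password per unit, worked as an added example. This is not the commenter's company's code: it uses HMAC-SHA256 with a per-device symmetric key as a stand-in for the signature scheme (a deployment that ships firmware images would verify a public-key signature over the image instead), and the device IDs, key sizes, wire layout and counter-based replay check are assumptions made for the example.

```python
"""Per-device factory secrets and authenticated remote commands (added example)."""
import hashlib
import hmac
import secrets
import struct

KEY_BYTES = 32          # assumption: 256-bit root secret per unit
TAG_BYTES = 32          # HMAC-SHA256 output


def derive(root: bytes, purpose: bytes) -> bytes:
    """Single-block HMAC-based derivation so each purpose gets an independent key."""
    return hmac.new(root, purpose, hashlib.sha256).digest()


def provision_device(device_id: str) -> dict:
    """Factory step: mint a unique secret per unit. The admin password printed on the
    label and the key used for command authentication are derived separately, so
    reading one off the label does not yield the other."""
    root = secrets.token_bytes(KEY_BYTES)
    return {
        "device_id": device_id,
        "root_secret": root,                                   # stays in the factory HSM/DB
        "label_password": derive(root, b"label-password").hex()[:20],
        "cmd_key": derive(root, b"command-auth"),
    }


def build_command(cmd_key: bytes, device_id: str, counter: int, payload: bytes) -> bytes:
    """Server side. Wire format (assumed): len(id) | id | counter (8 bytes BE) | payload | tag."""
    did = device_id.encode()
    header = struct.pack(">B", len(did)) + did + struct.pack(">Q", counter)
    body = header + payload
    tag = hmac.new(cmd_key, body, hashlib.sha256).digest()
    return body + tag


class Device:
    """Device side: verifies the tag before parsing anything, then refuses counters
    that do not move forward, which is what stops a captured command being replayed."""

    def __init__(self, rec: dict):
        self.device_id = rec["device_id"]
        self.cmd_key = rec["cmd_key"]
        self.last_counter = 0          # persisted across reboots on a real device
        self.executed = []

    def handle(self, msg: bytes) -> str:
        if len(msg) < 1 + 8 + TAG_BYTES:
            return "reject: truncated"
        body, tag = msg[:-TAG_BYTES], msg[-TAG_BYTES:]
        expected = hmac.new(self.cmd_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):      # constant-time compare
            return "reject: bad tag"
        n = body[0]
        did = body[1:1 + n].decode(errors="replace")
        if did != self.device_id:
            return "reject: wrong device"
        (counter,) = struct.unpack(">Q", body[1 + n:1 + n + 8])
        if counter <= self.last_counter:
            return "reject: replay"
        self.last_counter = counter
        self.executed.append(body[1 + n + 8:])
        return "ok"


def demo() -> list:
    """Happy path, tampered payload, replay, misaddressed command, next valid command."""
    rec = provision_device("cam-0001")
    dev = Device(rec)
    good = build_command(rec["cmd_key"], "cam-0001", 1, b"reboot")
    tampered = bytearray(good)
    tampered[-TAG_BYTES - 1] ^= 0x01           # flip the last payload byte, keep the tag
    misaddressed = build_command(rec["cmd_key"], "cam-0002", 5, b"reboot")
    results = [
        dev.handle(good),
        dev.handle(bytes(tampered)),
        dev.handle(good),                      # same counter again
        dev.handle(misaddressed),              # valid tag, wrong unit
        dev.handle(build_command(rec["cmd_key"], "cam-0001", 2, b"set-tz UTC")),
    ]
    return results


if __name__ == "__main__":
    print(demo())
```

The counter must be stored in non-volatile memory; if it resets to zero on reboot, every previously captured command becomes replayable again. A vendor that later loses the per-device root secrets cannot issue commands to the fleet any more, which is the point of the post's remark that a re-flashed device "just won't talk to our servers anymore".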
Can you please elaborate and give me pointers to where I can read more about this?
Except that what I described is carefully designed to make abuse almost impossible. Any fake blocks are removed almost immediately, and unless the server is actively being DDoSed, assuming it supports the protocol, such removal causes at most one additional packet to get sent in each direction, which means there's no amplification if the server supports the protocol, ignoring situations where packet loss causes a retry.
If the server doesn't support the protocol, there's typically only a 2x amplification (one confirmation request + 1 ping packet). That's a slight amplification, but nothing to write home about.
And the only situation where the block actually stays put is if the server is under DDoS, which is exactly when you would want it to stay put. In that case, a request to block an IP results in getting up to five packets back, but then that IP's traffic never reaches your server for a period of at least an hour (or longer if your server sends out a new packet to extend the block), which should be a huge net win.
But if you see something that I'm missing, feel free to suggest a better design that protects against additional forms of abuse.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Actually, now that I think about it, I did forget to mention one small bit of the protocol. Each router that passes on the original request should immediately ACK the request to the previous router so that the previous router knows that it does not need to handle the blocking itself. It should then send it towards the attacker's IP, and if it does not get an ACK from any router that's closer to the attacker in a timely manner, it should handle the blocking request itself and send back a confirmation request to the original IP address. It should then presumably reject any blocking confirmation requests that come later from closer to the attacker's IP, because they are redundant at that point.
This ensures that only the last router that supports blocking sends a confirmation request to the original server. Otherwise, you could cause a huge amplification attack by causing every hop in the route to ask the original server for confirmation. :-)
There's still a risk of abuse if somebody is able to inject and sniff arbitrary packets between the user and the server by being able to receive the confirmation request and respond to it, but if they can do that, they can also inject RST packets, so I'm not convinced that's an interesting edge case to worry about.
Check out my sci-fi/humor trilogy at PatriotsBooks.
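The handshake from the original proposal further up the thread ("confirm block id xxxx" / "yes" / "no", three pings with backoff, block held for an hour) and the per-hop ACK refinement in the post above, run as a small simulation. This is an added example and not the poster's design document or code: message names, retry counts and the one-hour lifetime come from the posts, while the timing model (one synchronous exchange per message, no real timers) and the rule that the request chain stops at the first hop that does not speak the protocol are simplifications made here.

```python
"""Simulation of the upstream block-request handshake described in the thread (added example)."""
import enum
from dataclasses import dataclass, field

BLOCK_SECONDS = 3600          # "for a period of at least an hour" per the post


class Reply(enum.Enum):
    YES = "yes"
    NO = "no"
    TIMEOUT = "timeout"       # no answer at all


@dataclass
class Server:
    """The target y.y.y.y. `supports`: speaks the protocol; `saturated`: can answer nothing."""
    addr: str
    supports: bool = True
    saturated: bool = False
    requested: set = field(default_factory=set)    # block ids this server really issued

    def on_confirm(self, block_id: str) -> Reply:
        if self.saturated or not self.supports:
            return Reply.TIMEOUT
        return Reply.YES if block_id in self.requested else Reply.NO

    def on_ping(self) -> bool:
        return not self.saturated


@dataclass
class Router:
    name: str
    supports: bool = True
    blocks: dict = field(default_factory=dict)     # (src, dst) -> expiry time
    log: list = field(default_factory=list)

    def decide(self, server: Server, src: str, block_id: str, now: int) -> bool:
        """Confirmation state machine for a block request this router owns."""
        reply = server.on_confirm(block_id)
        if reply is Reply.YES:
            return self._install(src, server.addr, now, "confirmed by server")
        if reply is Reply.NO:
            self.log.append(f"{self.name}: {block_id} spoofed, discarded")
            return False
        delay = 1                                  # exponential backoff: 1, 2, 4 units
        for _ in range(3):
            if server.on_ping():
                self.log.append(f"{self.name}: {block_id} server pings but will not confirm; "
                                "assume protocol unsupported, request spoofed")
                return False
            delay *= 2                             # a real router would sleep `delay` here
        return self._install(src, server.addr, now, "server unresponsive, assumed saturated")

    def _install(self, src: str, dst: str, now: int, why: str) -> bool:
        self.blocks[(src, dst)] = now + BLOCK_SECONDS
        self.log.append(f"{self.name}: blocking {src}->{dst} ({why})")
        return True


def handle_request(path: list, server: Server, src: str, block_id: str, now: int = 0):
    """`path` lists routers from the server outward toward the attacker. Each supporting
    hop ACKs the previous one and forwards; the last supporting hop owns the block, so
    the server receives exactly one confirmation request (no per-hop amplification)."""
    owner = None
    for r in path:
        if not r.supports:
            break                                  # no ACK from here: previous hop keeps it
        owner = r
    if owner is None:
        return None, False
    return owner, owner.decide(server, src, block_id, now)


def passes(router: Router, src: str, dst: str, now: int) -> bool:
    """Does a packet src->dst get through this router at time `now`?"""
    expiry = router.blocks.get((src, dst))
    return expiry is None or now >= expiry


def scenarios() -> dict:
    """Outcomes for the cases the thread discusses; True means a block was installed."""
    def chain():
        return [Router("isp-edge"), Router("transit", supports=False), Router("attacker-cpe")]
    live = Server("y.y.y.y", requested={"b1"})
    saturated = Server("y.y.y.y", saturated=True, requested={"b1"})
    return {
        "legit-live": handle_request(chain(), live, "x.x.x.x", "b1")[1],
        "spoofed-live": handle_request(chain(), live, "x.x.x.x", "b9")[1],
        "spoofed-unsupported": handle_request(chain(), Server("y.y.y.y", supports=False),
                                              "x.x.x.x", "b9")[1],
        "legit-saturated": handle_request(chain(), saturated, "x.x.x.x", "b1")[1],
        "spoofed-saturated": handle_request(chain(), saturated, "x.x.x.x", "b9")[1],
    }
```

The last scenario is the one the post itself points at: a forged request against a server that is already too saturated to answer does get installed, which the poster counts as acceptable because the server is under attack at that moment anyway. Whether an attacker could use that to cut a saturated server off from a specific legitimate peer for an hour is the question a reviewer would raise next.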
Only for an hour, though I guess you could send a new blocking request every 45 minutes.
It would also let me block those idiots who keep trying to sign in to my servers via SSH. You'd think that when they send the original request (for authentication-free login) and the server says that it only accepts private key authentication, they wouldn't send thousands of password-based login attempts, but apparently the people who write those bots don't understand the SSH protocol very well, or else they just like wasting my bandwidth.
And I do periodically block them with filtering rules manually when I notice them, but I don't have time to scan the logs constantly, and they shift IPs often enough to make that problematic. But if I could make it so that the first password-based auth from an IP caused their attacks to immediately get blocked at their own edge router for an hour, it would be worth writing a log scanner.
Even better, ISPs could monitor their networks for those packets, and if a customer keeps getting blocked, they could contact the customer.
Check out my sci-fi/humor trilogy at PatriotsBooks.
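The log scanner the post says would be worth writing, as an added example rather than the poster's tool: it reads sshd lines in the usual syslog shape, treats a password attempt from an IP as the offense, issues a one-hour block per IP, and lets the block lapse so a repeat offender an hour later is blocked afresh. The log lines are constructed; the threshold, the assumed year (syslog lines carry none) and the block hook are assumptions, and the hook only formats an nftables-style command string instead of sending anything upstream.

```python
"""sshd log scanner that turns password-auth attempts into timed blocks (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the common syslog/sshd shape; 203.0.113.5 comes back after an hour.
SAMPLE_LOG = """\
Sep 26 06:30:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Sep 26 06:30:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Sep 26 06:30:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 40130 ssh2
Sep 26 06:30:04 host sshd[1203]: Accepted publickey for alice from 198.51.100.7 port 50022 ssh2: ED25519 SHA256:abc
Sep 26 06:31:10 host sshd[1204]: Failed password for root from 192.0.2.77 port 3333 ssh2
Sep 26 07:45:00 host sshd[1205]: Failed password for root from 203.0.113.5 port 40140 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
PASSWORD_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")

BLOCK_SECONDS = 3600     # the hour-long block from the post
YEAR = 2016              # assumption: syslog timestamps have no year


def parse(line: str):
    """Return (timestamp, ip, user) for a password attempt, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pm = PASSWORD_RE.match(m["msg"])
    if not pm:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, pm["ip"], pm["user"]


def block_command(ip: str, seconds: int) -> str:
    """Stand-in for the upstream block request: a local nftables set element with a timeout."""
    return f"nft add element inet filter blocked_v4 {{ {ip} timeout {seconds}s }}"


def scan(log_text: str, threshold: int = 1):
    """Walk the log in order. Returns (decisions, active): decisions is the ordered list of
    (time, ip, command) blocks issued; active maps ip -> expiry of its current block."""
    attempts = defaultdict(int)
    active = {}
    decisions = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, ip, _user = rec
        if ip in active and ts < active[ip]:
            continue            # already blocked: anything still arriving is leakage, not a new offense
        attempts[ip] += 1
        if attempts[ip] >= threshold:
            active[ip] = ts + timedelta(seconds=BLOCK_SECONDS)
            attempts[ip] = 0
            decisions.append((ts, ip, block_command(ip, BLOCK_SECONDS)))
    return decisions, active


if __name__ == "__main__":
    for ts, ip, cmd in scan(SAMPLE_LOG)[0]:
        print(ts, ip, cmd)
```

With `threshold=1` (the post's "first password-based auth" rule) a single mistyped client of your own is cut off for an hour, which is why the threshold is a parameter; on a key-only server the usual choice is a small number of failures inside a short window, and the block expiry keeps a one-off mistake from becoming permanent.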
The complaints aren't being "ignored". You try to deal with as many customers as they have while still turning a profit and see how many complaints you get and what your response time is. Besides, if OVH disappeared today, all the spammers would flock to the next-cheapest hosts, and then Amazon or Microsoft or Hetzner or whoever would be the #1 spammer, and we'd all be complaining about them.
Don't blame the landlord for a high crime rate in the city.