Slashdot Mirror
OVH Hosting Suffers From Record 1Tbps DDoS Attack Driven By 150K Devices (hothardware.com)
MojoKid writes: If you thought that the massive DDoS attack earlier this month on Brian Krebs' security blog was record-breaking, take a look at what just happened to France-based hosting provider OVH. OVH was the victim of a wide-scale DDoS attack that was carried via a network of over 152,000 IoT devices. According to OVH founder and CTO Octave Klaba, the DDoS attack reached nearly 1 Tbps at its peak. Of those IoT devices participating in the DDoS attack, they were primarily comprised of CCTV cameras and DVRs. Many of these devices have improperly configured network settings, which leaves them ripe for the picking for hackers that would love to use them to carry out destructive attacks.The DDoS peaked at 990 Gbps on September 20th thanks to two concurrent attacks, and according to Klaba, the original botnet was capable of a 1.5 Tbps DDoS attack if each IP topped out at 30 Mbps. This massive DDoS campaign was directed at Minecraft servers that OHV was hosting. Octave Klaba / Oles tweeted: "Last days, we got lot of huge DDoS. Here, the list of 'bigger that 100Gbps' only. You can the simultaneous DDoS are close to 1Tbps!"
I always find it richly ironic when spam hosting isp's get cratered by a DDOS. Lie down with dogs, get up with fleas.
https://www.spamhaus.org/sbl/l...
Lawyers, MBA's, RIAA? A jedi fears not these things!
...stem this madness?
The sad fact is that it's already too late. The problem is that there are loads of these insecure devices out there now, and they will likely be online for years to come.
Even if every new IoT device that was sold starting tomorrow was actually secure, we have a huge pool of susceptible devices that are already in place just waiting to be exploited.
Our best hope is that these craptastic devices fail quickly and are replaced, but I'm not going to hold my breath hoping that their replacements will be any more secure. Frankly, I have no reason to believe that IoT device makers will ever do anything to make their devices secure. We'll be seeing this shit 10 years from now, only worse.
Just cruising through this digital world at 33 1/3 rpm...
By that logic why limit it to only IoT. Everything connected to the net should be held accountable which starts with ISP's holding each other and their customers accountable. ISP's need automated ways of telling each other about unwanted DDoS traffic in real time, or even just identifying members of botnets after an attack, and then demanding that those customers be warned/taken offline until they secure their local networks. If an ISP fails to act then their peering links would start getting throttled progressively more until either they fix the problem or they get cut off entirely.
If you can't see advantages and demand for controlling your house from your phone, regardless of if you're home, then you're very short sighted and not a good futurist.
Bullshit. There is a safe way to do this: Don't let any of the devices have direct access to the internet. None. Put them on their own dedicated wireless router, connect that wireless router to your real router and then set a firewall rule that doesn't allow anything from the IoT router to route outside your LAN. If you want to check the status of the devices when you aren't on your local LAN, VPN into your house and check them.
You don't need to trust shady vendors that don't give a shit. You don't need to open a billion insecure ports in your firewall to expose devices. Consider the devices 100% insecure, configure your network in a sane way and setup a VPN or use an SSH tunnel.
The sad part is that it was too late before the devices were even built. This is really no different than any other zombie botnet.
What is needed, IMO, is a standardized system for being able to report problems upstream—an ICMP response that says, in effect, "Suppress all traffic from x.x.x.x to y.y.y.y for five minutes" that propagates upstream. Ideally, it should use a three-step handshake to prevent forged block requests from being viable, where the recipient of that message waits until it sees a packet directed to y.y.y.y, (to avoid amplification attacks), then sends a packet that says, "confirm block id xxxx" and it responds "yes xxxx" after which it drops the traffic. If it gets no response, it should try three pings (with exponential backoff), and if they fail, it should assume that the server is saturated and it should block the traffic as requested. If they succeed and a subsequent confirmation fails, it should assume that the server doesn't actually support blocking requests, and that the blocking request was spoofed. If the response is "no xxxx", then the blocking request was spoofed, and the packet passes through with only that small extra bit of latency, and the blocking request is discarded.
If such a scheme were in place, then each botnet member joining in a DDoS attack would get blocked by their closest router, or at a bare minimum, by the router at their ISP, and would basically be unable to do any real harm.
Check out my sci-fi/humor trilogy at PatriotsBooks.
To be fair, they're like the #3 hosting provider in the world behind Amazon and GoDaddy.
Your hair look like poop, Bob! - Wanker.
Frankly, I have no reason to believe that IoT device makers will ever do anything to make their devices secure. We'll be seeing this shit 10 years from now, only worse.
As someone who owns a company that makes IoT devices and properly secures them, there are companies that do take security serious. The problem is that security is all too often seen as just a cost, not a feature you can charge money for. You need dedicated security people, incorporate security form the start, etc. and lots of companies just don't want or have the money. It makes the cost of the device go up, you get longer time to market, etc. and that's a hard sell to investors.
We actively try to educate on security, but it is going to take several more of these and some big losses before the majority will take security serious.
My blog, if you're interested: http://www.purp
It is time to blacklist these devices and prevent insecure devices that participate in DDoS permanently. This may mean things like MAC-based blocking on ISP-level.
But all your ISP sees is your router...so they'd have to start cutting people off from the internet left and right. And many, many people won't know what to do when that happens because all the ISP can tell them is that "some device" is sending traffic out.
Is it their thermostat? One or more light bulbs? The washer or refrigerator or the furnace? Maybe it's little Johnny's Speak-N-Spell or Sally's Barbie Dream Castle. Maybe it's the TV or the DVR or the the remote-viewing doorbell.
They'll have to unplug their whole house, bit by bit, checking with the ISP each step of the way. How is Joe Sixpack or Grandpa going to know what to do? And what if two or more devices are the culprit?
Shit, the more I think about it, the more I realize that this shit is going to be way worse than I imagined, and I'm pretty pessimistic to start with.
Just cruising through this digital world at 33 1/3 rpm...
Yes. That's EXACTLY what they need to do. They need to figure out WHICH part of their SHIT is breaking the world for everyone else.
This is the same stupid kind of shit that causes entire neighborhoods to burn down because some idiot is too stupid to know not to put a space heater under the curtains in their house, get their house blazing, then (by the sheer idiocy of the developers) set ablaze the other houses that are only six feet away.
Take some damn responsibility for the shit you buy. Don't go buy a gun if you're too stupid to know you can accidentally kill someone with it. Don't buy a stupid Internet connected piece of shit if you're too stupid to know you can bring down the Internet with it.
On the plus side it might finally lead to home routers getting some more interesting IP accounting features. That is one thing that has always annoyed me ever since I stopped having a Linux gateway - the home routers typically have no useful feedback as to what device is responsible for traffic.
Even a simple counter table would be incredibly useful, but I don't really see any reason why it would be hard to have good real-time graphs showing the current and total data usage from each IP on the network.
One interesting challenge though - what happens if you have an IoT device that is thoroughly pwned and keeps changing IP addresses (and/or MAC addresses!) specifically to make identifying it internally even more complicated?!