Mega IoT cyberattack: OVH suffers 1.5Tbps DDoS attack via 145,000 webcams

30 Sep 2016

War of the machines: massive 1.5Tbps attack on OVH raises questions about how secure IoT devices really are. Image: Graeme Dawes/Shutterstock

The machines are marching: in what is the world’s largest DDoS attack so far, hackers have enlisted a network of over 145,000 internet of things (IoT) devices, and hacked CCTV cameras to mount an attack on data hosting company OVH.

It doesn’t bode well for the future of IoT if hackers can disable an entire network of connected devices and turn them into a massive DDoS attack.

Just days after esteemed US infosec journalist Brian Krebs, of Krebs on Security, was taken offline in a 620Gbps DDOS attack, French hosting provider OVH was hit.

‘The internet of things, that marvellous evolution of network-enabled household items that promise[s] oodles of goodness to homeowners while, years on from its inception, still concerns those of us in the security industry who have long warned of manufacturers who consider the risks too late in the development cycle, or not at all’
– LEE MUNSON

This time, a fleet of cameras and digital video recorders were taken over by a multivector 1.5Tbps DDoS attack and then turned on OVH.

A DDoS attack is an attempt to make a network resource unavailable to the internet by flooding it with traffic. A number (often thousands) of unique IP addresses effectively crowd the entrance to an online store or business.

OVH chief technology officer Octave Klaba said that 145,607 hosted cameras were being used to hit the company with the equivalent of 30Mbps per IP, amounting to an overall 1.5Tbps.

Klaba confirmed that the attack used IoT devices, including hacked CCTV cameras.

The attack is understood to come from the same sources who spearheaded the attack on Krebs. Interestingly, after Akamai pulled Krebs’ pages, Google is now bearing the brunt of attacks for providing free mitigation services to Krebs.

Should IoT devices be regulated?

While OVH has been ultimately able to prevail against the attack, the real concern is what happens if the hackers decide to mount an attack against a smaller, less technically prepared target?

“The recent OVH DDoS attack has highlighted two key security issues, neither of which looks like being addressed any time soon,” Lee Munson, security researcher for Comparitech.com explained.

“The first is the number and scale of DDoS attacks that have been taking place recently.

“Gone are the days when a few script kiddies would shackle a few computers together to flood an individual’s blog into an overloaded pocketful of submission – nowadays it’s all about huge botnets and corresponding services that can be hired by the hour, by bandwidth or based on results.

“Secondly, it is all about the internet of things, that marvellous evolution of network-enabled household items that promise[s] oodles of goodness to homeowners while, years on from its inception, still concerns those of us in the security industry who have long warned of manufacturers who consider the risks too late in the development cycle, or not at all.

“Until governments regulate IoT devices, or manufacturers at least consider more than the bottom line, cameras, fridges and toasters around the world will continue to offer themselves up as willing slaves to botnet command and control centres, waiting to be unleashed on Krebs on Security or any other website that a bad actor wants to take down,” Munson warned.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com