152k cameras in 990Gbps record-breaking dual DDoS

The world's largest distributed denial of service (DDoS) attack has been clocked from the same network of 152,463 compromised low-powered cameras and internet-of-things devices which punted a media outlet off the internet. Last days, we got lot of huge DDoS. Here, the list of "bigger that 100Gbps" only. You can see the …

  1. Pascal Monett Silver badge

    Good news

    All this IoT malarkey is going to have to tighten up, and this kind of massive screwup is just the thing needed to bring big guns to make it happen.

    IoT makers do not care if a consumer gets his kit hacked, but if a Google or major ISP gets into the legal game with a valid claim that the IoT maker did not do its due diligence in preventing massive communication disruption, that might start turning a few heads.

    Likewise, it is impossible to use a lawsuit to prevent Joe User from getting his PC infected, but it is quite easy to demonstrate that equipment made by a specific company is the source of a problem.

    I'm hoping this will happen and shake things up in the dismal security landscape of IoT.

    1. Doctor Syntax Silver badge

      Re: Good news

      "All this IoT malarkey is going to have to tighten up, and this kind of massive screwup is just the thing needed to bring big guns to make it happen."

      Agreed, but the bad news is that there's more than enough kit out there to cause havoc and little if any means to get it cleaned up.

      1. Ole Juul

        Re: Good news

        "Agreed, but the bad news is that there's more than enough kit out there to cause havoc and little if any means to get it cleaned up."

        Cleaning up what's there may indeed take a long time. But surely there are a few key manufacturers of this kit who could be sued and prevented from continuing the situation. If not a class action suit, then public shaming of these charlatans is at least a possibility. Other consumer devices are required to meet certain basic safety standards. I see no reason why the same principles wouldn't apply here.

        1. Mark 65

          Re: Good news

          Cleaning it up is easy - you just pass the cost onto the dickhead that bought it by telling them as an ISP that they have malware on their network causing issues contrary to their contract and their connection will be blocked or throttled until it is fixed i.e. put pressure on the ISPs and shit gets fixed.

          1. Black Betty

            Re: The d*ckhead who bought it is your average punter.

            He simply bought a consumer product marketed as a way to make his life more convenient and plugged it in. Nowhere on the box does it tell him that actually using the product for the purpose for which it is sold is the online equivalent of hanging the door key on the gatepost.

            It's simple enough to identify what brands/models of devices. Hit the manufacturers for the cost of mitigating attacks. Let the worst idiots figure it's cheaper to pay up than fix the problem; third time it becomes habitual behaviour. Goodbye LLC status, ALL the assets of ALL the principals are up for grabs.

            IOT was a ludicrous concept from the very beginning. Billions of "smart" devices that can outperform the first true supercomputers by orders of magnitude ALL directly connected to the internet. What could possibly go wrong?

            How about one hardened smart controller and a host of utterly stupid devices that know their own function and no other. What additional utility is there in light bulbs that can be tracelessly hacked to become a wireless keyboard sniffer? Or security cameras that make you (or perhaps your children) internet famous, without bothering you with pesky little details like consent, or expectation of privacy?

            1. Charles 9

              Re: The d*ckhead who bought it is your average punter.

              "How about one hardened smart controller and a host of utterly stupid devices that know their own function and no other."

              Those are CUSTOM jobs. Custom jobs are EXPENSIVE...too expensive to make it worthwhile, so it MUST be generic or bust. And who cares about the law? They can just vanish in the night when the time comes...

    2. Anonymous Coward

      Re: Good news

      The sheer cost of such a lawsuit, discovery alone, is enough to frighten me!

      1. Mark 85

        Re: Good news

        It won't bother the lawyers though.

    3. AnoniMouse

      Re: Good news

      It's very unclear that any amount of legal action could prevent a deluge of unbranded "Things" from finding their way into every nook and cranny of personal, home and civic life. These Things will be imported in their millions and almost given away. The channels will be so broadly distributed that it will frequently be impossible to identify a supplier / manufacturer that is in our jurisdiction, just the local vendor / market stall / web seller / .

      1. Anonymous Coward

        Re: Good news

        And every one of those local suppliers is a fly-by-night, meaning the instant legal pressure appears, they'll vanish like a mirage leaving disconnected phones, missing websites, and no idea who the people really were (since everyone there used aliases). Meanwhile, the manufacturers are likely in China, a rival power, who could care less what happens in the West and can invoke sovereignty to protect the manufacturers.

  2. Steve Davies 3 Silver badge

    Hands up...

    all those who still think that in its current guise IoT is a good thing.

    Come on now don't be shy. Let's be having you.

    Yet all the kit makers will still be flogging this as hard as they can.

    1. Mark 85

      Re: Hands up...

      Well.. there's one person here who disagrees with you. I do believe we have another paid shill running amok.

  3. Your alien overlord - fear me

    Why the fuck do ISPs allow shit traffic out of their own network in the first place?

    1. Paul 25

      Because they are spread around across many, many ISPs. Seen from each individual ISP's view the traffic is a drop in the ocean, but for the receiving site it's a deluge.

      152k devices would be spread pretty thin across many, many ISPs.

      1. Mike Tree

        Yeah. Hence the word 'Distributed'.

    2. Warm Braw

      Well, the hijacking of IoT devices is likely to be a response to more effective ingress filtering by ISPs.

      Historically, DDoS attacks would typically use faked source addresses, partially to conceal the source and partially to ensure that traffic that would otherwise have returned from the target was dropped. ISPs have got better at detecting spoofed source addresses and dropping the data.

      However, if you hijack enough actual devices with legitimate source addresses you can achieve your desired goal without the traffic from any one of them appearing anomalous.
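As an added illustration of the point above (example code, not from the thread): a small Python model of BCP38-style ingress filtering. The customer prefixes, interface names and traffic are constructed; spoofed sources are dropped at the edge, while a hijacked device sending from its real, assigned address passes the same filter and, seen per source at one ISP, looks like a modest flow.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed sample (hypothetical values): the prefix an ISP has assigned to
# each customer-facing interface. BCP38/uRPF-style ingress filtering accepts a
# packet only if its source lies inside the prefix of the interface it came in on.
CUSTOMER_PREFIXES = {
    "cust-a": ipaddress.ip_network("198.51.100.0/24"),
    "cust-b": ipaddress.ip_network("203.0.113.0/26"),
}

VICTIM = "192.0.2.10"  # constructed target address


@dataclass(frozen=True)
class Packet:
    ingress_iface: str
    src: str
    dst: str


def ingress_filter(pkt: Packet) -> bool:
    """True if the packet's source address is valid for its ingress interface."""
    allowed = CUSTOMER_PREFIXES.get(pkt.ingress_iface)
    return allowed is not None and ipaddress.ip_address(pkt.src) in allowed


def filter_batch(packets):
    """Split packets into (accepted, dropped) under the ingress filter."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if ingress_filter(pkt) else dropped).append(pkt)
    return accepted, dropped


def per_source_volume(packets):
    """Packets per source address: the view a flow monitor has after filtering."""
    return Counter(pkt.src for pkt in packets)


# Constructed traffic: three spoofed floods plus one flood from a hijacked
# camera that uses its real, assigned address, and a little normal browsing.
SAMPLE = (
    [Packet("cust-a", "192.0.2.10", VICTIM)] * 50      # spoofed: victim's own address
    + [Packet("cust-a", "203.0.113.5", VICTIM)] * 50   # spoofed: another customer's range
    + [Packet("cust-b", "10.0.0.1", VICTIM)] * 50      # spoofed: private range
    + [Packet("cust-a", "198.51.100.7", VICTIM)] * 50  # hijacked device, real address
    + [Packet("cust-b", "203.0.113.9", VICTIM)] * 3    # ordinary user, real address
)


def summarize(packets=SAMPLE):
    """Return (spoofed packets dropped, packets still delivered, per-source view)."""
    accepted, dropped = filter_batch(packets)
    return len(dropped), len(accepted), per_source_volume(accepted)


if __name__ == "__main__":
    n_dropped, n_accepted, view = summarize()
    print(f"dropped {n_dropped} spoofed packets; {n_accepted} still delivered")
    for src, n in view.most_common():
        print(f"  {src}: {n} packets (source valid for its link; nothing to drop here)")
```

The hijacked camera's 50 packets survive because its address is genuinely its own; only the destination's aggregate across many ISPs reveals the flood, which is the "drop in the ocean" problem raised earlier in the thread.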

      1. Dan 55 Silver badge

        If there's an ongoing confirmed DDoS, ISPs should route the address into a black hole as a matter of course. It just needs a bit of coordination, similar to e-mail spam.

        1. Anonymous Coward

          "If there's an ongoing confirmed DDoS, ISPs should route the address into a black hole as a matter of course. "

          Doesn't that aid the DDoSers in that then they only need to sustain enough traffic to keep their target on the black list, and it disappears from the internet?

    3. Anonymous Coward

      more technical ineptitude

      Think about it carefully, then comment wisely.

      1. Charlie van Becelaere

        Re: more technical ineptitude

        "Think about it carefully, then comment wisely."

        I want that as an option in my Magic 8-ball.

    4. Crazy Operations Guy

      So, pray tell, how would an ISP be able to determine whether a packet belongs to "shit traffic" and not just legitimate traffic? Nearly all DDoS traffic nowadays looks exactly like legitimate traffic (in the Krebs case, it was a simple HTTP request for a large image), except it's performed over and over by many machines. Tracking who is requesting what to avoid them from grabbing the same thing over and over again would require a mythically large amount of RAM and CPU power to run at even a few 10's of Gbps. Of course, that wouldn't really work for long as DDoS would just start grabbing multiple objects to confuse tracking.

      The only solution to DDoS is to ensure that a website's capacity is greater than that of the capacity of the attackers. This is the model that Akamai, CloudFront, and the other DDoS-protection services do: they built tens of thousands of web servers that can serve up data from any of the tens of thousands of sites the company is hosting. With normal traffic patterns, a website would use <1/10,000 of each of 10,000 servers; during a DDoS, that traffic is distributed across 10,000 machines and may only end up using at most a few percent of the capacity on each machine. The servers stay up and normal users are able to continue to browse websites as normal without any indication something is going wrong.

      1. Charles 9

        "The only solution to DDoS is to ensure that a website's capacity is greater than that of the capacity of the attackers."

        But that sounds like a losing battle to me. Pretty sure at some point someone's going to cook up the mother of all DDoS attacks with a traffic magnification not in the thousands but in the millions, with traffic in the exabyte per second range: such that anyone that needed to defend against an attack that massive probably couldn't afford it in any event. THEN what?

        1. Crazy Operations Guy

          "But that sounds like a losing battle to me."

          It is. That is just the nature of the internet and why DDoS attacks are so effective and are here to stay. The only way to blunt DDoS attacks is to ensure that anything connected to the internet is properly secured and fully updated.

          If someone were to pull off a magnification attack of that magnitude, then the target's upstream connection will become swamped and someone is going to cut the connection to spare the intermediary ISPs/NSPs. Of course, an exabyte-level attack would be impossible at this point (there isn't nearly that much bandwidth in the entire world).

          A short-term solution would be to enable computationally expensive anti-reflection features on the various public services that are used in reflection attacks. But securing end devices is the only solution.

          What would help, but cause some serious outages, would be to disconnect any device that participated in the attack. Send a letter to the end-user informing them that their device is compromised. If they don't fix it, then send a letter to the ISP to cut off their network access. If the ISP refuses to do so, cut them from their backbone provider. If the backbone provider refuses, start cutting their connections. We might end up with only a few thousand nodes left on the internet, but the cut-off ones will learn the lesson quickly...

          1. Charles 9

            Re: "But that sounds like a losing battle to me."

            "A short-term solution would be to enable computationally expensive anti-reflection features on the various public services that are used in reflection attacks. But securing end devices is the only solution."

            Then there's no solution since "In this corner, we have Dave." So we need another plan.

  4. Anonymous Coward
    Facepalm

    So all it takes...

    Is for someone to figure out how to turn each PVR/Smart TV etc into a DDoS vector and it's game over? Considering most of these have very little security, and quite a few manufacturers "forget" to turn off development back doors/eavesdropping, it's not looking good.

    1. Doctor_Wibble
      Holmes

      Re: So all it takes...

      Or an ad script with an 'accidentally incorrect' URL and/or loop will do that without needing to hack anything other than a third party's sub-subcontracted agency-supplied unnamed generic temp script writer's computer. Or bypass all the technicality and offer said script writer a stack of cash for each 'typo'.

      How would anyone ever know the difference or even who to blame? See also the other article about XSS and trusting scripts etc...

  5. dcluley

    Smart meters

    I am waiting to hear about the first co-ordinated hacking of smart meters. Perhaps then the power companies will admit that it is maybe not such a good idea.

    1. Warm Braw

      Re: Smart meters

      It's a balance, isn't it? On the one hand there's the capability to DDoS both the Internet and the Power Grid at the same time, but on the other hand British Gas can offer its customers "free" electricity on a Saturday afternoon. If it comes to a choice between security and creative marketing I think we all agree we prefer to see a nice advert on the telly.

    2. Ellis Birt 1

      Re: Smart meters

      Smart meters are not internet connected.

      They have a private low power local network with a GSM modem in the leccy meter to connect back to the energy supplier's systems.

      Not sure how secure the local network is, but I doubt whether there is scope for a large-scale coordinated attack.

  6. TRT Silver badge

    I'm trying to think of that sci-fi story...

    where every phone in the world rang at the same time. I think it was made into a film as well... or was it an episode of The Twilight Zone?

    1. Proud Father

      Re: I'm trying to think of that sci-fi story...

      https://en.wikipedia.org/wiki/The_Lawnmower_Man_(film)

      1. TRT Silver badge

        Re: I'm trying to think of that sci-fi story...

        Ah yes. That'll be it.

    2. robpomeroy

      Re: I'm trying to think of that sci-fi story...

      Lawnmower Man

  7. Anonymous Coward

    the world's largest single DDoS attack

    and all this LONG before this IoT junk is off the rip-off / novelty shelf. Think of the future, think MAINSTREAM use. There's MONEY to be made of them iot-thingies! :(

  8. Anonymous Coward

    Apparent ease

    I got some Chinese IP cameras but soon spotted they were doing far more talking to the internet than was required, including streaming via plug and play immediately (enabled PnP for a test only). They now have their own subnet and access to local DNS and remote port 123 for the date. When purchased it looked like they would be more useful than the current firmware makes them; I seriously doubt I'll get more firmware or, if I did, that it would be any better.

  9. phuzz Silver badge
    Joke

    1) Develop hack for insecure devices

    2) DDoS manufacturer of said devices

    3) Revel in schadenfreude

    It's also interesting to see how 'IoT' is now synonymous with 'insecure, buggy, piece of rubbish', when manufacturers have been churning out internet connected devices both useful and not, and both secure and not for many years before IoT was a twinkle in some marketing arsehole's eye.

    1. Crazy Operations Guy

      The problem with IoT security is that while people had insecure devices, they would only have a few of them and they'd only be running for a few hours per day. With IoT, people now have a dozen devices that are running 24/7.

      There is also the problem that users might notice something happening on their devices, where there is no way to monitor an IoT device (unless you are doing a packet dump of the network and know what you are looking at...)


    2. PNGuinn

      "a twinkle in some marketing arsehole's eye"

      Ugh!

      Comment of the week

      +1

  10. Velv
    Boffin

    Name and Shame

    Is there any benefit to naming the major culprits?

    Would this focus the attention on getting fixes and security implemented, or would it just help the bad guys identify more targets?

    Is there already a list of bad devices or bad manufacturers, and presumably a lot of this kit is rebadged?

    1. Anonymous Coward

      Re: Name and Shame

      Is there any way to even know what these devices are? Most likely they are behind some sort of NAT (which allows any sort of outbound traffic)

      OTOH, they must have gotten infected somehow. So perhaps they use UPnP to open up inbound to port 80, say (so you can browse the pictures remotely). In which case, if you connect back to them you can probably find out what web server they are running. Methinks probably a hole in some PHP script.

      But allowing inbound access to port 80 *without* any authentication? So that the whole world can look through your camera? I guess this shows people *really* don't care.

  11. Anonymous Coward

    Consumers are the problem and the solution

    Consumers want "convenient" kit and manufacturers supply it.

  12. Anonymous Coward

    Arms race

    Like most things infosec it's an arms race, miscreants do something, enterprise and service providers get better, miscreants move on to new techniques. You see this with malware but DDoS over the past five+ years is the poster child for the infosec arms race: volumetric then state-exhausting then application level attacks, an incremental approach to the IANA list of UDP ports, improvements in reflection techniques, stepping away from TCP and UDP (into GRE), the use of general purpose computer botnets, the creation of IoT botnets.

    Frankly it's the last one that worries me the most - it buckled Akamai, it doesn't rely on spoofing or other behaviours ISPs can readily mitigate, owners of the bots won't ever notice because 'their computer isn't running slow' and they will be none the wiser that their correctly functioning IoT device is dishing it out to the world's inadequately protected enterprises.

    Oh, and it isn't even a metaphorical arms race when you see that an organisation can be taken down at the push of a button. I expect the anti-DDoS service providers will be getting nervous.

  13. cantankerous swineherd

    I can see some advantages to the death of the internet. decent local customer service from a human with agency, for instance.

    1. Charles 9

      On the other hand, they could just vanish and leave you in the lurch, if the Internet was the ONLY thing keeping the service alive. Since local service costs money that may not be there, which way do you think it'll go?

  14. ahowlett

    A simple fix?

    How about IP address owners be allowed to indicate they never want DNS servers to talk to them. Server owners would need to make alternative arrangements to look up addresses (eg a private DNS server that they used), but these DNS-server based attacks would get nowhere.

    1. Anonymous Coward

      Re: A simple fix?

      As I recall, this attack didn't really use DNS but was a sheer, raw HTTP flood, not to mention the flood was made of completely legitimate HTTP requests which was why it was extremely difficult to mitigate.

  15. Gigabob

    The Real Good News....

    Actors are showing their hands early on how easy it is to disrupt normal internet operations by hijacking very unsophisticated IoT devices. This makes the need for high-level secure control on these devices/systems obvious. We are just on the cusp of major proliferation in medical operations, traffic control on intelligent roads, pumps, valves and key controls at utilities, not to mention financial systems. As they become embedded in our daily lives we enable terrorists and state actors to engineer massive attacks with a mouse.
