Well, that didn’t last long – DDoS record broken again with 990Gbps flood

Snippet from IDS log showing DDoS attack against OVH

Just a week after Brian Krebs was hit with a 620Gbps attack from an IoT botnet, reports are hitting the wires that OVH has been hit with an even larger one: two simultaneous barrages of 799Gbps and 191Gbps, for a combined 990Gbps. And this may only be the beginning…

It is believed the attacks are similar to the one that hit Krebs: botnets of IoT devices (ISP gateway devices, routers, cameras, DVRs, etc.) infected with Kaiten (aka KTN-Remastered, KTN-RM, or Tsunami) malware and blasting a steady stream of packets at the target. OVH itself believes we’ve only seen the tip of the iceberg. According to Octave Klaba, founder of OVH,

“This botnet with 145,607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS.”

Klaba said the number of new devices participating in the attack is growing fast.

My guess is that the large number of compromised devices may mean a specific (and popular) brand and model of hardware is vulnerable – and, although connected to the Internet, is by design unpatchable.

There are two problems at play here. First, many IoT devices, as crazy as it sounds, cannot be patched by their owners, even though most of these system-on-chip devices run embedded Linux and attackers have no trouble dropping executable binaries onto them: the flash that readily accepts an attacker’s payload ships with no vendor-supported update path. That is a huge problem, and the industry recognizes it. The fix requires vendors to consider the full lifecycle of their devices, firmware updates included, and design them accordingly.

Second, ISPs must alert their customers when a suspected DDoS attack is originating from the customer’s connection. This would give the customer the opportunity to identify and, hopefully, replace the compromised device with one from a vendor smart enough to recognize that its device is not perfect and will need to be reflashed from time to time.
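An ISP can spot a participating device from the flow telemetry it already exports, without inspecting payloads. The sketch below is an added example, not code from the original post or from OVH or any ISP: it aggregates NetFlow-style records into per-source, per-window statistics and flags a source as a flood participant when it sustains at least 1Mbps (the low end of the 1-30Mbps per IP quoted above) of small packets aimed overwhelmingly at one destination across several consecutive export windows. The flow records, addresses, window length, thresholds and the `Flow` record type are all constructed for the example; a real deployment would read them from a collector and tune the thresholds to its own traffic.

```python
"""Flag customer IPs that look like DDoS sources from NetFlow-style records.

Added example (not from the original post). Every record below is constructed:
addresses come from the documentation ranges and the traffic numbers are made up
to illustrate the heuristic, not taken from any real capture.
"""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 60  # assumed flow-export interval


@dataclass(frozen=True)
class Flow:
    window: int   # start of the export window (epoch seconds)
    src: str      # customer-side source address
    dst: str      # destination (potential victim) address
    packets: int  # packets seen in this window
    octets: int   # bytes seen in this window


# Constructed sample, three customer IPs over three 60 s windows:
#   203.0.113.10 pushes ~20 Mbps of 60-byte packets at one host every window,
#   203.0.113.20 does so for a single window and then goes quiet,
#   203.0.113.30 is ordinary traffic (a few Mbps of large packets).
SAMPLE_FLOWS = [
    Flow(0,   "203.0.113.10", "198.51.100.5", 2_500_000, 150_000_000),
    Flow(60,  "203.0.113.10", "198.51.100.5", 2_600_000, 156_000_000),
    Flow(120, "203.0.113.10", "198.51.100.5", 2_550_000, 153_000_000),
    Flow(0,   "203.0.113.20", "198.51.100.5", 2_000_000, 120_000_000),
    Flow(60,  "203.0.113.20", "192.0.2.44",   1_200,     900_000),
    Flow(120, "203.0.113.20", "192.0.2.44",   800,       600_000),
    Flow(0,   "203.0.113.30", "192.0.2.44",   15_000,    18_000_000),
    Flow(60,  "203.0.113.30", "192.0.2.80",   12_000,    14_000_000),
    Flow(120, "203.0.113.30", "192.0.2.44",   14_000,    17_000_000),
]


def window_stats(flows):
    """Aggregate flows per (src, window): rate, packet size, destination focus."""
    totals = defaultdict(lambda: {"packets": 0, "octets": 0, "by_dst": defaultdict(int)})
    for f in flows:
        t = totals[(f.src, f.window)]
        t["packets"] += f.packets
        t["octets"] += f.octets
        t["by_dst"][f.dst] += f.packets
    stats = {}
    for key, t in totals.items():
        top_dst, top_pkts = max(t["by_dst"].items(), key=lambda kv: kv[1])
        stats[key] = {
            "mbps": t["octets"] * 8 / WINDOW_SECONDS / 1e6,
            "pps": t["packets"] / WINDOW_SECONDS,
            "mean_packet_bytes": t["octets"] / t["packets"],
            "top_dst": top_dst,
            "top_dst_share": top_pkts / t["packets"],  # fraction of packets to busiest dst
        }
    return stats


def is_flood_window(s, min_mbps=1.0, max_packet_bytes=128, min_dst_share=0.9):
    """A flood window: meaningful rate, small packets, nearly all to one target.

    Rate alone is not enough; a video stream at several Mbps of full-size
    packets must not trip this, which is why packet size is part of the test.
    """
    return (s["mbps"] >= min_mbps
            and s["mean_packet_bytes"] <= max_packet_bytes
            and s["top_dst_share"] >= min_dst_share)


def flood_windows(flows, **thresholds):
    """Return {src: [window, ...]} listing every window that looks like a flood."""
    out = defaultdict(list)
    for (src, window), s in window_stats(flows).items():
        if is_flood_window(s, **thresholds):
            out[src].append(window)
    return {src: sorted(ws) for src, ws in out.items()}


def suspected_sources(flows, min_windows=2, **thresholds):
    """Sources flooding in at least min_windows windows: the customers to notify."""
    return {src: ws for src, ws in flood_windows(flows, **thresholds).items()
            if len(ws) >= min_windows}


if __name__ == "__main__":
    for src, windows in suspected_sources(SAMPLE_FLOWS).items():
        print(f"notify customer for {src}: flood in windows {windows}")
```

Requiring the behaviour to persist across windows keeps a single burst (203.0.113.20 above) out of the notification queue while still recording it, and the destination-share test separates a device hammering one victim from a busy but benign host talking to many peers.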