
New DDoS Attack record 1.5+ Tbps - Sami_Lehtinen
http://www.bbc.com/news/technology-37504719
======
smaili
_Web hosting company OVH said it had been attacked by a botnet (zombie army)
of hacked devices such as webcams._

It's scary to think about the potential for leveraging IoT devices for DDoS
attacks. Your dishwasher, fridge, thermostat, mattress, chairs could all be
participants without you even knowing.

~~~
zitterbewegung
It's even scarier when someone takes one of your IoT devices and intends to
harm you. Like making your fridge's ice maker flood your house. They talked
about this at Defcon 24.

~~~
dqv
Whatever. What's the worst that could happen? My dishwasher opening and
spraying pressurized water at me?

In all seriousness, it could be a good niche market "not internet capable".

~~~
jhgkug
I think that there has been a report of an IOT running machine being hacked
and the settings suddenly being changed to max speed - causing the user to be
thrown off the back of it.

~~~
dqv
And because these devices are proprietary, there is no way to know. None of
this stuff is going to be in my house any time soon.

------
dx034
What I find most astonishing is that OVH can handle the attack. The one on
Krebs was a success for the attackers, this one apparently not.

Botnets are run for business and will attract well-paying customers if they
can demonstrate that they can disable (nearly) any target. The fact that any
client of a hosting company such as OVH is very bad news for the attackers and
excellent advertisement for OVH.

~~~
Shank
It's an astonishing ad for OVH if they can handle that with no problems. If
they were able to measure the size, they didn't nullroute the target, which is
something to be proud of.

------
cek
Seems like it would be easy to use these tools to brick all these
cameras/dvrs, saving everyone (but their owners) a lot of headache.

~~~
Analemma_
This is obviously horribly illegal and unethical, but it does sort of appeal
to that same small part of my brain that longs for things like violent
proletariat revolution. Imagine if some greyhat security outfit intentionally
bricked tens of thousands of these devices. Buyers would be pissed, go to the
manufacturer for recompense, possibly to the level of bankruptcy, and there
would finally be some incentive for taking IoT security seriously.

I'm not saying someone should do it... but I'm not saying someone _shouldn't_
do it.

~~~
user5994461
Which brings the question:

Are the manufacturers stupid enough to put the items on the internet AND embed
a self-destruct command...

~~~
i_are_smart
These attacks are showing that it's trivial to achieve remote-code-execution
on many of these devices. So in a way, yes, they do have self-destruct built
in.

Simply connect to one, and then overwrite the boot partition. Or rm -rf /. Or
even just use the firewall to block all inbound and outbound connections (an
IP camera isn't very useful if you can't view the feed).

~~~
Shank
The scarier thought to me is that this many _cameras_ installed in houses,
businesses, bedrooms, etc. are being commandeered. That's a huge problem for
privacy, let alone being used as botnets on the side.

~~~
i_are_smart
You are correct. I know there are sites out there that even aggregate camera
feeds, although the more ethical ones remove any feeds where there may be
privacy concerns.

Frankly, I would NEVER install such a device in my house. The engineering on
many is (almost?) criminally flawed.

------
valarauca1
The BBC article, as far as I can tell, doesn't actively talk about the OVH
attack. Possible source change suggested:
[https://www.hackread.com/ovh-hosting-suffers-1tbps-ddos-atta...](https://www.hackread.com/ovh-hosting-suffers-1tbps-ddos-attack/)

~~~
lsh123
Thanks for the link, it makes more sense than the BBC article. This is NOT a
single DDOS attack but a series of large (independent? time-separated?)
attacks.

------
FilterSweep
Please excuse my potential _naivete_ on the subject, as I don't work in the
hardware space, but I asked this in the dupe yesterday and didn't get a follow
up.

I don't understand why most IoT devices require an Internet connection to
work, for anything _other_ than phoning home (data collection by the device
provider). Of course, a Television is different than a Refrigerator here.

Unless you live in a mansion where the distance from devices becomes
significant, couldn't your "Home PC/Tablet/phone" connect to your IoT device
via bluetooth or on the subnet? Exploits are still possible, but the majority
of them would be localized. The cost of slightly lower ease-of-use (which can
be mitigated by good OS support) would appear to have numerous security
benefits.

~~~
matthewmacleod
One of the more obvious use cases is remote control of devices – say you want
to turn the heating on remotely, then at some point it's going to have to
communicate outside the network. Or if you have a remotely-accessible camera.
Or an alarm system that notifies you when it goes off. Or a locking system,
and so on.

I'm not arguing that this is a _good_ thing, but it does explain why the
devices want remote access. In an ideal world, this would function through
some kind of home hub device – a single point of communication between
"outside" and "inside", which has many clear benefits. In practice, it's going
to be difficult to do this; devices don't use any kind of shared protocol or
system that would enable this.

I am currently working on an 'IoT' project, and it also connects to a central
server, directly, over wifi, for exactly these reasons. It's hard to see what
other approaches are possible at this stage, until there is some kind of
industry-wide standard that's actually used by manufacturers.

~~~
FilterSweep
> In an ideal world, this would function through some kind of home hub device
> – a single point of communication between "outside" and "inside", which has
> many clear benefits

This is exactly what I was suggesting, and thanks for your input!

I believe this is a space where Raspberry Pi has some potential - as there are
some open sourced projects that handle some of these functions. Personal
anecdote: I recently bought a PiNoIR module and plan on building a (relatively
primitive) apartment security system in which the machine the camera-pi
"phones home" to can send my phone Twilio SMS if any motion is detected.

A problem I foresee is that if the home computer is pwned, both devices can be
exploited for the same nefarious task.

:EDIT: Granted, most consumers don't want to "DIY" as much as I do.

------
mtgx
Time to start calling IoT what it really is - the _Internet of Threats_. No, I
didn't come up with that myself:

[http://www.nbcnews.com/tech/security/kaspersky-smart-fridges...](http://www.nbcnews.com/tech/security/kaspersky-smart-fridges-internet-things-i-call-it-internet-threats-n380541)

In just a few years we may be dealing with tens of Tbps DDoS attacks thanks to
the "explosion of IoT", unless IoT manufacturers get their shit together
(perhaps also encouraged by aggressive government actions and fines against
those who don't follow some set best practices on security).

~~~
unclebucknasty
> _unless IoT manufacturers..._

> _encouraged by aggressive government actions and fines..._

Funny, I just replied to another comment that it seems near hopeless to expect
this of manufacturers.

Seems that ISPs, on the other hand, might be able to play a more pivotal role.

~~~
pyvpx
ISPs should implement BCP38 (prevention of spoofed traffic originating from
their networks, in short) but when a device is compromised, it doesn't
necessarily have to spoof traffic at all.

ISPs have thin margins, and get paid to push bits. DDoS mitigation services
are extremely expensive not because they are complex or novel but because they
require significant resources (both in hardware and in software expertise).

If manufacturers are going to sling "shit" and we can't hold them accountable;
consumers are going to buy the polished turds and we can't prevent them
plugging it into their networks; and ISPs have little to zero incentive or
ability to "filter out the bad traffic" then we're basically looking at a 5-10
year span of increasingly detrimental, expensive, and effective denial of
service attacks.
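
Added example, not part of the thread or of any commenter's post: a sketch of the BCP38 source-address check described above, run over constructed packets on one customer-facing port. The prefixes, packet list and function names are assumptions made for illustration; the point it shows is that traffic from a compromised device using its real address passes the filter.

```python
import ipaddress

# Constructed data: prefixes the ISP assigned to one customer-facing port.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:42::/48"),
]

# Constructed packets seen on that port: (label, source, destination).
SAMPLE_PACKETS = [
    ("normal web request", "203.0.113.10", "192.0.2.80"),
    ("spoofed IPv4 source", "198.51.100.7", "192.0.2.53"),
    ("flood from compromised camera, real source", "203.0.113.25", "192.0.2.80"),
    ("spoofed IPv6 source", "2001:db8:ffff::1", "2001:db8:1::80"),
    ("malformed source field", "not-an-address", "192.0.2.80"),
]


def bcp38_permits(src, prefixes=CUSTOMER_PREFIXES):
    """Return True only if the source address lies inside an assigned prefix."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: fail closed
    return any(addr.version == net.version and addr in net for net in prefixes)


def apply_ingress_filter(packets, prefixes=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped) labels, as an edge filter would."""
    forwarded, dropped = [], []
    for label, src, _dst in packets:
        (forwarded if bcp38_permits(src, prefixes) else dropped).append(label)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = apply_ingress_filter(SAMPLE_PACKETS)
    print("forwarded:", fwd)
    print("dropped:  ", drop)
```

The filter removes forged sources, so it limits reflection and amplification, but the camera's flood is forwarded because its source address is legitimate.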

~~~
bkmartin
Why aren't the major backhaul providers like L3 forcing this as part of their
pass through agreements? If the ISP cannot invest enough to follow the
simplest of best practices then why do they allow them to connect? Seems
dangerous for the backbone people.

~~~
pyvpx
Because none of them can and none of them have a financial interest to do so.

Default free providers such as NTT, GTT, Zayo/AboveNet, Level3/Global
Crossing, ATT, CenturyLink/Qwest, Deutsche Telekom, Vodafone/Cable & Wireless,
and others commonly (but incorrectly) known as Tier 1/"backbone" providers
peer with other networks in a settlement free (no money is exchanged, or, on
an accounting basis, everything zeros out) fashion because they are "peers" in
the strictest sense: same size, same reach, same markets (mostly...)

There is no danger for them in passing bits.

------
betaby
Internet of insecure IPv4 things.

~~~
kminehart
How are these devices being accessed despite most houses having a router with
a firewall? I thought IPv4, being so limited in possible IPs, pretty much
forced everyone to use a router for NAT? So that would mean unless these people who
have these devices did something really dumb, they should be behind a firewall,
no?

Why are these devices being exposed to the internet?

~~~
pyvpx
NAT is not a firewall. Full stop.

Many home routers are horrifically insecure with numerous remote
vulnerabilities. Many IoT devices have vulnerable and accessible interfaces
locally and externally.

~~~
grp
It reminds me of the times when I was on the phone with my ISP and he rebooted my
router remotely, live. In my head: what the * !?

Now, I'm paranoid each time they push an _upgrade_ without warning. Was it
them or an E.T.?

~~~
anarazel
I always use another router after the one by the ISP, for precisely that
reason.

------
wayneotau
IoT security is still so nascent that most vendors in it aren't really spending
much time architecting a secure layer. Frankly they don't really care if their
products get co-opted for a DDOS attack. There's no harm to their customer.
This will be a huge problem as time goes on.

------
gardano
Are any developers avoiding working on IoT devices/interfaces because of the
uncertainty regarding the security of these devices?

I have no idea of the liability of developers in this space, but the fact that
the question even comes up in my mind certainly gives me pause.

~~~
cordite
"Please don't roll your own security" isn't much of an option when many of
these things are running on custom stuff from the ground up. But, I doubt many
will pay for a secure foundation to run on... Makes me wonder if the windows
for IoT has any promise.

~~~
gardano
I guess my _uninformed_ concern is… if I write an app that has an interface
that manages a device that is suddenly embroiled in a class-action lawsuit,
what are the chances that I'd be sucked into that lawsuit?

------
doctorshady
It looks like the attack is still growing too.
[https://twitter.com/olesovhcom/status/781547479879802880](https://twitter.com/olesovhcom/status/781547479879802880)

I can't see this ending well.

------
ayyn0n0n0
I really wish they would name the make/model of the IoT devices...

------
kkirsche
Where's the data to back this up?

