EDITOR'S NOTE: This story originally appeared on the A10 Networks blog.
A pair of distributed denial-of-service (DDoS) attacks against high-profile targets last week rank among the largest DDoS attacks on record. And a common thread has emerged: these attacks are leveraging botnets comprising hundreds of thousands of unsecured Internet of Things (IoT) devices.
OVH attack reaches 1 Tbps
European Web hosting company OVH confirmed last week that it suffered a string of DDoS attacks that neared the 1 Tbps mark. On Twitter, OVH CTO Octave Klaba said the attacks OVH suffered were “close to 1 Tbps” and noted that the flood of traffic was fueled by a botnet made up of nearly 150,000 digital video recorders and IP cameras capable of sending 1.5 Tbps in DDoS traffic. Klaba said OVH servers were hit by multiple simultaneous attacks exceeding 100 Gbps each, totaling more than 1 Tbps. The most severe single attacks that was documented by OVH reached 93 million packets-per-second (mpps) and 799 Gbps.
Last days, we got lot of huge DDoS. Here, the list of "bigger that 100Gbps" only. You can see the— Octave Klaba / Oles (@olesovhcom) September 22, 2016
simultaneous DDoS are close to 1Tbps ! pic.twitter.com/XmlwAU9JZ6
SC Magazine UK quoted security researcher Mustafa Al-Bassam as saying the DDoS attack against OVH is “the largest DDoS attack ever recorded.”
Krebs gets slammed
The OVH attack came on the heels of another gargantuan DDoS incident, this one targeting respected cybersecurity blog Krebsonsecurity.com, which knocked the site offline for several hours.
“The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor,” Brian Krebs wrote, adding that he has since implemented DDoS protection from Google’s Project Shield.
The attack on Krebs clocked in at a massive 620 Gbps in size, which is several orders of magnitude more traffic than is typically necessary to knock most websites offline.
SecurityWeek reported that Krebs believes the botnet used to target his blog mostly consists of IoT devices — perhaps millions of them — such as webcams and routers that have default or weak credentials.
“There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called ‘Internet of Things,’ (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords,” Krebs wrote.
Reports indicate that the attack was in response to Krebs reporting on and exposing vDOS, a service run by two Israelis who were offering a DDoS-as-a-Service play and were arrested after Krebs’ story was published.
Security researchers have warned that improperly secured IoT devices are more frequently being used to launch DDoS attacks. Symantec last week noted that hackers can easily hijack unsecured IoT devices due to lack of basic security controls and add them to a botnet, which they then use to launch a DDoS attack.
“Poor security on many IoT devices makes them soft targets and often victims may not even know they have been infected,” Symantec wrote. “Attackers are now highly aware of lax IoT security and many pre-program their malware with commonly used and default passwords.”
And while DDoS attacks remain the main purpose of IoT malware, Symantec warned that the proliferation of devices and their increased processing power may create new ways for threat actors to leverage IoT, such as cryptocurrency mining, information stealing and network reconnaissance.