In September 2016, OVH's Octave Klaba tweeted that his company had sustained a DDoS attack which reached over 1Tb in size. This was in the same week that security journalist Brian Krebs also suffered a significant attack on his own website. OVH shared information on some of the attacking addresses, and Fujitsu CTI analysed a number of the source addresses. We discovered a number of indicators that a botnet of insecure internet-connected devices could be the reason for the large attacks, which was the number one prediction in our annual report.
The attack, which resulted in downtime for Brian Krebs, reached 600GBs, and the combined attacks on OVH reached over 1Tb in total traffic. Klaba said: “This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn.”
How Was this Possible?
A number of the analysed attacking addresses appeared to be commercial and residential CCTV portals. Identifying this pattern was relatively trivial and was made possible by searching on information disclosed in the device banner using Shodan, the IoT search engine. The search string was “H264DVR”, the encoding method used by the DVR, which appears in that banner.
In simple terms, a DDoS attack exhausts the victim's system resources by having multiple machines ‘flood’ the target with traffic; the attack is often facilitated by compromised devices and services such as WordPress sites. Researching deeper into the large number of devices, it appears that a number of flaws existed in the devices, which are branded ‘Netsurveillance’, allowing access to the web portals without any formal authentication, as well as default passwords on insecure services such as Telnet.
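The botnet profile Klaba described above (many sources, each at 1-30Mbps, sending tcp/ack, tcp/ack+psh or tcp/syn) is something a network operator can look for in their own flow data. The script below is an added example, not code from the original article or from Fujitsu CTI; it runs over constructed flow records (documentation-range addresses) and flags destinations receiving a distributed low-rate-per-source TCP flood, while leaving a single high-rate source unflagged because it does not match the many-small-bots pattern.

```python
from collections import defaultdict

# Flag types named in the tweet: tcp/syn, tcp/ack, tcp/ack+psh
FLOOD_FLAGS = {"S", "A", "AP"}

# Constructed flow records: (src_ip, dst_ip, tcp_flags, bytes, duration_seconds).
# Addresses are from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_FLOWS = (
    # eight bot-like sources: 12.5 MB in 10 s each, i.e. 10 Mbps per source, flood flags
    [(f"192.0.2.{i}", "203.0.113.10", ("S", "A", "AP")[i % 3], 12_500_000, 10.0)
     for i in range(1, 9)]
    # one ordinary client talking to the same host at about 0.1 Mbps
    + [("198.51.100.5", "203.0.113.10", "AP", 125_000, 10.0)]
    # one single 500 Mbps source to another host: heavy, but not the many-bots pattern
    + [("198.51.100.9", "203.0.113.20", "A", 625_000_000, 10.0)]
)


def mbps(nbytes: int, seconds: float) -> float:
    """Convert a byte count over a duration into megabits per second."""
    return nbytes * 8 / seconds / 1_000_000


def classify_sources(flows, per_src_band=(1.0, 30.0)):
    """Per destination, list the sources whose flags and per-IP rate fit the bot profile."""
    by_dst = defaultdict(dict)
    for src, dst, flags, nbytes, secs in flows:
        by_dst[dst][src] = (flags, mbps(nbytes, secs))
    profile = {}
    for dst, srcs in by_dst.items():
        bots = [s for s, (fl, rate) in srcs.items()
                if fl in FLOOD_FLAGS and per_src_band[0] <= rate <= per_src_band[1]]
        profile[dst] = {
            "sources": len(srcs),
            "bot_like": bots,
            "bot_mbps": round(sum(srcs[s][1] for s in bots), 3),
            "flag_mix": sorted({srcs[s][0] for s in bots}),
        }
    return profile


def detect_distributed_flood(flows, min_sources=5, min_total_mbps=50.0):
    """Return destinations where enough bot-profile sources add up to a damaging aggregate."""
    return {dst: p for dst, p in classify_sources(flows).items()
            if len(p["bot_like"]) >= min_sources and p["bot_mbps"] >= min_total_mbps}


if __name__ == "__main__":
    for dst, p in detect_distributed_flood(SAMPLE_FLOWS).items():
        print(f"{dst}: {len(p['bot_like'])} bot-like sources, "
              f"{p['bot_mbps']} Mbps, flags {p['flag_mix']}")
```

The thresholds (5 sources, 50 Mbps aggregate) are illustrative and would be tuned to the link being protected; the point is that the per-source rate band, not the total, is what distinguishes this botnet from a single noisy host.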
Vulnerable Devices
YouTube tutorials offer guidance on bypassing the ‘Netsurveillance’ device portal and gaining access to the GUI. According to one such video the portal suffers from SQLi (SQL injection), which effectively grants administrative control to an attacker without entering a password. In Vietnam alone there were approximately 62,000 devices; even if only a small percentage of these are DVR/CCTV-type devices, they would amount to a significant number of potentially compromised devices.
The emergence of low-cost technologies and the growth of cheap internet connectivity creates a potential critical mass of insecure devices such as DVRs, CCTV cameras and routers, which have already been identified as botnet-capable devices. Any device linked directly to the internet with so little consideration for the security implications adds risk and fuels large-scale DDoS attacks exponentially.
Defensive Measures
Preventing the devices from being harvested, and thus becoming part of a DDoS-capable botnet, can be done by applying secure principles at all layers. Device manufacturers need to build security measures into the core of the devices by adhering to protocols and basic security principles such as unique passwords and security keys, to protect against automated attacks and subsequent compromise. Consumers of devices need education and advice on the risks of insecure devices, and should have the ability to check for vulnerable devices as soon as they are identified, rather than being informed as a result of an incident such as the recent DDoS attacks.