DDoS attacks surge in power as botnets harness IoT devices
Massive DDoS attack on web host OVH may have peaked at 1.5 terabits per second
Distributed denial of service (DDoS) attacks are getting more powerful and more sophisticated.
"We experience the worst case scenario every year," said Dale Drew, chief security officer at tier-one network provider Level 3 Communications.
"Attack traffic becomes more sophisticated and brings to bear more bandwidth consumption than we have ever seen in years past. As such, we know the threats will only grow and morph."
Indeed, new records are now being set on an almost daily basis. Last year Level 3 mitigated a 400 gigabits per second (Gbps) attack, whereas just last week an attack on the security blog KrebsOnSecurity peaked at 620 Gbps.
Proprietor Brian Krebs believes the attack, which took down his website before being mitigated using Google's Project Shield, may have been the result of his exposure of two Israelis who ran a business that sold subscriptions to a DDoS attack platform for between $20 and $200 per month.
He also said that the attackers seemed to have harnessed a botnet made up of internet-connected devices other than computers, such as security cameras.
The traffic surge that took down KrebsOnSecurity was dwarfed by a similar DDoS attack at around the same time on French web host OVH, which pounded the company with internet traffic at a rate of more than one terabit per second, possibly even rising as high as 1.5 Tbps.
That attack also appears to have been carried out by a botnet composed of hacked digital video recorders and security cameras, and may have been orchestrated by the same perpetrators, who are now in custody.
The attacks were first reported on 19 September. OVH founder Octave Klaba said that, after an initial attack of 1.1 Tbps, 6,800 new cameras had joined the botnet and the site was being hit by wave after wave of traffic surges. The site is back online now.
This is not the first time connected Internet of Things (IoT) devices have been co-opted into botnets. In 2015, DDoS attacks on Sony's PlayStation Network and Microsoft's Xbox Live were orchestrated through hacked home routers. In June this year, the LizardStresser botnet, capable of attacks of up to 400 Gbps, was found to be targeting IoT devices using default passwords that are shared among entire device classes.