When Sucuri researchers recently worked with a small jewelry store to mitigate a DDoS attack that had taken the store's website down for days, the researchers discovered that a botnet of 25,513 CCTV cameras was being leveraged to launch the attacks.
The attacks, which were generating as many as 50,000 HTTP requests per second on an ongoing basis for days at a time, were coming from CCTV cameras spread across 105 countries.
Just under a quarter of the cameras were in Taiwan, 12 percent were in the U.S., 9 percent in Indonesia, 8 percent in Mexico, 6 percent in Malaysia, 5 percent in Israel, and 5 percent in Italy.
"It is not new that attackers have been using IoT devices to start their DDoS campaigns -- however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long," Sucuri CTO and founder Daniel Cid wrote in a blog post examining the attack.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i
Stephen Gates, chief research intelligence analyst at NSFOCUS, told eSecurity Planet by email that security professionals have been warning for more than a decade that anything with an IP address can be used in a cyber attack. "Here is another case in point whereby a vulnerability has been exploited, remote code execution has been successful, and a botnet has been constructed from devices that rarely, if ever get updated," he said. "This problem is going to continue to grow as more and more devices get connected."
And IPv6, Gates said, will only increase the problem. "In the world of IPv4, network address translation (NAT) has helped hide devices from attackers on the Internet," he said. "Devices sitting behind a firewall using NAT are often not visible from the Internet itself. Although NAT was designed to solve the fossil fuel effect of IPv4, it was never intended to be a security feature -- but has helped. However, in IPv6 the concept of NAT isn’t needed. Every device can have a publicly visible IP address. As a result, hacking will grow exponentially."
A recent A10 Networks survey [PDF] of 120 IT decision makers at large organizations found that the average company suffers 15 DDoS attacks per year, with average attacks causing 17 hours of effective downtime.
More than half of respondents said they're planning to increase their DDoS prevention budgets in the next six months, with IT security teams most likely to lead DDoS prevention efforts (36 percent), followed by CISOs (26 percent) and CIOs (26 percent).
"DDoS attacks are called 'sudden death' for good reason," A10 CTO Raj Jalan said in a statement. "If left unaddressed, the costs will include lost business, time-to-service restoration and a decline in customer satisfaction. The good news is our findings show that security teams are making DDoS prevention a top priority."
A recent eSecurity Planet article examined the financial impact of DDoS attacks.