World’s Third-Largest ISP Attacked by Botnet of 100,000 IoT Devices

October 14, 2016 by Donald Krambeck

The world's third-largest internet service provider, OVH, was attacked by hackers at the end of last month.

The world's third-largest internet service provider, OVH, was attacked by hackers using over 100,000 IoT devices to overload their servers.

The Largest DDoS Attack Yet Seen

OVH isn't just an internet service provider, they provide shared cloud hosting, domain registration, and VOIP telephone services.

This was a DDoS (distributed denial of service) attack, which attempts to flood a network resource with online traffic, causing it to become unavailable to the internet.

One single computer cannot accomplish this task by itself. Instead, the hackers used over 100,000 IoT devices to hack OVH.

The network of devices, a large group of devices including cameras and digital video recorders (DVRs), was controlled through a multivector DDoS attack. According to OVH, however, other devices were also involved—even Raspberry Pis. 

One cause of this vulnerability was the settings on the devices used in the attack—i.e., these devices were improperly configured, allowing for them to be easily taken over.

On September 22nd, OVH founder and CTO Octave Klaba tweeted a picture which illustrates just how large attacks were. At one point, the simultaneous attacks accounted for almost 1 Tbps. Other numerous attacks were still well over 100 Gbps, causing the company's servers to be tested to their utmost ability.

Tweet from Octave Klaba / Oles (@olesovhcom) September 22, 2016

Klaba later tweeted that "This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn". While this was ongoing, OVH was facing more and more devices attacking them daily.

Not long before the attack on OVH, Brian Krebs' popular security news and investigation blog, KrebsOnSecurity, was targeted attacked through DDoS. This attack supposedly stemmed from taking part in exposing an Israeli firm, vDOS global, for its DDoS attack service. The attacks were so severe that Krebs' cloud-hosting service actually kicked KrebsOnSecurity off their servers, effectively killing the site temporarily. As of now, the site is back up and Krebs has since released several blog posts regarding the attack and how IoT hacks work in general.

How Can the IoT Be Hacked?

There are millions of IoT devices in use today, bringing households closer to becoming fully automated. IoT devices are physical objects that hold an IP address for the purpose of connecting to the internet and allowing communication between themselves and other physical IoT devices and systems.

There are various techniques to go about attacking these devices but in the case of OVH, hackers attacked a closed circuit television (CCTV system) to obtain a DDoS bot to their network and crash the OVH servers. As mentioned above, something as simple as having faulty settings on their devices or not changing default passwords allows for hackers to have an easy time forming an attack.

Web security company, Cloudflare, also suffered an attack recently. This week, they posted an in-depth exploration of the attacks targeted at their servers.


A graph of the attacks sustained by Cloudflare. Image courtesy of Cloudflare.


Cloudflare was contending with what are known as Layer 7 (L7) attacks which use HTTP GET and exhaust servers by pretending to be legitimate connections instigated by actual people. OVH, by comparison, was apparently dealing with Layer 3 (L3) attacks, a more common form of attack that aims to overwhelm server resources.

However, the attacks are similar in that Cloudflare, like OVH, is confident that they can trace the attack to IoT devices and CCTV cameras.


Preventing Future IoT-Fueled Attacks

So how can further attacks be prevented? It's not as straightforward of an answer as one would think. Many—if not all—companies are aware of the serious security issues presented by the IoT, but it isn't always easy to respond to attacks as soon as they happen. Attacks aren't generally the same and for each industry and vary greatly. This is what makes it rather hard for companies to address risks before they happen—they do not always see potential vulnerabilities. 

Intel's CTO Steve Grobman suggested that IoT devices should only be given the minimum amount of access to networks that they need for their specified function. As it is, many products are given more connectivity than they strictly need.

Below is a map that illustrates the density of open security cameras across the United States.

Map courtesy of CARTO Data Analysis Team

While OVH suffered from a huge attack, they have an extremely good anti-DDoS system in place. This system has a 3 Tbps surplus network that allows them to "soak up" data across their peer points that they have across the US.

While at its peak, the attack reached around 1 Tbps of botnets DDoSing their system, this only accounted for about a third of OVH's complete network.

In short, this extraordinary attack would have needed a much larger fleet of bots to completely take down OVH's system. However, with the number of IoT devices growing at such an extraordinary rate—increasing by the billions over the next 5 years—this DDoS attack clearly demonstrates the need for systemic improvements to IoT security.

1 Comment
  • redrooster01 October 30, 2016

    If they can find Mr big from the drug site Silk Road,that was hidden on the secret TOR network then surely they can trace back to these guys and prosecute them? They say its an Israeli firm so they know who it is? So why dont they prosecute them?

    Like. Reply