1Tbps DDoS Attack Recorded by Web Hosting Company

A series of DDoS attacks has hit a French web hosting company over the past few days, culminating in a 1Tbps DDoS attack, the largest DDoS attack ever reported.

Denial-of-Service attacks have increased significantly in recent months; however, the scale of the recent DDoS attacks is particularly alarming. Attacks of 300+Gbps can cause significant damage, but even attacks on that scale were rare. Now, in the space of a week, two record-breaking DDoS attacks have been reported. First, Brian Krebs reported an attack that resulted in the Krebs on Security site being taken down. At 620Gbps at its peak, it was the largest DDoS attack to date.

However, that was just the start. The DDoS attack on OVH exceeded 1Tbps. According to OVH CEO Octave Klaba, the attack involved 145,000 devices, each of which had a capacity of between 1 and 30Mbps. That puts the capacity of the botnet at around 1.5Tbps.

As if attacks on that scale were not bad enough, Klaba later reported that the botnet had grown considerably, increasing by a further 6,857 devices on September 22. Klaba said the botnet had grown further on September 23, adding 15,654 more devices and increasing the maximum capacity of the botnet considerably.

The devices used for the attack were mostly hacked CCTV cameras and DVR recorders. The devices had been compromised because they used default usernames and passwords.

Huge botnets can now be created using a range of IoT devices. Those botnets are being rented out by the hour to anyone willing to pay the price. There is likely to be no shortage of takers. The attacks are virtually anonymous and most companies lack the defenses to deal with a 1Tbps DDoS attack.

Device manufacturers are still hardcoding usernames and passwords and shipping devices with default configurations that make them far too easy to compromise. In many cases, end users are not even aware that they should change the default configurations and are not told why it is important to do so.

To counter the threat, DDoS defenses must be improved. Organizations should ensure that they have sufficient DDoS mitigation capacity to cope with attacks well in excess of 600Gbps.

However, given the scale of the recent attacks, even organizations that have implemented a host of measures to deal with DDoS attacks could still be taken down. One thing is certain: the 1Tbps DDoS attack will not be the last. DDoS attacks on this scale, or larger, are likely to become the new norm.

Worryingly, it is possible that large sections of the Internet could be taken out of action by an army of DVR recorders and washing machines.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news