Security researchers have revealed an unusual DDoS attack against a small business, powered entirely by thousands of compromised CCTV units.
Sucuri founder Daniel Cid explained in a blog post that 25,513 IP addresses were spotted, with a plurality in Taiwan (24%), the US (12%) and Indonesia (9%) – although they spread out over 105 countries in total.
By far the largest share of the devices (46%) were H.264 DVR units, which Cid suspected had been compromised via a recently disclosed remote code execution (RCE) bug in CCTV-DVR devices.
“It was a layer 7 attack (HTTP Flood) generating close to 35,000 HTTP requests per second (RPS) which was more than their web servers could handle,” Cid explained of the attack.
“After the site came back up, the attacks increased their intensity, peaking at almost 50,000 HTTP requests per second. It continued for hours, which turned into days.”
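The numbers above explain why this kind of flood is hard to stop at the web server: 35,000 requests per second spread over 25,513 sources is roughly 1.4 requests per second per camera, well under any per-client rate limit that would not also block real visitors. The script below is an added example, not code from Sucuri or from the article, showing the detection approach that does work on a distributed layer 7 flood: alert on the aggregate request rate, then characterise the flood by clustering requests on a (method, path, User-Agent) fingerprint and counting how many distinct sources share it. The access log lines, IP ranges, User-Agent strings and the 50 RPS threshold are all constructed for the example and are assumptions, not values taken from the incident.

```python
"""Detect a distributed HTTP flood in Combined Log Format access logs.

Added example (not from the Sucuri post or the article). The sample log,
the bot User-Agent and the RPS threshold are constructed assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Combined Log Format, e.g.
# 203.0.113.7 - - [10/Jun/2016:14:05:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)  # second resolution
    return rec


def build_sample_log():
    """Constructed traffic: four legitimate page views, then a flood from 300
    distinct sources that each send only one or two requests, all against "/"
    with the same User-Agent inside a three-second window."""
    lines = []
    legit_ua = "Mozilla/5.0 (Windows NT 10.0) Firefox/47.0"  # constructed
    for i, path in enumerate(["/", "/rings", "/contact", "/about"]):
        lines.append(f'198.51.100.{i + 1} - - [10/Jun/2016:14:05:0{i} +0000] '
                     f'"GET {path} HTTP/1.1" 200 4096 "-" "{legit_ua}"')
    bot_ua = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"  # constructed
    for n in range(300):
        ip = f"{'203.0.113' if n < 200 else '192.0.2'}.{n % 200 + 1}"
        for k in range(1 + n % 2):          # odd-numbered sources send twice
            sec = 3 + (n + k) % 3           # seconds :03, :04, :05
            lines.append(f'{ip} - - [10/Jun/2016:14:05:0{sec} +0000] '
                         f'"GET / HTTP/1.1" 503 0 "-" "{bot_ua}"')
    return lines


def requests_per_second(records):
    """Aggregate request count per whole second, across all sources."""
    return Counter(r["ts"] for r in records)


def per_ip_peak_rps(records):
    """Highest requests per second that any single source reached."""
    buckets = Counter((r["ip"], r["ts"]) for r in records)
    return max(buckets.values(), default=0)


def flood_fingerprints(records, start, end):
    """Cluster requests in [start, end] by (method, path, UA); return
    (fingerprint, request count, distinct sources), largest cluster first."""
    reqs, srcs = Counter(), defaultdict(set)
    for r in records:
        if start <= r["ts"] <= end:
            fp = (r["method"], r["path"], r["ua"])
            reqs[fp] += 1
            srcs[fp].add(r["ip"])
    return [(fp, reqs[fp], len(srcs[fp])) for fp, _ in reqs.most_common()]


def analyse(lines, rps_threshold=50):
    """Alert on aggregate RPS, then describe the dominant flood cluster."""
    records = [r for r in map(parse_line, lines) if r]
    rps = requests_per_second(records)
    hot = sorted(sec for sec, n in rps.items() if n > rps_threshold)
    if not hot:
        return {"alert": False, "peak_rps": max(rps.values(), default=0)}
    top_fp, top_reqs, top_srcs = flood_fingerprints(records, hot[0], hot[-1])[0]
    return {
        "alert": True,
        "peak_rps": max(rps.values()),
        "hot_seconds": len(hot),
        "per_ip_peak_rps": per_ip_peak_rps(records),
        "top_fingerprint": top_fp,
        "top_fingerprint_requests": top_reqs,
        "top_fingerprint_sources": top_srcs,
    }


if __name__ == "__main__":
    for key, value in analyse(build_sample_log()).items():
        print(f"{key}: {value}")
```

Run against the constructed log, the aggregate rate trips the alert while no single source ever exceeds one request per second, and the dominant cluster is "GET /" with one User-Agent shared by 300 addresses: the fingerprint, not the source IP, is what a WAF rule or upstream filter has to key on. On a real log the same structure applies; only the threshold (derived from the site's normal peak) and the log format need adjusting.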
The victim was a small high street jewelry shop. Cid said he could not reveal the motive for the attack, but noted that most such incidents come down to a competitor or a disgruntled customer or employee.
“Unfortunately, as website owners, there is not much you can do to get those 25,000+ CCTVs fixed and protected. You also can’t do much to fix the millions of vulnerable devices on the internet that can be used as botnets and DDoS amplification methods,” he concluded.
“However, you can do your part. If you are an online camera user or vendor, please make sure it is fully patched and isolated from the internet. Actually, not just your online camera, but any device that has internet access (from DNS resolvers, to NTP servers, and so on).”
Cid said Sucuri is contacting the networks hosting the compromised CCTV cameras, but admitted that even once these are patched, attackers will not have to look far for more vulnerable devices to add to their botnets.