  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] IoT devices launch unprecedented DDoS attacks

    DDoS attacks got a power boost thanks to hundreds of thousands of insecure IoT devices

    Lucian Constantin
    Sep 26, 2016

    Security researchers have been warning for years that poor security for internet of things devices could have serious consequences. We're now seeing those warnings come true, with botnets made up of compromised IoT devices capable of launching distributed denial-of-service attacks of unprecedented scale.

    Octave Klaba, the founder and CTO of French hosting firm OVH, sounded the alarm on Twitter last week when his company was hit with two concurrent DDoS attacks whose combined bandwidth reached almost 1 terabit per second. One of the two attacks peaked at 799Gbps alone, making it the largest ever reported.

    According to Klaba, the attack targeted Minecraft servers hosted on OVH's network, and the source of the junk traffic was a botnet made up of 145,607 hacked digital video recorders and IP cameras.

    With the ability to generate traffic of 1Mbps to 30Mbps from every single Internet Protocol (IP) address, this botnet is able to launch DDoS attacks that exceed 1.5Tbps, Klaba warned.

    The OVH incident came after cybersecurity journalist Brian Krebs' website was the target of a record DDoS attack that flooded the site at a rate of 620Gbps. The attack eventually forced content delivery and DDoS mitigation provider Akamai to suspend its pro bono service to Krebs, pushing the site offline for several days.

    According to Krebs, the attack was nearly twice the size of the largest attack Akamai had seen before, and would have cost the company millions of dollars if it had been allowed to continue.

    "There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called 'Internet of Things,' (IoT) devices -- mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords," Krebs said in a blog post.

    On Thursday, antivirus and security vendor Symantec published a report warning that insecure IoT devices are increasingly hijacked and used to launch DDoS attacks. The company has seen the number of cross-platform DDoS malware programs that can infect Linux-based systems soar in 2015 and continue this year. These threats are designed to run on Linux-based firmware for CPU architectures commonly used in embedded and IoT devices.

    Symantec's data shows that most of these systems are not compromised through sophisticated or device-specific vulnerabilities, but due to a lack of basic security controls. Attackers typically scan the internet for devices with open Telnet or SSH ports and try to log in with default administrative credentials. That's unfortunately all it takes today to build a large IoT botnet.

    And while IoT-powered DDoS attacks have now reached unprecedented size, there have been warning signs for several years that they were coming. In October 2015, security firm Incapsula mitigated a DDoS attack launched from around 900 closed-circuit television (CCTV) cameras and in June DDoS protection provider Arbor Networks warned that there are over 100 botnets built using Linux malware for embedded devices.
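The article above describes the one technique behind most of these botnets: repeated Telnet or SSH logins with lists of default credentials. Below is an added example, not part of the article or of Symantec's report, of the detection a device owner or hosting provider would want on the receiving end: it parses failed-login lines in OpenSSH's format and in an assumed BusyBox-style telnetd format, then flags source IPs that produce a burst of failures while cycling through several usernames, which separates credential-list attacks from a user mistyping one password. All log lines and IP addresses are constructed (RFC 5737 documentation ranges).

```python
"""Detect Telnet/SSH default-credential brute forcing in auth logs.

Added example; not from the forum thread or the quoted articles.
Log lines and addresses below are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH's real "Failed password" wording, and an ASSUMED telnetd wording
# (embedded devices vary; adapt TELNET_RE to what your firmware logs).
SSH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
TELNET_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login failed for user '(?P<user>[^']*)' from (?P<ip>[\d.]+)"
)

# Constructed sample: one Telnet list attack, one SSH list attack, and one
# legitimate user (alice) fumbling her password a few times.
SAMPLE_LOG = """\
Sep 26 10:00:01 dvr01 telnetd[412]: login failed for user 'root' from 203.0.113.5
Sep 26 10:00:03 dvr01 telnetd[412]: login failed for user 'admin' from 203.0.113.5
Sep 26 10:00:04 dvr01 telnetd[412]: login failed for user 'root' from 203.0.113.5
Sep 26 10:00:06 dvr01 telnetd[412]: login failed for user 'support' from 203.0.113.5
Sep 26 10:00:07 dvr01 telnetd[412]: login failed for user 'guest' from 203.0.113.5
Sep 26 10:00:09 dvr01 telnetd[412]: login failed for user 'root' from 203.0.113.5
Sep 26 10:05:00 dvr01 sshd[501]: Failed password for root from 198.51.100.7 port 41234 ssh2
Sep 26 10:05:02 dvr01 sshd[501]: Failed password for invalid user admin from 198.51.100.7 port 41236 ssh2
Sep 26 10:05:03 dvr01 sshd[501]: Failed password for invalid user user from 198.51.100.7 port 41238 ssh2
Sep 26 10:05:05 dvr01 sshd[501]: Failed password for invalid user pi from 198.51.100.7 port 41240 ssh2
Sep 26 10:05:06 dvr01 sshd[501]: Failed password for root from 198.51.100.7 port 41242 ssh2
Sep 26 11:00:00 dvr01 sshd[777]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Sep 26 11:00:20 dvr01 sshd[777]: Failed password for alice from 192.0.2.10 port 50002 ssh2
Sep 26 11:00:40 dvr01 sshd[777]: Failed password for alice from 192.0.2.10 port 50004 ssh2
Sep 26 11:01:00 dvr01 sshd[777]: Failed password for alice from 192.0.2.10 port 50006 ssh2
Sep 26 11:01:10 dvr01 sshd[777]: Failed password for alice from 192.0.2.10 port 50008 ssh2
"""


def parse_failure(line, year=2016):
    """Return (timestamp, service, user, ip) for a failed login line, else None.
    Syslog lines carry no year, so the caller supplies one."""
    for service, rx in (("ssh", SSH_RE), ("telnet", TELNET_RE)):
        m = rx.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            return ts, service, m["user"], m["ip"]
    return None


def detect_bruteforce(lines, window_s=60, min_failures=5, min_users=3):
    """Flag sources with >= min_failures failures inside window_s seconds that
    also tried >= min_users distinct usernames (a credential list, not a typo)."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed:
            ts, service, user, ip = parsed
            events[ip].append((ts, service, user))

    alerts = []
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits in window_s
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, _, u in window}
            if len(window) >= min_failures and len(users) >= min_users:
                alerts.append({
                    "ip": ip,
                    "services": sorted({s for _, s, _ in window}),
                    "failures": len(window),
                    "usernames": sorted(users),
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The username-diversity condition is what keeps alice out of the alerts: five wrong passwords for one account in seventy seconds is a locked-out colleague, while five failures across root, admin, support and guest in eight seconds is a device being walked through a default-credential list. Thresholds are deliberately parameters; a camera that only ever sees one administrator can run with far tighter values than a shared jump host.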

  2. #2
    WHT-BR Top Member
    Join Date
    Dec 2010

    Over 100 DDoS botnets built using Linux malware for embedded devices

    Default and hard-coded credentials have led to the compromise of thousands of Internet-of-Things devices

    Lucian Constantin
    Jun 30, 2016

    LizardStresser, the DDoS malware for Linux systems written by the infamous Lizard Squad attacker group, was used over the past year to create over 100 botnets, some built almost exclusively from compromised Internet-of-Things devices.

    LizardStresser has two components: A client that runs on hacked Linux-based machines and a server used by attackers to control the clients. It can launch several types of distributed denial-of-service (DDoS) attacks, execute shell commands and propagate to other systems over the telnet protocol by trying default or hard-coded credentials.

    The code for LizardStresser was published online in early 2015, giving less-skilled attackers an easy way to build new DDoS botnets of their own. The number of unique LizardStresser command-and-control servers has steadily increased since then, especially this year, reaching over 100 by June, according to researchers from DDoS mitigation provider Arbor Networks.

    The DDoS bot is very versatile, with versions for the x86 CPU architecture as well as ARM and MIPS, which are commonly used on embedded devices.

    IoT devices are perfect for DDoS bots, because they run some familiar variant of Linux, have limited resources so they don't have malware detection or advanced security features and, when they're connected directly to the Internet, they're typically not subjected to bandwidth limitations or firewall filtering.

    The reuse of software and hardware components is very common in the IoT world as it simplifies and lowers the cost of development. Because of this, default credentials that were used to initially manage one device may later make their way into entirely different classes of devices, the Arbor Networks researchers said in a blog post.

    IoT botnets can be very powerful. Arbor Networks investigated two of them that were used to launch attacks against banks, telecommunications companies and government organizations from Brazil, as well as three gaming companies from the U.S.

    One of the attacks peaked at over 400Gbps and 90 percent of the hosts from which the malicious traffic originated responded over HTTP with a Web-based interface called NETSurveillance WEB.

    "Doing some more research, the NETSurveillance WEB interface appears to be generic code used by a variety of Internet-accessible webcams," the Arbor Networks researchers said. "A default password for the root user is available online, and telnet is enabled by default."

    This is not the first time that IoT botnets have been used to launch DDoS attacks. Researchers from Web security firm Sucuri just recently reported DDoS attacks launched from a botnet of over 25,000 CCTV cameras and digital video recorders.

  3. #3
    WHT-BR Top Member
    Join Date
    Dec 2010

    LizardStresser is a DDoS botnet written in C and designed to run on Linux. The code consists of two halves – a client and server. The client is designed to run on compromised Linux machines which connect to a hardcoded C2 server. The protocol is essentially a lightweight version of IRC chat. Infected clients will connect to the server and receive commands, listed below.

    • The ability to launch a DDoS attack using a variety of attack methods:
      • HOLD – holds open TCP connections.
      • JUNK – send a random string of junk characters to a TCP port.
      • UDP – send a random string of junk characters to a UDP port.
      • TCP – repeatedly send TCP packets with the specified flags.

    • A mechanism to run arbitrary shell commands. Useful for downloading updated versions of LizardStresser with new C2s, or entirely different malware.
    • Propagation via telnet brute forcing. Clients connect to random IP addresses and attempt to login via telnet using a list of hard-coded usernames and passwords. Successful logins are reported back to the C2 for later assimilation into the botnet.

    LizardStresser is extremely simple to compile and run. We’ve observed samples compiled for various architectures such as x86, ARM, and MIPS – the most common platforms for IoT devices.
    Last edited by 5ms; 26-09-2016 at 18:27.

  4. #4
    WHT-BR Top Member
    Join Date
    Dec 2010

    Octave Klaba / Oles @olesovhcom 6 hours ago

    +6857 new cameras participated in the DDoS last 48H.

    Octave Klaba / Oles @olesovhcom 5 hours ago

    Last 48H we got only 15 times per day 100-800Gbps, 60 times per day 30-100Gbps. it's less but we've "null 0" all webcams ip ..

    Octave Klaba / Oles @olesovhcom Sep 23

    This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn.

    "we've "null 0" all webcams ip" -> If PAT is in use there, the legitimate accesses went down along with it.
    Last edited by 5ms; 26-09-2016 at 19:55.
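The tweets quoted above give the shape of the traffic a mitigation team has to reason about: many sources, 1 to 30 Mbps each, split across tcp/ack, tcp/ack+psh and tcp/syn floods, answered by null-routing ("null 0") the offending addresses. The following is an added example, not from the thread or from OVH, of how that per-source picture is built from flow records before deciding what to null-route. It assumes NetFlow-style tuples with the standard TCP flag bit values; the flows, addresses (RFC 5737 ranges) and destination port 7777 are constructed. It also handles the case a pure bit-rate threshold misses: a SYN flood is made of small packets, so it is caught by packet rate instead.

```python
"""Summarise a TCP flood per source IP and flag combination from flow records.

Added example; not from the forum thread or from OVH. Flow records below
are constructed NetFlow-style tuples.
"""
from collections import defaultdict

# TCP flag bits as carried in a NetFlow tcpFlags field
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def flag_label(flags):
    """Name a flow by the attack types quoted in the thread
    (tcp/syn, tcp/ack, tcp/ack+psh); anything else is 'other'."""
    if flags & SYN and not flags & ACK:
        return "tcp/syn"
    if flags & ACK and flags & PSH:
        return "tcp/ack+psh"
    if flags & ACK:
        return "tcp/ack"
    return "other"


# Constructed flows collected over one 10 s window:
# (src, dst, dst_port, tcp_flags, packets, bytes)
FLOWS = [
    ("203.0.113.5",  "192.0.2.1", 7777, ACK,        50_000,  3_000_000),  # ack flood
    ("203.0.113.5",  "192.0.2.1", 7777, ACK | PSH,  20_000, 12_000_000),  # ack+psh flood
    ("203.0.113.77", "192.0.2.1", 7777, SYN,       100_000,  4_000_000),  # syn flood
    ("198.51.100.9", "192.0.2.1", 7777, SYN,             1,         60),  # normal client
    ("198.51.100.9", "192.0.2.1", 7777, ACK | PSH,      40,     30_000),
    ("198.51.100.9", "192.0.2.1", 7777, ACK,            30,      1_800),
]


def summarise(flows, window_s=10):
    """Aggregate bytes and packets per source over the collection window and
    report Mbps, packets/s, per-flag packet counts and the dominant flag type."""
    per_src = defaultdict(lambda: {"bytes": 0, "packets": 0,
                                   "by_flags": defaultdict(int)})
    for src, _dst, _port, flags, packets, nbytes in flows:
        s = per_src[src]
        s["bytes"] += nbytes
        s["packets"] += packets
        s["by_flags"][flag_label(flags)] += packets

    summary = {}
    for src, s in per_src.items():
        summary[src] = {
            "mbps": round(s["bytes"] * 8 / window_s / 1e6, 2),
            "pps": round(s["packets"] / window_s, 1),
            "by_flags": dict(s["by_flags"]),
            "dominant": max(s["by_flags"], key=s["by_flags"].get),
        }
    return summary


def flagged_sources(summary, min_mbps=1.0, min_pps=1000):
    """Sources that exceed either a bit-rate or a packet-rate threshold.
    The packet-rate test exists because SYN floods use tiny packets and
    can sit under a Mbps threshold while still exhausting state tables."""
    return sorted(src for src, s in summary.items()
                  if s["mbps"] >= min_mbps or s["pps"] >= min_pps)


if __name__ == "__main__":
    summary = summarise(FLOWS)
    for src in flagged_sources(summary):
        print(src, summary[src])
```

Each entry in the output is a candidate for a null route, which is exactly where the caveat in the post above applies: if a flagged address is a PAT gateway, everyone behind it loses access along with the infected camera, so the per-source summary is the input to that decision, not the decision itself.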

  5. #5
    WHT-BR Top Member
    Join Date
    Dec 2010

    More than half of IoT attacks originate from China & US

    High numbers of attacks are also emanating from Germany, the Netherlands, Russia, Ukraine and Vietnam.

    September 26, 2016

    Cybersecurity firm Symantec’s Security Response team has discovered that cybercriminals are hijacking home networks and everyday consumer connected devices to help carry out distributed denial of service (DDoS) attacks on more profitable targets, usually large companies.

    To succeed, they need cheap bandwidth and get it by stitching together a large web of consumer devices that are easy to infect because they lack sophisticated security.

    More than half of all IoT attacks originate from China and the U.S., based on the location of IP addresses to launch malware attacks. High numbers of attacks are also emanating from Germany, the Netherlands, Russia, Ukraine and Vietnam. In some cases, IP addresses may be proxies used by attackers to hide their true location.

    Most IoT malware targets non-PC embedded devices such as web servers, routers, modems, network attached storage (NAS) devices, closed-circuit television (CCTV) systems, and industrial control systems. Many are Internet-accessible but, because of their operating system and processing power limitations, they may not include any advanced security features.

    As attackers are now highly aware of insufficient IoT security, many pre-program their malware with commonly used and default passwords, allowing them to easily hijack IoT devices. Poor security on many IoT devices makes them easy targets, and often victims may not even know they have been infected.

  6. #6
    WHT-BR Top Member
    Join Date
    Dec 2010

    F5 LABS - DDoS’s Latest Minions: IoT Devices

    Table of Contents

    DDoS is Commonplace
    IoT devices are the latest minions in cyber weaponry toolkits
    Hunting for IoT devices with default passwords
    SSH brute force attack numbers and trends
    Telnet brute force attack numbers and trends
    Telnet brute force attack origin countries
    Top 10 countries scanning
    Telnet and SSH attacks by ASN
    Why are Telnet attacks getting so popular?
    Top 1000 ASNs launching SSH attacks
    Top 1000 ASNs launching Telnet attacks
    IoT Botnets DDoSing
    IoT Botnets attacked multiple US state agencies
    Android botnet DDoS attack
    IoT DDoS Attacks Increasing
    Where are the C & Cs? China, China, China
    TCP Attack Abuse Warnings!

    PDF (30p)
