IoT botnet: 25,513 CCTV cameras used in crushing DDoS attacks

Over 25,000 hacked internet-connected CCTV cameras are being used for a denial-of-service botnet, according to researchers from the security firm Sucuri.

The discovery came after Sucuri mitigated a DDoS attack against a jewelry store site; it had been generating 35,000 HTTP requests per second. But after bringing the website back up, researchers said the attacks increased to nearly 50,000 HTTP requests per second. When the attack continued for days, the researchers discovered the attack botnet was leveraging only IoT CCTV devices, which were located across the globe.

Although this is not the first CCTV-based DDoS botnet discovered (900 had been used in attacks last year), it is the largest yet to be discovered.

“It is not new that attackers have been using IoT devices to start their DDoS campaigns,” Sucuri wrote. “However, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long.”

The researchers determined 25,513 unique IP addresses were being used to generate the DDoS attack. One hundred five countries had compromised CCTV devices used in the attack. Twenty-five percent of the malware-infected devices were located in 95 different countries, but the top 10 countries with the most compromised CCTV devices accounted for 75 percent of locations. Those countries were:

Another interesting aspect of the attack was that about 5 percent of the IPs came from IPv6. Sucuri said, it doesn’t “see many DDoS attacks leveraging IPv6 yet, [but] that’s a change we expect to keep happening as IPv6 becomes more popular.”

Forty-six percent of the CCTV cameras used in the attack had default H.264 DVR logos, but the entire vendor distribution looked like this:

While the researchers cannot say for certain how more than 25,000 IoT CCTV devices were compromised, they suspect the devices “might have been hacked via a recently disclosed RCE vulnerability in CCTV-DVR.” Back in March, security researcher Rotem Kerner discovered a RCE flaw affecting DVR devices used by CCTV cameras sold by more than 70 vendors.

The DDoS attack “was a variation of the HTTP flood and cache bypass attack.” It leveraged random referrers and user-agent combinations in an attempt to emulate normal browser behavior in order to make it more challenging to identify and block the malicious requests. Engadget, Google and USA Today were the most popular referrers and the most popular browsers were the user-agents.

Sucuri wrote:

Unfortunately, as website owners, there is not much you can do to get those 25,000+ CCTVs fixed and protected. You also can’t do much to fix the millions of vulnerable devices on the internet that can be used as botnets and DDoS amplification methods.

The security firm said it is “in the process of reaching out to the networks that have these unprotected and compromised cameras, but that’s just one small piece of the problem. Once the cameras are patched, the attackers will find other easily hacked devices for their botnets.”