Large botnet of CCTV devices knocks the snot out of jewelry website

Researchers have encountered a denial-of-service botnet that's made up of more than 25,000 Internet-connected closed circuit TV devices.

The researchers with security firm Sucuri came across the malicious network while defending a small brick-and-mortar jewelry shop against a distributed denial-of-service attack. The unnamed site was choking on an assault that delivered almost 35,000 HTTP requests per second, making it unreachable to legitimate users. When Sucuri used a network addressing and routing system known as Anycast to neutralize the attack, the assailants increased the number of HTTP requests to 50,000 per second.

The DDoS attack continued for days, prompting the Sucuri researchers to investigate its origins. They soon discovered that the individual devices carrying out the attack were CCTV boxes connected to more than 25,500 different IP addresses. The IP addresses were located in no fewer than 105 countries around the world.


HSBC online banking suffers major outage, blames DDoS attack


HSBC has been battling an apparent Distributed Denial of Service (DDoS) attack on its online banking system for the past few hours.

Many customers have been struggling to access HSBC online—via the bank's app or website—all morning.

HSBC blamed the outage on a DDoS attack, and attempted to spin the whole thing as a success story to mainstream news outlets. By way of example, witness this headline over at ITV News.


ProtonMail DDoS Attack – Sustained & Sophisticated

So the ProtonMail DDoS Attack – if you’re not familiar, ProtonMail is a secure, free, encrypted e-mail service that promises absolutely no compromises. It’s been getting hit hard since November 3rd, with a large-scale, rather sophisticated set of DDoS attacks rendering it unable to receive or send e-mail. It seems to have...


Researchers uncover “self-sustaining” botnets of poorly secured routers

Large numbers of home and small-office routers are under the control of hackers who are using them to overwhelm websites with more junk traffic than they can handle, security researchers said Tuesday. The devices are so poorly secured that they have given rise to self-perpetuating botnets commandeered by multiple attackers.

The distributed denial-of-service attacks have been underway since at least December and show no signs of letting up, researchers from DDoS-protection firm Incapsula said. Over the past four months, Incapsula has recorded attacks from 40,269 IP addresses belonging to 1,600 ISPs around the world. All of the compromised routers observed could be remotely administered, and almost all of those accounts continued to use vendor-provided login credentials. Incapsula found that the devices were infected by a variety of malware titles, including MrBlack, Dofloo, and Mayday. The ease of compromising the routers makes them free for the taking, all but ensuring an unending series of follow-on attacks. The researchers wrote:

Given how easy it is to hijack these devices, we expect to see them being exploited by additional perpetrators. Even as we conducted our research, the Incapsula security team documented numerous new malware types being added—each compounding the threat posed by the existence of these botnet devices.

Self-sustaining Botnets

Our analysis reveals that miscreants are using their botnet resources to scan for additional misconfigured routers to add to their “flock.” They do so by executing shell scripts, searching for devices having open SSH ports which can be accessed using default credentials.

This script identifies remotely accessible routers so they can be hijacked and made part of a botnet.

Facilitating the infiltration, all of these under-secured routers are clustered in the IP neighborhoods of specific ISPs that provide them in bulk to end-users. For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective. Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defense mechanisms.

The proliferation of poorly designed routers and inexperienced Internet users are the two most crucial ingredients fueling the self-perpetuating botnets. Manufacturers design their routers to be easily connected by giving each one the same administrator username and password and in some cases making the devices open to remote administration by default rather than allowing remote administration only when a user turns it on. The manufacturers frequently include no documentation warning users to change the default credentials, and even when those warnings are included, many end users don't heed the advice.
