Botnets and DDoS Attacks

There’s just so much that seems as though it could go wrong with closed-circuit television cameras, a.k.a. video surveillance. With an ever-increasing number of digital eyes on the average person at all times, people can hardly be blamed for feeling like they’re one misfortune away from joining the ranks of Don’t Tase Me, Bro, esteemed internet celebrity.

However, if you think viral infamy is your worst-case scenario when it comes to CCTV, think again. Keep reading to find out why CCTV cameras and other internet-connected items are open to being hijacked by hackers looking to do DDoS damage, and about the bizarre case of the CCTV botnet located at a mall five minutes from a professional DDoS mitigation service.

The internet of issues with the Internet of Things

CCTV cameras belong to the Internet of Things (IoT), a grouping of, well, things that are linked through wired and wireless networks, often using the same Internet Protocol as the wider internet. They’re embedded with network connectivity, electronics, sensors and software that allow them to collect and exchange data. Pacemakers, smart thermostats and microchips in animals are all examples of the items that make up the Internet of Things.

The Internet of Things is actually very cool. It minimizes the gap between the physical world and computer-based systems. It’s what allows you to turn on your smart washing machine from the office, or lock your front door from the train. Here’s the issue with the Internet of Things, though. Your laptop is connected to the internet, so you’ve secured it. Same for your phone, tablet, probably your router, and any other number of internet-connected devices you use on a daily basis. You wouldn’t leave those open to exploitation, allowing just anyone to hijack and control them.

The Internet of Things is designed to be remotely controlled across network infrastructure. Read that again. These items are designed to be remotely controlled. And yet, how many of those cow microchips do you think are secured? How many smart TVs? How many of the 245 million surveillance cameras that are installed worldwide? (And that’s only counting the professionally installed surveillance cameras. Imagine how many do-it-yourself cameras are out there with even less security.)

Hijacking horror stories

You’ve probably already read about the downside of the Internet of Things, you just may not have realized it. One of the most high-profile instances of this is the recent stories about baby monitors being hacked, with grown men screaming at babies in the dead of the night.

As you can imagine, the potential for foul play with the Internet of Things is extensive. This is what’s led to the creation of CCTV botnets, which have been behind a number of DDoS attacks. By gaining control of internet-connected devices, attackers are able to direct those resources at a target website or other internet service, overwhelming it with malicious traffic and either driving it offline, or slowing it down enough to be unusable for legitimate users.

The consequences of a DDoS attack are many and dire. Not only will a website that’s not working drive users away and erode consumer trust, but a DDoS attack can also cause hardware damage, software damage, and can act as a smokescreen while attackers steal intellectual property, customer information, and financial data. And in terms of dollars and cents, an unmitigated DDoS attack can cost an organization a staggering $40,000 per hour.

From a virtual battlefield to a physical one

CCTV botnets weren’t anything new to professional DDoS mitigation provider Imperva Incapsula. In fact, they first publicly warned about them in March of 2014, when a steep increase in botnet activity was largely traced back to CCTV cameras.

However, it was a slightly different ballgame when Imperva Incapsula began to mitigate repeated HTTP flood attacks on one of their clients. The DDoS attack itself was nothing special – peaking at 20,000 requests per second, no big deal for professional DDoS mitigation. However, when Imperva Incapsula began looking through the attacking IPs, they discovered something curious. Some of the botnet devices were located right near their office.


Figure: Geo-location of CCTV botnet devices (Source: Imperva Incapsula)

Further detective work revealed that the botnet devices in question were CCTV cameras that were accessible to attackers through the devices’ default login credentials. Imperva Incapsula employees took a look through the camera lens and recognized a mall not five minutes from their offices. In a stark departure from a normal day spent fighting the evils of the internet, employees were able to head over to the mall, explain to the camera owners in person what had happened and why it happened, and help them clean the malware from their cameras.

Lessons that need to be learned

What you need to learn from these Internet of Things incidents is twofold. Firstly, if you have internet-connected devices like smart TVs, washing machines, thermostats, precision farming equipment, anything, they need to be secured. Even if, for some reason, you did not care whether your devices were being used in a botnet to carry out DDoS attacks, rest assured that if attackers can hijack your devices for DDoS attacks, they can take control of them for other reasons. This is an especially frightening thought when it comes to nanny cams and other monitoring devices in your home.

The second lesson that needs to be learned in all of this is for website owners. The Internet of Things is already massive and it’s estimated by Gartner that by the year 2020, it will be comprised of over 25 billion devices. That is billions of devices that could potentially be used in DDoS attacks against websites just like yours.

Professional DDoS protection is already a necessity, and it’s only going to continue to become a bigger necessity. Professional DDoS mitigation services may not be able to protect you from the prying eyes of a CCTV camera during your most embarrassing moments, but they can protect your website, your users, your equipment, your intellectual property, and your finances from CCTV and other Internet of Things botnets.

By Naomi Webb


Attackers have compromised more than 25,000 digital video recorders and CCTV cameras and are using them to launch distributed denial-of-service (DDoS) attacks against websites.

One such attack, recently observed by researchers from Web security firm Sucuri, targeted the website of one of the company’s customers: a small bricks-and-mortar jewelry shop.

The attack flooded the website with about 50,000 HTTP requests per second at its peak, targeting what specialists call the application layer, or layer 7. These attacks can easily cripple a small website because the infrastructure typically provisioned for such websites can handle only a few hundred or thousand connections at the same time.
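A layer 7 flood of the kind described above shows up in an ordinary web-server access log as a burst of requests per second from each source. The following is an added example (not Sucuri's code): it parses combined-log-format lines, finds the sources whose busiest one-second bucket exceeds a per-IP threshold, and reports the site's aggregate peak rate. The log lines and the addresses in them are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Combined-log-format prefix: client IP, identd, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Drop the timezone so the bucket key is the wall-clock second, e.g. 22/Jun/2016:10:00:01
    rec["second"] = rec["ts"].split(" ")[0]
    return rec

def requests_per_second(lines):
    """Return {ip: Counter(second -> request count)} for every parseable line."""
    buckets = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[rec["ip"]][rec["second"]] += 1
    return buckets

def flood_sources(lines, per_ip_threshold=20):
    """IPs whose busiest one-second bucket meets the threshold, sorted for stable output."""
    peaks = {ip: max(c.values()) for ip, c in requests_per_second(lines).items()}
    return sorted(ip for ip, peak in peaks.items() if peak >= per_ip_threshold)

def site_peak_rps(lines):
    """Highest aggregate request rate the site saw in any single second."""
    total = sum(requests_per_second(lines).values(), Counter())
    return max(total.values()) if total else 0

def make_line(ip, second, path="/"):
    """Build one constructed log line (sample data, not a real capture)."""
    return (f'{ip} - - [22/Jun/2016:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')

# Constructed sample: three flooding sources hitting "/", one ordinary visitor browsing.
SAMPLE_LOG = (
    [make_line("203.0.113.10", 1) for _ in range(40)]
    + [make_line("198.51.100.7", 1) for _ in range(35)]
    + [make_line("192.0.2.55", 2) for _ in range(30)]
    + [make_line("192.0.2.9", s, "/about") for s in (1, 2, 3)]
)
```

Compare `site_peak_rps` against the few hundred concurrent connections a small site is provisioned for to see how quickly such a flood exhausts it.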

The Sucuri researchers were able to tell that the traffic was coming from closed-circuit television (CCTV) devices—digital video recorders (DVRs) in particular—because most of them responded to HTTP requests with a page entitled “DVR Components Download.”

Around half of the devices displayed a generic H.264 DVR logo on the page, while others had more specific branding such as ProvisionISR, QSee, QuesTek, TechnoMate, LCT CCTV, Capture CCTV, Elvox, Novus, and MagTec CCTV.
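The attribution step described in the two paragraphs above, classifying flood sources by the page they serve, can be automated once the response bodies have been collected. This added example (not Sucuri's code) labels each body as a branded DVR, a generic H.264 DVR, a non-DVR page, or no response, using the page title and the vendor strings the report names; the response bodies and addresses are constructed for the example.

```python
import re
from collections import Counter

# Vendor names the Sucuri write-up reports seeing on the DVR pages.
KNOWN_BRANDS = ["ProvisionISR", "QSee", "QuesTek", "TechnoMate", "LCT CCTV",
                "Capture CCTV", "Elvox", "Novus", "MagTec CCTV"]
DVR_TITLE = "dvr components download"
TITLE_RE = re.compile(r"<title>(.*?)</title>", re.I | re.S)

def classify_response(body):
    """Label one collected HTTP response body from a flood source.

    Returns 'no-response' when nothing answered, 'not-dvr' when the page is not the
    DVR landing page, a vendor name when branding is present, else a generic label.
    """
    if body is None:
        return "no-response"
    m = TITLE_RE.search(body)
    # Collapse whitespace and case so "DVR  Components\nDownload" still matches.
    title = " ".join(m.group(1).split()).lower() if m else ""
    if title != DVR_TITLE:
        return "not-dvr"
    lowered = body.lower()
    for brand in KNOWN_BRANDS:
        if brand.lower() in lowered:
            return brand
    return "generic H.264 DVR"

def fingerprint_sources(responses):
    """responses: {ip: body-or-None}. Returns a Counter of labels across all sources."""
    return Counter(classify_response(body) for body in responses.values())

def dvr_share(labels):
    """Fraction of probed sources that identified as DVRs (branded or generic)."""
    total = sum(labels.values())
    dvrs = total - labels.get("not-dvr", 0) - labels.get("no-response", 0)
    return dvrs / total if total else 0.0

# Constructed response bodies standing in for probes of flood sources (not real devices).
SAMPLE_RESPONSES = {
    "203.0.113.10": "<html><head><title>DVR Components Download</title></head>"
                    "<body><img alt='H.264 DVR'></body></html>",
    "198.51.100.7": "<html><head><TITLE>DVR  Components\nDownload</TITLE></head>"
                    "<body>QSee Login</body></html>",
    "192.0.2.55": "<html><head><title>DVR Components Download</title></head>"
                  "<body>ProvisionISR</body></html>",
    "192.0.2.9": "<html><head><title>Welcome</title></head><body>Blog</body></html>",
    "192.0.2.20": None,
}
```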

The botnet seems to have a global distribution, but the countries with the largest number of compromised devices are Taiwan (24 percent), the U.S. (16 percent), Indonesia (9 percent), Mexico (8 percent), Malaysia (6 percent), Israel (5 percent), and Italy (5 percent).

It’s not clear how these devices were hacked, but CCTV DVRs are notorious for their poor security. Back in March, a security researcher found a remote code execution vulnerability in DVRs from more than 70 vendors. In February, researchers from Risk Based Security estimated that more than 45,000 DVRs from different vendors use the same hard-coded root password.

However, hackers knew about flaws in such devices even before these disclosures. Back in October, security vendor Imperva reported seeing DDoS attacks launched from a botnet of 900 CCTV cameras running embedded versions of Linux and the BusyBox toolkit.

Unfortunately, there’s not much that the owners of CCTV DVRs can do, because vendors rarely patch identified vulnerabilities, especially in older devices. A good practice would be to avoid exposing these devices directly to the Internet by placing them behind a router or firewall. If remote management or monitoring is needed, users should consider deploying a VPN (virtual private network) solution that allows them to connect inside the local network first and then access their DVR.


An unknown party claiming to be part of the Anonymous hacker collective emailed the StarTribune on Wednesday morning, June 22, claiming responsibility for the ongoing DDoS attacks that downed the Minnesota Judicial Branch’s website for most of the business day.

The attacks started around 8:00 AM, and access to the site was restored around 5:15 PM. At the time of writing, the website is still not accessible from some parts of the world, meaning the IT staff is still limiting access based on an IP filtering system.

“Anonymous Legion” takes responsibility for the attacks

In the email sent to the local newspaper, the hacker(s), who used the Anonymous Legion moniker, said they also managed to penetrate the Minnesota courts’ servers and steal data, and urged the newspaper not to believe the authorities if they denied the incident.

The attackers did not provide any proof to support their data breach allegations. Officials also informed the FBI Cyber Task Force.

This is the second time in six months that this has happened to the Minnesota courts system. Last December, DDoS attacks took the same website offline for ten days between December 21 and 31. Previously, the website was hit with another DDoS attack on December 8, 2015.

No clues as to why (or if) Anonymous DDoSed the website

To this day, nobody has discovered who attacked the Minnesota courts system, or why. No other judicial branch from any other state has suffered similar attacks.

This Twitter discussion from two cyber-security experts also shows the general confusion as to why Anonymous would attack this target. One of Anonymous’ biggest Twitter accounts has failed to provide any answers as well.

Outside the email the StarTribune received, there was no chatter online about the ongoing DDoS attacks.

It is exactly for these reasons that one of Anonymous’ biggest factions has decided to create a political party in the US, called The Humanity Party (THumP), to serve as the group’s official voice and to discourage smaller factions from launching blind DDoS attacks without any good reason.

THumP says it aims to coordinate Anonymous efforts in order to trigger a change in local politics, but not by launching senseless DDoS attacks, from which it will try to distance itself.


The number of distributed denial of service (DDOS) attacks is on the rise and online gaming sites remain the number one target.

According to the latest State of the Internet Security report by Akamai Technologies, the number of DDOS attacks in the first quarter of 2016 was up 125% from Q1 2015 and up 22.5% from Q4 2015.

Online gaming sites – which include not only gambling but also console gaming networks – were the targets in 55% of the Q1 DDOS attacks, about the same as in Q4. Software & technology sites ranked a distant second at 25%, while media & entertainment were third with just 5%.

On the plus side, the average duration of Q1’s DDOS attacks was 16.14 hours, down more than one-third from Q1 2015.

On the downside, Akamai says multi-vector attacks are becoming more popular, presenting greater challenges for sites’ security practitioners. Single-vector attacks have declined from 56% of the total in Q2 2015 to just 41% in Q1 2016.

Akamai counted a record 19 attacks in which the volume of data topped 100 gigabytes per second (Gbps), up from just five such mega-attacks in Q4. The previous record of 17 100-Gbps attacks was recorded in Q3 2014.

The gaming industry was targeted in three of these mega-attacks, all of which occurred the day before or the day of this year’s Super Bowl, strongly suggesting that the attackers weren’t targeting console gamers.

Akamai believes DDOS attackers are becoming more persistent in targeting specific sites. Targeted sites were hit with an average of 29 attacks in Q1, up from 15 in the same period last year. Akamai credited the rise to the ease with which attackers could now acquire DDOS attack platforms.

Akamai didn’t name names, but Q1’s most frequently targeted website was hit with 283 DDOS attacks, an average of three per day. This type of focus is typical of what Akamai called the latest DDOS trend, in which attackers “hammer away at high-value organizations, regardless of effect, looking for a moment when defenses might drop.”

DDOS attacks are also being used more and more as “a diversion technique to exhaust company resources while attacks are launched against the primary target.” Akamai suggests data exfiltration as the true motivation behind many repeated DDOS attacks.

Akamai believes a lot of DDOS attackers are now mimicking tactics pioneered by the infamous DD4BC group, which offered to forgo large-scale DDOS attacks if the victims coughed up a certain number of Bitcoins.

China was the source of 27% of all DDOS attacks in Q1, followed by the United States at 17% and Turkey with 10%. Turkey has now made the top-10 for two straight quarters, which Akamai credited to Russian hackers migrating outside their home country.


Authorities in Indonesia and South Korea have told Reuters about recent DDOS attacks aimed at the websites of their central banks.

Both Bank Indonesia and Bank of Korea took action by blocking IPs from parts of the globe they don’t usually see login attempts from. A Bank Indonesia spokesperson told Reuters that their institution blocked access from 149 countries in particular.

DDoS attacks are carried out using botnets. Botnets are a collection of hacked computers that act in sync based on orders received from the hackers, who control them with the help of a master server, called a C&C (command and control) server.

Usually, the infected machines are spread all over the world, and that’s why blocking IPs from some parts of the world might stymie such attacks. This is usually considered an extreme measure.

DDoS attacks used to mask more serious intrusions

The banking industry is on pins and needles right now, as most organizations are afraid of cyber-attacks and hacks similar to the ones suffered by the central bank of Bangladesh.

Last February, hackers stole $81 million from Bangladesh’s central bank by hacking the SWIFT inter-bank transaction system.

DDoS attacks are regularly used to mask more serious intrusions, as they keep IT staff busy repelling the attacks while hackers use other methods of infiltrating their systems. Neither of the two banks reported other incidents.

No actual evidence that Anonymous was behind the attacks

Without knowing who exactly carried out the attacks, authorities are now putting the blame on Anonymous, who announced last May a series of attacks aimed at banks around the world.

OpIcarus, as their campaign was called, lasted only for the month of May, and the group shifted focus to stock markets in June, and that’s how OpMayhem started. Additionally, Ghost Squad Hackers, one of the most active Anonymous subdivisions, launched OpSilence, aimed at mainstream media.

Normally, such groups carry out the attacks and spend just as much time bragging about what they did on Twitter. There was no chatter from known Anonymous hackers regarding DDoS attacks on the infrastructure of these two banks.