Skip to content ↓ | Skip to navigation ↓

Attackers leveraged a botnet consisting of thousands of closed-circuit television (CCTV) devices to launch distributed denial-of-service (DDoS) attacks.

Daniel Cid, CTO of Sucuri Security, explains that a small jewelry shop recently signed up with his company. At the time, the new customer was experiencing a DDoS attack that had knocked it offline for a few days. Sucuri quickly analyzed the campaign to be a layer 7 attack (HTTP Flood) consisting of around 35,000 requests per second (RPS). The security firm then mitigated the attack.

That should have been the end of the story. But it wasn’t.

After the site came back up, the attackers renewed their DDoS campaign, this time launching a HTTP Flood that generated 50,000 RPS. The attack lasted for several days.

Curious, Cid and his security team took a deeper look into the campaign and found that the attackers were using only Internet of Things (IoT) CCTV devices to target the jewelry shop.

Cid hadn’t seen anything like it before:

“It is not new that attackers have been using IoT devices to start their DDoS campaigns, however, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long. As we extracted the geo-location from the IP addresses generating the DDoS, we noticed that they were coming from all over the world, different countries and networks. A total of 25,513 unique IP addresses came within a couple of hours.”

About a quarter (24 percent) of the requests originated from devices located in Taiwan, with traffic also coming from the United States (12 percent), Indonesia (9 percent), Mexico (8 percent), and elsewhere.

sucuri cctv ddos botnet geographic distribution
Source: Sucuri

At this time, it is unclear how all of these CCTV devices were infected.

Cid explains companies can do little to protect themselves against CCTV DDoS attacks aside from having DDoS mitigation technologies in place.

He’s careful to note, however, that individuals can help prevent these types of attacks from occurring in the first place:

“If you are an online camera user or vendor, please make sure it is fully patched and isolated from the internet. Actually, not just your online camera, but any device that has Internet access (from DNS resolvers, to NTP servers, and so on).”

News of this campaign follows several months after another security firm spotted a botnet consisting of 900 CCTV cameras engaging in DDoS attacks.