Researchers have encountered a denial-of-service botnet that's made up of more than 25,000 Internet-connected closed circuit TV devices.

The researchers with Security firm Sucuri came across the malicious network while defending a small brick-and-mortar jewelry shop against a distributed denial-of-service attack. The unnamed site was choking on an assault that delivered almost 35,000 HTTP requests per second, making it unreachable to legitimate users. When Sucuri used a network addressing and routing system known as Anycast to neutralize the attack, the assailants increased the number of HTTP requests to 50,000 per second.

The DDoS attack continued for days, causing the Sucuri researchers to become curious about the origins of the attack. They soon discovered the individual devices carrying out the attack were CCTV boxes that were connected to more than 25,500 different IP addresses. The IP addresses were located in no fewer than 105 countries around the world.

"It is not new that attackers have been using IoT devices to start their DDoS campaigns," Sucuri CTO and founder Daniel Cid wrote in a blog post, using the abbreviation for Internet of things. "However, we have not analyzed one that leveraged only CCTV devices and was still able to generate this quantity of requests for so long."

Sucuri researchers queried a sampling of the boxes and found that all of them showed they were running what was called the "Cross Web Server" that had a default Web page titled "DVR Components." The researchers later found the malicious IPs contained the company logos of resellers of CCTV services and that all the devices were running BusyBox, a collection of Unix-based utility tools that run on embedded devices. To make it harder to block the attack, the malicious devices had been programmed to emulate normal browser behavior by displaying a variety of common user agents, such as those associated with the Chrome, Internet Explorer, and Safari browsers. The hacked devices also displayed "referrers" falsely showing they had most recently visited sites including Engadget, Google, and USA Today.

It's still not clear how the attackers enslaved such a large number of devices. Cid speculated they were hacked by exploiting a recently disclosed vulnerability that allows remote code execution on digital video recorders from 70 different manufacturers, but so far this theory hasn't been confirmed.

However the devices were compromised, the 25,000-strong botnet provided formidable firepower, and it had the added advantages of being freely available, geographically dispersed, and extremely hard for whitehats to take down.

It's by no means the first mass attack that uses Internet-of-things devices. Attacks that took down both the Xbox and PlayStation gaming networks in late 2014, for instance, were powered mostly by hundreds of thousands of hacked home Internet routers. Given the lax to non-existent security that by default accompanies most IoT devices, this latest attack involving CCTV devices almost certainly won't be the last such episode.

Listing image by Lydia