The OVH founder and CTO Octave Klaba reported the 1Tbps DDoS attack on Twitter sharing an image that lists the multiple sources of the attack.

Last days, we got lot of huge DDoS. Here, the list of “bigger that 100Gbps” only. You can see the

simultaneous DDoS are close to 1Tbps ! pic.twitter.com/XmlwAU9JZ6 — Octave Klaba / Oles (@olesovhcom) 22 settembre 2016

Klaba explained that the servers of its company were hit by multiple attacks exceeding 100 Gbps simultaneously concurring at 1 Tbps DDoS attack. The severest single attack that was documented by OVH reached 93 MMps and 799 Gbps.

One of the attacks documented by the OVH reached 93 MMps and 799 Gbps.

According to Klaba, the attackers used an IoT botnet composed also of compromised CCTV cameras.

This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn. — Octave Klaba / Oles (@olesovhcom) 23 settembre 2

Unfortunately, this is not a novelty, in June 2016 security experts from Sucuri firm have discovered a large botnet of compromised CCTV devices used by crooks to launch DDoS attacks in the wild.

Earlier this week, the website of the popular cyber security expert Brian Krebs was targeted by a DDoS attack of 665 Gbps. Experts speculate the attackers hit Krebs in response to his blog post in which he exposed a the operators behind the vDOS DDoS service.

IoT devices, including CCTV, often lack proper configuration, it is easy for hackers to locate on the Internet systems with weak or default login credentials.

Recently security experts reported several Linux malware targeting IoT devices such as Luabot and Bashlite.

Earlier September, experts from Level 3 and Flashpoint confirmed the overall number of devices infected by the BASHLITE malware is more than 1 million.

The number includes compromised devices belonging to several botnets, according to the experts, almost every infected device are digital video recorders (DVRs) or cameras (95%), the remaining is composed of routers (4%), and Linux servers (1%).

“Of the identifiable devices participating in these botnets, almost 96 percent were IoT devices (of which 95 percent were cameras and DVRs), roughly 4 percent were home routers and less than 1 percent were compromised Linux servers. This represents a drastic shift in the composition of botnets compared to the compromised server- and home router-based DDoS botnets we’ve seen in the past.” states a blog post published by Level 3 firm.

The researchers have been tracking more than 200 C&C worldwide used by the BASHLITE botnets. Fortunately, the IP addresses of the C&C servers were found hardcoded in the instance of malware detected in the wild making easy for experts to shut them down.

Back to the case of the 1Tbps DDoS attack against the OVH firms, at the time I was writing the servers were back online.

Pierluigi Paganini

(Security Affairs – 1 Tbps DDoS attack, IoT)