This week I read a good article on a French IT news website (ZDNet FR) about a cloud provider / ISP that was the victim of a major DDoS attack. This time, the devices that flooded the servers of OVH (a French ISP and cloud provider) were not computers but CCTV cameras.
Wow!! 🙂 🙂 A new kind of attacker?
Yes indeed, but it was predictable!
But before going further, the best option is to let you read the source article:
Zdnet FR: DDoS attack against OVH
Sorry for those who don’t speak French, but here is a quick extract from the CTO of OVH that will help you understand the situation:
What about the context?
For several years now, we have seen an exponential emergence of connected or smart devices. It started with phones and TVs, and now almost everything is smart:
- Smart TV
- Smart Fridges
- Smart Watches
- Smart Cars
- Smart blabla …. 🙂 🙂
The announced arrival of all these devices pushed ISPs to adopt IPv6, since each device gets a public IP address directly when it connects to a mobile carrier via GPRS, 3G, 4G, …
The fact that all these devices can get a public IP directly, with no NAT or firewall in between, exposes them to the outside world, and of course to hackers.
For this new generation of fully connected devices, which forms a new ecosystem, marketers found a shiny new acronym: IoT (Internet of Things).
This new ecosystem is the new playground of hackers, because these devices represent an impressive source of compute power and network bandwidth for massive DDoS attacks: a single camera has little bandwidth, but tens of thousands of them, each always on and directly reachable, add up.
The weak point of most of these devices is that security was left behind during development: implementing a high level of security costs money, and the competition to offer the lowest price on the market is very aggressive.
As a technologist, I’m happy about the advantages some of these devices can offer us, but unfortunately there’s a drawback: security. How are these devices secured by their manufacturers?
As a system administrator, I’m forced to notice that security is not a top priority when all these devices are deployed. That’s why we need to stop attacks before they reach those devices, to prevent the OVH scenario. But this is not the worst scenario.
We can imagine that instead of flooding a third party, the compromised device steals our personal data, which can seriously harm us.
What does this scenario teach us?
In today’s world, securing connected devices (smart devices, IT infrastructures, private and public clouds) is becoming more and more complex. At the firewall level, we can no longer just open and block ports, because hackers now look for security holes at the OS and application level, behind ports that have to stay open. Nowadays even user identities get compromised, which is one of the most damaging security issues a company can face today.
In my consulting job, a big challenge when I face customers about implementing security is the budget.
What I’ve often heard about new firewalls, centralized antivirus solutions, anti-spam gateways and so on:
- The firewall you propose is too sophisticated for the size of our company. We are not a bank.
- Are you sure, you’re not exaggerating the risks?
- We have the free version of a well-known antivirus solution, everything seems fine, why should we pay?
- In case of data loss we have a backup solution!
- Do you have a product that gives me central monitoring, an efficient anti-spam solution and efficient protection of my network perimeter for the lowest cost? We have a tight budget.
All of these arguments convince me that they don’t realize how exposed they are. Sometimes they realize it only after they have lost their data, because they never tested their backup before the incident.
As I explain to customers and potential customers: the more devices you have connected to the Internet, the larger your attack surface. The damage can cost more than a new firewall with a full UTM suite. The risks are not limited to the enterprise perimeter; they exist at home too, where security measures are most of the time very limited or nonexistent.
Fortunately for most people, the law is two or three generations behind the IT security world.
When I say fortunately, I’m thinking about the owners of devices infected by a botnet and participating in a DDoS attack. For the moment, as far as the law is concerned, nothing is planned here in Belgium or in France. If you have more info about this topic, feel free to comment 😉
Only the hacker is punished, and when one is identified, most of the time it turns out he was acting alone and generated a DoS, not a DDoS attack.
Maybe the day the law imposes fines on the owners of infected devices participating in DDoS attacks, mentalities will change and people will secure their infrastructure (even at home).
It’s just a thought; I’m neither for nor against it :-). It’s just an analysis!!!
In every IT infrastructure, security should be designed in as the foundation, not as an option.
As enterprise users need to be more and more mobile, the more devices they are likely to use, the more risks there are.
Budget should not be a brake, as the risk and its consequences are real.
Don’t hesitate to buy a good antivirus for your smartphones. When you host risky devices like CCTV cameras, don’t forget an IPS, and restrict the number of hosts from which they are reachable (and, just as important, the destinations they can reach, since a hijacked camera does its damage with what it sends out). When hosting e-commerce, think about a WAF and DDoS counter-measures.
All of these measures will save you money in the long run.
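To make the recommendation about CCTV cameras concrete, here is an added example (not from the original post, and not OVH’s or any vendor’s configuration): a small nftables ruleset, emitted by a POSIX shell script, that puts the cameras on their own VLAN behind the firewall. Only a recorder and one admin workstation may open connections to the cameras, and the cameras themselves may reach nothing but a local NTP server, so a hijacked camera has no path to flood a third party and the attempt shows up in the firewall log. The addresses, the interface name vlan50, the ports 554 (RTSP) and 443 (HTTPS), and the function names are assumptions chosen for illustration; the weak ruleset is shown first to make the contrast visible.

```shell
#!/bin/sh
# Added example, not the original post's configuration. All values below are
# assumptions for illustration:
#   CAM_NET  10.10.50.0/24  camera VLAN, attached to the firewall as vlan50
#   NVR      10.10.10.20    recorder / viewing host allowed to pull video
#   ADMIN    10.10.10.5     admin workstation allowed to reach the camera web UI
#   NTP      10.10.10.1     local NTP server, the only thing a camera may talk to
CAM_NET="10.10.50.0/24"
CAM_IF="vlan50"
NVR="10.10.10.20"
ADMIN="10.10.10.5"
NTP="10.10.10.1"

# Weak starting point found on many small sites: a permissive forward chain,
# so any camera can reach anything on the Internet (and be reached through
# any forwarded port). This is the configuration that lets a camera join a DDoS.
weak_ruleset() {
    cat <<EOF
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}
EOF
}

# Hardened ruleset for traffic forwarded between segments: default drop,
# cameras reachable only from the NVR and the admin host on two ports,
# cameras allowed out only to the local NTP server, everything else a camera
# sends is logged (rate limited) and then dropped by the chain policy.
camera_ruleset() {
    cat <<EOF
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Inbound to the cameras: only RTSP (554) and HTTPS (443) from the NVR and admin host
        ip daddr $CAM_NET ip saddr { $NVR, $ADMIN } tcp dport { 554, 443 } ct state new accept

        # Outbound from the cameras: local NTP only; nothing else leaves the segment
        iifname "$CAM_IF" ip saddr $CAM_NET ip daddr $NTP udp dport 123 accept

        # Any other packet from a camera is a warning sign: log it, then the policy drops it
        iifname "$CAM_IF" ip saddr $CAM_NET limit rate 10/second log prefix "CAM-EGRESS-DROP "
    }
}
EOF
}

# Syntax-check a ruleset without loading it. Needs the nft binary and, on
# most systems, root; when nft is absent the check is skipped with a notice.
check_ruleset() {
    if command -v nft >/dev/null 2>&1; then
        "$1" | nft -c -f -
    else
        echo "nft not installed; skipping syntax check" >&2
    fi
}

# Usage: sh segment_cameras.sh > cameras.nft && nft -c -f cameras.nft && nft -f cameras.nft
camera_ruleset
```

The ruleset only covers traffic forwarded between segments; the firewall’s own input chain and the camera firmware itself still need attention, which is where the IPS mentioned above comes in. The log prefix is what you would search for (or alert on) to catch a camera that suddenly starts talking to the outside world.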