[SOLVED] Amcrest Security Camera causing DDOS attacks and repeated Masscan?

TheDarkPleco

Honorable
Jun 26, 2015
Hello,

I have recently purchased an Amcrest Security Camera and set it up via PoE. It works great and I have been very pleased with it, but I have been having strange things occur ever since I got it. I run a Nextcloud instance for personal use and I noticed that this morning it wasn't up and running. My server was still running, so I restarted it and tried again. The server was up for about a half hour and then suddenly went offline again. I then used htop to view resource usage and every core was heavily loaded with threads from Apache's web server. I realized someone was DDOSing my cloud and cut off the open port. I checked my security logs and sure enough I have been getting DDOSed by an IP stressing service. In addition, I am constantly getting a Masscan, from a machine, checking for open ports. This did not occur before I got the camera. Every time the camera boots, a Masscan is triggered from an external IP address. I am upgrading the firmware on the camera and checking if it may have just had a vulnerability, but I suppose I am looking for advice on if I should keep the camera or not and if anyone else has had this issue. The Nextcloud Server had no login attempts other than my own in the system logs, just repeated requests for the main page during the DDOS. The attacks stopped after I unplugged the camera as well.
 
Solution
Keep the camera and keep up your defenses.

What I have come to realize is that many people envision an attacker being someone sitting at a PC endlessly manually typing in IP addresses etc. targeting YOU.

That is unlikely to be true. The process is automated and attackers will likely be targeting a wide range of IP addresses.

Mindlessly, continually, constantly.

Nothing personal.

If a weakness is found then the attack will shift somewhat and continue hammering away.....

Bad guys know the defaults. They know the weak points.

The important concept for you is to recognize that fact. Set up your defenses. Monitor attacks.

What you want is defenses that "hold the line".

Regardless of the attacks.

And be prepared for a breach via your own "nuclear option" that protects you and your data.

That will not discourage bad guys (aka "bad actors").

It will protect you.
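
One way to act on "Monitor attacks" for the symptom described in the question (repeated requests for the main page), as an added example that is not code from either poster: it scans Apache access log lines for clients that exceed a request rate against one URL. The Apache "combined" log format, the window and threshold values, and the sample lines are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" format is assumed: ip, identity, user, [time], "request", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def find_floods(lines, path="/", window_s=10, threshold=20):
    """Return {ip: peak number of requests to `path` seen inside any sliding
    window of `window_s` seconds} for clients whose peak reaches `threshold`.
    Window and threshold are illustrative values, not tuned recommendations."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peak = defaultdict(int)
    window = timedelta(seconds=window_s)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"] != path:
            continue              # skip unparseable lines and other URLs
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that fell out of the window
            q.popleft()
        peak[m["ip"]] = max(peak[m["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed log lines (documentation IP ranges): one noisy client
    hammering the main page and one normal user."""
    t0 = datetime(2024, 1, 1, 8, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "-"'
    stamp = lambda t: t.strftime("%d/%b/%Y:%H:%M:%S %z")
    lines = [fmt.format(ip="198.51.100.7", path="/",
                        ts=stamp(t0 + timedelta(seconds=i // 10)))
             for i in range(40)]  # 10 requests per second for 4 seconds
    lines += [fmt.format(ip="192.0.2.10", path=p,
                         ts=stamp(t0 + timedelta(minutes=i)))
              for i, p in enumerate(["/", "/login", "/"])]
    return lines

if __name__ == "__main__":
    for ip, n in find_floods(sample_log()).items():
        print(f"{ip}: {n} requests to / within 10 s")
```

On a real server the same function can be fed the lines of the access log file; the flagged addresses are candidates for rate limiting or a firewall block.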
 