CCTV botnets have been known about for a long time. On the blog of Sucuri, a security company that provides protection services for websites (and that also offers a great free web scanner that detects infections on sites), they have published some details of a CCTV botnet that generated up to 50,000 HTTP requests per second against a single site.
It all started with a client, an online jewelry store, that hired their services to stop a DDoS attack. Sucuri pointed the domain's DNS at their own network to mitigate the attack, and in this way the client's site was easily back online.
Note: a free alternative that may be useful in certain DDoS situations is to use CloudFlare's DNS with its free plan.
From there the analysis began, as the attack grew in intensity and lasted several days, which is unusual. Although they do not mention which website the client was, given that it is an online jewelry store, I imagine the attack aimed at a kind of negative SEO by keeping the site offline, something that can be quite serious since not only are sales lost, but the site's positions in Google can also be affected.
They detected more than 25 thousand IPs from which the requests were sent, distributed all over the world. The bots used different User-Agents and referer spoofing to look like normal visits; among the referers were:
Referer: http://engadget.search.aol.com/search?q=RANDOMKEYWORD
Referer: http://www.google.com/?q=RANDOMKEYWORD
Referer: http://www.usatoday.com/search/results?q=RANDOMKEYWORD
All the source hosts also identified themselves as a "Cross Web Server" and served a default HTML page with the title "DVR Components Download". It was clear that the attack came from CCTV-DVR surveillance systems that had been compromised in some way.
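As an added example (not from Sucuri's post or from this article), the following Python script applies two of the indicators described above, search-engine referers carrying a random keyword and a single IP rotating its User-Agent, to a few constructed access-log lines; the log lines, the referer hosts list and the threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://www.google.com/?q=hk3d92ks" "Mozilla/5.0 (Windows NT 6.1)"
203.0.113.10 - - [12/Mar/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://engadget.search.aol.com/search?q=qpz71mm" "Mozilla/5.0 (X11; Linux)"
203.0.113.11 - - [12/Mar/2016:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "http://www.usatoday.com/search/results?q=vv0a3kq" "Opera/9.80"
198.51.100.5 - - [12/Mar/2016:10:00:02 +0000] "GET /rings HTTP/1.1" 200 8192 "https://www.google.com/" "Mozilla/5.0 (Macintosh)"
198.51.100.7 - - [12/Mar/2016:10:00:03 +0000] "GET /rings/gold HTTP/1.1" 200 8192 "https://www.example-shop.test/rings" "Mozilla/5.0 (iPhone)"
"""

# One combined-format line: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Referers shaped like the spoofed ones in the post: a search URL on one of these
# hosts with a ?q= query. A plain "https://www.google.com/" referer does not match.
SEARCH_REFERER_RE = re.compile(
    r'^https?://[^/]*(aol|google|usatoday)\.com/[^?]*\?q=', re.I
)


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_suspects(entries, min_hits=2):
    """Return {ip: {'search_referers': n, 'user_agents': k}} for IPs that sent
    at least `min_hits` requests with a search-style referer AND rotated between
    more than one User-Agent string, the combination seen in the DVR botnet."""
    hits = Counter()
    uas = defaultdict(set)
    for e in entries:
        if SEARCH_REFERER_RE.match(e["ref"]):
            hits[e["ip"]] += 1
            uas[e["ip"]].add(e["ua"])
    return {
        ip: {"search_referers": n, "user_agents": len(uas[ip])}
        for ip, n in hits.items()
        if n >= min_hits and len(uas[ip]) > 1
    }
```

On the sample above only 203.0.113.10 is flagged; a real deployment would feed these results into a rate limiter or firewall allow/deny list rather than block on referer alone.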
They also identified companies that sold these surveillance systems, such as H.264 DVR, ProvisionISR, Qsee, QuesTek, TechnoMate, LCT CCTV and Capture CCTV, among others. The article refers to a recently disclosed vulnerability in DVR systems that affects more than 70 vendors (white-label brands) which all run the same vulnerable software. Although it was not confirmed that this is the vulnerability exploited in this case, it is very possible that the devices were hacked this way.
Those who have security cameras with a DVR connected to the internet can apply filters so that only certain IPs can access the equipment, make sure they are running the latest available firmware, and, something basic that is often forgotten, change the default usernames and passwords.
This prevents the DVR from being infected, the cameras from being used to spy on us, and even attacks on other devices on the same local network.