SoylentNews is people

posted by takyon on Friday September 23 2016, @09:02PM
from the temporary-hiccup dept.

Akamai kicked journalist Brian Krebs' site off its servers after he was hit by a 'record' cyberattack is how Business Insider describes the ongoing DDoS (Distributed Denial of Service Attack) against Brian Krebs (currently offline; google cache). This is notable as Akamai was able to mitigate the effect of the record scale attack but has decided to end their service relationship with Krebs. Victory has currently been handed to the attackers: if the goal is to get Krebs' website off the Internet it has succeeded regardless of the mechanism. Despite being deleted off the Internet Krebs does not fault Akamai.

The really interesting question is how long will it take for Krebs to return to operational status? Is there anyone else that will be willing to donate their mitigation services so Krebs can go back online? Is there any possible way he could afford to pay normal prices for mitigation services that could handle 600 gigabits per second of flooding? Exactly who do you have to piss off, how sophisticated do they need to be, and how long can they afford the risk involved with carrying out the attack? Free Speech for the Internet is going to be defined by how this plays out.

takyon: These cybercriminals are just going to get Krebs more attention and appearances in the mass media. Krebs expects his site to be back up later today. Also, it is important to note that Akamai/Prolexic provided Krebs free service.

Previously: Brian Krebs DDoSed After Exposing vDos Operators; Israeli Authorities Hit Back With Arrests
Brian Krebs' Blog Hit by 665 Gbps DDoS Attack



Related Stories

Brian Krebs DDoSed After Exposing vDos Operators; Israeli Authorities Hit Back With Arrests 17 comments

After Brian Krebs exposed a DDoS-for-hire service disguised as "stress testing", a denial-of-service attack was launched against his website. Now, the two alleged operators of the service have been arrested:

Krebs describes vDos as a DDoS-for-Hire service that offered paid accounts to users who wanted to launch DDoS attacks on their targets or developers who planned to build DDoS services (stressers) of their own. The investigator provided the vDos database to Krebs, who discovered that, in the last two years, vDos customers launched over 150,000 DDoS attacks that totaled more than 277 million seconds of attack time. The database also contained payment records. Krebs discovered that the site's two operators made $618,000 only in the last two years, based on financial records dating back to 2014. vDos launched in 2012, so it might be accurate to say that its creators have made over $1 million since its creation.

The investigator also told Krebs that vDos was hosted on servers in Bulgaria, but its two creators were from Israel, as revealed by support tickets. The site's two creators had banned the ability to launch DDoS attacks against Israeli IPs so that it would not cause problems with local authorities.

[...] Soon after the article went live and users started sharing it on social media, Reddit, Slashdot, and HackerNews, a DDoS attack hit Krebs' website. According to Krebs, the attack was initially small, only 20 Gbps, but more than enough to bring down his website. In reality, 1 Gbps is more than enough to bring down most web servers. This initial attack later turned into a 128 Gbps attack. [...] UPDATE: Minutes after publishing this story, reports came in that Israeli law enforcement arrested the two alleged vDos owners named in the Krebs report.

Also at The Register, which notes that the two men authored a paper about DDoS attacks signed with their real names, and that one of them had previously claimed to have attacked the Pentagon.



Brian Krebs' Blog Hit by 665 Gbps DDoS Attack 19 comments

An article today on SecurityWeek details what may be the largest DDoS attack ever seen. The target? Brian Krebs' web site of course.

Investigative cybercrime journalist Brian Krebs reported on Tuesday that his website, KrebsOnSecurity.com, was hit by a massive distributed denial-of-service (DDoS) attack that could be the largest in history. According to Krebs, his site was targeted with various types of DDoS attacks, including SYN and HTTP floods. The attack peaked at 665 Gbps and 143 Mpps (million packets per second), but it was successfully mitigated by Akamai, the company that provides DDoS protection services for KrebsOnSecurity.

Akamai told Krebs that this attack was nearly twice the size of the largest attack they had previously encountered. It's worth noting that Arbor Networks reported in January that some of its customers had been hit by attacks that peaked at 500, 450 and 425 Gbps.

Quite the feather in the cap of Akamai to be able to mitigate this level of attack.



DDoS Mitigation Firm Founder Admits to DDoS 2 comments

DDoS Mitigation Firm Founder Admits to DDoS:

KrebsOnSecurity exposed the co-administrators of vDOS and obtained a copy of the entire vDOS database, including its registered users and a record of the attacks those users had paid vDOS to launch on their behalf.

Those records showed that several email addresses tied to a domain registered by then 19-year-old Preston had been used to create a vDOS account that was active in attacking a large number of targets, including multiple assaults on networks belonging to the Free Software Foundation (FSF).

The 2016 story on BackConnect featured an interview with a former system administrator at FSF who said the nonprofit briefly considered working with BackConnect, and that the attacks started almost immediately after FSF told the company's owners they would need to look elsewhere for DDoS protection.

Perhaps having fun at the expense of the FSF was something of a meme that the accused and his associates seized upon, but it's interesting to note that the name of the FSF's founder — Richard Stallman — was used as a nickname by the co-author of Mirai, a potent malware strain that was created for the purposes of enslaving Internet of Things (IoT) devices for large-scale DDoS attacks.

Related:
DDoS Against Brian Krebs Scores a Victory: KrebsOnSecurity is Offline
Brian Krebs DDoSed After Exposing vDos Operators; Israeli Authorities Hit Back With Arrests



  • (Score: 5, Insightful) by bradley13 on Friday September 23 2016, @09:13PM

    by bradley13 (3053) on Friday September 23 2016, @09:13PM (#405719)

    Sure, Akamai was providing him with service "for free". Of course, they did get to say "look, we host Brian Krebs!", which is worth a lot. The attacks got expensive enough that they reconsidered.

    Fair enough, but it seems like a poor decision. Dropping such a prominent site, because you don't want to deal with DDoS? How much faster will they drop less prominent sites? They have sent a clear message to the rest of us: look elsewhere for seriously reliable hosting.

    --
    Everyone is somebody else's weirdo.
    • (Score: 5, Insightful) by edIII on Friday September 23 2016, @10:22PM

      by edIII (791) on Friday September 23 2016, @10:22PM (#405749)

      No kidding.

      When you tout your mitigation services like that, actually mitigate an impressively large attack, and then promptly kick the customer off the Internet?

      That's a corporation you stay away from and don't pay, of which he may not have been, but other corporations ARE. You need somebody that would stick with you to the end, not just drop you once the going gets a little tough. Akamai did itself no favors with this terrible, terrible, PR move.

      If I was paying Akamai right now, I would be having a conversation with their rep asking for written statements that my account will not be dropped after a mitigated attack, and then dropping me would require 30 days written notice. Otherwise, that's no way to run a business.

      Netflix has a CDN. I'm wondering if Mr. Krebs should ask them?

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 0) by Anonymous Coward on Friday September 23 2016, @11:20PM

        by Anonymous Coward on Friday September 23 2016, @11:20PM (#405758)

        Akamai has been a shit company since at least 2003 when they cancelled a contract [nytimes.com] with the Arabic news service Al Jazeera because one of their execs was on the 9-11 flight out of Boston. Their name is unearned.

        • (Score: 3, Funny) by Anonymous Coward on Friday September 23 2016, @11:30PM

          by Anonymous Coward on Friday September 23 2016, @11:30PM (#405761)

          The company's co-founder and chief technology officer, Daniel Lewin, 31, was on American Airlines Flight 11 on Sept. 11, 2001, when the plane crashed into the north tower of the World Trade Center.

          9/11: just another attack Akamai couldn't mitigate.

          • (Score: 0) by Anonymous Coward on Saturday September 24 2016, @02:30AM

            by Anonymous Coward on Saturday September 24 2016, @02:30AM (#405824)

            CloudFlare would have stopped the 911 attacks.

      • (Score: 3, Interesting) by Anonymous Coward on Saturday September 24 2016, @02:03AM

        by Anonymous Coward on Saturday September 24 2016, @02:03AM (#405816)

        What this tells me is that their infrastructure was near the redline. They think it is better to drop him now and face the bad PR than have someone dial it up and successfully knock him off even with their help. I think that would have ended up hurting them more. Plus, the fact that this was supposed to be the full brunt of a relatively small botnet means that everyone knows that a bigger one, or one of the same size using reflection as well, could successfully take out someone who uses Akamai.

      • (Score: 2) by Fnord666 on Saturday September 24 2016, @03:31PM

        by Fnord666 (652) on Saturday September 24 2016, @03:31PM (#405954)

        That's a corporation you stay away from and don't pay, of which he may not have been, but other corporations ARE. You need somebody that would stick with you to the end, not just drop you once the going gets a little tough. Akamai did itself no favors with this terrible, terrible, PR move.

        That's just it. He wasn't paying them and can't afford to pay them for the amount of "interest" that his site draws. They had been covering him "pro bono" but that good will only goes so far. At some point they have to say "enough".

  • (Score: 4, Interesting) by Knowledge Troll on Friday September 23 2016, @09:19PM

    by Knowledge Troll (5948) on Friday September 23 2016, @09:19PM (#405724)

    This one came out after I submitted the story originally: http://arstechnica.com/security/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/ [arstechnica.com]. Juicy bits:

    "It's hard to imagine a stronger form of censorship than these DDoS attacks because if nobody wants to take you on then that's pretty effective censorship," Krebs told Ars on Friday. "I've had a couple of big companies offer and then think better of offering to help me. That's been frustrating."

    Of course, if a ragtag band of pseudo-hackers can disrupt KrebsOnSecurity, they can disrupt plenty of other sites, too. And this should concern not just the Googles, Apples, and Microsofts of the world but their everyday users as well. Krebs said the threat "screams out" for the kind of industry-wide collaboration that's come together to counter previous threats, including the DNS spoofing bug researcher Dan Kaminsky disclosed in 2008, the Conficker worm that infected huge swaths of the Internet the same year, or the GameOver botnet from last year. Sadly, Krebs said he sees no signs of such cooperation now.

    • (Score: 3, Interesting) by Fnord666 on Saturday September 24 2016, @03:37PM

      by Fnord666 (652) on Saturday September 24 2016, @03:37PM (#405956)

      "It's hard to imagine a stronger form of censorship than these DDoS attacks because if nobody wants to take you on for free then that's pretty effective censorship," Krebs told Ars on Friday. "I've had a couple of big companies offer and then think better of offering to help me. That's been frustrating."

      FTFY. The key point is that Krebs' site draws a lot of fire and the cost to have a mitigation strategy in place that can handle it is high. Krebs can't afford it but had been getting coverage for free. I'm fairly certain there are a number of companies that would take him on as a client if he were willing to pay the going rate.

  • (Score: 4, Interesting) by bob_super on Friday September 23 2016, @09:36PM

    by bob_super (1357) on Friday September 23 2016, @09:36PM (#405727)

    Maybe he should go for a light solution which is not expected to survive major traffic. Let it vanish every now and then: unreachable, but safe behind the kind of custom-hardware firewall my customers want, until addresses get moved and the attack goes away.
    Visitors to that kind of website can understand the availability tradeoff, as long as they end up getting the content eventually.

    • (Score: 3, Insightful) by Anonymous Coward on Friday September 23 2016, @09:43PM

      by Anonymous Coward on Friday September 23 2016, @09:43PM (#405728)

      Visitors to that kind of website can understand the availability tradeoff, as long as they end up getting the content eventually.

      Nope. Tolerance for downtime died during the 00s. Your site will be as good as dead and will never recover from the bad reputation.

      • (Score: 0) by Anonymous Coward on Saturday September 24 2016, @02:58AM

        by Anonymous Coward on Saturday September 24 2016, @02:58AM (#405829)

        Rusty, is that you?

    • (Score: 0) by Anonymous Coward on Friday September 23 2016, @11:23PM

      by Anonymous Coward on Friday September 23 2016, @11:23PM (#405759)

      This is proof we need a way to overlay the web on a P2P system. They go distributed to take centralized servers, we go distributed to put it back up.

      Also, imagine how big of a botnet these guys must be running. If only they would stick it into the Tor network. Let them sniff the exit nodes, that's what SSL is for anyway.

      • (Score: 0) by Anonymous Coward on Saturday September 24 2016, @04:08AM

        by Anonymous Coward on Saturday September 24 2016, @04:08AM (#405843)
        I doubt he's popular enough to have enough "seeders" to survive 600Gbps.

        Peers aren't anonymous in most _high_ bandwidth P2P systems. His seeders will drop his site faster than some can say Akamai.

        Go count how many seeds there are for even popular torrents. Most people wouldn't want to seed random sites and stuff. The laws can make it even more dangerous.
        • (Score: 0) by Anonymous Coward on Saturday September 24 2016, @04:21AM

          by Anonymous Coward on Saturday September 24 2016, @04:21AM (#405848)

          > Go count how many seeds there are for even popular torrents. Most people wouldn't want to seed random sites and stuff. The laws can make it even more dangerous.

          Except it's not "random sites and stuff." Those popular torrents are limited by the laws, but legit sites like his aren't. A DDoS might even have the opposite effect of bringing celebrity to his site and thus recruiting seeds.

          • (Score: 0) by Anonymous Coward on Saturday September 24 2016, @06:19AM

            by Anonymous Coward on Saturday September 24 2016, @06:19AM (#405866)
            Even better then. Count how many seeders for popular _legit_ torrents. That'll show you how few people would be willing to seed his site (and how even fewer would end up seeing his site), which I'd say is a lot less famous than say Ubuntu. Lots of people pay for their download quota. How many will sign up to get a DoS flood? They might not be the only one in their home who wants to use their connection too.

            Making it "less voluntary" by building P2P into stuff like browsers to serve up all sorts of sites may cause all sorts of legal issues. Who is going to decide what people would automagically seed? After all how many would want to help distribute child porn?
  • (Score: 4, Informative) by Bot on Friday September 23 2016, @09:46PM

    by Bot (3902) on Friday September 23 2016, @09:46PM (#405730)

    put a signed site snapshot on gnunet, freenet, ipfs, magnet link, together with a public key to verify it. New versions signed with the same key to avoid impersonation. Post links in all forums. Watch the DDoS guys raise hands.

    This internet is made for the powerful. Bigger pipes, that is more money, wins. No wonder they can't even ipv6. There is no incentive. A content addressed overlay net which works offline too would be like getting internet in the 90s: slow unreliable, EXCITING.

    --
    Account abandoned.
    • (Score: 4, Funny) by Anonymous Coward on Friday September 23 2016, @09:49PM

      by Anonymous Coward on Friday September 23 2016, @09:49PM (#405733)

      slow unreliable, EXCITING

      Slow and unreliable excites you too? Oh baby, baby. Do I have an iptables ruleset for you. Such throttling. So many resets.

      • (Score: 4, Funny) by Scruffy Beard 2 on Friday September 23 2016, @09:57PM

        by Scruffy Beard 2 (6030) on Friday September 23 2016, @09:57PM (#405738)

        Stable and predictable is boring.

        The few times I installed Windows98, the "most exciting OS yet!" slide started to take on a whole new meaning.

        TL;DR: You don't want your critical infrastructure to be "exciting".

        • (Score: -1, Flamebait) by Anonymous Coward on Friday September 23 2016, @10:03PM

          by Anonymous Coward on Friday September 23 2016, @10:03PM (#405744)

          You don't want your critical infrastructure to be "exciting".

          Yes you do, and that's why you should use Tor, because you never know when your pubic library is going to get busted for kiddie porn!

          • (Score: 0) by Anonymous Coward on Saturday September 24 2016, @01:13AM

            by Anonymous Coward on Saturday September 24 2016, @01:13AM (#405791)

            > pubic library
            somehow I am not surprised it contains porn. Freudian or intentional?

      • (Score: 0) by Anonymous Coward on Friday September 23 2016, @09:59PM

        by Anonymous Coward on Friday September 23 2016, @09:59PM (#405741)

        I think it's more about when and where to find stuff and how back in the day hunting down information was more difficult and resources could go on and offline. Everyone prefers 100% uptime, but there is some excitement with ephemeral resources. If impromptu warehouse/forest parties were always set up they wouldn't be nearly as fun and exciting.

    • (Score: 3, Interesting) by Scruffy Beard 2 on Friday September 23 2016, @10:00PM

      by Scruffy Beard 2 (6030) on Friday September 23 2016, @10:00PM (#405742)

      Somebody told me about Zeronet [wikipedia.org], which seems to implement many of the features you outline.

      A 10MB limit per site apparently.

      • (Score: 0) by Anonymous Coward on Friday September 23 2016, @10:07PM

        by Anonymous Coward on Friday September 23 2016, @10:07PM (#405745)

        I want NetZero. In my country it is not free.

    • (Score: 1, Informative) by Anonymous Coward on Friday September 23 2016, @11:37PM

      by Anonymous Coward on Friday September 23 2016, @11:37PM (#405764)

      > put a signed site snapshot on gnunet, freenet, ipfs, magnet link, together with a public key to verify it.

      There is an extension to the DHT (distributed hash table) system that bittorrent uses to enable exactly that sort of verifiable dynamic update. It's BEP 44 [bittorrent.org] and IIRC it works by making the public key the DHT address, so if you know the site's public key you can get the latest info and authenticate the signature based on the DHT address.
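
The scheme from the two comments above (a site snapshot signed with the owner's key, and BEP 44 addressing by public key), as an added example that is not part of the thread or of any BitTorrent client. It follows BEP 44's mutable-item layout (address = SHA-1 of public key plus salt, Ed25519 signature over the bencoded salt/seq/value fragment); the key seed, the salt `site` and the snapshot values are constructed, and `KeyFromSeed`, `Publish` and `Accept` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha1"
	"fmt"
)

// Item is a BEP 44-style mutable DHT item. All sample values are constructed.
type Item struct {
	Pub   ed25519.PublicKey
	Salt  []byte
	Seq   int64  // version counter, raised on every update
	Value []byte // e.g. the hash of the current site snapshot
	Sig   []byte
}

// KeyFromSeed is a demo helper: a fixed seed gives a reproducible key.
func KeyFromSeed(seed []byte) ed25519.PrivateKey { return ed25519.NewKeyFromSeed(seed) }

// Target is the item's DHT address: SHA-1(public key || salt).
func Target(pub ed25519.PublicKey, salt []byte) [20]byte {
	return sha1.Sum(append(append([]byte{}, pub...), salt...))
}

// SignedBuffer is the bencoded fragment the signature covers:
// ["4:salt" len ":" salt] "3:seqi" seq "e1:v" len ":" value
func SignedBuffer(salt []byte, seq int64, value []byte) []byte {
	var b []byte
	if len(salt) > 0 {
		b = append(b, fmt.Sprintf("4:salt%d:", len(salt))...)
		b = append(b, salt...)
	}
	b = append(b, fmt.Sprintf("3:seqi%de1:v%d:", seq, len(value))...)
	return append(b, value...)
}

// Publish signs a new version of the item with the site owner's key.
func Publish(priv ed25519.PrivateKey, salt []byte, seq int64, value []byte) Item {
	pub := priv.Public().(ed25519.PublicKey)
	return Item{pub, salt, seq, value, ed25519.Sign(priv, SignedBuffer(salt, seq, value))}
}

// Accept vets an item fetched from untrusted peers. want is the address derived
// from the key the reader trusts; lastSeq is the newest version already seen.
func Accept(want [20]byte, lastSeq int64, it Item) error {
	if len(it.Pub) != ed25519.PublicKeySize || Target(it.Pub, it.Salt) != want {
		return fmt.Errorf("key does not hash to the requested address")
	}
	if !ed25519.Verify(it.Pub, SignedBuffer(it.Salt, it.Seq, it.Value), it.Sig) {
		return fmt.Errorf("signature does not cover this salt/seq/value")
	}
	if it.Seq <= lastSeq {
		return fmt.Errorf("stale sequence number: replay of an older version")
	}
	return nil
}

func main() {
	salt := []byte("site")
	owner := KeyFromSeed(make([]byte, ed25519.SeedSize)) // all-zero demo seed
	addr := Target(owner.Public().(ed25519.PublicKey), salt)
	v1 := Publish(owner, salt, 1, []byte("snapshot-hash-v1"))
	v2 := Publish(owner, salt, 2, []byte("snapshot-hash-v2"))
	fmt.Println("v1 fresh: ", Accept(addr, 0, v1), "| v2 update:", Accept(addr, 1, v2))
	fmt.Println("v1 replay:", Accept(addr, 2, v1))
	v2.Value = []byte("defaced")
	fmt.Println("tampered: ", Accept(addr, 1, v2))
}
```

The sequence-number check matters as much as the signature: an old snapshot still carries a valid signature, so without it a hostile peer could serve a stale version of the site indefinitely.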

  • (Score: 1, Flamebait) by nitehawk214 on Friday September 23 2016, @11:28PM

    by nitehawk214 (1304) on Friday September 23 2016, @11:28PM (#405760)

    This is being reported in the news, now more people than ever will know who Brian Krebs is. Once the DDoS is over and his site is back online he will get more visitors than ever.

    What a stupid clickbaity title.

    --
    "Don't you ever miss the days when you used to be nostalgic?" -Loiosh
    • (Score: 0) by Anonymous Coward on Saturday September 24 2016, @12:03AM

      by Anonymous Coward on Saturday September 24 2016, @12:03AM (#405774)

      > This is being reported in the news, now more people than ever will know who Brian Krebs is.

      Many of the esteemed minds on this site believe that the results are always intentional.
      Therefore it is clear that it is the intent of the people doing the DDoS to promote Brian Krebs.
      Is Krebs DDoSing himself?

    • (Score: 2) by Nuke on Saturday September 24 2016, @12:47PM

      by Nuke (3162) on Saturday September 24 2016, @12:47PM (#405918)

      This is being reported in the news, now more people than ever will know who Brian Krebs is

      Not sure why this has been modded as Flamebait (as I found it), unless it was the unnecessary last sentence.

      It is true - a Streisand effect: I had heard the name Krebs before but knew nothing about him. Now I do, and I applaud him. Any way I can help him I will (ZeroNet seeder?).

  • (Score: 0) by Anonymous Coward on Saturday September 24 2016, @01:16AM

    by Anonymous Coward on Saturday September 24 2016, @01:16AM (#405795)

    The end of the world is coming. You remember Pharoah 99, correct?

  • (Score: 3, Interesting) by Spamalope on Saturday September 24 2016, @07:26AM

    by Spamalope (5233) on Saturday September 24 2016, @07:26AM (#405874)

    If Krebs is going to turn the site off, can you announce a route that stops the attack?

    I.e. announce the gateway to his server is 127.0.0.1, 0.0.0.0 or a private IP address (or the attackers' C&C server if known and you're feeling frisky) to stop the attacking systems' traffic from being routed.

    Is that a doable thing with the 'net architecture or are all the core routers set to filter announcements like that?