The website of prominent security blogger Brian Krebs is back online this week after sustaining one of the largest distributed denial of service attacks in Internet history.
DDoS attacks typically disrupt service at a website by flooding it with junk traffic. In this case, garbage traffic assaulted Krebs’ site at 620 gigabits per second. By comparison, consumer bandwidth is in the 10-15 megabit per second range; businesses, 100 Mbps to 1 Gbps.
The attack may have been even larger than reported so far, maintained Matthew Prince, CEO of Cloudflare.
“There was evidence that a lot of the upstream providers were getting congested and dropping packets upstream,” he told TechNewsWorld.
When that’s taken into account, “this attack could have been close to a terabit attack,” Prince said.
The attack was so large that Akamai, the company that had been protecting Krebs’ site from DDoS attacks for years, had to withdraw its support from the blogger.
“Let me be clear: I do not fault Akamai for their decision,” Krebs wrote in a Sunday post.
“I was a pro bono customer from the start, and Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before,” he explained.
“Once it became evident that the assault was beginning to cause problems for the company’s paying customers, they explained that the choice to let my site go was a business decision, pure and simple,” said Krebs.
Akamai had to assess what the attack was costing it in manpower and network overages, said Martin McKeay, a senior security advocate at the company.
“An attack of this size has serious financial costs,” he told TechNewsWorld.
Google to the Rescue
Krebs had to pull the plug on his website until he could find a new safe harbor. He found one behind Google’s Project Shield, which uses the search giant’s massive infrastructure to protect independent news sites from DDoS attacks.
Although it isn’t known who launched the attack on Krebs’ website, Akamai’s McKeay doesn’t believe it was a nation-state actor because it exposed a valuable asset to discovery.
“It’s very unlikely a state-actor because it’s burning this botnet,” he said.
“There’s enough people looking at this that this botnet will not last very long,” McKeay observed. “It’s somebody who doesn’t care if this botnet is useless in a week or two.”
It may be someone with a short tenure on freedom.
“When large attacks like this happen, the people behind them aren’t long for walking around freely,” Cloudflare’s Prince suggested.
“When you look at the history of attacks like this, in almost every case, the individuals behind them are tracked down and prosecuted,” he added. “It’s hard to generate this much traffic and create this much pain without leaving fingerprints.”
A botnet of hijacked Internet of Things devices — routers, IP cameras and digital video recorders that are exposed to the Internet and protected with weak or hard-coded passwords — mounted the attack on Krebs’ site.
“There are hundreds of thousands of cameras connected to the Internet that have a vulnerability that allows an attacker to abuse them and start sending attack traffic at a victim,” Prince pointed out.
An attacker sends a message to an IoT device and spoofs the return address, explained Slawek Ligier, vice president of engineering for security at Barracuda Networks.
“Those responses are directed at the victim, so the victim receives a flood of data from IoT devices from around the world,” he told TechNewsWorld.
The IoT is opening the floodgates for DDoS hackers, said Akamai’s McKeay. “When people create IoT devices, unless they’re secured properly, you’re opening up the possibility of it being used for just about any malicious purpose that you want.”
While the attack on Krebs’ site appears abnormal now, it may not be in the future, he said. “Within two years, this will probably be the new norm.”