
Akamai takes Brian Krebs’ site off its servers after ‘record’ cyberattack

658 points| bishnu | 9 years ago |businessinsider.com | reply

440 comments

[+] parshimers|9 years ago|reply
Quite impressive. You know your blog is good when folks will try to take down a CDN to suppress what's on it. He's also had heroin mailed to him in combination with a swatting attempt before: http://webcache.googleusercontent.com/search?q=cache:gEjqPfc...
[+] DSMan195276|9 years ago|reply
The google-cache page doesn't seem to be loading right for me - it's still trying to pull off extra content like css and images from the regular site. That said, I found the article in web.archive.org, and it has images and formatting intact:

https://web.archive.org/web/20151115154842/http://krebsonsec...

Thanks for giving a link to this post!

[+] YeGoblynQueenne|9 years ago|reply
That's an interesting read but I'm really not sure why Krebs posted the real name of "Fly's" wife. She doesn't seem to be involved in her husband's activities at all, so what's up with that?
[+] superuser2|9 years ago|reply
Wow. Imagine if he hadn't gotten access to the forum and preempted the police call.
[+] gnarbarian|9 years ago|reply
Holy shit. That is terrifying.
[+] headmelted|9 years ago|reply
Still not a good move for Akamai, though.

I get him speaking out for them about the hosting having been free, but Akamai is now the CDN that got bullied into kicking someone off their service against their own will.

Terrible PR, and that mud will stick in tech circles. Akamai folds under pressure.

I know it's a crude comparison, but we don't negotiate with terrorists for a reason.

[+] zx2c4|9 years ago|reply
Isn't this the point at which Cloudflare is supposed to gain a handful of PR points for putting him back online, pro bono, and then doing a write up on how effortlessly they handled the bandwidth with eBPF?
[+] Jweb_Guru|9 years ago|reply
Unfortunately, Krebs has (correctly) repeatedly attacked Cloudflare for sheltering most of the most prolific DDOS attackers. I doubt that's going to happen.
[+] xarope|9 years ago|reply
Here's a "philosophical" question with regards to the internet, and perhaps even its future. Given that a currently anonymous attacker, and likely not a "state" player (i.e. not a governmental entity with almost unlimited resources) has managed to DDoS a single website, does this portend that unless there are significant changes to the way the internet infrastructure works, we are seeing the demise of the WWW?

Kind of like a reverse wild-wild-west evolution, where the previously carefully cultivated academic and company site presence, gradually degenerates into misclick-hell? And the non-technical, non-IT savvy masses, in a bid to escape this all, end up in a facebook-style future where media is curated and presented for consumption (or perhaps in future, facebook-type entities end up with their own wild-wild-west hell)?

I have a strange feeling that we are seeing the decline of a city/civilisation; once you used to feel safe walking out at night, knew everybody in the neighbourhood, could leave your doors unlocked... and now, you don't dare to go down the lane to the left in case you pick up a nasty virus, and if you hear a knock on the door at night/email from DHL, you don't dare to even look through the peephole/preview the JPG!

[+] samplonius|9 years ago|reply
You are not the first to come up with this idea. This same thought has been posted every year for the past 20 or so years in mailing lists, forums or Usenet (though lately, not too often to Usenet).

I think prevention should be emphasized. If there wasn't so much garbage plugged into the Internet, there wouldn't be huge botnets to send DDoSes. There are few groups that scan the Internet for vulnerable systems, and rather than compromise them, send notices to the ISPs. In Canada, the CCIRC does this. But they only check IP blocks assigned to Canadian ISPs and enterprises.

Plus, why do so many ISPs still allow spoofing of IPs? It isn't 1999 anymore.

We should start a grass roots group to talk to everyone they meet, and get people to update their OSes, devices, and get rid of crap.

[+] tdy721|9 years ago|reply
Perhaps it's the government? Lots of people think all these NSA programs are evil surveillance, could be it's just the glue that has saved us from just this.

I'm personally amazed that people don't get hacked more often TBH... I can't think of any instances where non-technical people have been pwned in my own life.

I personally have a pa55word that I use for sites I don't trust, but the accounts never seem to fall or even falter. It's amazing really.

[+] rsync|9 years ago|reply
"Here's a "philosophical" question with regards to the internet, and perhaps even its future. Given that a currently anonymous attacker, and likely not a "state" player (i.e. not a governmental entity with almost unlimited resources) has managed to DDoS a single website, does this portend that unless there are significant changes to the way the internet infrastructure works, we are seeing the demise of the WWW?"

Peak Internet:

http://blog.kozubik.com/john_kozubik/2010/12/peak-internet.h...

[+] betaby|9 years ago|reply
I would like to see stats from Tier1/Tier2/IX for that. Krebs claims it's 665Gbit/s https://twitter.com/briankrebs/status/778404352285405188 Such an attack must be visible in many places, however not a single major ISP has reported it on a mailing list. Previous, smaller attacks were reported as 'slowing down' some regional ISPs. Perhaps ISPs got better.
[+] Gelob|9 years ago|reply
I've seen the graphs from prolexic, the claims are legit
[+] morecoffee|9 years ago|reply
In a world of 10 and 40 gigabit NICs, why is 665 considered big?
[+] solotronics|9 years ago|reply
Theoretically, if it was a well distributed botnet then it could be a few megs from a TON of different sources... and since Akamai had their own ASN it could just be jamming up Akamai and not other ASes.
[+] lossolo|9 years ago|reply
Akamai has ~140 000 servers around the world. The attack was probably spread around many locations, which is why you don't see any report on mailing lists.
[+] WhitneyLand|9 years ago|reply
This is bad PR for Akamai and a tactical error for them to boot Krebs even if they were providing free service.

To some, the implication will be "they couldn't handle it", so why should I trust the DDOS they are heavily promoting on their site?

At minimum they should comment on the situation, at best restore his service and learn how to deal with high profile clients.

[+] cft|9 years ago|reply
Even if they tried to mitigate and quietly semi failed (like 30% packet loss) the PR would have been better. It could be that such an attack takes down their entire network hard. Verisign said a year ago to us they could mitigate 2Tbps for comparison.
[+] daniel-levin|9 years ago|reply
Maybe because of the scale of this attack, relative to the business value Krebs provides Akamai? Shedding an attack of this magnitude (by dumping Krebs) was probably well worth the PR hit Akamai took.
[+] owenversteeg|9 years ago|reply
The first thing a lot of people are thinking (and saying) is "switch to Cloudflare". But there's another name I think needs to be said - OVH. OVH can withstand a Tbps scale attack as far as I know, and it provides this to pretty much anyone. They have a pretty good interface and some of their plans are extremely cheap. They're also great at standing up for free speech, which I really appreciate.
[+] thaeli|9 years ago|reply
Yeah, been quite happy with their DDoS protection myself for hosting game servers. And short of drawing the massive ire of organized crime and/or nation states, that's about the biggest DDoS bullseye you can paint on your back.

Krebs also hasn't publicly criticized OVH like he has CloudFlare, so I could see that working out well. Would be great press for them, too.

[+] flashman|9 years ago|reply
> “I likely cost them a ton of money today.”

But more specifically, whoever launched the attack cost them that money.

Also, ha:

PING krebsonsecurity.com (127.0.0.1): 56 data bytes

[+] guessmyname|9 years ago|reply
I would say that is a clever move, but to be honest that is the most he can do now.

https://twitter.com/briankrebs/status/779144394360381440

     @    123 IN SOA   ns1.prolexic.net. hostmaster.prolexic.com. 2016092204 86400 900 1209600 3600
     @    900 IN NS    ns1.prolexic.net.
     @    900 IN NS    ns2.prolexic.net.
    *@    300 IN A     127.0.0.1
     @    300 IN MX    10 smtp.krebsonsecurity.com.
     @    300 IN TXT   "v=spf1 ip4:... ip4:... ip6:... a mx ?all"
     m    300 IN CNAME krebsonsecurity.mobify.me.
     smtp 900 IN A     198.251.81.28
    *www  300 IN A     127.0.0.1
[+] kijin|9 years ago|reply
It might be more useful to return the IP address of whoever made the DNS query.

This could trick the computers that make up the botnet to either attack themselves on the public interface (more resource-intensive than trying to DDoS your own loopback), or even better, their ISP's resolvers (it would force the ISP to do something about it).

[+] reustle|9 years ago|reply
It would be interesting to try out some of these new p2p website technologies like IPFS/WebTorrent with these high profile sites who are frequently attacked.
[+] vmp|9 years ago|reply
+1 for IPFS

Hosting static blogs is really easy on IPFS (and if you absolutely can't live without comments: use disqus) but the URLs are cryptic and you either need a public IPFS gateway to access the site - which could get DDoS'ed - or run your own.

Another alternative is ZeroNet but you still need to run the client to access the site.

[+] xarope|9 years ago|reply
I tried to get to an article on Krebs' site from a Bruce Schneier blog post, and couldn't, then bumped into this post in HN.

It's a pity Akamai booted him off; on the one hand, I can understand that it would significantly impact on their SLAs to other customers, but on the other hand it's a shame they don't have a lower impact network to re-host him on, and use this as a learning lesson on how to better mitigate such DDoSs...

[+] josho|9 years ago|reply
I'd love to learn more about these botnets. I wonder about things like: what's the average time that a compromised computer stays in this net? What is the typical computer (grandma's old PC running XP)? Do the ISPs ever get involved to kill bots running on their networks?
[+] ChuckMcM|9 years ago|reply
Wow, I figured that everyone that had hired vDOS would be irritated but that is pretty impressive. Still it says a lot for how effective he has been at rooting out this stuff, not like the TierN infrastructure folks have managed to track this stuff down with their resources.
[+] mirekrusin|9 years ago|reply
Isn't this whole thing a bit silly? I mean what's the point? They just spend time on making him the best marketing, he'll double his audience/readers, no?
[+] Arcsech|9 years ago|reply
The point isn't to cost Krebs readers most likely. It's to show off how awesome this botnet is.

I'd guess the DDoSer is jumping with joy over this news actually, because now the DDoSer can advertise his service with "I DDoSed Krebs so hard Akamai had to drop him!"

[+] codedokode|9 years ago|reply
They have shown who is stronger and probably got some PR for their DDOS services.
[+] zaidf|9 years ago|reply
He should get a Facebook page and publish a copy of all his posts on it.
[+] Jupe|9 years ago|reply
Interesting idea, but probably doesn't go far enough...

Perhaps he should re-post his blog articles everywhere: Facebook, Flickr, Tumblr, Wattpad, WordPress, various feedback forums, etc.

Combat a DDoS attack with a DPD (distributed publishing defense - just made that up)

[+] sandGorgon|9 years ago|reply
I was going to say a different version of this.

Real men mirror.

Krebsonsecurity deserves to be on git and use something like Jekyll. Mirror it instantly in a hundred different places.

[+] pbarnes_1|9 years ago|reply
And give Facebook ad $ for nothing?
[+] Futurebot|9 years ago|reply
Something about the platform-centric world we're in now is that this sort of attack doesn't have the blocking power it once did: you can mirror your content on Twitter, FB, G+, etc. and cross-link so people can still read your stuff. This makes the "denial" part pretty watered down; it's a wonder people even bother with these sorts of attacks anymore for non-services (i.e., for regular media material like text, photos, etc.)

Of course, maybe the goal is to deny someone ad revenue, but that seems awfully low-status for such a high-profile attack: "Yeah, we really got 'em! Denied 'em AD REVENUE for a whole week!"

[+] ckdarby|9 years ago|reply
The ddos attacks seem to be getting larger these days.

I've recently seen a ~200 Gbit/s hit us.

Does anyone have good resources around mitigation? I was looking at BGP flowspec but was hoping that someone might have come across other tactics?

[+] blhack|9 years ago|reply
>The ddos attacks seem to be getting larger these days.

Consumer bandwidth is increasing.

[+] dmix|9 years ago|reply
If you're curious where the DDoS attacks are coming from, here is a recent one that hit OVH:

> This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn.

https://twitter.com/olesovhcom/status/779297257199964160

This is much higher than the Akamai attack on Krebs too. Welcome to the wonderful side-effects of the totally insecure firmware of IoT...