
Akamai takes Brian Krebs’ site off its servers after ‘record’ cyberattack - bishnu
http://www.businessinsider.com/akamai-brian-krebs-ddos-attack-2016-9
======
parshimers
Quite impressive. You know your blog is good when folks will try to take down
a CDN to suppress what's on it. He's also had heroin mailed to him in
combination with a swatting attempt before:
[http://webcache.googleusercontent.com/search?q=cache:gEjqPfc...](http://webcache.googleusercontent.com/search?q=cache:gEjqPfcbtlgJ:krebsonsecurity.com/2015/10/hacker-who-sent-me-heroin-faces-charges-in-u-s/&num=1&hl=en&gl=us&strip=1&vwsrc=0)

~~~
DSMan195276
The google-cache page doesn't seem to be loading right for me - It's still
trying to pull off extra content like css and images from the regular site.
That said, I found the article in way.archive.org, and it has images and
formatting intact:

[https://web.archive.org/web/20151115154842/http://krebsonsec...](https://web.archive.org/web/20151115154842/http://krebsonsecurity.com/2015/10/hacker-who-sent-me-heroin-faces-charges-in-u-s/)

Thanks for giving a link to this post!

~~~
spyder
Google cache: you have to click Text-only version which isn't trying to load
anything from the original site:

[http://webcache.googleusercontent.com/search?q=cache:kaymYsb...](http://webcache.googleusercontent.com/search?q=cache:kaymYsbcGc8J:krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/&num=1&strip=1&vwsrc=0)

(it's the "strip=1" parameter in the URL)

------
headmelted
Still not a good move for Akamai, though.

I get him speaking out for them about the hosting having been free, but Akamai
is now the CDN that got bullied into kicking someone off their service against
their own will.

Terrible PR, and that mud will stick in tech circles. Akamai folds under
pressure.

I know it's a crude comparison, but we don't negotiate with terrorists for a
reason.

~~~
wpietri
> Terrible PR, and that mud will stick in tech circles. Akamai folds under
> pressure.

Definitely. The lesson I'd take from this is that Akamai isn't serious about
DDOS protection.

For me, buying DDOS protection is something like buying insurance. I don't
expect to need it, but if the worst happens, I expect them to stick with me.
The way I measure insurance providers is by asking friends how it was when
they had a claim.

It strikes me as especially bad that they're doing it in the moment. It'd be
bad enough if they said, "Sorry, Brian, this is too big a distraction; you've
got 90 days to find a new home." But that they're dropping him in the middle
of an attack? That means I can't trust Akamai.

~~~
DoofusOfDeath
I had some friends who worked at Akamai. I always got the impression that they
were very serious about addressing anything which could disrupt service,
including DDoS.

~~~
wpietri
Yup. And it's those people I feel bad for. I'm sure I would have been one of
the tech people saying, "We must not give in! Let's use this as incentive to
keep upping our game. That's the only way we'll win in the long haul."

------
zx2c4
Isn't this the point at which Cloudflare is supposed to gain a handful of PR
points for putting him back online, pro bono, and then doing a write up on how
effortlessly they handled the bandwidth with eBPF?

~~~
godzillabrennus
I'm surprised that the Azure or Google Cloud teams aren't on top of this. They
want tech people to pay attention to their stacks, why not host a high profile
site like this to gain the respect of the industry?

~~~
tomlock
I feel like Brian Krebs is a public good at this point. Would love to see
Google foster a better web by hosting him!

~~~
toss1941
They should, and get agreements with CDN's / ISP's to forego charges in case
of a DDOS. If anyone could pioneer such an agreement, it would be Google.

~~~
nolok
You want them to push the idea that isp and other middle men networks should
not be dumb pipes, but charge a different pricing depending on traffic type
and intent?

Your comment may have the best of intentions, but that's how you take net
neutrality out the window.

------
xarope
Here's a "philosophical" question with regards to the internet, and perhaps
even it's future. Given that a currently anonymous attacker, and likely not a
"state" player (i.e. not a governmental entity with almost unlimited
resources) has managed to DDoS a single website, does this portend that unless
there are significant changes to the way the internet infrastructure works, we
are seeing the demise of the WWW?

Kind of like a reverse wild-wild-west evolution, where the previously
carefully cultivated academic and company site presence, gradually degenerates
into misclick-hell? And the non-technical, non-IT savvy masses, in a bid to
escape this all, end up in a facebook-style future where media is curated and
presented for consumption (or perhaps in future, facebook-type entities end up
with their own wild-wild-west hell)?

I have a strange feeling that we are seeing the decline of a
city/civilisation; once you used to feel safe walking out at night, knew
everybody in the neighbourhood, could leave your doors unlocked... and now,
you don't dare to go down the lane to the left in case you pick up a nasty
virus, and if you hear a knock on the door at night/email from DHL, you don't
dare to even look through the peephole/preview the JPG!

~~~
samplonius
You are not the first to come up with this idea. This same thought has been
posted every year for the past 20 or so years in mailing lists, forums or
Usenet (though lately, not too often to Usenet).

I think prevention should be emphasized. If there wasn't so much garbage
plugged into the Internet, there wouldn't be huge botnets to send DDoSes.
There are a few groups that scan the Internet for vulnerable systems, and rather
than compromise them, send notices to the ISPs. In Canada, the CCIRC does
this. But they only check IP blocks assigned to Canadian ISPs and enterprises.

Plus, why do so many ISPs still allow spoofing of IPs? It isn't 1999 anymore.

We should start a grass roots group to talk to everyone they meet, and get
people to update their OSes, devices, and get rid of crap.

~~~
kijin
The quickest way to achieve that would be to hold ISPs legally responsible
for any damage caused by their failure to block spoofed traffic from their own
network.

I'm not sure how well this would work outside of the U.S. though. Not everyone
is as litigious as Americans are.

~~~
meanduck
Shouldn't a router be able to do this filtering? Making Internet Exchange
Points do it would be even quicker. Once big IXPs do it, smaller ones would
follow suit for fear of being cut off, and eventually ISPs.

~~~
forgottenpass
Filtering can only be enforced at boundaries where an operator can say "Link N
will only/never have traffic for net range foo/16." And it isn't always
possible to make strong blanket statements like that.

Netadmins can make those kinds of statements about traffic originating from
within their own networks because they set the rules. But at an interconnection
the types of networks connecting, and the purpose of the connection might mean
there is little meaningful anti-spoofing protection that can be done.

For example: I send a packet to google, it passes from AS 123 through AS 456
to AS 789. How is AS 789 going to tell the difference between a packet from
me, and a forgery originating from AS 456?

~~~
meanduck
It can't. One solution would be blackholing AS 456 from AS 789 at the request
of its members. Hopefully this will teach 456 to stop misbehaving.

Though we do assume that the AS won't itself misbehave and send a spoofed packet to
one of its member peers, and most of the time it's true.

We have to worry about misbehaving ISPs for which previously mentioned
filtering works.

> Netadmins can make those kinds of statements about traffic originating from
> with their own networks because they set the rules. But at an
> interconnection the types of networks connecting, and the purpose of the
> connection might mean there is little meaningful anti-spoofing protection
> that can be done.

I don't think so. An IXP can force peers to provide their IP space even if it's the
whole internet. At least they won't be able to spoof IPs outside of their space.
If they do spoof ddos from their own space the above solution would probably
suffice.

EDIT: I just realized a peer already has to give destination IP ranges. So IXPs
don't have to force anyone.

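To make the boundary argument in the two comments above concrete, here is an added example (not from the thread, and not any vendor's code): a BCP 38 style source-address filter expressed as the set of prefixes a link may originate, next to a strict uRPF check against a routing table. The link names, prefixes and routes are constructed for illustration (documentation address ranges only). It shows why the filter has teeth on a customer port, or on an IXP port whose peer has announced its prefixes, and none on a transit or peering link whose allowed set is effectively everything.

```python
"""BCP 38 / uRPF source-address validation, as an added illustration.
Link names, prefixes and routes below are constructed, not real."""
import ipaddress
from typing import Iterable, List, Tuple

Packet = Tuple[str, str]  # (source, destination)


class Link:
    """A router port plus the prefixes that may legitimately originate on it."""

    def __init__(self, name: str, allowed_sources: Iterable[str]):
        self.name = name
        self.allowed = [ipaddress.ip_network(p) for p in allowed_sources]

    def source_allowed(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        # 'in' is False across address families, so v4 sources never match v6 prefixes
        return any(ip in net for net in self.allowed)


def prefix_filter(link: Link, packets: Iterable[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Static ingress ACL: keep packets whose source lies inside the link's prefixes."""
    accepted, dropped = [], []
    for pkt in packets:
        (accepted if link.source_allowed(pkt[0]) else dropped).append(pkt)
    return accepted, dropped


def best_route(rib, ip: str):
    """Longest-prefix match; rib is a list of (prefix, outgoing_interface)."""
    addr = ipaddress.ip_address(ip)
    hits = [(net, iface) for net, iface in rib if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def urpf_strict(rib, arrival_iface: str, src: str) -> bool:
    """Strict uRPF: accept only if the best route back to the source leaves on
    the interface the packet arrived on."""
    return best_route(rib, src) == arrival_iface


def rib(entries):
    return [(ipaddress.ip_network(p), iface) for p, iface in entries]


# --- constructed scenario ---
# AS 123's customer port at its upstream: the operator knows what AS 123 originates.
CUSTOMER_PORT = Link("cust-AS123", ["203.0.113.0/24", "2001:db8:123::/48"])
# A transit/peering port towards AS 456: sources can be anywhere, so nothing is excluded.
TRANSIT_PORT = Link("peer-AS456", ["0.0.0.0/0", "::/0"])

SAMPLE_PACKETS = [
    ("203.0.113.7", "192.0.2.80"),           # genuine AS 123 source
    ("198.51.100.9", "192.0.2.80"),          # spoofed: not an AS 123 prefix
    ("2001:db8:123::1", "2001:db8:ff::80"),  # genuine AS 123 v6 source
]

# AS 789's forwarding table: AS 123's prefix is reached via the AS 456 peering.
AS789_RIB = rib([
    ("203.0.113.0/24", "peer-AS456"),
    ("192.0.2.0/24", "cust-A"),
    ("0.0.0.0/0", "peer-AS456"),
])

if __name__ == "__main__":
    print("customer port drops:", prefix_filter(CUSTOMER_PORT, SAMPLE_PACKETS)[1])
    print("transit port drops:", prefix_filter(TRANSIT_PORT, SAMPLE_PACKETS)[1])
    print("AS789 uRPF accepts forged 203.0.113.7 from AS456:",
          urpf_strict(AS789_RIB, "peer-AS456", "203.0.113.7"))
```

The uRPF result is forgottenpass's point: AS 789 cannot tell a genuine 203.0.113.7 from a forged one arriving over the AS 456 peering, because its best route to that prefix points at that very link, so strict uRPF passes both. The only place the forgery is cheaply rejectable is the port where 203.0.113.0/24 is known to originate, which is what meanduck's "peers already give their IP ranges" buys you at an IXP: a per-port prefix list derived from what the peer announces (or registers in an IRR), applied to source addresses rather than to routes.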
------
betaby
I would like to see stats from Tier1/Tier2/IX for that. Krebs claims it's
665Gbit/s
[https://twitter.com/briankrebs/status/778404352285405188](https://twitter.com/briankrebs/status/778404352285405188)
Such attack must be visible in many places, however not a single major ISP
reported that in mailing list. Previous smaller attacks were reported 'slowing
down' some regional ISPs. Perhaps ISPs got better.

~~~
morecoffee
In a world of 10 and 40 gigabit NICs, why is 665 considered big?

~~~
Jweb_Guru
Because you have to classify and filter out the spam packets before they reach
the intended host and content, which is really hard to do at line rate,
especially if you also plan to serve useful traffic.

~~~
tdy721
I really like this comment. I think you're saying that moving data is easy,
while computing the data hasn't kept up?

Then again, I could be reading into this too much, and the computing part has
always been a bottleneck at backbone level.

~~~
alkjshdkfjasdf
It seems to me that he's saying in order to move data at volume, you have to
compute on it.

Computation is tricky. Per-bit, if you can handle the network input, you're
probably able to fire packets up to the OS layer.

But when you need to run stats on the incoming data, e.g. an ML classifier of
"bad/not bad" or "stop/passthrough", you might be O(n^2) or worse. Moore's
can't hang.

~~~
dharma1
Interesting. What ML algos are used to classify packets against DDoS?

~~~
windowsworkstoo
None, really. It's mostly filters against common types of attacks at L3/L4,
then OODA. Variations from normal get looked at and custom filters applied as
appropriate.

And of course, there's lots of NOC to NOC back channel comms around this stuff
constantly to stay relatively on top of things.

------
panic
This recent talk about DDoS attacks is worth a watch if you're curious about
why it's a hard problem to solve:
[https://www.youtube.com/watch?v=79u7bURE6Ss](https://www.youtube.com/watch?v=79u7bURE6Ss)

~~~
dtnewman
Started watching this and he gives a great explanation of the issue. Thanks
for sharing.

------
WhitneyLand
This is bad PR for Akamai and a tactical error for them to boot Krebs even if
they were providing free service.

To some, the implication will be "they couldn't handle it" so why should
I trust the DDOS they are heavily promoting on their site?

At minimum they should comment on the situation, at best restore his service
and learn how to deal with high profile clients.

~~~
cft
Even if they tried to mitigate and quietly _semi_ failed (like 30% packet
loss) the PR would have been better. It could be that such attack takes down
their entire network hard. Verisign said a year ago to us they could mitigate
2Tbps for comparison.

~~~
pbarnes_1
Akamai can easily mitigate this.

They just don't want to provide it for free.

And pretty much no one can afford to use their services @ 655Gb/s for that
long unless they had billions of $.

~~~
cft
Well a single 48 hr mitigation costs 12k/yr contract. Unlimited mitigations
probably cost about 130k/yr. Either this negative PR is worth 12-100k in
savings for them or they would drop any paying customer if the attack is over
a certain threshold?

~~~
4ad
They might bill you that money, but on average it costs them less to provide
that service to you, otherwise they wouldn't make any money.

Because we don't know the operating margins and the distribution of DDoS costs
per customer, we can't infer how much this particular attack would cost
Akamai.

------
owenversteeg
The first thing a lot of people are thinking (and saying) is "switch to
Cloudflare". But there's another name I think needs to be said - OVH. OVH can
withstand a Tbps scale attack as far as I know, and it provides this to pretty
much anyone. They have a pretty good interface and some of their plans are
extremely cheap. They're also great at standing up for free speech, which I
really appreciate.

~~~
driverdan
OVH got hit with record attacks yesterday too:
[https://twitter.com/olesovhcom/status/778019962036314112](https://twitter.com/olesovhcom/status/778019962036314112)

~~~
onestone
Also, they claim to (soon) be able to filter up to 5 Tbps attacks:
[https://twitter.com/olesovhcom/status/778831449206231041](https://twitter.com/olesovhcom/status/778831449206231041)

------
flashman
> “I likely cost them a ton of money today.”

But more specifically, whoever launched the attack cost them that money.

Also, ha:

PING krebsonsecurity.com (127.0.0.1): 56 data bytes

~~~
kijin
It might be more useful to return the IP address of whoever made the DNS
query.

This could trick the computers that make up the botnet to either attack
themselves on the public interface (more resource-intensive than trying to
DDoS your own loopback), or even better, their ISP's resolvers (it would force
the ISP to do something about it).

~~~
staticfloat
With the recursive nature of DNS, I imagine that could get a little hairy as
the DDoS'ers would then be targeting whichever DNS servers they were using.

------
reustle
It would be interesting to try out some of these new p2p website technologies
like IPFS/WebTorrent with these high profile sites who are frequently
attacked.

~~~
vmp
+1 for IPFS

Hosting static blogs is really easy on IPFS (and if you absolutely can't live
without comments: use disqus) but the URL's are cryptic and you either need a
public IPFS gateway to access the site - which could get DDoS'ed - or run your
own.

Another alternative is ZeroNet but you still need to run the client to access
the site.

~~~
whyrusleeping
IPFS team member here:

If the URLs are cryptic, you can use dns to make them look nicer. Take a look
at the TXT record for ipfs.io, as well as the TXT record for _dnslink.ipld.io

Both of those websites are hosted through ipfs and have A (or CNAME) records
pointing to our gateways. You can also access this locally if you happen to be
running an ipfs daemon at
[http://localhost:8080/ipns/ipfs.io](http://localhost:8080/ipns/ipfs.io)

~~~
phunehehe0
A little hard to find, but this is well described in
[https://github.com/ipfs/examples/blob/5d77470eb5ae944aa54093...](https://github.com/ipfs/examples/blob/5d77470eb5ae944aa540934e5eeb71a9d862877f/examples/websites/README.md).

~~~
vmp
That's awesome, not sure if this was around last time I tried but it is still
hard to find, thanks! :)

------
xarope
I tried to get to an article on Krebs' site from a Bruce Schneier blog post,
and couldn't, then bumped into this post in HN.

It's a pity Akamai booted him off; on the one hand, I can understand that it
would significantly impact their SLAs to other customers, but on the other
hand it's a shame they don't have a lower impact network to re-host him on,
and use this as a learning lesson on how to better mitigate such DDoSs...

------
geofft
[https://twitter.com/briankrebs/status/779111614226239488](https://twitter.com/briankrebs/status/779111614226239488)

"Before everyone beats up on Akamai/Prolexic too much, they were providing me
service pro bono. So, as I said, I don't fault them at all."

------
josho
I'd love to learn more about these botnets. I wonder about things like What's
the average time that a compromised computer stays in this net. What is the
typical computer (grandmas old PC running XP). Do the ISPs ever get involved
to kill bots running on their networks?

~~~
yashinm92
This was a mixed traffic botnet. There are speculations that a large chunk was
from compromised IoT devices.

~~~
matt_wulfeck
How many IoT devices are out on the public internet at the moment?

and for the existing IOT devices, are they the same thing, or were different
exploits used for different devices?

~~~
yashinm92
How many on the public internet? Too many. Here are close to 100k IP cameras
on the public internet:
[https://www.shodan.io/search?query=ip+camera](https://www.shodan.io/search?query=ip+camera)

Again, the speculation that it is IoT devices is unfortunately just that.
However massive compromise of internet connected embedded devices is not new:
[http://internetcensus2012.bitbucket.org/paper.html](http://internetcensus2012.bitbucket.org/paper.html)

------
ChuckMcM
Wow, I figured that everyone that had hired vDOS would be irritated but that
is pretty impressive. Still it says a lot for how effective he has been at
rooting out this stuff, not like the TierN infrastructure folks have managed
to track this stuff down with their resources.

------
mirekrusin
Isn't this whole thing a bit silly? I mean what's the point? They just spend
time on making him the best marketing, he'll double his audience/readers, no?

~~~
Arcsech
The point isn't to cost Krebs readers most likely. It's to show off how
awesome this botnet is.

I'd guess the DDoSer is jumping with joy over this news actually, because now
the DDoSer can advertise his service with "I DDoSed Krebs so hard Akamai had
to drop him!"

------
VertexRed
These 'attackers' give Krebs more publicity than he would ever be able to
generate himself.

It's also useful to point out that Krebs hasn't been the only target as half
a dozen other large targets were attacked
[http://www.webhostingtalk.com/showthread.php?t=1599694](http://www.webhostingtalk.com/showthread.php?t=1599694)

------
zaidf
He should get a Facebook page and publish a copy of all his posts on it.

~~~
Jupe
Interesting idea, but probably doesn't go far enough...

Perhaps he should re-post his blog articles everywhere: Facebook, flickr,
Tumblr, Wattpad, WordPress, various feedback forums, etc.

Combat a DDoS attack with a DPD (distributed publishing defense - just made
that up)

~~~
nikcub
That would harm his business model, which is advertising.

It could work with Facebook Instant Articles, he may even be better off using
it since they source the advertising and have been out trying to poach and
source quality content.

------
Futurebot
Something about the platform-centric world we're in now is that this sort of
attack doesn't have the blocking power it once did: you can mirror your
content on Twitter, FB, G+, etc. and cross-link so people can still read your
stuff. This makes the "denial" part pretty watered down; it's a wonder people
even bother with these sorts of attacks anymore for non-services (i.e., for
regular media material like text, photos, etc.)

Of course, maybe the goal is to deny someone ad revenue, but that seems
awfully low-status for such a high-profile attack: "Yeah, we really got 'em!
Denied 'em AD REVENUE for a whole week!"

------
ckdarby
The ddos attacks seem to be getting larger these days.

I've recently seen a ~200 Gbit/s hit us.

Does anyone have good resources around mitigation? I was looking at the BGP
flowspec but was hopeful that someone might have come across other tactics?

~~~
betaby
Yes, here is a very good one described by OVH
[http://media.frnog.org/FRnOG_24/FRnOG_24-3.pdf](http://media.frnog.org/FRnOG_24/FRnOG_24-3.pdf)

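An added example (not from the thread, OVH's deck or any product) tying together the "filters at L3/L4, then look at variations from normal" description a few comments up and the BGP flowspec question just above. It learns a per-second packet-rate baseline for one destination from constructed flow records, flags seconds that deviate from it, characterises the dominant (protocol, port, flags) vector in those seconds, and renders a FlowSpec (RFC 5575) rule for it. The flow records, the victim address and the ExaBGP-style text layout of the rule are this example's assumptions; check the rendering against whatever controller you actually feed.

```python
"""Baseline-deviation detection over flow records, then a FlowSpec rule for
the dominant vector. Added example; all flows below are constructed."""
import statistics
from collections import Counter, defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst proto sport dport flags packets")
TARGET = "203.0.113.10"  # constructed victim address (documentation range)

# TCP flag letters used in the constructed records -> FlowSpec names
FLAG_NAMES = {"S": "syn", "A": "ack", "P": "push", "F": "fin", "R": "rst"}


def sample_flows():
    """Ten seconds of ordinary web traffic, then three seconds of SYN flood
    from 100 spoofed sources, at 1-second granularity (constructed data)."""
    flows = []
    baseline_pps = [50, 55, 48, 52, 60, 49, 51, 53, 47, 55]
    for sec, pps in enumerate(baseline_pps):
        for i in range(5):  # five clients share each second's packets
            share = pps // 5 + (1 if i < pps % 5 else 0)
            flows.append(Flow(sec, f"198.51.100.{i + 1}", TARGET, "tcp", 40000 + i, 80, "AP", share))
    for sec in (10, 11, 12):
        for i in range(100):
            flows.append(Flow(sec, f"192.0.2.{i}", TARGET, "tcp", 1024 + i, 80, "S", 200))
        flows.append(Flow(sec, "198.51.100.1", TARGET, "tcp", 40000, 80, "AP", 50))  # a real user
    return flows


def pps_by_second(flows, dst):
    per = defaultdict(int)
    for f in flows:
        if f.dst == dst:
            per[f.ts] += f.packets
    return dict(per)


def anomalous_seconds(flows, dst, baseline_until, sigmas=3.0):
    """Learn mean/stdev from the baseline window; flag later seconds above mean + k*sigma."""
    per = pps_by_second(flows, dst)
    base = [p for t, p in per.items() if t < baseline_until]
    threshold = statistics.mean(base) + sigmas * statistics.pstdev(base)
    flagged = sorted(t for t, p in per.items() if t >= baseline_until and p > threshold)
    return flagged, threshold


def dominant_vector(flows, dst, seconds):
    """Which (protocol, dst port, flags) carried most packets in the flagged seconds."""
    c = Counter()
    for f in flows:
        if f.dst == dst and f.ts in seconds:
            c[(f.proto, f.dport, f.flags)] += f.packets
    return c.most_common(1)[0]


def flowspec_rule(dst, proto, dport, flags="", action="discard"):
    """Render an RFC 5575 FlowSpec rule as ExaBGP-style 'flow route' text.
    The exact text form is this example's assumption; verify it against your controller."""
    match = [f"destination {dst}/32;", f"protocol {proto};", f"destination-port ={dport};"]
    if proto == "tcp" and flags:
        match.append("tcp-flags [ " + " ".join(FLAG_NAMES[c] for c in flags) + " ];")
    body = "\n".join("            " + m for m in match)
    return ("flow {\n    route {\n        match {\n" + body +
            "\n        }\n        then {\n            " + action + ";\n        }\n    }\n}")


def mitigation_for(flows, dst, baseline_until=10):
    """Detect, characterise, and propose one rule; None when nothing deviates."""
    secs, thr = anomalous_seconds(flows, dst, baseline_until)
    if not secs:
        return None
    (proto, dport, flags), pkts = dominant_vector(flows, dst, set(secs))
    return {"seconds": secs, "threshold": thr, "vector": (proto, dport, flags),
            "packets": pkts, "rule": flowspec_rule(dst, proto, dport, flags)}


if __name__ == "__main__":
    result = mitigation_for(sample_flows(), TARGET)
    print("flagged seconds:", result["seconds"], "threshold pps: %.1f" % result["threshold"])
    print(result["rule"])
```

Two caveats a practitioner would add. The generated rule discards every SYN to port 80, which also drops legitimate new connections; in practice you would rate-limit rather than discard, or narrow the match (packet length, source port) when the flood has a signature. And the value of flowspec is where the rule runs: pushed over BGP to the upstream's edge routers, the traffic is dropped before it reaches the link that is actually congested, which is the only thing that helps once the attack exceeds your own capacity.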
------
dmix
If you're curious what the source of the DDOS attacks are from, here is a
recent one that hit OVH:

> This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send
> >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn.

[https://twitter.com/olesovhcom/status/779297257199964160](https://twitter.com/olesovhcom/status/779297257199964160)

This is much higher than the Akamai attack on Krebs too. Welcome to the
wonderful side-effects of the totally insecure firmware of IoT...

------
redorb
Cloudflare should pick up the site for good advertising..

~~~
bdcravens
Cached version where Krebs paints picture of Cloudflare supporting DDoS:

[http://webcache.googleusercontent.com/search?q=cache:0uf9RIu...](http://webcache.googleusercontent.com/search?q=cache:0uf9RIu0ZswJ:krebsonsecurity.com/2015/01/spreading-the-disease-and-selling-the-cure/&num=1&hl=en&gl=us&strip=1&vwsrc=0)

------
rabboRubble
Here's a link to the last post from his website. Google did not appear to have
this cached:

[https://archive.fo/t94ve](https://archive.fo/t94ve)

~~~
anotheryou
relevant quote from that: ››Many readers have been asking whether this attack
was in retaliation for my recent series on the takedown of the DDoS-for-hire
service vDOS, which coincided with the arrests of two young men named in my
original report as founders of the service. I can’t say for sure, but it seems
likely related: Some of the POST request attacks that came in last night as
part of this 620 Gbps attack included the string “freeapplej4ck,” a reference
to the nickname used by one of the vDOS co-owners.‹‹

~~~
24gttghh
I'd err on the side of caution and consider that string a Red Herring without
more evidence to corroborate the claim. It is a nice coincidence though...

~~~
anotheryou
I'm just here for the popcorn :)

------
desireco42
I understand that this is burning bandwidth for Akamai, but seriously, taking
into account what is at stake here, I think they need to do their share and
continue to support Brian.

------
marmot777
Brian Krebs is a hero. Are Akamai executives cowards for dumping him? I'd like
to add that law enforcement are heroes.

And it's honorable he wants to meet Fly in person, recognizing him as a human
being. I haven't read it yet but I'm assuming the reference to 12-step hints
that Fly's having some post alcohol binge regrets.

I'm sure alcohol makes it easier to hurt other human beings, which is why
violent people are often drunk. I'd be ashamed of myself if I woke up
realizing that I'd spent my life actively trying to harm other human beings
for money, feeling no remorse until Karma (here defined as law enforcement
officials) finally caught up with me.

~~~
marmot777
After looking into this more I see that even Krebs himself does not blame
Akamai for dumping him so I regret that part of my post.

------
sfifs
I'm wondering if the rising scale of these attacks & the seeming ease with
which sites can be taken down will ultimately result in an "authenticated"
internet - ie. you can't even connect without identity verification.

We already see publishing through FB Instant Articles etc. moving in that land
on top of the current internet, to combat these types of firehose attacks, the
only solution may be to take authentication one level deeper into the
connection level.

That of course sounds good to security agencies as that's the end of anonymity
online.

~~~
x1798DE
I doubt it. I think a lot of these attacks (though possibly not this one)
would not even be possible if ISPs did egress filtering of packets with
spoofed IPs, and yet ISPs don't seem to be implementing even this feature. It
seems unlikely that they would leap frog this and start requiring some sort of
identity verification, just to solve DDoS problems.

Additionally, in situations that don't make heavy use of amplification (where
egress filtering doesn't help much), the way it's usually accomplished is by
compromising a bunch of hosts - home computers, routers, etc, and assembling a
botnet. In those cases, if your device is compromised, it would authenticate
as you anyway, so such a scheme would solve nothing.

~~~
sfifs
>>In those cases, if your device is compromised, it would authenticate as you
anyway, so such a scheme would solve nothing.

But if you had authenticated access, you could find exactly which C&C server
controlled that botnet node and then who controlled that C&C server right? All
these attacks depend on some form of amplification - if only to go from C&C
servers to botnet. If just being on the network required authentication, you
could trace back network connections and ID the controller even if attack was
by a botnet.

~~~
x1798DE
I don't think the imperfect mapping between IP and user is the real problem
with tracking down botnet controllers. You have a network of compromised
hosts, and you can disguise yourself as one of them. There are lots of schemes
for this sort of thing when you have a whole bunch of compromised machines
under your control. For example, even if you made it illegal to run a Tor
node, you could still just have your compromised network of hosts start
running their own Tor (are you going to arrest all the people who just got a
virus that starts a Tor network?) and you deliver commands from a hidden
service. That's a huge effort on the part of society (banning Tor,
implementing that, etc) that's easily circumvented.

In any case, like I said, you can't even get ISPs to do _egress filtering of
spoofed IPs_ , so even if it _were_ going to solve DDoS, I don't think you'll
get them on board for all the complications of implementing the protocols
necessary and buying the equipment necessary to log all the traffic necessary
to track down botnet controllers (who may be in a country where knowing who
they are won't help you much anyway).

------
mirekrusin
It's funny how my mom after reading "record cyberattack" would be wondering
how many poor people died but what it means is that somebody was downloading
images from website many times.

------
jsjohnst
There are a number of factors that go into play (did the site use custom SSL,
what edge locations were they providing caching in, etc), but had Krebs been a
normal paying customer, this could easily have been over a million dollar
bill (if it was sustained long enough to alter his 95th percentile bracket) in
the cheapest case. If things like custom SSL are in the mix (which Akamai
charges absurdly high prices for), or lots of traffic from more expensive
POPs, or lack of already having pricing commensurate with high volume traffic
commitments, the bill could've been 5-10x that amount or more.

------
atombath
It's kind of stupid to me that the massive and advanced cdn of akamai protect
something as non-important as a blog against such a major ddos attack. If they
were doing it pro-bono wouldn't the prudent action be to mitigate ddos's until
a certain threshold and then actually assess the value of what you are
protecting? A good lesson to have learned, I believe.

But no, they'll drop this client which had to have continually given good
referrals.

------
exolymph
It would be interesting if he started writing on Medium (not saying
technically advisable, just interesting). I wonder if he'd ever consider
trying that.

~~~
okwhatthe2
Why would it be interesting?

~~~
exolymph
To see how Medium would deal with massive DDoS attacks and whether they'd kick
Krebs off.

------
tuna-piano
Some are guessing the DDOS was because of this recent post of his, about a
large DDOS network.

[http://webcache.googleusercontent.com/search?q=cache:kaymYsb...](http://webcache.googleusercontent.com/search?q=cache:kaymYsbcGc8J:krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/+&cd=1&hl=en&ct=clnk&gl=us)

------
EGreg
Why don't we switch to a distributed network with a DHT like freenet? So many
benefits, including not being able to take down content via DDOS.

~~~
JamesLeonis
The DHT can still be attacked. Here's three methods:

1: Take out the bootstrap nodes. These are several nodes that bootstrap a new
client into the DHT system. BitTorrent, Inc. keeps a couple such nodes. On
first boot, the client registers its DHT address and collects a few from the
bootstrapping node. The client can then traverse the network itself. By
knocking out these nodes, newly started clients now have to browse the whole
IP space for possible DHT clients, which is not feasible.

2: Attack the peers themselves. A malicious program could traverse the network
searching for DHT peers in the same way. At first, it would only collect a
large number of DHT addresses and their corresponding nodes. Once a sufficient
mass is gained, each is targeted with a low level DDOS to knock them offline
to further requests. Most of these peers will be homes and local ISPs, which
can't effectively deal with DDOS traffic themselves. Others trying to connect
to a down client will eventually remove them from their own address space for
later queries.

3: Poison DHT peers. This is probably the hardest, but once complete could
poison an entire network with a switch. On each of your compromised Bot
machines, you make a valid DHT node. Make a LOT of these (like a Botnet). For
the most part, participate correctly with the DHT network. Collect as many
valid/real DHT user and content addresses as you can and host them in your
nodes. When it's time to attack, prevent these valid DHT addresses from
resolving on inquiry. Even better, make them go in the wrong direction and
infinitely pass around requests to other poisoned bots in your ring to prevent
resolution but not hang the process. This is especially useful for content
attacks because it attacks the content addresses themselves.

~~~
Dylan16807
1a. A system could be made for bootstrap links that have the addresses of a
few nodes in them.

1b. When you have 10 million nodes like torrents, you _can_ go searching
random IPs. As long as many nodes bind to the same ports.

2. Sure, if you have comparable bandwidth to the entire network you can take
it down. But that's a lot harder than overwhelming a single target. Nobody can
send 20mbps each to millions of IPs.

3. This is the method that takes the least resources, but pretty good
countermeasures can be made.

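The third method above (poisoned peers that "go in the wrong direction and infinitely pass around requests") and the reply's claim that countermeasures exist can both be shown on a toy Kademlia-style DHT. This is an added example, not code from the thread or from any DHT implementation: 8-bit node IDs, K=3, a constructed set of honest and poisoned nodes, and content stored on the honest node closest to the key. It contrasts a naive walker that trusts each referral with the iterative closest-first lookup real Kademlia clients use, and it exercises the bootstrap question (point 1 / 1a) by starting the lookup from a poisoned contact alone versus a poisoned contact plus one honest address.

```python
"""Toy Kademlia-style DHT lookup under the 'poisoned peers' attack from the
thread. Added example; IDs are 8-bit and the node set is constructed."""
ID_BITS = 8
K = 3            # bucket size and size of the closest set
MAX_ROUNDS = 20  # hard stop so a poisoned ring cannot make a lookup spin forever


def dist(a, b):
    return a ^ b  # Kademlia XOR metric


class Node:
    def __init__(self, nid, honest=True):
        self.id = nid
        self.honest = honest
        self.buckets = [[] for _ in range(ID_BITS)]
        self.store = {}

    def known(self):
        return [peer for bucket in self.buckets for peer in bucket]

    def find_value(self, key, net, attacking):
        """Answer a FIND_VALUE as (value, referrals). Honest nodes return the
        value if they hold it, else the K peers they know closest to the key.
        A poisoned node behaves correctly until the attack is switched on, then
        refers only to other poisoned nodes, farthest from the key first."""
        if key in self.store:
            return self.store[key], []
        if self.honest or not attacking:
            return None, sorted(self.known(), key=lambda p: dist(p, key))[:K]
        ring = [p for p, n in net.items() if not n.honest and p != self.id]
        return None, sorted(ring, key=lambda p: -dist(p, key))[:K]


def build_tables(net):
    """Kademlia routing tables: one bucket per bit of XOR distance, K closest per
    bucket. Poisoned nodes took part correctly, so honest tables contain them."""
    for n in net.values():
        for b in range(ID_BITS):
            cands = [o for o in net if o != n.id and dist(n.id, o).bit_length() - 1 == b]
            n.buckets[b] = sorted(cands, key=lambda o: dist(n.id, o))[:K]


def naive_walk(net, start, key, attacking):
    """Hop to whatever referral looks closest, trusting each answer."""
    cur = start
    for _ in range(MAX_ROUNDS):
        value, refs = net[cur].find_value(key, net, attacking)
        if value is not None:
            return value
        if not refs:
            return None
        cur = min(refs, key=lambda p: dist(p, key))
    return None  # went round the poisoned ring until the cap


def iterative_lookup(net, bootstrap, key, attacking):
    """Kademlia-style lookup: keep a shortlist, query only the closest not-yet-
    queried nodes, stop when the K closest known nodes have all answered."""
    shortlist, queried = set(bootstrap), set()
    for _ in range(MAX_ROUNDS):
        closest = sorted(shortlist, key=lambda p: dist(p, key))[:K]
        todo = [p for p in closest if p not in queried]
        if not todo:
            return None  # converged without finding the value
        for p in todo:
            queried.add(p)
            value, refs = net[p].find_value(key, net, attacking)
            if value is not None:
                return value
            shortlist.update(refs)  # far-away referrals never make the closest set
    return None


HONEST = [10, 40, 75, 100, 130, 160, 200, 230]   # constructed node IDs
POISONED = [50, 120, 180, 250]
KEY = 102
VALUE = "content for key 102"


def build_network():
    net = {i: Node(i) for i in HONEST}
    net.update({i: Node(i, honest=False) for i in POISONED})
    build_tables(net)
    owner = min(HONEST, key=lambda i: dist(i, KEY))  # content lives on the closest honest node
    net[owner].store[KEY] = VALUE
    return net


if __name__ == "__main__":
    net = build_network()
    print("no attack, naive walk from 10:       ", naive_walk(net, 10, KEY, False))
    print("attack, naive walk from poisoned 120:", naive_walk(net, 120, KEY, True))
    print("attack, iterative from [120] only:   ", iterative_lookup(net, [120], KEY, True))
    print("attack, iterative from [120, 10]:    ", iterative_lookup(net, [120, 10], KEY, True))
```

The last two lookups map onto the thread. A client whose only bootstrap contact is poisoned (method 1 combined with method 3) is eclipsed no matter how careful its lookup is, because everything it ever learns comes from the ring. The same client with one honest address from a bootstrap link (the reply's 1a) resolves the key, since the iterative lookup only spends queries on nodes closer than the ones it already knows, so the "wrong direction" referrals are collected and never followed, and the query count is bounded rather than hanging. What this toy does not model is poisoned nodes choosing IDs adjacent to the key so that the K closest nodes really are all hostile; against that you need content addressing with hash verification (which IPFS has) and constraints on node IDs, not a smarter walker.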
------
saganus
So if Akamai can't hold an attack of this size, who can?

Or is it that they actually can hold it off but it costs too much money?

~~~
jedisct1
Cloudflare and OVH (that got a 1.1 Tb attack around the same time, the biggest
in history) certainly have the capacity to hold attacks of that size.

Akamai may also have the capacity, but bandwidth is not free.

------
Igalze
Unbelievable, they enjoyed years of free publicity from association with him,
and this is how they repay him. It's bad enough that they couldn't handle the
attack, despite all the bragging about their multi-Tbps capacity...

------
nodesocket
Brian Krebs wasn't a paying customer right? Akamai provided the service pro
bono. Perfectly acceptable for them to suspend service if it becomes more than
trivial in terms of cost or it puts their paying customers at risk.

------
nodesocket
I've always wondered if your domain is under a http DDoS attack, couldn't you
in theory update your DNS A record to another ip and take other servers down
(maliciously)?

~~~
Jweb_Guru
Most DDOS attacks are launched directly against the IP, so it wouldn't really
help.

------
Globz
At this scale it must also cost a ton of money to carry out this attack, I
wonder if there's a vulnerability that we don't know about that let them do
this so easily?

~~~
toomuchtodo
> At this scale it must also cost a ton of money to carry out this attack

It doesn't; you're using compromised machines to initiate the attacks, which
is free to you.

~~~
derefr
You're almost never using machines _you_ compromised. Instead, you're using
someone _else 's_ compromised machines: a botnet-backed DDoS-ing service,
which you rented on the open (black) market, at the going rate. Bigger attacks
_still_ cost more in such setups—whether or not the botnet nodes were free to
acquire, the resulting network is still a scarce resource whose price rises
with demand.

(Of course, in the very special case of Krebs, the people he is reporting on
frequently _are_ the owners of the botnets, who can of course use their own
botnets freely.)

------
dragonbonheur
Are there web servers or software that blacklist IP addresses that disconnect
after a short time and redirect them to a static page?

~~~
samplonius
Yes, but they can be flooded as well. Every system is going to have a finite
capacity. And if the capacity is exceeded, the system will slow. If the
capacity is significantly exceeded, it will become unreachable itself.

So if the capacity of your system is X Gbps, then it will start to have
problems if the attacker sends X + 1 Gbps. And will probably be completely
unreachable if the attacker sends X * 2 Gbps.
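The two points in this exchange (a per-source blocklist that sends offenders to a static page, and the fact that the box doing it still has a finite capacity X) can be shown together in a small simulation. This is an added illustration written for this thread, not code from Akamai, Prolexic or any product mentioned here; the thresholds, the capacity figure and the request samples are all constructed values.

```python
"""Per-source rate limiting with a temporary blocklist, plus a crude
capacity ceiling, run over constructed request records.

Added illustration for this thread, not software from Akamai, Prolexic or
any project mentioned here. Thresholds, sample traffic and the "static page"
response are made-up placeholders.
"""
from collections import defaultdict, deque

# Constructed policy values (assumptions, not from any real deployment).
WINDOW_SECONDS = 10             # sliding window per source IP
MAX_REQUESTS_PER_WINDOW = 5     # more than this in the window -> blocklist
BAN_SECONDS = 60                # how long an offender gets the static page
SERVER_CAPACITY_PER_SEC = 8     # total requests/sec the origin can serve ("X")

STATIC_PAGE = "429 static: too many requests"
SERVED = "200 served"
OVERLOADED = "503 overloaded"


class Limiter:
    def __init__(self):
        self.history = defaultdict(deque)       # ip -> request timestamps in window
        self.banned_until = {}                  # ip -> time the ban expires
        self.served_per_sec = defaultdict(int)  # second -> requests the origin served

    def handle(self, ts, ip):
        """Return the response class for one request at time ts from ip."""
        # 1. Already on the temporary blocklist: cheap static answer, no origin work.
        until = self.banned_until.get(ip)
        if until is not None:
            if ts < until:
                return STATIC_PAGE
            del self.banned_until[ip]
        # 2. Sliding-window count for this source.
        q = self.history[ip]
        q.append(ts)
        while q and q[0] <= ts - WINDOW_SECONDS:
            q.popleft()
        if len(q) > MAX_REQUESTS_PER_WINDOW:
            self.banned_until[ip] = ts + BAN_SECONDS
            q.clear()
            return STATIC_PAGE
        # 3. Global capacity: well-behaved sources suffer too once the
        #    aggregate exceeds what the origin can serve (the "X + 1" point).
        sec = int(ts)
        if self.served_per_sec[sec] >= SERVER_CAPACITY_PER_SEC:
            return OVERLOADED
        self.served_per_sec[sec] += 1
        return SERVED


def run(requests):
    """requests: iterable of (ts, ip). Returns {response_class: count}."""
    lim = Limiter()
    counts = defaultdict(int)
    for ts, ip in requests:
        counts[lim.handle(ts, ip)] += 1
    return dict(counts)


def single_abuser():
    # Constructed sample: one source sending 20 requests within a second,
    # plus one legitimate client. The abuser is blocklisted after 5 hits and
    # the legitimate client is still served.
    reqs = [(i * 0.01, "203.0.113.7") for i in range(20)]
    reqs.append((0.5, "198.51.100.2"))
    return run(sorted(reqs))


def many_sources():
    # Constructed sample: 40 distinct sources, each below the per-IP
    # threshold, all inside one second. Nothing is blocklisted, yet the
    # origin's capacity is exceeded and the legitimate client at 0.9 s
    # gets the overload response.
    reqs = [(i * 0.02, f"192.0.2.{i}") for i in range(40)]
    reqs.append((0.9, "198.51.100.2"))
    return run(sorted(reqs))
```

The second scenario is the answer's real point: per-IP blocklisting handles one noisy source, but a distributed attack stays under every per-source threshold and still exhausts the aggregate capacity, and the blocklisting box itself is subject to the same arithmetic.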

------
snowy
krebsonsecurity.com is now resolving to localhost. I guess he doesn't want to
give the DDoSers a target.....

------
csomar
I'm really interested to read his blog now. Any way I can find a readable
version for his blog posts?

~~~
daveloyall
[https://web.archive.org/web/20160922124922/http://krebsonsec...](https://web.archive.org/web/20160922124922/http://krebsonsecurity.com/)

------
EJTH
Too bad, I had some nice reads on his website. Hopefully this will only be
temporary...

------
shshhdhs
So the attackers win..

------
ttam
so long for using a CDN to protect from DDOS attacks...

~~~
brazzledazzle
This was Prolexic, a DDoS protection service purchased by Akamai.

------
known
Is it according to terms/conditions of Akamai?

~~~
Twirrim
Akamai were providing him hosting free of charge, but the size of the attack
will have had not insignificant financial impact on them, and on their
customers. It's completely understandable that they've chosen to terminate
their hosting agreement at this time.

[https://twitter.com/briankrebs/status/779111614226239488](https://twitter.com/briankrebs/status/779111614226239488)
[https://twitter.com/briankrebs/status/779062433902170112](https://twitter.com/briankrebs/status/779062433902170112)

------
hetfeld
You'll be redirected in... never redirected.

------
dragonbonheur
Who profits from this attack?

~~~
wmf
Someone's ego.

------
pitaj
tl;dr Akamai was hosting his site pro bono. His site was being DDOSed, which
cost Akamai a ton of money, so they kicked him off since they were literally
only losing money on the deal.

~~~
dingaling
> tl;dr Akamai was hosting his site pro bono

Let us not permit companies to co-opt language for their benefit.

If it was genuinely _pro bono_ (lit: for the public good) then they would
have taken all steps possible to keep the site online since the public good
was served more by having Mr Krebs online than not.

However, in this case they were hosting him free-of-charge because it was good
publicity for them. That's a very different scenario.

~~~
fastball
Krebs is the one who used the term "pro bono".

Besides, _pro bono_ isn't _literally_ "for the public good", it is _literally_
"for good".

Finally - that is a ridiculous standard to hold everything categorized as "pro
bono" to. Law firms oftentimes take on cases/clients that can't afford their
services, _pro bono_. Because they call it _pro bono_, does that necessitate
that said law firm should continue to fight all _pro bono_ cases in court
until either A. they win or B. they go bankrupt? Of course not.

~~~
jamestnz
Well, to be fair to the parent poster (and without going deeper into the
merits of this side-argument), I'd note that the expression "pro bono" as
generally used in English is actually short for "pro bono publico" which
_does_ in fact mean "for the public good".

Law firms (and other professional services firms) call it "pro bono" when they
use their specific skill-set to provide their services to those (e.g. the
indigent) who couldn't otherwise afford them.

In that example, it's the fact that the indigent can get access to quality
legal representation which is itself considered the "public good".

~~~
fastball
I get that. My point about law firms is that most of them won't take pro bono
cases all the way to the supreme court (or equivalent). i.e. there is a limit
to how much manpower they are willing to expend on a charity case.

In the same way, expecting Akamai to provide free service to Krebs until the
end of time because it was referred to as pro bono (even if it was them, which
it wasn't) would be silly.

tl;dr - Akamai provided a service that could be seen as publicly beneficial.
As long as they were providing free service to Krebs, they were doing
something that was arguably _pro bono_. Them no longer choosing to provide
that service does not retroactively detract from its public benefit.

------
yAnonymous
Time to use Github pages.

------
ninja-wannabe-7
Should've used CloudFlare.

------
rasz_pl
I think it's time for some serious financial incentives for ISPs to start
getting serious about routing (or rather not routing) garbage. Financial fines
for every DOS originating from your AS, or blacklisting if you are a repeated
offender.

~~~
samplonius
There is an incentive: it is the cost of transit. However, there usually are
not a lot of zombies per single ISP for the access level ISP to even see any
abnormal traffic.

The best thing is that access ISPs need to implement BCP38
([https://tools.ietf.org/html/bcp38](https://tools.ietf.org/html/bcp38)). And
shut down all open recursive DNS servers. It would be great if Microsoft didn't
ship such a retarded DNS server too. I would say that most ISPs do not do
this.

NTP really should be replaced with something better. There are still large
numbers of NTP amplification attacks going on. The big issue with NTP today
is that by default ntpd in daemon mode is also an NTP server and responds to
NTP requests. And so many of the two bit home routers run ntpd.

But the reality is, that no one is even reporting DDoSes right now. I work at
an ISP, and I haven't seen a DDoS report in the past year. We pro-actively
scan for open DNS and open NTP services. But many DDoS attacks just use
regular HTTP/HTTPS, and are hard to detect at the individual network connection
level. Do you think Akamai sent out a single notice to any ISPs, saying "The
following X IPs are sending excessive traffic to site Y, and are suspected to
be part of a botnet"?
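The two access-ISP controls named in this reply, BCP38 ingress filtering on customer ports and proactively finding customer hosts that answer DNS or NTP to the whole Internet, can be sketched over flow records. This is an added illustration for the thread, not code from any ISP, router vendor or the BCP38 document itself; the port-to-prefix table, the flow samples (RFC 5737 documentation addresses) and the alert ratio are constructed assumptions.

```python
"""BCP38-style ingress filtering plus a simple amplifier finder, run over
constructed flow records.

Added illustration for this thread; not code from any ISP, router vendor
or the BCP38/RFC 2827 document. The prefix table, flow records and ratio
threshold are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed access-port table: the customer prefixes legitimately sourced
# behind each ingress interface. Uplinks carry the whole Internet and are
# not subject to the customer-prefix check.
PORT_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/26")],
    "ge-0/0/2": [ipaddress.ip_network("198.51.100.0/24")],
}
UPLINK_PORTS = {"xe-1/0/0"}

# UDP services commonly abused for amplification, keyed by service port.
AMPLIFIER_PORTS = {53: "dns", 123: "ntp"}
AMPLIFICATION_RATIO = 10.0   # assumed alert threshold: reply bytes / query bytes


def bcp38_verdict(ingress_port, src_ip):
    """Forward a packet from a customer port only if its source address lies
    in a prefix assigned to that port; anything else is spoofed and dropped
    at the edge, which is the whole point of BCP38. Unknown ports get no
    benefit of the doubt."""
    if ingress_port in UPLINK_PORTS:
        return "forward"
    addr = ipaddress.ip_address(src_ip)
    allowed = PORT_PREFIXES.get(ingress_port, [])
    return "forward" if any(addr in net for net in allowed) else "drop"


def filter_flows(flows):
    """flows: list of dicts with port, src, dst, sport, dport, bytes.
    Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for f in flows:
        bucket = forwarded if bcp38_verdict(f["port"], f["src"]) == "forward" else dropped
        bucket.append(f)
    return forwarded, dropped


def find_amplifiers(flows):
    """Flag hosts that answer on DNS/NTP with far more bytes than they take in
    on the same service: the signature of an open resolver or an ntpd that
    answers the world. Returns {host_ip: (service, ratio)}."""
    in_bytes = defaultdict(int)    # (host, service) -> bytes received on the service port
    out_bytes = defaultdict(int)   # (host, service) -> bytes sent from the service port
    for f in flows:
        if f["dport"] in AMPLIFIER_PORTS:
            in_bytes[(f["dst"], AMPLIFIER_PORTS[f["dport"]])] += f["bytes"]
        if f["sport"] in AMPLIFIER_PORTS:
            out_bytes[(f["src"], AMPLIFIER_PORTS[f["sport"]])] += f["bytes"]
    found = {}
    for key, sent in out_bytes.items():
        received = in_bytes.get(key, 0)
        ratio = sent / received if received else float("inf")
        if ratio >= AMPLIFICATION_RATIO:
            found[key[0]] = (key[1], ratio)
    return found


def sample_flows():
    """Constructed flow records (not captured traffic)."""
    def flow(port, src, dst, sport, dport, nbytes):
        return {"port": port, "src": src, "dst": dst, "sport": sport, "dport": dport, "bytes": nbytes}
    return [
        # ordinary customer web traffic: forwarded
        flow("ge-0/0/1", "192.0.2.10", "203.0.113.5", 40000, 443, 1200),
        # customer port emitting a packet with a source it was never assigned: dropped
        flow("ge-0/0/1", "203.0.113.9", "198.51.100.50", 123, 123, 4000),
        # two small DNS queries from outside to a customer host, two big replies back
        flow("xe-1/0/0", "203.0.113.77", "198.51.100.20", 51000, 53, 60),
        flow("ge-0/0/2", "198.51.100.20", "203.0.113.77", 53, 51000, 3000),
        flow("xe-1/0/0", "203.0.113.78", "198.51.100.20", 51001, 53, 60),
        flow("ge-0/0/2", "198.51.100.20", "203.0.113.78", 53, 51001, 3000),
        # a normal NTP exchange: request and reply the same size, nothing to flag
        flow("xe-1/0/0", "203.0.113.80", "192.0.2.11", 45000, 123, 48),
        flow("ge-0/0/1", "192.0.2.11", "203.0.113.80", 123, 45000, 48),
    ]
```

Run `find_amplifiers` over the forwarded set rather than all flows: once BCP38 has dropped the spoofed packet, what remains is the traffic a customer host genuinely sent, and only the open resolver at 198.51.100.20 (50 bytes out per byte in) trips the ratio, while the normal NTP client at 192.0.2.11 does not.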

------
codedokode
Such attacks are possible because the Internet is decentralized. There is no way
to tell peers that you don't want to get traffic from some AS.

And investigation is difficult because attacking nodes might be in different
countries, in some of which DDOS attacks are not illegal.

Maybe it is time to start building international firewalls to protect local
infrastructure?

~~~
24gttghh
That would be quite the Great Firewall...

