In-brief: A massive distributed denial of service attack has taken a crusading cybercrime journalist’s website offline and compromised cameras, broadband routers and other Internet of Things devices are playing a part in the attack.
KrebsonSecurity.com, the web site of journalist Brian Krebs, has been offline since Tuesday, when a massive wave of bogus Internet traffic measured at more than 600 Gigabits per second overwhelmed the site’s web server and strained the network of Akamai, a content delivery network provider that had helped divert previous attacks on the site.
In recent years, Mr. Krebs has become a leading authority on the workings of the cyber underground. His website has exposed numerous cyber criminals and cyber criminal groups linked to large scale hacks at retailers like Target and Home Depot, hotel chains and restaurants.
That pioneering work has made Krebs and his site a target. Krebsonsecurity.com has been knocked offline many times as a result of denial of service attacks. Krebs has also been the victim of pranks like “SWATing,” in which hackers make calls to local police claiming that a crime is being committed at an address, resulting in a tactical (or SWAT) team being sent to the address. In July, Mir Islam, a New York man, was sentenced to 24 months in prison for his role in SWATing attacks on Krebs and other celebrities.
The latest attack on his site began on Tuesday, September 20, according to a report that Krebs issued on Wednesday. It was, reportedly, the largest such attack ever recorded, measuring in at more than 600 Gigabits per second and lasting for more than two days, according to an expert with direct knowledge of the incident.
So large and long-lived was the attack that Akamai, a content delivery network provider that works with most of the world’s leading web sites, was forced to stop hosting KrebsonSecurity.com on Thursday. The company had offered to protect Mr. Krebs’s site on a pro bono basis in recent years, as attacks against the site stepped up.
A source with knowledge of the attack who asked not to be named because he did not have permission to discuss the matter said that the cost for Akamai to deflect such a large and sustained DDoS was substantial and untenable, given that Krebs was not a paying customer. For his part, Mr. Krebs used his Twitter account on Thursday to thank both Akamai and the firm Prolexic for their assistance and said he bore them no ill will.
In an email to Security Ledger, Mr. Krebs said that, after learning that Akamai would be dropping its protection of his site, he took steps to protect his web hosting provider from bearing the brunt of the massive attack, instructing them to route requests for his site to a non-routable (or “null”) Internet address, so that the flood is discarded rather than delivered to a server.
Speaking to The Security Ledger, Akamai Chief Security Officer Andy Ellis said that the company is still researching the denial of service attack that hit Mr. Krebs’s site, but said that his was one of a small number of sites – most based in Europe – that were on the receiving end of the flood of traffic. Ellis said the attack was almost certainly larger than 600 Gbps. The previous high for a denial of service attack measured by Akamai was 363 Gbps in the second quarter of this year.
Many of the previous so-called “mega attacks” were generated by DNS reflection (or amplification) attacks, in which attackers send small DNS queries with a forged source address – the victim’s – to open DNS resolvers, which then send their much larger responses to the victim site. No flaw in the victim’s own systems is needed; the attack abuses the fact that UDP does not verify the sender’s address and that a DNS response can be many times the size of the query that triggered it.
In the case of the attack on Krebsonsecurity.com, however, the method of choice was a GET flood, in which compromised systems send HTTP “GET” requests directly to the victim web site, Ellis said. Such attacks are harder to defend against than reflection attacks, whose traffic has a recognizable signature (for example, UDP packets arriving from source port 53) and can be blocked en masse; each request in a GET flood looks like an ordinary visitor and has to be judged individually.
“There’s more work defending against directed versus reflection attacks,” Ellis said. “You have to adapt your defenses.”
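To make the difference between the two attack styles concrete, here is an added illustration (not code from Security Ledger, Akamai or Mr. Krebs) that runs a coarse filter over constructed flow records of a DNS reflection flood and then looks for a GET flood in constructed web server access log lines. All addresses are from the RFC 5737 documentation ranges, the traffic is made up for the example, and the thresholds (30 requests per source per minute, 20 sources sharing one user agent and path) are assumptions, not figures from the article.

```python
"""Added example: why a reflection flood can be dropped with one coarse rule
while a GET flood has to be scored source by source.

All flows and log lines are constructed for this illustration.
"""
import re
from collections import Counter, defaultdict

VICTIM = "203.0.113.10"

# --- Part 1: a DNS reflection flood as flow records ---------------------
# Record: (proto, src_ip, src_port, dst_ip, dst_port, bytes).
# The attacker sent small queries with VICTIM as the spoofed source to 40
# open resolvers; each resolver's large *response* lands on VICTIM.
REFLECTION_FLOWS = [
    ("udp", f"198.51.100.{i}", 53, VICTIM, 40000 + i, 3800) for i in range(1, 41)
] + [
    ("tcp", "192.0.2.7", 51234, VICTIM, 443, 900),  # an ordinary HTTPS visitor
    ("udp", "192.0.2.9", 53, VICTIM, 55555, 120),   # reply to a query VICTIM made
]


def reflection_filter_stats(flows, victim):
    """Apply the rule 'drop UDP datagrams from source port 53 bound for the
    victim' and report how much of the traffic it removes. The rule never
    inspects content, which is what makes it cheap at 100s of Gbps; the
    price is that the one genuine DNS reply is dropped too."""
    total = sum(f[5] for f in flows if f[3] == victim)
    dropped = sum(f[5] for f in flows
                  if f[3] == victim and f[0] == "udp" and f[2] == 53)
    reflectors = {f[1] for f in flows if f[0] == "udp" and f[2] == 53}
    return {"total_bytes": total, "dropped_bytes": dropped,
            "dropped_fraction": round(dropped / total, 3),
            "distinct_reflectors": len(reflectors)}


# --- Part 2: a GET flood as combined-format access log lines --------------
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_access_log(line):
    """Parse one combined-format log line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def build_log():
    """Constructed log: 25 bots each sending 8 GETs in one minute (below
    any per-IP rate limit) with an identical user agent and path, plus 3
    real visitors browsing normally."""
    ts = "20/Sep/2016:20:00:%02d +0000"
    lines = []
    for i in range(1, 26):
        for s in range(8):
            lines.append(f'198.51.100.{i} - - [{ts % s}] "GET / HTTP/1.1" 200 5120 '
                         f'"-" "Mozilla/5.0 (compatible; bot-ua)"')  # assumed UA
    for i, path in enumerate(["/", "/about/", "/2016/09/"], start=1):
        lines.append(f'192.0.2.{i} - - [{ts % (i * 10)}] "GET {path} HTTP/1.1" 200 8000 '
                     f'"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/49.0"')
    return lines


def find_get_flood_sources(lines, per_ip_threshold=30, cluster_min_sources=20):
    """Two signals a GET flood defender has to compute per request: the
    per-source request count (rate limiting) and clusters of many sources
    issuing the identical (user agent, path) pair. Neither is a protocol-
    level property, so nothing here can be dropped by a port/proto rule."""
    per_ip = Counter()
    cluster = defaultdict(set)  # (ua, path) -> set of source IPs
    for line in lines:
        rec = parse_access_log(line)
        if rec is None or rec["method"] != "GET":
            continue
        per_ip[rec["ip"]] += 1
        cluster[(rec["ua"], rec["path"])].add(rec["ip"])
    by_rate = {ip for ip, n in per_ip.items() if n > per_ip_threshold}
    by_cluster = set()
    for sources in cluster.values():
        if len(sources) >= cluster_min_sources:
            by_cluster |= sources
    return {"by_rate": by_rate, "by_cluster": by_cluster,
            "parsed": sum(per_ip.values())}


if __name__ == "__main__":
    print(reflection_filter_stats(REFLECTION_FLOWS, VICTIM))
    res = find_get_flood_sources(build_log())
    print(len(res["by_rate"]), "sources over the rate limit;",
          len(res["by_cluster"]), "sources flagged by clustering")
```

In the first part a single stateless rule removes over 99% of the flood bytes, including the one legitimate reply, which is the kind of collateral a scrubbing provider accepts or whitelists around. In the second part the per-IP rate limit catches nothing because each bot stays polite, and only correlating user agent and path across sources exposes the 25 bots; that correlation is the extra work Ellis refers to, and a real botnet can defeat this particular signal by randomizing both fields, so production defenses layer several such heuristics.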
Ellis said that, while Akamai was still analyzing what systems were used to send the bogus requests, initial analysis suggests that some share of those systems are non-traditional endpoints including Internet connected cameras that have web clients used for remote management of the device. “Cameras have definitely come up in our discussions,” Ellis said. “Whether those numbers are significant, we’ll know in the coming days.”
Internet of Things devices are playing a greater role in botnets, according to Akamai and other firms that monitor the attacks. In its most recent State of the Internet/Connectivity Report, Akamai said that a variant of the Kaiten malware was identified that specifically targets networking devices used in small office and home (SOHO) environments and Internet of Things (IoT) devices.
For his part, Mr. Krebs said in an email to Security Ledger that he is working on finding a new home for his web site that can stand up to the flood of traffic that will likely follow it. That may involve relying on the kindness of strangers, including huge tech firms like Google, which have the resources to deflect large denial of service attacks against their infrastructure. Barring that, the options available to the independent journalist are few. A source with knowledge of the industry said that DDoS protection against attacks of the scale of the one aimed at Mr. Krebs’s site costs banks, online retailers and others “seven figures” annually: a sum few small, independent firms can afford to pay.