Krebs back online after DDoS attack


By Dylan Bushell-Embling
Tuesday, 27 September, 2016


Respected cybersecurity journalist Brian Krebs was forced to take his website offline last week after it was hit by a record-shattering DDoS attack in what appears to be a retaliatory strike.

As of this morning, the website is back online.

The site, Krebs on Security, had been the target of a DDoS attack initially reported at 665 Gbps, at the time making it the “largest DDoS the internet has ever seen”, Krebs said on Twitter. Krebs is now bringing the site back online, but not before it had been taken down for several days.

An archived version of Krebs on Security’s report into the attack states that further analysis put the attack at closer to 620 Gbps, but this is still nearly twice the previous record 363 Gbps attack recorded by Akamai, which had been providing DDoS mitigation services for the site.

But while Prolexic, which was acquired by Akamai in 2014, had been providing the mitigation services for free, in the wake of the massive DDoS attack the company decided to end the relationship, Krebs announced.

“I can’t really fault Akamai for their decision. I likely cost them a ton of money today,” Krebs tweeted last week. “Before everyone beats up on Akamai/Prolexic too much, they were providing me service pro bono. So, as I said, I don’t fault them at all.”

But Krebs also told Ars Technica the DDoS attack served as a very effective form of censorship, because companies were unwilling to take on the financial burden of providing the required mitigation services.

Earlier this month, Krebs on Security published the results of an investigation into the hacked database of an Israeli online DDoS attack service, vDOS, that the site said was responsible for a significant majority of DDoS attacks clogging up the internet over the past few years.

The database, provided by an unnamed source, identified the alleged co-owners of the service, who were arrested in Israel hours after the report was published.

While Krebs said he couldn’t say for sure whether the DDoS attack was retaliation for publishing the story, some of the POST requests that formed part of the attack included the string “freeapplej4ck”. Applej4ck is one of the online nicknames of one of the alleged vDOS co-owners.

Another notable aspect of the attack is that it appeared to have been launched by a very large number of systems — possibly hundreds of thousands — which would represent a botnet with capabilities not yet seen before, according to Krebs. There are indications that the attack was launched using a botnet consisting of a large number of Internet of Things devices.

This would be consistent with recent research from Symantec demonstrating that IoT devices are increasingly being used to carry out DDoS attacks. Such devices, including home networks, routers and modems, are being compromised and used in zombie networks.

The lack of sophisticated security on consumer IoT devices is making them attractive targets for cybercriminals, Symantec said.

IoT malware also targets network attached storage devices, web services, CCTV systems and industrial control systems, many of which lack advanced security features due to limitations in operating system and processing power. Because passwords are often left unchanged from their defaults, malware can use brute force methods to circumvent basic security systems.
