Attack On Krebs

Uzair Shamim
Information & Technology
5 min read · Sep 26, 2016

Brian Krebs is a well-known and respected reporter who covers many different topics in the security industry, often involving data breaches and ATM skimmers. However, Krebs has always been unpopular among the financial and cyber criminals of the world given his uncanny ability to uncover the dirt on how they perform their criminal operations. He is also the author of the NYT Best Seller Spam Nation, a book detailing the operations of cyber criminals who use spam emails to make money as well as their wars with competing spammers. Check out this video below for a great talk by Krebs regarding his book.

Over the past week, Krebs’s website, KrebsOnSecurity, was under a remarkably severe DDoS attack. Attacks at this scale have never really been seen before (read further below for details). As a result, it’s important that the security industry develop some method of protecting journalists like Krebs against attacks that in the past would have been classified as a nation-state capability.

What Is A DDoS Attack?

If you are not familiar with the term, DDoS stands for Distributed Denial of Service attack. The idea behind the attack is simple, but to understand it you need a basic understanding of computer networks. What follows is a simplified explanation, but it should get the point across.

When two computers want to communicate on the internet, they send each other messages called “packets”. These packets contain all the information needed to allow communication between the two systems. When a computer receives a packet, it must allocate some CPU and network processing time to determine the contents of the packet. Normally the computer performs these tasks so fast that they are not noticed by the user.

Communication between a visitor and a website server (simplified)

When a website is hosted on a server, it needs to be able to respond to multiple visitors quickly and efficiently. As such, servers are given a very high bandwidth ceiling so they can scale to a very large number of requests. Think of bandwidth as a pipeline: the bigger it is, the more data can flow from one end to the other, but ultimately there is a finite limit (the size of the pipe).

An attacker uses compromised computers to launch a DDoS attack against a server.

A DDoS attack preys on this property and attempts to fill, or use up, the server’s available bandwidth. When this happens, the server is unable to respond to legitimate visitors and the website appears to be offline. These attacks can be devastating for websites because they are difficult to stop and can be launched simultaneously from all over the world. Oftentimes, the senders of these DDoS attacks are compromised computers or smart devices that are being controlled from some centralized command-and-control infrastructure operated by the actual attacker.
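As an added example (not from the original post), the Python model below shows why a flood spread across many sources is harder to stop than one from a single machine: a per-IP rate limiter catches one noisy client, but the same limiter lets a botnet of many low-rate hosts fill the pipe so legitimate visitors lose requests. The request rates, limits and addresses are constructed assumptions, not figures from the Krebs attack.

```python
from collections import Counter

# Illustrative assumptions for this example, not figures from the Krebs attack.
PER_SOURCE_LIMIT = 20    # requests/sec before a per-IP rate limiter throttles a client
SERVER_CAPACITY = 500    # requests/sec the server can answer: the "size of the pipe"


def constructed_traffic(bots, bot_rps, legit=10, legit_rps=2):
    """One second of constructed request events as (source_ip, request_bytes).

    `legit` ordinary visitors send `legit_rps` requests each; `bots`
    compromised hosts send `bot_rps` each. Addresses come from the
    documentation ranges (RFC 5737), so none refers to a real host.
    """
    events = [(f"198.51.100.{i + 1}", 1500) for i in range(legit) for _ in range(legit_rps)]
    events += [(f"203.0.113.{i + 1}", 1500) for i in range(bots) for _ in range(bot_rps)]
    return events


def per_source_rates(events):
    """Requests per second seen from each source address."""
    return Counter(src for src, _ in events)


def throttled_sources(events, limit=PER_SOURCE_LIMIT):
    """Sources a per-IP rate limiter would flag: those above `limit` req/s."""
    return {src for src, n in per_source_rates(events).items() if n > limit}


def surviving_load(events, limit=PER_SOURCE_LIMIT):
    """Requests/sec that still reach the server after per-IP throttling."""
    return sum(min(n, limit) for n in per_source_rates(events).values())


def service_ratio(events, capacity=SERVER_CAPACITY, limit=PER_SOURCE_LIMIT):
    """Fraction of surviving requests the pipe can actually answer.

    Legitimate visitors are indistinguishable from bots here, so when the
    pipe is oversubscribed they lose the same share of their requests.
    """
    load = surviving_load(events, limit)
    return 1.0 if load <= capacity else capacity / load


if __name__ == "__main__":
    # One noisy source: per-IP limiting flags it and the site stays up.
    single = constructed_traffic(bots=1, bot_rps=2000)
    print("single source flagged:", throttled_sources(single), "served:", service_ratio(single))
    # 200 bots each under the limit: nothing is flagged, yet the aggregate
    # exceeds capacity and legitimate visitors lose about half their requests.
    spread = constructed_traffic(bots=200, bot_rps=5)
    print("distributed flagged:", throttled_sources(spread), "served:", round(service_ratio(spread), 2))
```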

The Internet Of Shit

This is one of the reasons why IoT (Internet of Things) is such a stupid idea. These devices are basically never updated, and even when they are shipped to users they are buggy and have lots of security issues. IoT is basically a free distributed infrastructure being built for DDoS attackers.

Back To Krebs

The attacks against Krebs started after he revealed the operations of vDOS, a botnet-for-hire company run by two Israeli teenagers. It is alleged that they made over $600,000 in two years by offering their DDoS service to take down websites.

Two weeks after the article was published, a DDoS attack of unprecedented scale was launched against KrebsOnSecurity. Ars Technica reported that the site was sent over 620 gigabits of data per second. It should be noted that this is one of, if not the, largest attacks ever to take place on the internet! Initially Akamai, a popular CDN (content delivery network), was able to shield Krebs from the attacks, but after a few hours, around 4 PM that day, they notified Krebs that they would not be able to continue supporting his site and that he had two hours before they stopped shielding his website. Krebs opted to shut down the site while attempting to work out a solution to the attack. For the sake of brevity I don’t want to go over the rest of the details of the attack, as they are already covered in the Ars Technica article. If you are interested in more details about the attack, I suggest you read it as well as these two posts by Krebs.

What Does This Attack Mean For Journalists?

The dystopian cyberpunk future is here.

The scary thing about this attack is that a journalist had his website shut down by someone who didn’t like the content. What is even more concerning is that it means there are single actors out there who can carry out attacks which a few years ago would have been considered the realm of powerful governments. This all means that journalists will need to take even more precautions when determining how they want to share their content. It’s clear that not even a powerful CDN like Akamai can protect them from determined attackers.

Now, more than ever, journalists need to be given protection from the growing threats of internet warfare. If we want to continue to be able to exercise our right to free speech, then we need to develop products and practices that can be used to mitigate these targeted attacks.

What are these specific products or practices? I am not sure of any silver-bullet solution, as DDoS attacks are difficult to deal with. The only way (that I know of) to determine whether a packet was sent by an adversary is to perform some analysis on it, which means spending time checking its contents. If an attack is large enough, this becomes difficult to do at scale and causes a huge increase in costs. Krebs solved this issue by registering for Google’s Project Shield, which is Google’s attempt to protect journalists from DDoS attacks. It remains to be seen whether the site will stay up over the coming weeks, but projects like this are definitely a good thing.

Ultimately, one thing is clear to me: while attacks at this scale are rare right now, they will likely become much more common in the coming years. As a result, it is imperative that we find some definite way to protect websites and journalists from these attacks.
