LOUISVILLE, KY – This weekend Salted Hash is at DerbyCon, and we’ll be posting a few updates from the show, but some recent events have generated buzz, and they’re worth discussing. Namely, Brian Krebs is being censored, and that sets a bad precedent for everyone.
Earlier this month, Krebs published a story on vDOS, a DDoS service that’s likely responsible for a number of attacks on the Web over the last few years. Earlier this week, on Tuesday, Krebs detailed how two of the people behind vDOS were arrested. Hours later, Krebs’ website was hit, smashed with a 620 Gbps DDoS, representing the largest attack of this kind in history – something even the most prepared anti-DDoS vendors would struggle with.
Yet, Akamai (though Prolexic) was able to fight it off and keep Krebs online, until they decided not to.
Akamai purchased Prolexic officially in 2014. They offered anti-DDoS protection to Krebs pro bono, which is a PR boon for them as they get kudos for protecting one of the industry’s most influential journalists. When he is attacked, as he has been many times before, they get live examples of how they can help keep websites online.
However, free has limits, and free protection will only go so far. The attack against Krebs’s domain showed no sign of slowing, and after a day of constant fighting Akamai gave him two hours’ notice that his protection against was about be suspended.
Akamai had had enough. They were throwing in the towel.
Krebs says he has no hard feelings for Akamai, and doesn’t fault them for making the decision to end his protection. He made the tough call to null route his website in order to keep his webhost from taking the brunt of the attack, which would not only hurt Krebs, but all of the host’s clients as well.
One of the scary aspects of the attack itself is its origins
The attack on Krebs as well as Cogent, OVH, Blizzard Games, and Riot Games can likely be traced to hacked home routers, webcams, DVRs, and other Internet of Things devices that have flooded the consumer market.
The technology powering these devices has placed tremendous power into the hands of serious criminals and kids with a grudge, who target organizations they don’t like, as well as journalists they disagree with.
As the Krebs saga unfolded, a recent pitch concerning IoT devices and DDoS attacks published by Symantec stands out.
“The current IoT threat landscape shows that it does not require much to exploit an embedded device,” Symantec wrote.
“DDoS attacks remain the main purpose of IoT malware. With the rapid growth of IoT, increased processing power in devices may prompt a change of tactics in future, with attackers branching out into cryptocurrency mining, information stealing, and network reconnaissance.”
But none of this helps Krebs, who has been effectively censored by attackers who didn’t like his reporting. While he plans to get his website back online this weekend (based on his statements on Twitter), the damage has already been done.
Those who attacked him now know that anti-DDoS vendors will fold if pushed hard enough, and they know that if they disagree with something that’s published, they can simply force the website offline.
Krebs got his protection from Akamai for free, but the hard choice on their end to give-up the fight leaves some speculating. Several people at DerbyCon pointed to a blog post by Nick Selby, who said that Akamai’s threshold has been identified.
“The substantially much larger precedent it has set has been that Akamai – a company that has bragged that it handles about 30% of the Internet’s traffic every day; delivering more than 30 Terabits per second, and delivering the pipe through which users conduct nearly 3 trillion Internet interactions each day, enabling, it claims, more than $250 billion in annual e-commerce for its online retail customers – Akamai has now announced to the world that if your site is getting attacked at a rate of 620 gigabits per second of traffic, then you’re on your own.”
It’s possible – even likely – that those with a paid contract though Prolexic (Akamai) wouldn’t be pushed aside and ditched. Akamai had to make a hard choice, and that choice sucks. It sucks that they couldn’t protect him and keep his website online. It also sucks to see them essentially throw in the towel.
Akamai dominates the Internet, so to see someone walk in to their house and kick them around is a harsh reality check.
Protecting Krebs was costly, and the costs likely outweighed any marketing value or goodwill in the industry. Paid protection can run north of $100,000, and while Krebs is great at what he does, it’s unlikely he has the budget to burn for anti-DDoS coverage.
So Akamai was damned if they do, damned if they don’t. There was no winning this game. Krebs is fighting to get his website restored, Akamai is dealing with the fallout over their choices, and the public is faced with a demon of their own – DDoS can cripple an organization, as well as an individual.