Quite impressive. You know your blog is good when folks will try to take down a CDN to suppress what's on it. He's also had heroin mailed to him in combination with a swatting attempt before: <a href="http://webcache.googleusercontent.com/search?q=cache:gEjqPfcbtlgJ:krebsonsecurity.com/2015/10/hacker-who-sent-me-heroin-faces-charges-in-u-s/&num=1&hl=en&gl=us&strip=1&vwsrc=0" rel="nofollow">http://webcache.googleusercontent.com/search?q=cache:gEjqPfc...</a>
Still not a good move for Akamai, though.<p>I get him speaking out for them about the hosting having been free, but Akamai is now the CDN that got bullied into kicking someone off their service against their own will.<p>Terrible PR, and that mud will stick in tech circles. Akamai folds under pressure.<p>I know it's a crude comparison, but we don't negotiate with terrorists for a reason.
Isn't this the point at which Cloudflare is supposed to gain a handful of PR points for putting him back online, pro bono, and then doing a write up on how effortlessly they handled the bandwidth with eBPF?
Here's a "philosophical" question with regards to the internet, and perhaps even its future. Given that a currently anonymous attacker, and likely not a "state" player (i.e. not a governmental entity with almost unlimited resources) has managed to DDoS a single website, does this portend that unless there are significant changes to the way the internet infrastructure works, we are seeing the demise of the WWW?<p>Kind of like a reverse wild-wild-west evolution, where the previously carefully cultivated academic and company site presence, gradually degenerates into misclick-hell? And the non-technical, non-IT savvy masses, in a bid to escape this all, end up in a facebook-style future where media is curated and presented for consumption (or perhaps in future, facebook-type entities end up with their own wild-wild-west hell)?<p>I have a strange feeling that we are seeing the decline of a city/civilisation; once you used to feel safe walking out at night, knew everybody in the neighbourhood, could leave your doors unlocked... and now, you don't dare to go down the lane to the left in case you pick up a nasty virus, and if you hear a knock on the door at night/email from DHL, you don't dare to even look through the peephole/preview the JPG!
I would like to see stats from Tier1/Tier2/IX for that.
Krebs claims it's 665Gbit/s <a href="https://twitter.com/briankrebs/status/778404352285405188" rel="nofollow">https://twitter.com/briankrebs/status/778404352285405188</a>
Such an attack must be visible in many places, however not a single major ISP reported that on a mailing list. Previous smaller attacks were reported 'slowing down' some regional ISPs. Perhaps ISPs got better.
This recent talk about DDoS attacks is worth a watch if you're curious about why it's a hard problem to solve: <a href="https://www.youtube.com/watch?v=79u7bURE6Ss" rel="nofollow">https://www.youtube.com/watch?v=79u7bURE6Ss</a>
This is bad PR for Akamai and a tactical error for them to boot Krebs even if they were providing free service.<p>To some, the implication will be "they couldn't handle it" so why should I trust the DDOS they are heavily promoting on their site?<p>At minimum they should comment on the situation, at best restore his service and learn how to deal with high profile clients.
The first thing a lot of people are thinking (and saying) is "switch to Cloudflare". But there's another name I think needs to be said - OVH. OVH can withstand a Tbps scale attack as far as I know, and it provides this to pretty much anyone. They have a pretty good interface and some of their plans are extremely cheap. They're also great at standing up for free speech, which I really appreciate.
> “I likely cost them a ton of money today.”<p>But more specifically, whoever launched the attack cost them that money.<p>Also, ha:<p>PING krebsonsecurity.com (127.0.0.1): 56 data bytes
It would be interesting to try out some of these new p2p website technologies like IPFS/WebTorrent with these high profile sites who are frequently attacked.
I tried to get to an article on Krebs' site from a Bruce Schneier blog post, and couldn't, then bumped into this post in HN.<p>It's a pity Akamai booted him off; on the one hand, I can understand that it would significantly impact on their SLAs to other customers, but on the other hand it's a shame they don't have a lower impact network to re-host him on, and use this as a learning lesson on how to better mitigate such DDoSs...
<a href="https://twitter.com/briankrebs/status/779111614226239488" rel="nofollow">https://twitter.com/briankrebs/status/779111614226239488</a><p>"Before everyone beats up on Akamai/Prolexic too much, they were providing me service pro bono. So, as I said, I don't fault them at all."
I'd love to learn more about these botnets. I wonder about things like: what's the average time that a compromised computer stays in this net? What is the typical computer (grandma's old PC running XP)? Do the ISPs ever get involved to kill bots running on their networks?
Wow, I figured that everyone that had hired vDOS would be irritated but that is pretty impressive. Still it says a lot for how effective he has been at rooting out this stuff, not like the TierN infrastructure folks have managed to track this stuff down with their resources.
Isn't this whole thing a bit silly? I mean what's the point? They just spend time on making him the best marketing, he'll double his audience/readers, no?
These 'attackers' give Krebs more publicity than he would ever be able to generate himself.<p>It's also useful to point out that Krebs hasn't been the only target as half a dozen other large targets were attacked
<a href="http://www.webhostingtalk.com/showthread.php?t=1599694" rel="nofollow">http://www.webhostingtalk.com/showthread.php?t=1599694</a>
Something about the platform-centric world we're in now is that this sort of attack doesn't have the blocking power it once did: you can mirror your content on Twitter, FB, G+, etc. and cross-link so people can still read your stuff. This makes the "denial" part pretty watered down; it's a wonder people even bother with these sorts of attacks anymore for non-services (i.e., for regular media material like text, photos, etc.)<p>Of course, maybe the goal is to deny someone ad revenue, but that seems awfully low-status for such a high-profile attack: "Yeah, we really got 'em! Denied 'em AD REVENUE for a whole week!"
The ddos attacks seem to be getting larger these days.<p>I've recently seen a ~200 Gbit/s hit us.<p>Does anyone have good resources around mitigation? I was looking at the BGP flowspec but was hopeful that someone might have come across other tactics?
If you're curious what the source of the DDOS attacks is, here is a recent one that hit OVH:<p>> This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn.<p><a href="https://twitter.com/olesovhcom/status/779297257199964160" rel="nofollow">https://twitter.com/olesovhcom/status/779297257199964160</a><p>This is much higher than the Akamai attack on Krebs too. Welcome to the wonderful side-effects of the totally insecure firmware of IoT...
Here's a link to the last post from his website. Google did not appear to have this cached:<p><a href="https://archive.fo/t94ve" rel="nofollow">https://archive.fo/t94ve</a>
I understand that this is burning bandwidth for Akamai, but seriously, taking into account what is at stake here, I think they need to do their share and continue to support Brian.
Brian Krebs is a hero. Are Akamai executives cowards for dumping him? I'd like to add that law enforcement are heroes.<p>And it's honorable he wants to meet Fly in person, recognizing him as a human being. I haven't read it yet but I'm assuming the reference to 12-step hints that Fly's having some post alcohol binge regrets.<p>I'm sure alcohol makes it easier to hurt other human beings, which is why violent people are often drunk. I'd be ashamed of myself if I woke up realizing that I'd spent my life actively trying to harm other human beings for money, feeling no remorse until Karma (here defined as law enforcement officials) finally caught up with me.
I'm wondering if the rising scale of these attacks & the seeming ease with which sites can be taken down will ultimately result in an "authenticated" internet - ie. you can't even connect without identity verification.<p>We already see publishing through FB Instant Articles etc. moving in that land on top of the current internet, to combat these types of firehose attacks, the only solution may be to take authentication one level deeper into the connection level.<p>That of course sounds good to security agencies as that's the end of anonymity online.
It's funny how my mom after reading "record cyberattack" would be wondering how many poor people died but what it means is that somebody was downloading images from a website many times.
There are a number of factors that go into play (did the site use custom SSL, what edge locations were they providing caching in, etc), but had Krebs been a normal paying customer, this could easily have been an over-a-million-dollar bill (if it was sustained long enough to alter his 95th percentile bracket) in the cheapest case. If things like custom SSL are in the mix (which Akamai charges absurdly high prices for), or lots of traffic from more expensive POPs, or lack of already having pricing commensurate with high volume traffic commitments, the bill could've been 5-10x that amount or more.
It's kind of stupid to me that the massive and advanced cdn of akamai protects something as non-important as a blog against such a major ddos attack. If they were doing it pro-bono wouldn't the prudent action be to mitigate ddos's until a certain threshold and then actually assess the value of what you are protecting? A good lesson to have learned, I believe.<p>But no, they'll drop this client which had to have continually given good referrals.
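Added illustration, not part of the comment above and not Akamai's billing logic: how long an attack must be sustained before it moves a 95th-percentile ("burstable") bill. It assumes the conventional 5-minute sampling and nearest-rank percentile; the 50 Mbit/s baseline is constructed, and 665 Gbit/s is the attack size quoted elsewhere in this thread.

```python
import math

SAMPLE_MINUTES = 5  # assumption: conventional 5-minute traffic samples


def billable_rate(samples_mbps, percentile=95):
    """Sort the samples, discard the top (100 - percentile)%, bill the highest one left."""
    if not samples_mbps:
        raise ValueError("no samples")
    ordered = sorted(samples_mbps)
    rank = math.ceil(len(ordered) * percentile / 100)  # nearest-rank method
    return ordered[rank - 1]


def month_with_attack(baseline_mbps, attack_mbps, attack_hours, days=30):
    """Constructed month of samples: flat baseline plus one flat attack burst."""
    total = days * 24 * 60 // SAMPLE_MINUTES
    attack = min(total, int(attack_hours * 60 / SAMPLE_MINUTES))
    return [attack_mbps] * attack + [baseline_mbps] * (total - attack)


def free_burst_hours(days=30, percentile=95):
    """Hours of traffic per billing period that fall in the discarded top slice."""
    total = days * 24 * 60 // SAMPLE_MINUTES
    discarded = total - math.ceil(total * percentile / 100)
    return discarded * SAMPLE_MINUTES / 60


if __name__ == "__main__":
    baseline, attack = 50, 665_000  # Mbit/s; baseline is a constructed value
    print(f"discarded burst window: {free_burst_hours():.0f} h per 30-day month")
    for hours in (24, 36, 37, 72):
        rate = billable_rate(month_with_attack(baseline, attack, hours))
        print(f"{hours:>3} h attack -> billed at {rate:,} Mbit/s")
```

Under these assumptions an attack shorter than 36 hours in a 30-day month lands entirely in the discarded 5% and leaves the billed rate at the baseline; one sample past that and the whole month is billed at the attack rate.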
It would be interesting if he started writing on Medium (not saying technically advisable, just interesting). I wonder if he'd ever consider trying that.
Some are guessing the DDOS was because of this recent post of his, about a large DDOS network.<p><a href="http://webcache.googleusercontent.com/search?q=cache:kaymYsbcGc8J:krebsonsecurity.com/2016/09/israeli-online-attack-service-vdos-earned-600000-in-two-years/+&cd=1&hl=en&ct=clnk&gl=us" rel="nofollow">http://webcache.googleusercontent.com/search?q=cache:kaymYsb...</a>
Unbelievable, they enjoyed year of free publicity from association with him, and this is how they repay him. It's bad enough that they couldn't handle the attack, despite all the bragging about their multi-Tbps capacity...
Brian Krebs wasn't a paying customer, right? Akamai provided the service pro-bono. Perfectly acceptable for them to suspend service if it becomes more than trivial in terms of cost or it puts their paying customers at risk.
I've always wondered if your domain is under an HTTP DDoS attack, couldn't you in theory update your DNS A record to another ip and take other servers down (maliciously)?
At this scale it must also cost a ton of money to carry out this attack, I wonder if there's a vulnerability that we don't know about that let them do this so easily?
tl;dr Akamai was hosting his site pro bono. His site was being DDOSed, which cost Akamai a ton of money, so they kicked him off since they were literally only losing money on the deal.
I think it's time for some serious financial incentives for ISPs to start getting serious about routing (or rather not routing) garbage. Financial fines for every DOS originating from your AS, or blacklisting if you are a repeated offender.
Such attacks are possible because the Internet is decentralized. There is no way to tell peers that you don't want to get traffic from some AS.<p>And investigation is difficult because attacking nodes might be in different countries, in some of which DDOS attacks are not illegal.<p>Maybe it is time to start building international firewalls to protect local infrastructure?