Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Security IT Technology

Akamai Kicked Journalist Brian Krebs' Site Off Its Servers After He Was Hit By a Record Cyberattack (businessinsider.com) 212

An anonymous reader writes:Cloud hosting giant Akamai Technologies has dumped journalist Brian Krebs from its servers after his website came under a "record" cyberattack. "It's looking likely that KrebsOnSecurity will be offline for a while," Krebs tweeted Thursday. "Akamai's kicking me off their network tonight." Since Tuesday, Krebs' site has been under sustained distributed denial-of-service (DDoS), a crude method of flooding a website with traffic in order to deny legitimate users from being able to access it. The assault has flooded Krebs' site with more than 620 Gbps per second of traffic -- nearly double what Akamai has seen in the past.
This discussion has been archived. No new comments can be posted.

Akamai Kicked Journalist Brian Krebs' Site Off Its Servers After He Was Hit By a Record Cyberattack

Comments Filter:
  • by DavidRawling ( 864446 ) on Friday September 23, 2016 @10:06AM (#52946271)
    Seems to me the attackers win, at least in the short term, because the caching and CDN provider (who I expect was probably contracted and paid, although it's entirely up to Brian how he handles his business affairs, it does seem likely) takes the site off the air anyway. That being the case ... what's the point of having that contracted relationship, if they dump you anyway?
    • by sinij ( 911942 ) on Friday September 23, 2016 @10:08AM (#52946285)
      Yes, but not for technical reasons (DDoS succeeding in overwhelming ISP). Akami shamefully decided to dump Kerbs.
      • by Opportunist ( 166417 ) on Friday September 23, 2016 @10:32AM (#52946483)

        The reason is irrelevant. The message is clear: You want to silence your opposition? Conduct a DDoS until your enemy's hoster decides that you're more hassle than he is worth.

        • by Mal-2 ( 675116 )

          Unfortunately, this has always been the case. The whole point of a DDoS is the ability of the attacker to multiply its efforts enormously. The only possible defense against any and all DDoS attacks would be to own more than half the bandwidth of the network, which hopefully nobody ever will -- or at least more than any adversary or group of adversaries can ever point your way. Since the attackers are not paying for the bandwidth, and Akamai is, the attackers win by economic siege.

          Either Akamai can bow and t

          • Hopefully all their current and any future customers will tell Akamai to go fuck themselves and drive them out of business in a REAL "Denial of Service" attack...

            • by Mal-2 ( 675116 )

              What would that accomplish other than to make sure there are no players left in the market except for the really, really big ones? You know that if this topples Akamai, the attackers will take on another target and bring them down the same way, and so on, and so on... [youtube.com]

              • by mysidia ( 191772 )

                It would be better if Akamai survives, but is HURT by this choice of theirs, such that they revisit their policy.

              • So basically anyone someone decides to DDoS should be automatically dropped from the internet is your plan?

                NO

                • I think the best thing would be to treat internet access much like we do electromagnetic spectrum, and require those using it to have some kind of accountability in that if they participate in a ddos, willingly or not, then they have to have their access throttled to something like 128kbit, even if they switch ISPs, and they can only have it unthrottled once they decide to secure their devices or otherwise stop participating in ddos.

          • Unfortunately, this has always been the case. The whole point of a DDoS is the ability of the attacker to multiply its efforts enormously. The only possible defense against any and all DDoS attacks would be to own more than half the bandwidth of the network, which hopefully nobody ever will -- or at least more than any adversary or group of adversaries can ever point your way. Since the attackers are not paying for the bandwidth, and Akamai is, the attackers win by economic siege.

            Either Akamai can bow and take down Krebs, or they can let the whole ship go down in a symbolic gesture. Which one would you do, if you had a business to run?

            Has it been discussed before to modify either layer 1 or TCP standards to include a DDoS ICMP/other response upstream that indicates that there is a stream of unwanted, high-bandwidth data coming from a source IP of xxx.xxx.xxx.xxx, going all the way back to the source's downstream node in each case. If the traffic is confirmed, block traffic to the reporting IP. If not, don't. Simple standard (yes, many issues that can be exploited or abused, but those can be worked around simply).

            Not understanding why

            • by sjames ( 1099 ) on Friday September 23, 2016 @03:01PM (#52948423) Homepage Journal

              Alas, no. That would have been possible in the before time when a T1 was a lot of bandwidth and the threat was a DOS rather than a DDOS.

              In a DDOS, no one host is a big contributor, but there are a lot of hosts. Consider, you have 10,000 hosts (a SMALL attack) fetching valid URLs from your web server and sending them to /dev/null. Now, which of the 10100 hosts fetching pages from you do you want shot down? Keep in mind, your objective includes not letting the attacker win. To add to the "fun", those 10,000 hosts will rotate out and be replaced by others in a much larger pool fairly frequently.

              • You ask a very good and intelligent question there. I don't know what other people's thoughts are, but my method would have to be non-public, as that easily presents workarounds. Having said that, that isn't going to happen so I'll have to answer your question. I got a way into it before I deleted everything and typed this response. You'll see a response later this weekend. Drawing board time, literally.

              • There has to be something different in the TCP headers, the ordering of the packets, SOMETHING, that differentiates a browser and a standardized DDoS attack drones' packets.

                If that is researched and is NOT the case, I see the only way around it being a Human verification system, like CAPTCHA. Fail CAPTCHA > 3 times, block IP. But this IP blocking has to be done upstream and has to have a punishment system for sites that abuse it.

                Basically, there has to be a head controller of Internet comms (an organiz

                • by sjames ( 1099 )

                  Sorry, there's really no difference. An attacker can easily appear to be the browser of their choice.

                  Going to CAPTCHAs that would actually work would be as bad as shutting the routers off and going home. Are you really willing to solve a captcha every time a daemon on your system wants to do a DNS lookup of check in with a time server? Besides, they can actually be solved by putting up a porn site (solve the captcha, see the next image).

                  • Sorry, I didn't say that the CAPTCHA would cover a session, not an individual request. But, that would mean the whole concept of IP blocking after failure and all of the fallout would have to be tolerated or simplified. We know that's not going to happen. :(

            • by amorsen ( 7485 )

              The source IP of the traffic is spoofed. This would not be possible if all ISP's implemented BCP38, but some don't, so it is.

              • Why would you need to spoof IPs when you're using a botnet for a DDoS?

              • Agreed completely. I'm still thinking but your idea is one of the base must-dos. I have to think this through to make sure that I'm not saying it incorrectly, but my initial thought is that if the protocol is not being used, you're automatically rejected. This puts a big limit upfront and encourages companies and individuals to upgrade firmware/OS on all routers to be compliant. If not, fingers can be pointed at the individual devices and companies running those devices that refuse to comply. Consumer de

                • by amorsen ( 7485 )

                  You don't implement BCP38 and any new DDoS prevention and mitigation standards, you become the first to be blocked upstream

                  The only ones who can do that are the large backhaul providers. Why would they annoy their customers by enforcing a policy that means they have to move less data? That would be a daft business move.

                  • The more I've thought about this, there is always a dead end. You just mentioned one - customer satisfaction.
                    Unless DDoS attacks start ruining the online video viewing & Facebook addiction satisfaction of consumers, I don't see a solution in sight.
                    I came up with about 5 different solutions that could work, but every one of them involved the average consumer understanding its purpose and accepting it. That, as the intelligent know, means that it ain't gonna happen. In each of the solutions I came up wit

        • The reason is irrelevant. The message is clear: You want to silence your opposition? Conduct a DDoS until your enemy's hoster decides that you're more hassle than he is worth.

          Talk about encouragement for future activities...

          Butthead impression, if I may, from the 90's MTV series Beavis and Butthead:

          "WHOOOAAH. It really DOES work. Uuhuhuhuh huhuhuhuhuh."

      • by Anonymous Coward on Friday September 23, 2016 @12:40PM (#52947385)

        Before using terms like "shamefully", you really should know all the facts...

        Before everyone beats up on Akamai/Prolexic too much, they were providing me service pro bono. So, as I said, I don't fault them at all.

        — briankrebs (@briankrebs) September 23, 2016

      • by Sun ( 104778 )

        I believe that the reason Akamai kicked him out was because they didn't want to risk their entire network for one client, at least not without him paying considerably more than he does. At the end of the day, there is a limit to what even Akamai's network can take.

        Which is another way of saying that the attackers won.

        Shachar

        Disclaimer: I've worked for Akamai for a year and a half, up until two years ago, in a technical role. I do not speak for Akamai.

    • by Anonymous Coward on Friday September 23, 2016 @10:17AM (#52946351)

      Akamai were providing him service for free up to that point:

      https://twitter.com/briankrebs/status/779111614226239488

      So up to this point they had been eating the cost of hosting him and defending against attacks. This one just got too big for too long.

      • by Xest ( 935314 ) on Friday September 23, 2016 @11:00AM (#52946721)

        They weren't hosting him for free, there's no such thing as free.

        They were hosting him because it was good PR for them to be able to say "Yeah, we're capable of holding up this high value target's website just fine regardless of all the attacks he regularly comes under".

        This is a tacit admittance that Akamai's business model has changed from high end bulletproof host to just another host that will not keep your site up in the face of a DDOS. This is rather unfortunate for them, because such low end hosts are widely available, and at a far lower price point.

        I wish them luck with their new model as just another host chasing the low hanging fruit. They've sacrificed an incredibly important unique selling point for them - their reputation as a host that will keep you going no matter what.

        • This sums up my thoughts so much better than I could... and I totally agree... this is really a big black mark on Akamai.

        • Excellent summary of my thoughts Akamai's actions.

          He should consider using a .bit address with Zeronet.

          • Re: (Score:3, Interesting)

            by Anonymous Coward

            He should consider using a .bit address with Zeronet.

            He should publish his site on Freenet [freenetproject.org]. There's no such thing as a DDoS there, quite the opposite: the more requests there are for a specific URL, the more widely that content is propagated across the network, making it easier and faster for everyone to load. I say again, you cannot DDoS a Freenet site, there is no server to DDoS, as the content is distributed and hosted across the entire network. The only thing he'd lose is the comment section (Freenet's design is not conducive to interactive/dynamic stuff

            • He should consider using a .bit address with Zeronet.

              He should publish his site on Freenet [freenetproject.org]. There's no such thing as a DDoS there, quite the opposite: the more requests there are for a specific URL, the more widely that content is propagated across the network, making it easier and faster for everyone to load. I say again, you cannot DDoS a Freenet site, there is no server to DDoS, as the content is distributed and hosted across the entire network. The only thing he'd lose is the comment section (Freenet's design is not conducive to interactive/dynamic stuff like commenting).

              He'd lose his comment section, and his site's visibility to anyone who isn't running Freenet on their machine. Mentioning a fix isn't going to change peoples' ignorance of best-method and workaround solutions. Good idea, just not doable.

        • by Anonymous Coward on Friday September 23, 2016 @12:09PM (#52947189)

          From the right up on it, it was peaking at 665 gigabits/sec and was leveraging a massive botnet trying to make direct connections instead of using DNS reflection. They kept his site up during this and numerous other large scale attacks. Claiming that Akamai isn't a "bullet proof" host because they decided their support cost and impact to their customers outweighed the free-marketing/goodwill is just asinine. You're the same entitled person that uses free web services and then b*tches when they start charging or go under aren't you?

          • You're the same entitled person that uses free web services and then b*tches when they start charging or go under aren't you?

            I'm not a business person. If someone tells me that they have some "free" business plan that they claim will work, I can be skeptical, but it's not really on me when they are exposed as wrong. If you advertise a service as one thing and then pull a switcharoo, you should be called out. You call that "entitlement", I call it broken promises - though I'll also go along with "naive", since by now we should probably just ignore the promises of "free". Though here I am using gmail for going on a decade and a hal

            • by itwerx ( 165526 )

              Though here I am using gmail for going on a decade and a half...

              Gmail has never been free, it is paid for by advertising.

    • by mwvdlee ( 775178 ) on Friday September 23, 2016 @10:21AM (#52946397) Homepage

      I might be a conspiracy theorist here, but what might Akamai gain by blocking the guy who's taking down one of the largest criminal organizations providing the type of attacks that Akamai is being paid for to prevent?

    • by Doug Otto ( 2821601 ) on Friday September 23, 2016 @10:25AM (#52946439)
      I read somewhere that there was no contract but rather Akamai was providing the service pro-bono.

      If that's the case, and it was starting to impact paying customers, it's an understandable move.
      • Re: (Score:3, Interesting)

        by Opportunist ( 166417 )

        It's not that we don't understand it (frankly, people, who would act differently?), what is troublesome is the signal this broadcasts.

      • by klubar ( 591384 )

        It's always a problem with pro-bono clients or favors for friends client. If it was a top-paying client, they might have pulled out all the stops to prevent the attack.Every pro-bono and service provider (whether lawyer, ad agency, programmer, etc.) understands the dynamics. Full-freight clients come first and the top two or three clients come even before them. Discounted, best-efforts, pro-bono and clients of friends come below.

        Hopefully, the relationship is described and understood in advance.

    • They hosted him pro bono

      • ...so if he'd paid $20 a month he'd be ok ? (Or you'd be outraged?)
        • I would imagine if he paid them what it costs to mitigate that kind of onslaught for days and days he would be online. I am certain that his blog being offline for a few days or weeks till this stops isn't worth it to ANYONE to use the resources to keep it up.

        • Re: (Score:3, Interesting)

          by jofas ( 1081977 )
          You've obviously never seen an Akamai invoice...
    • by gweihir ( 88907 )

      Akamai was hosting him for free. Of couse, a smarter move would have been to say "We are Akamai, sites hosted by us do not go down" and exploit this for all its PR value. Of course, that takes management with a vision, MBA bean-counters do not need to apply.

  • by sinij ( 911942 ) on Friday September 23, 2016 @10:07AM (#52946275)
    From Kerbs on Security site:"The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second." .

    Akami were handling it as of yesterday, but it seems that they decided it was too expensive to stand by their client while he is under attack.

    Maybe a coincidence, but this started to happen after Kerbs exposed anti-DDoS 'protection' firm BackConnect use of BGP hijacking.
  • Not a surprise (Score:4, Insightful)

    by Anonymous Coward on Friday September 23, 2016 @10:11AM (#52946305)

    Akamai has a fiduciary responsibility to others on their network to ensure that they are not impacted by a single user. They were providing the service for free to Brian Krebs, he stated this. I do not work for Akamai(one of their competitors actually) but this is very, very common in this space.

  • So long... (Score:5, Insightful)

    by Daetrin ( 576516 ) on Friday September 23, 2016 @10:12AM (#52946313)
    So they booted him off because he was costing them a ton of money and wasn't paying anything. (I guess they were providing him service as a charity?)

    But does that mean that they'll kick their paying customers off as well if the costs of defending them against attacks exceed the revenue they're getting from that specific customer? If so that would mean you could put Akamai out of business just by targeting one customer at a time, moving on to a new one as each one was evicted from the service.
    • The web is asymmetric. A single host (or hosts in the case of a CDN like Akamai) sends files to thousands or millions of clients (web browsers).

      This seems like something a distributed symmetric system like bittorrent could fix. Each browser already caches files for the web sites it's visited. If they could also be made to serve those cached pages to other web browsers (with a checksum to allow the new recipient to detect and discard corrupted caches), that would solve server overloading. The more pop
    • So they booted him off because he was costing them a ton of money and wasn't paying anything. (I guess they were providing him service as a charity?)

      But does that mean that they'll kick their paying customers off as well if the costs of defending them against attacks exceed the revenue they're getting from that specific customer? If so that would mean you could put Akamai out of business just by targeting one customer at a time, moving on to a new one as each one was evicted from the service.

      Interesting question. Let's find out. Who wants to volunteer? ;)

  • Pro Bono (Score:5, Insightful)

    by hodagacz ( 948570 ) <citizendoe@g m a i l.com> on Friday September 23, 2016 @10:18AM (#52946365)

    I don't blame Akamai at all and it sounds like Krebs doesn't either. There were a ridiculous amount of resources used on the attack and that shit gets expensive to block.

  • Idiots (Score:5, Informative)

    by edibobb ( 113989 ) on Friday September 23, 2016 @10:28AM (#52946455) Homepage
    Akamai is throwing away a great marketing opportunity and turning it into a huge negative. Why would I move to Akamai, knowing that they'll kick me off their network if I ever have trouble? They're throwing away their primary competitive advantage with one stupid decision.
    • by HBI ( 604924 )

      I agree entirely. Can you say bad publicity? I knew you could.

    • Bad publicity is one thing. Being the target of the BY FAR biggest DDoS in history is another thing. They can have the best publicity on earth if they have to fold tomorrow because all their customers bail due to not being reachable because of the DDoS.

    • Conspiracy Theory! (Score:2, Interesting)

      by Kludge ( 13653 )

      Akamai does not like Krebs exposing out the DDoS attackers, because fear of DDoS is what brings Akamai business. This is a good excuse to try to get rid of Krebs.

      I have said it before, and I will say it again: Brian Krebs rocks.

      • by Anonymous Coward

        On the gripping hand, this is great publicity for the DDOS service behind the attack

      • by q4Fry ( 1322209 )

        Akamai does not like Krebs exposing out the DDoS attackers, because fear of DDoS is what brings Akamai business. This is a good excuse to try to get rid of Krebs.

        That doesn't make sense. Akamai can't convincingly say "We can help [you businesses] with this scary problem of DDoS attacks" when Akamai demonstrably couldn't protect Krebs from a DDoS attack. From a financial perspective (i.e. "This is costing us too much money"), their actions make sense. From a conspiratorial one? Not at all.

  • If they can't handle a DDOS, any DDOS competently then they just made it clear they are a minor player....

    Wonder if AWS, Azure or Google will pick him up as a PR move.

    • Any service can be taken down with a DDoS attack from a sufficiently large botnet. Are you contending there are no major players?

  • by smooth wombat ( 796938 ) on Friday September 23, 2016 @11:18AM (#52946815) Journal

    when you're honest. Krebs doesn't pull his punches and the whiners of the world (i.e. those he lambasted for having low quality products or game play) don't like it and now they're being petulant two year olds.

    Just goes to show the mentality of supposed adults. Especially the cowards who sit behind a keyboard and try to destroy the work of others because they didn't get their lollipop.

  • Cyber-terrorism gets you what you want apparently.

    Akamai Technologies should be dumped by everyone who uses them and should not get any new customers.

  • by Mal-2 ( 675116 ) on Friday September 23, 2016 @11:46AM (#52947013) Homepage Journal

    Here's an archive.is link [archive.is] for those not wanting to deal with BI's paywall.

  • by bad-badtz-maru ( 119524 ) on Friday September 23, 2016 @11:46AM (#52947015) Homepage

    Where's that Slashdotter from the thread last week who posted 5 easy steps to stopping a DDoS! Akamai needs your "expertise"!

  • I wonder how much more successful Krebs would be moving his site to a sites.google.com? Sure, he'd have to deal with the awful feature set there, but I'd like to see anybody DDOS google successfully. I don't think it's actually been done has it?
  • Since it'll be offline for a while, perhaps... Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years [archive.org].

    vDOS — a “booter” service that has earned in excess of $600,000 over the past two years helping customers coordinate more than 150,000 so-called distributed denial-of-service (DDoS) attacks designed to knock Web sites offline — has been massively hacked, spilling secrets about tens of thousands of paying customers and their targets.

    The vDOS database, obtained b

  • Maybe Krebs should talk to Google about getting on their Project Shield [withgoogle.com]

  • Has Akamai come right out and said that the DDoS is the cause of why they are discontinuing service? If that is the reason, well, it's a business decision, but it doesn't look good in their capability to stop DDoS. Another possibility is, did Krebs disclose confidential information that violated his contact with Akamai when he disclosed details? I don't know but that may be another viable reason why Akamai has discontinued services to him or it could be a viable excuse of how he violated his contract allowi

Even bytes get lonely for a little bit.

Working...