Akamai Kicked Journalist Brian Krebs' Site Off Its Servers After He Was Hit By a Record Cyberattack (businessinsider.com)
An anonymous reader writes: Cloud hosting giant Akamai Technologies has dumped journalist Brian Krebs from its servers after his website came under a "record" cyberattack. "It's looking likely that KrebsOnSecurity will be offline for a while," Krebs tweeted Thursday. "Akamai's kicking me off their network tonight." Since Tuesday, Krebs' site has been under sustained distributed denial-of-service (DDoS), a crude method of flooding a website with traffic in order to deny legitimate users from being able to access it. The assault has flooded Krebs' site with more than 620 Gbps per second of traffic -- nearly double what Akamai has seen in the past.
So basically ... the attack wins? (Score:5, Informative)
Re:So basically ... the attack wins? (Score:4, Insightful)
Re:So basically ... the attack wins? (Score:5, Insightful)
The reason is irrelevant. The message is clear: You want to silence your opposition? Conduct a DDoS until your enemy's hoster decides that you're more hassle than he is worth.
Re: (Score:3)
Unfortunately, this has always been the case. The whole point of a DDoS is the ability of the attacker to multiply its efforts enormously. The only possible defense against any and all DDoS attacks would be to own more than half the bandwidth of the network, which hopefully nobody ever will -- or at least more than any adversary or group of adversaries can ever point your way. Since the attackers are not paying for the bandwidth, and Akamai is, the attackers win by economic siege.
Either Akamai can bow and t
Re: (Score:2)
Hopefully all their current and any future customers will tell Akamai to go fuck themselves and drive them out of business in a REAL "Denial of Service" attack...
Re: (Score:2)
What would that accomplish other than to make sure there are no players left in the market except for the really, really big ones? You know that if this topples Akamai, the attackers will take on another target and bring them down the same way, and so on, and so on... [youtube.com]
Re: (Score:2)
It would be better if Akamai survives, but is HURT by this choice of theirs, such that they revisit their policy.
Re: (Score:2)
So basically anyone someone decides to DDoS should be automatically dropped from the internet is your plan?
NO
Re: So basically ... the attack wins? (Score:3)
I think the best thing would be to treat internet access much like we do electromagnetic spectrum, and require those using it to have some kind of accountability in that if they participate in a ddos, willingly or not, then they have to have their access throttled to something like 128kbit, even if they switch ISPs, and they can only have it unthrottled once they decide to secure their devices or otherwise stop participating in ddos.
Re: (Score:3)
Unfortunately, this has always been the case. The whole point of a DDoS is the ability of the attacker to multiply its efforts enormously. The only possible defense against any and all DDoS attacks would be to own more than half the bandwidth of the network, which hopefully nobody ever will -- or at least more than any adversary or group of adversaries can ever point your way. Since the attackers are not paying for the bandwidth, and Akamai is, the attackers win by economic siege.
Either Akamai can bow and take down Krebs, or they can let the whole ship go down in a symbolic gesture. Which one would you do, if you had a business to run?
Has it been discussed before to modify either layer 1 or TCP standards to include a DDoS ICMP/other response upstream that indicates that there is a stream of unwanted, high-bandwidth data coming from a source IP of xxx.xxx.xxx.xxx, going all the way back to the source's downstream node in each case. If the traffic is confirmed, block traffic to the reporting IP. If not, don't. Simple standard (yes, many issues that can be exploited or abused, but those can be worked around simply).
Not understanding why
Re:So basically ... the attack wins? (Score:5, Insightful)
Alas, no. That would have been possible in the before time when a T1 was a lot of bandwidth and the threat was a DOS rather than a DDOS.
In a DDOS, no one host is a big contributor, but there are a lot of hosts. Consider, you have 10,000 hosts (a SMALL attack) fetching valid URLs from your web server and sending them to /dev/null. Now, which of the 10100 hosts fetching pages from you do you want shot down? Keep in mind, your objective includes not letting the attacker win. To add to the "fun", those 10,000 hosts will rotate out and be replaced by others in a much larger pool fairly frequently.
Re: So basically ... the attack wins? (Score:2)
You ask a very good and intelligent question there. I don't know what other people's thoughts are, but my method would have to be non-public, as that easily presents workarounds. Having said that, that isn't going to happen so I'll have to answer your question. I got a way into it before I deleted everything and typed this response. You'll see a response later this weekend. Drawing board time, literally.
Re: (Score:2)
See https://slashdot.org/comments.... [slashdot.org]
Re: (Score:2)
There has to be something different in the TCP headers, the ordering of the packets, SOMETHING, that differentiates a browser and a standardized DDoS attack drones' packets.
If that is researched and is NOT the case, I see the only way around it being a Human verification system, like CAPTCHA. Fail CAPTCHA > 3 times, block IP. But this IP blocking has to be done upstream and has to have a punishment system for sites that abuse it.
Basically, there has to be a head controller of Internet comms (an organiz
Re: (Score:2)
Sorry, there's really no difference. An attacker can easily appear to be the browser of their choice.
Going to CAPTCHAs that would actually work would be as bad as shutting the routers off and going home. Are you really willing to solve a captcha every time a daemon on your system wants to do a DNS lookup or check in with a time server? Besides, they can actually be solved by putting up a porn site (solve the captcha, see the next image).
Re: So basically ... the attack wins? (Score:2)
Sorry, I didn't say that the CAPTCHA would cover a session, not an individual request. But, that would mean the whole concept of IP blocking after failure and all of the fallout would have to be tolerated or simplified. We know that's not going to happen. :(
Re: (Score:2)
The source IP of the traffic is spoofed. This would not be possible if all ISPs implemented BCP38, but some don't, so it is.
Re: (Score:2)
Why would you need to spoof IPs when you're using a botnet for a DDoS?
Re: (Score:2)
To make it even harder to stop.
Re: So basically ... the attack wins? (Score:2)
Agreed completely. I'm still thinking but your idea is one of the base must-dos. I have to think this through to make sure that I'm not saying it incorrectly, but my initial thought is that if the protocol is not being used, you're automatically rejected. This puts a big limit upfront and encourages companies and individuals to upgrade firmware/OS on all routers to be compliant. If not, fingers can be pointed at the individual devices and companies running those devices that refuse to comply. Consumer de
Re: (Score:2)
You don't implement BCP38 and any new DDoS prevention and mitigation standards, you become the first to be blocked upstream
The only ones who can do that are the large backhaul providers. Why would they annoy their customers by enforcing a policy that means they have to move less data? That would be a daft business move.
Re: So basically ... the attack wins? (Score:2)
The more I've thought about this, there is always a dead end. You just mentioned one - customer satisfaction.
Unless DDoS attacks start ruining the online video viewing & Facebook addiction satisfaction of consumers, I don't see a solution in sight.
I came up with about 5 different solutions that could work, but every one of them involved the average consumer understanding its purpose and accepting it. That, as the intelligent know, means that it ain't gonna happen. In each of the solutions I came up wit
Re: (Score:2)
> Without Russian, China, and India going along with it, it would probably fail.
Why, any non-participating countries can just be throttled as the source country is known and participation in the DDoS is known (if it isn't, the agreement is useless anyway).
Re: (Score:2)
The reason is irrelevant. The message is clear: You want to silence your opposition? Conduct a DDoS until your enemy's hoster decides that you're more hassle than he is worth.
Talk about encouragement for future activities...
Butthead impression, if I may, from the 90's MTV series Beavis and Butthead:
"WHOOOAAH. It really DOES work. Uuhuhuhuh huhuhuhuhuh."
Re:So basically ... the attack wins? (Score:5, Informative)
Before using terms like "shamefully", you really should know all the facts...
Re: (Score:2)
I believe that the reason Akamai kicked him out was because they didn't want to risk their entire network for one client, at least not without him paying considerably more than he does. At the end of the day, there is a limit to what even Akamai's network can take.
Which is another way of saying that the attackers won.
Shachar
Disclaimer: I've worked for Akamai for a year and a half, up until two years ago, in a technical role. I do not speak for Akamai.
Re: (Score:2)
Akamai cached sites don't move between IPs. They are hosted on all of them. Anycast is used to direct your request to the DNS server nearest you, which then goes on to direct your actual HTTP request to the server nearest you. If the attacking computers are geographically located in a certain area, that area will suffer gravely, but other areas won't be affected at all.
As such, ANY Akamai hosted site is DDoS protected by nature. A few years ago, an iOS update was sluggish to arrive. Afterwards, we were tol
Re: So basically ... the attack wins? (Score:5, Informative)
Akamai were providing him service for free up to that point:
https://twitter.com/briankrebs/status/779111614226239488
So up to this point they had been eating the cost of hosting him and defending against attacks. This one just got too big for too long.
Re: So basically ... the attack wins? (Score:5, Insightful)
They weren't hosting him for free, there's no such thing as free.
They were hosting him because it was good PR for them to be able to say "Yeah, we're capable of holding up this high value target's website just fine regardless of all the attacks he regularly comes under".
This is a tacit admittance that Akamai's business model has changed from high end bulletproof host to just another host that will not keep your site up in the face of a DDOS. This is rather unfortunate for them, because such low end hosts are widely available, and at a far lower price point.
I wish them luck with their new model as just another host chasing the low hanging fruit. They've sacrificed an incredibly important unique selling point for them - their reputation as a host that will keep you going no matter what.
Re: (Score:2)
This sums up my thoughts so much better than I could... and I totally agree... this is really a big black mark on Akamai.
Re: (Score:2)
Excellent summary of my thoughts on Akamai's actions.
He should consider using a .bit address with Zeronet.
Re: (Score:3, Interesting)
He should consider using a .bit address with Zeronet.
He should publish his site on Freenet [freenetproject.org]. There's no such thing as a DDoS there, quite the opposite: the more requests there are for a specific URL, the more widely that content is propagated across the network, making it easier and faster for everyone to load. I say again, you cannot DDoS a Freenet site, there is no server to DDoS, as the content is distributed and hosted across the entire network. The only thing he'd lose is the comment section (Freenet's design is not conducive to interactive/dynamic stuff
Re: (Score:2)
He should consider using a .bit address with Zeronet.
He should publish his site on Freenet [freenetproject.org]. There's no such thing as a DDoS there, quite the opposite: the more requests there are for a specific URL, the more widely that content is propagated across the network, making it easier and faster for everyone to load. I say again, you cannot DDoS a Freenet site, there is no server to DDoS, as the content is distributed and hosted across the entire network. The only thing he'd lose is the comment section (Freenet's design is not conducive to interactive/dynamic stuff like commenting).
He'd lose his comment section, and his site's visibility to anyone who isn't running Freenet on their machine. Mentioning a fix isn't going to change people's ignorance of best-method and workaround solutions. Good idea, just not doable.
This was one hell of an attack (Score:4, Interesting)
From the write-up on it, it was peaking at 665 gigabits/sec and was leveraging a massive botnet trying to make direct connections instead of using DNS reflection. They kept his site up during this and numerous other large scale attacks. Claiming that Akamai isn't a "bullet proof" host because they decided their support cost and impact to their customers outweighed the free-marketing/goodwill is just asinine. You're the same entitled person that uses free web services and then b*tches when they start charging or go under, aren't you?
Re: (Score:3)
You're the same entitled person that uses free web services and then b*tches when they start charging or go under aren't you?
I'm not a business person. If someone tells me that they have some "free" business plan that they claim will work, I can be skeptical, but it's not really on me when they are exposed as wrong. If you advertise a service as one thing and then pull a switcharoo, you should be called out. You call that "entitlement", I call it broken promises - though I'll also go along with "naive", since by now we should probably just ignore the promises of "free". Though here I am using gmail for going on a decade and a hal
Re: (Score:3)
Though here I am using gmail for going on a decade and a half...
Gmail has never been free, it is paid for by advertising.
Re: (Score:2)
When I came to Slashdot, they promised a pedant-free experience.
Re:So basically ... the attack wins? (Score:5, Insightful)
I might be a conspiracy theorist here, but what might Akamai gain by blocking the guy who's taking down one of the largest criminal organizations providing the type of attacks that Akamai is being paid for to prevent?
Re: (Score:3)
Umm... NIMBY. As in "yes, we like what he does, but he should be hosted somewhere else".
Re:So basically ... the attack wins? (Score:5, Insightful)
If that's the case, and it was starting to impact paying customers, it's an understandable move.
Re: (Score:3, Interesting)
It's not that we don't understand it (frankly, people, who would act differently?), what is troublesome is the signal this broadcasts.
Re:So basically ... the attack wins? (Score:5, Funny)
* Largest DDoS attack mitigated to date: 321 Gbps, 71.5 Mpps
Lol. Looks like we're gonna need a bigger boat.
Re: (Score:3)
It's always a problem with pro-bono clients or favors for friends client. If it was a top-paying client, they might have pulled out all the stops to prevent the attack. Every pro-bono and service provider (whether lawyer, ad agency, programmer, etc.) understands the dynamics. Full-freight clients come first and the top two or three clients come even before them. Discounted, best-efforts, pro-bono and clients of friends come below.
Hopefully, the relationship is described and understood in advance.
Re: (Score:2)
They hosted him pro bono
Re: (Score:2)
Re: (Score:3)
I would imagine if he paid them what it costs to mitigate that kind of onslaught for days and days he would be online. I am certain that his blog being offline for a few days or weeks till this stops isn't worth it to ANYONE to use the resources to keep it up.
Re: (Score:3, Interesting)
Re: (Score:2)
Akamai was hosting him for free. Of course, a smarter move would have been to say "We are Akamai, sites hosted by us do not go down" and exploit this for all its PR value. Of course, that takes management with a vision, MBA bean-counters do not need to apply.
Re: So basically ... the attack wins? (Score:5, Insightful)
Re: (Score:2)
There is no defense against a DDoS except bandwidth
Sure there are.
- intelligent routing of the inbound traffic
- intelligent handling and dropping of the inbound traffic
- controlled service degradation
- legal action
- the criminal justice system
- a B2 bomber improving its fuel efficiency by discarding excess baggage on the Cypriot dacha of the cunt behind it
I'm not even a security or network expert so I'm sure I've missed a few.
Re: So basically ... the attack wins? (Score:2)
Re: (Score:2)
Even this DDoS attack is still drastically smaller than Akamai's purported bandwidth. The whole point in their network is that they're supposed to be so distributed, with so much bandwidth that withstanding even this should be trivial - they claim to serve up to 30% of the world's daily requests, their network has a capacity of 30 Tbps and they're bottling it in the face of a 0.6 Tbps DDoS attack.
This was really always Akamai's selling point - precisely that they do have far more bandwidth than any DDoS will
Re: (Score:2)
Akamai folded, Krebs is down (Score:5, Interesting)
Akamai were handling it as of yesterday, but it seems that they decided it was too expensive to stand by their client while he is under attack.
Maybe a coincidence, but this started to happen after Krebs exposed anti-DDoS 'protection' firm BackConnect's use of BGP hijacking.
Re: Akamai folded, Krebs is down (Score:4, Interesting)
It's more than likely that BackConnect has DDoS'ers on staff...a quick look at their employees and their past guarantees it.
The ultimate business model! DDoS a site, then come to them saying you'll help.
Re: (Score:3)
Indeed that seems to be the case, but the information is out there. If they want to shut Krebs up, they will need to take down faceplant and twaddle as well.
Re:Akamai folded, Krebs is down (Score:5, Informative)
too expensive to stand by their client
He wasn't their (paying) client. He is a benefit to the infosec society, and was provided pro bono service in appreciation of and to assist his work.
This attack probably cost Akamai a significant amount of money, so it's reasonable that they'd cut it off for a while.
Not a surprise (Score:4, Insightful)
Akamai has a fiduciary responsibility to others on their network to ensure that they are not impacted by a single user. They were providing the service for free to Brian Krebs, he stated this. I do not work for Akamai (one of their competitors actually) but this is very, very common in this space.
So long... (Score:5, Insightful)
But does that mean that they'll kick their paying customers off as well if the costs of defending them against attacks exceed the revenue they're getting from that specific customer? If so that would mean you could put Akamai out of business just by targeting one customer at a time, moving on to a new one as each one was evicted from the service.
Seems to me this is a design flaw of the web (Score:2)
This seems like something a distributed symmetric system like bittorrent could fix. Each browser already caches files for the web sites it's visited. If they could also be made to serve those cached pages to other web browsers (with a checksum to allow the new recipient to detect and discard corrupted caches), that would solve server overloading. The more pop
Re: (Score:2)
So they booted him off because he was costing them a ton of money and wasn't paying anything. (I guess they were providing him service as a charity?)
But does that mean that they'll kick their paying customers off as well if the costs of defending them against attacks exceed the revenue they're getting from that specific customer? If so that would mean you could put Akamai out of business just by targeting one customer at a time, moving on to a new one as each one was evicted from the service.
Interesting question. Let's find out. Who wants to volunteer? ;)
Re: (Score:3)
I'd speculate that's exactly what they're talking about. Building and maintaining that infrastructure isn't free. If you have one guy using up X% of it, it's pretty reasonable to start thinking that the cost of serving that one guy is X% of your ongoing infrastructure costs.
So, did Krebs personally cost them a ton of money? Probably not. Would he if they committed to keep serving him AND that sort of traffic load c
Pro Bono (Score:5, Insightful)
I don't blame Akamai at all and it sounds like Krebs doesn't either. There were a ridiculous amount of resources used on the attack and that shit gets expensive to block.
Re: (Score:2, Interesting)
If blacklisting IPs used in DDOSs could be reliably automated, it wouldn't be a problem.
Re: (Score:2)
This appears to have been an action by a very, very large botnet. Blacklisting the IPs would mean identifying them, separating Joe who just wants to read what Krebs has to say from Jim who's part of a botnet.
Re: (Score:3)
Proper egress filtering by consumer ISPs would stop most of the DNS/NTP/etc amplification attacks overnight. There's absolutely no reason any packets should be leaving, say, Comcast's network with an Akamai source IP on them. But this isn't an amplification attack, at least according to the previous article. This is apparently the old style DDoS, think LOIC, many thousands of hosts making "legitimate" (as far as the TCP transaction is concerned) connections, exhausting resources, sending giant requests, etc
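Added example, not part of the thread or any poster's code: a sketch of the BCP38-style source-address check the comments above refer to, run over constructed packets at a provider edge. Interface names and prefixes are assumptions (documentation address ranges); the packet from 198.51.100.7 shows why this filter stops spoofed and reflected traffic but not bots that connect from their real addresses.

```python
import ipaddress
from collections import Counter

# Constructed topology: customer-facing interface -> prefixes assigned to it.
# Interface names are hypothetical; prefixes are documentation ranges
# (RFC 5737 for IPv4, RFC 3849 for IPv6).
ASSIGNMENTS = {
    "cust-a": ["192.0.2.0/24", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/25"],
}


class SourceValidator:
    """Permit a packet only if its source address belongs to a prefix
    assigned to the interface it arrived on (the BCP38 idea)."""

    def __init__(self, assignments):
        self.table = {
            iface: [ipaddress.ip_network(p) for p in prefixes]
            for iface, prefixes in assignments.items()
        }

    def check(self, iface, src):
        """Return (permit, reason). Fails closed on anything unexpected."""
        nets = self.table.get(iface)
        if nets is None:
            return False, "unknown-interface"
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False, "malformed-source"
        # An IPv4 address is never "in" an IPv6 network and vice versa,
        # so mixed address families are handled by the membership test.
        if any(addr in net for net in nets):
            return True, "ok"
        return False, "spoofed-source"

    def run(self, packets):
        """Split packets into forwarded ones and per-(interface, reason) drop counts."""
        forwarded, drops = [], Counter()
        for pkt in packets:
            permit, reason = self.check(pkt["iface"], pkt["src"])
            if permit:
                forwarded.append(pkt)
            else:
                drops[(pkt["iface"], reason)] += 1
        return forwarded, drops


# Constructed sample traffic (not captured data).
SAMPLE = [
    # Ordinary customer traffic.
    {"iface": "cust-a", "src": "192.0.2.10", "dst": "203.0.113.80"},
    # Source forged as a third party's address: dropped at the edge.
    {"iface": "cust-a", "src": "203.0.113.80", "dst": "198.51.100.200"},
    # IPv6 customer traffic inside the assigned /48.
    {"iface": "cust-a", "src": "2001:db8:a::5", "dst": "2001:db8:ffff::1"},
    # Same /24 as the customer but outside the assigned /25: dropped.
    {"iface": "cust-b", "src": "198.51.100.200", "dst": "203.0.113.80"},
    # Infected device sending from its real address: passes the filter.
    {"iface": "cust-b", "src": "198.51.100.7", "dst": "203.0.113.80"},
    # Unparseable source and unknown interface both fail closed.
    {"iface": "cust-b", "src": "not-an-ip", "dst": "203.0.113.80"},
    {"iface": "cust-z", "src": "192.0.2.10", "dst": "203.0.113.80"},
]


def demo():
    """Run the validator over SAMPLE and return (forwarded sources, drop counts)."""
    forwarded, drops = SourceValidator(ASSIGNMENTS).run(SAMPLE)
    return [p["src"] for p in forwarded], dict(drops)


if __name__ == "__main__":
    sources, drops = demo()
    print("forwarded:", sources)
    for key, count in sorted(drops.items()):
        print("dropped:", key, count)
```

The per-interface drop counters are what an operator would alert on: a customer port that suddenly accumulates spoofed-source drops is a sign of a compromised device behind it.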
Re: (Score:2)
Exactly (Score:2, Insightful)
Blocking DDos is bread and butter basics to a content delivery network, so why are they delivering 620Gbps of data on a DDOS attack?
I would consider it to be good practice, for when a more important customer gets attacked. At the very least I would consider it BAD practice to show that DDos can work easily against an Akamai site.
Akamai need to do an about turn, politely tackle the DDos and sack the idiot that decided they'd fold to a simple distributed denial of service attack.
Re: Pro Bono (Score:5, Insightful)
If I was in Akamai's shoes that is what I would have done - get it off the network for a while, let anger, hot waves, hormones, or whatever other human emotion is fueling it cool off for a while. (And btw, never get a connected car because of this, especially one you need to start with your cellphone)
Short of dropping the network completely off the BGP table in order to stop this at the source or the closest network to the source that speaks BGP cost will always be accrued. And it doesn't help that these days most network aggregate announces to
Been there, done that 12-14 years ago. Much hasn't changed, only the numbers - 65 to 650 Mbps back then, 650Gbps now.
Oh, I miss the days when someone on a 19.9Kbps modem could generate a 2+Mbps flood due to ppp compression.
Re: (Score:2)
It's already happening with IP cameras and IoT. https://twitter.com/olesovhcom... [twitter.com]
Idiots (Score:5, Informative)
Re: (Score:2)
Re: (Score:3)
Bad publicity is one thing. Being the target of the BY FAR biggest DDoS in history is another thing. They can have the best publicity on earth if they have to fold tomorrow because all their customers bail due to not being reachable because of the DDoS.
Conspiracy Theory! (Score:2, Interesting)
Akamai does not like Krebs exposing out the DDoS attackers, because fear of DDoS is what brings Akamai business. This is a good excuse to try to get rid of Krebs.
I have said it before, and I will say it again: Brian Krebs rocks.
Re: Conspiracy Theory! (Score:2, Interesting)
On the gripping hand, this is great publicity for the DDOS service behind the attack
Re: (Score:2)
Akamai does not like Krebs exposing out the DDoS attackers, because fear of DDoS is what brings Akamai business. This is a good excuse to try to get rid of Krebs.
That doesn't make sense. Akamai can't convincingly say "We can help [you businesses] with this scary problem of DDoS attacks" when Akamai demonstrably couldn't protect Krebs from a DDoS attack. From a financial perspective (i.e. "This is costing us too much money"), their actions make sense. From a conspiratorial one? Not at all.
Re: (Score:2)
So much for Akamai... (Score:2)
If they can't handle a DDOS, any DDOS competently then they just made it clear they are a minor player....
Wonder if AWS, Azure or Google will pick him up as a PR move.
Re: (Score:2)
Any service can be taken down with a DDoS attack from a sufficiently large botnet. Are you contending there are no major players?
This is what happens. . . (Score:4, Interesting)
when you're honest. Krebs doesn't pull his punches and the whiners of the world (i.e. those he lambasted for having low quality products or game play) don't like it and now they're being petulant two year olds.
Just goes to show the mentality of supposed adults. Especially the cowards who sit behind a keyboard and try to destroy the work of others because they didn't get their lollipop.
So the lesson is: (Score:2)
Cyber-terrorism gets you what you want apparently.
Akamai Technologies should be dumped by everyone who uses them and should not get any new customers.
archive.is link. (Score:3)
Here's an archive.is link [archive.is] for those not wanting to deal with BI's paywall.
Where's that guy from the thread a few days ago! (Score:3, Funny)
Where's that Slashdotter from the thread last week who posted 5 easy steps to stopping a DDoS! Akamai needs your "expertise"!
Google Sites (Score:2)
WayBack link to his site, with lead of recent post (Score:2)
Since it'll be offline for a while, perhaps... Israeli Online Attack Service ‘vDOS’ Earned $600,000 in Two Years [archive.org].
Maybe Krebs should talk to Google (Score:2)
Maybe Krebs should talk to Google about getting on their Project Shield [withgoogle.com]
Akamai Technologies can't protect you against DDoS (Score:2)
Was the DDoS why Akamai discontinued service? (Score:2)
Re: 620 Gbps per second (Score:5, Funny)
Yup. Twice the redundancy per second per second.
Re: (Score:2)
Are you here to provide a sample of what kind of spam the DDoS traffic consisted of or what's that got to do with the story?
Re: (Score:2)
I wouldn't say that - the size of the attack is beyond anything seen before. They are reporting 665 Gbps. Let the sheer size of that number sink in for a while.
Re: (Score:3)
Re: (Score:3)
Re: (Score:2)
Actually, the summary says 620gbpsps. Even worse!
Re: (Score:3)
It's "kapakahi".
http://wehewehe.org/gsdl2.85/c... [wehewehe.org]
vs. One-sided, crooked, lopsided, sideways; bent, askew; biased, partial to one side; to show favoritism. Lit., one side. Cf. lawe kapakahi. Kū kapakahi ka lā ma Wai-anae (saying), the sun appears lopsided at Wai-anae [said by the goddess Hiiaka while her lover was dallying with someone else, hence said of any unlawful dallying].
"kapakai" is very different:
http://wehewehe.org/gsdl2.85/c... [wehewehe.org]
vs. To wait for. Rare.
Re: (Score:2)
Just trying to help the haole :)
I'll bet you think it's called "Harry Karry" too :) Or "Karry okie" :)
Re: (Score:2)
Um, it's "kapakahi" in pidgin too. Not sure what school yard you were in when you heard "kapakahi", but if you missed the "h", it's your hearing that's off, or they had a speech impediment.
Your cite is from a haole :)
Try Peppo's: http://www.aloha-hawaii.com/cu... [aloha-hawaii.com]
"CHOP SUEY
Kapakahi; all mixed up."
But go ahead, tell me more about what a local boy you were, and how haoles taught you how to speak pidgin :)
Re:This is a very real threat to free speech. (Score:4, Insightful)
The reason that this DDos is able to generate so much force is they aren't just using malware-infected PCs. They are also using security cameras and other devices that connect to the internet. Thanks to all the companies who don't give two shits about securing their devices.
Re: (Score:3)
Re: (Score:2)
Or, you know - blame ISP's for not shutting down DDOS nodes. I assume the biggest problem is that we don't have a DDOS early-warning system for flagging and cutting abusers from the upstream pro-actively.