Slashdot Mirror


Akamai Kicked Journalist Brian Krebs' Site Off Its Servers After He Was Hit By a Record Cyberattack (businessinsider.com)

An anonymous reader writes: Cloud hosting giant Akamai Technologies has dumped journalist Brian Krebs from its servers after his website came under a "record" cyberattack. "It's looking likely that KrebsOnSecurity will be offline for a while," Krebs tweeted Thursday. "Akamai's kicking me off their network tonight." Since Tuesday, Krebs' site has been under sustained distributed denial-of-service (DDoS), a crude method of flooding a website with traffic in order to deny legitimate users from being able to access it. The assault has flooded Krebs' site with more than 620 Gbps per second of traffic -- nearly double what Akamai has seen in the past.


  1. So basically ... the attack wins? by DavidRawling · · Score: 5, Informative

    Seems to me the attackers win, at least in the short term, because the caching and CDN provider (who I expect was probably contracted and paid, although it's entirely up to Brian how he handles his business affairs, it does seem likely) takes the site off the air anyway. That being the case ... what's the point of having that contracted relationship, if they dump you anyway?

    1. Re:So basically ... the attack wins? by sinij · · Score: 3, Insightful

      Yes, but not for technical reasons (DDoS succeeding in overwhelming ISP). Akamai shamefully decided to dump Krebs.

    2. Re: So basically ... the attack wins? by Anonymous Coward · · Score: 5, Informative

      Akamai were providing him service for free up to that point:

      https://twitter.com/briankrebs/status/779111614226239488

      So up to this point they had been eating the cost of hosting him and defending against attacks. This one just got too big for too long.

    3. Re:So basically ... the attack wins? by mwvdlee · · Score: 4, Insightful

      I might be a conspiracy theorist here, but what might Akamai gain by blocking the guy who's taking down one of the largest criminal organizations providing the type of attacks that Akamai is being paid for to prevent?

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    4. Re:So basically ... the attack wins? by DougOtto · · Score: 4, Insightful

      I read somewhere that there was no contract but rather Akamai was providing the service pro-bono.

      If that's the case, and it was starting to impact paying customers, it's an understandable move.

      --
      Solving Unix problems since 1989...
    5. Re:So basically ... the attack wins? by Opportunist · · Score: 5, Insightful

      The reason is irrelevant. The message is clear: You want to silence your opposition? Conduct a DDoS until your enemy's hoster decides that you're more hassle than he is worth.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:So basically ... the attack wins? by Opportunist · · Score: 2

      Umm... NIMBY. As in "yes, we like what he does, but he should be hosted somewhere else".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re:So basically ... the attack wins? by Opportunist · · Score: 2, Interesting

      It's not that we don't understand it (frankly, people, who would act differently?), what is troublesome is the signal this broadcasts.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:So basically ... the attack wins? by Horus1664 · · Score: 2

      ...so if he'd paid $20 a month he'd be ok ? (Or you'd be outraged?)

    9. Re: So basically ... the attack wins? by Xest · · Score: 5, Insightful

      They weren't hosting him for free, there's no such thing as free.

      They were hosting him because it was good PR for them to be able to say "Yeah, we're capable of holding up this high value target's website just fine regardless of all the attacks he regularly comes under".

      This is a tacit admittance that Akamai's business model has changed from high end bulletproof host to just another host that will not keep your site up in the face of a DDOS. This is rather unfortunate for them, because such low end hosts are widely available, and at a far lower price point.

      I wish them luck with their new model as just another host chasing the low hanging fruit. They've sacrificed an incredibly important unique selling point for them - their reputation as a host that will keep you going no matter what.

    10. Re:So basically ... the attack wins? by Mal-2 · · Score: 2

      Unfortunately, this has always been the case. The whole point of a DDoS is the ability of the attacker to multiply its efforts enormously. The only possible defense against any and all DDoS attacks would be to own more than half the bandwidth of the network, which hopefully nobody ever will -- or at least more than any adversary or group of adversaries can ever point your way. Since the attackers are not paying for the bandwidth, and Akamai is, the attackers win by economic siege.

      Either Akamai can bow and take down Krebs, or they can let the whole ship go down in a symbolic gesture. Which one would you do, if you had a business to run?

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    11. Re:So basically ... the attack wins? by Impy+the+Impiuos+Imp · · Score: 4, Funny

      * Largest DDoS attack mitigated to date: 321 Gbps, 71.5 Mpps

      Lol. Looks like we're gonna need a bigger boat.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    12. Re:So basically ... the attack wins? by koreanbabykilla · · Score: 2

      I would imagine if he paid them what it costs to mitigate that kind of onslaught for days and days he would be online. I am certain that his blog being offline for a few days or weeks till this stops isn't worth it to ANYONE to use the resources to keep it up.

    13. Re:So basically ... the attack wins? by jofas · · Score: 3, Interesting

      You've obviously never seen an Akamai invoice...

    14. Re: So basically ... the attack wins? by Anonymous Coward · · Score: 3, Interesting

      He should consider using a .bit address with Zeronet.

      He should publish his site on Freenet. There's no such thing as a DDoS there, quite the opposite: the more requests there are for a specific URL, the more widely that content is propagated across the network, making it easier and faster for everyone to load. I say again, you cannot DDoS a Freenet site, there is no server to DDoS, as the content is distributed and hosted across the entire network. The only thing he'd lose is the comment section (Freenet's design is not conducive to interactive/dynamic stuff like commenting).

    15. Re: So basically ... the attack wins? by Aristos+Mazer · · Score: 4, Insightful

      They are incapable of dealing with the largest DDoS they've ever seen, double the previous record. There is no defense against a DDoS except bandwidth, so there's an upper bound that will take down *any* provider. Akamai is a high-end defender, but in this space, attackers have the clear upper hand.

    16. Re:So basically ... the attack wins? by Anonymous Coward · · Score: 5, Informative

      Before using terms like "shamefully", you really should know all the facts...

      Before everyone beats up on Akamai/Prolexic too much, they were providing me service pro bono. So, as I said, I don't fault them at all.

      — briankrebs (@briankrebs) September 23, 2016

    17. Re: So basically ... the attack wins? by ArmoredDragon · · Score: 2

      I think the best thing would be to treat internet access much like we do electromagnetic spectrum, and require those using it to have some kind of accountability in that if they participate in a ddos, willingly or not, then they have to have their access throttled to something like 128kbit, even if they switch ISPs, and they can only have it unthrottled once they decide to secure their devices or otherwise stop participating in ddos.

    18. Re:So basically ... the attack wins? by poofmeisterp · · Score: 2

      Unfortunately, this has always been the case. The whole point of a DDoS is the ability of the attacker to multiply its efforts enormously. The only possible defense against any and all DDoS attacks would be to own more than half the bandwidth of the network, which hopefully nobody ever will -- or at least more than any adversary or group of adversaries can ever point your way. Since the attackers are not paying for the bandwidth, and Akamai is, the attackers win by economic siege.

      Either Akamai can bow and take down Krebs, or they can let the whole ship go down in a symbolic gesture. Which one would you do, if you had a business to run?

      Has it been discussed before to modify either layer 1 or TCP standards to include a DDoS ICMP/other response upstream that indicates that there is a stream of unwanted, high-bandwidth data coming from a source IP of xxx.xxx.xxx.xxx, going all the way back to the source's downstream node in each case? If the traffic is confirmed, block traffic to the reporting IP. If not, don't. Simple standard (yes, many issues that can be exploited or abused, but those can be worked around simply).

      Not understanding why DDoS is still such a problem if it's stoppable.

    19. Re:So basically ... the attack wins? by sjames · · Score: 4, Insightful

      Alas, no. That would have been possible in the before time when a T1 was a lot of bandwidth and the threat was a DOS rather than a DDOS.

      In a DDOS, no one host is a big contributor, but there are a lot of hosts. Consider, you have 10,000 hosts (a SMALL attack) fetching valid URLs from your web server and sending them to /dev/null. Now, which of the 10100 hosts fetching pages from you do you want shot down? Keep in mind, your objective includes not letting the attacker win. To add to the "fun", those 10,000 hosts will rotate out and be replaced by others in a much larger pool fairly frequently.

    20. Re:So basically ... the attack wins? by klubar · · Score: 2

      It's always a problem with pro-bono clients or favors for friends client. If it was a top-paying client, they might have pulled out all the stops to prevent the attack. Every pro-bono and service provider (whether lawyer, ad agency, programmer, etc.) understands the dynamics. Full-freight clients come first and the top two or three clients come even before them. Discounted, best-efforts, pro-bono and clients of friends come below.

      Hopefully, the relationship is described and understood in advance.

  2. Akamai folded, Krebs is down by sinij · · Score: 4, Interesting

    From Krebs on Security site: "The attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second."

    Akamai were handling it as of yesterday, but it seems that they decided it was too expensive to stand by their client while he is under attack.

    Maybe a coincidence, but this started to happen after Krebs exposed anti-DDoS 'protection' firm BackConnect's use of BGP hijacking.

    1. Re: Akamai folded, Krebs is down by Anonymous Coward · · Score: 4, Interesting

      It's more than likely that BackConnect has DDoS'ers on staff...a quick look at their employees and their past guarantees it.

      The ultimate business model! DDoS a site, then come to them saying you'll help.

    2. Re:Akamai folded, Krebs is down by Sarten-X · · Score: 4, Informative

      too expensive to stand by their client

      He wasn't their (paying) client. He is a benefit to the infosec society, and was provided pro bono service in appreciation of and to assist his work.

      This attack probably cost Akamai a significant amount of money, so it's reasonable that they'd cut it off for a while.

      --
      You do not have a moral or legal right to do absolutely anything you want.
    3. Re: Akamai folded, Krebs is down by toonces33 · · Score: 2

      Indeed that seems to be the case, but the information is out there. If they want to shut Krebs up, they will need to take down faceplant and twaddle as well.

  3. Not a surprise by Anonymous Coward · · Score: 4, Insightful

    Akamai has a fiduciary responsibility to others on their network to ensure that they are not impacted by a single user. They were providing the service for free to Brian Krebs, he stated this. I do not work for Akamai (one of their competitors actually) but this is very, very common in this space.

  4. So long... by Daetrin · · Score: 4, Insightful

    So they booted him off because he was costing them a ton of money and wasn't paying anything. (I guess they were providing him service as a charity?)

    But does that mean that they'll kick their paying customers off as well if the costs of defending them against attacks exceed the revenue they're getting from that specific customer? If so that would mean you could put Akamai out of business just by targeting one customer at a time, moving on to a new one as each one was evicted from the service.

    --
    This Space Intentionally Left Blank
    1. Re:So long... by SecurityGuy · · Score: 2

      Akamai is present at practically every internet exchange, and peers with basically anyone.

      I'd speculate that's exactly what they're talking about. Building and maintaining that infrastructure isn't free. If you have one guy using up X% of it, it's pretty reasonable to start thinking that the cost of serving that one guy is X% of your ongoing infrastructure costs.

      So, did Krebs personally cost them a ton of money? Probably not. Would he if they committed to keep serving him AND that sort of traffic load continued? Yes.

  5. Pro Bono by hodagacz · · Score: 5, Insightful

    I don't blame Akamai at all and it sounds like Krebs doesn't either. There were a ridiculous amount of resources used on the attack and that shit gets expensive to block.

    1. Re: Pro Bono by Anonymous Coward · · Score: 2, Interesting

      If blacklisting IPs used in DDOSs could be reliably automated, it wouldn't be a problem.

    2. Re: Pro Bono by I4ko · · Score: 4, Insightful

      Are you serious? Blocking traffic at high packet rate is expensive - CPU cycles, even with null routing even with FPGAs. It gets expensive as electrical cost at this level - extra heating, extra cooling, extra power. Even if your upstream has provided you with a blacklist community in their BGP announce policy, that traffic is blocked by something. Spend too many CPU cycles on blocking traffic, you miss on a few routing table updates, the tables expire and all that is there behind that router is gone. Your upstream may not like that. This is 650Gbps, think about that for a second - if this is TCP handshake you are looking at something like 20Gpps. Let that sink for a second, actually no, let it sink for a minute.

      If I was in Akamai's shoes that is what I would have done - get it off the network for a while, let anger, hot waves, hormones, or whatever other human emotion is fueling it cool off for a while. (And btw, never get a connected car because of this, especially one you need to start with your cellphone)

      Short of dropping the network completely off the BGP table in order to stop this at the source or the closest network to the source that speaks BGP cost will always be accrued. And it doesn't help that these days most network aggregate announces to /17 or /16 and don't accept/transmit to peers smaller ones. If I was Akamai I would ask that he moves his DNS to one special /16 that I keep unannounced, but that is a whole lot of IP space wasted. Even if Akamai has agreements to be able to keep /24 granularity of announces to all their peers, and have Krebs's site in some of their big pops where there are larger blocks, it takes time to move other customers out of that block and into other blocks, so they can drop the block off the network for a while without affecting others, even though most of the traffic will reach Akamai's upstreams (from the traffic point of view).

      Been there, done that 12-14 years ago. Much hasn't changed, only the numbers - 65 to 650 Mbps back then, 650Gbps now.
      Oh, I miss the days when someone on a 19.9Kbps modem could generate a 2+Mbps flood due to ppp compression.

  6. Re: 620 Gbps per second by Sneeka2 · · Score: 5, Funny

    Yup. Twice the redundancy per second per second.

    --
    Bitten Apples are still better than dirty Windows...
  7. Idiots by edibobb · · Score: 5, Informative

    Akamai is throwing away a great marketing opportunity and turning it into a huge negative. Why would I move to Akamai, knowing that they'll kick me off their network if I ever have trouble? They're throwing away their primary competitive advantage with one stupid decision.

    1. Re:Idiots by Opportunist · · Score: 2

      Bad publicity is one thing. Being the target of the BY FAR biggest DDoS in history is another thing. They can have the best publicity on earth if they have to fold tomorrow because all their customers bail due to not being reachable because of the DDoS.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Exactly by Anonymous Coward · · Score: 2, Insightful

    Blocking DDos is bread and butter basics to a content delivery network, so why are they delivering 620Gbps of data on a DDOS attack?

    I would consider it to be good practice, for when a more important customer gets attacked. At the very least I would consider it BAD practice to show that DDos can work easily against an Akamai site.

    Akamai need to do an about turn, politely tackle the DDos and sack the idiot that decided they'd fold to a simple distributed denial of service attack.

  9. This is what happens. . . by smooth+wombat · · Score: 4, Interesting

    when you're honest. Krebs doesn't pull his punches and the whiners of the world (i.e. those he lambasted for having low quality products or game play) don't like it and now they're being petulant two year olds.

    Just goes to show the mentality of supposed adults. Especially the cowards who sit behind a keyboard and try to destroy the work of others because they didn't get their lollipop.

    --
    We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
  10. Re:This is a very real threat to free speech. by Anonymous Coward · · Score: 4, Insightful

    The reason that this DDos is able to generate so much force is they aren't just using malware-infected PCs. They are also using security cameras and other devices that connect to the internet. Thanks to all the companies who don't give two shits about securing their devices.

  11. Re:Haha Akamai is Kapakai by Zocalo · · Score: 2

    Actually, that's not the case, despite a lot of the coverage claiming it is. It's the largest seen by Akamai, but OVH reported a DDoS peaking at 800Gb/s earlier the same day - although there are no indications of a connection (yet?). What's perhaps more interesting about the DDoS on Krebs isn't the size of it so much that it apparently wasn't a UDP amplification attack, which is the norm for DDoS these days, but TCP/GRE - the botnet used was generating all that traffic on its own. Both attacks are far larger than any one group was thought capable of doing (until now) and might be an indication that the number of botnet operators might not be as large as suspected, but instead consists of a smaller number of operators with multiple botnets under their control.

    --
    UNIX? They're not even circumcised! Savages!
  12. Re:Haha Akamai is Kapakai by hsthompson69 · · Score: 2

    It's "kapakahi".

    http://wehewehe.org/gsdl2.85/c...

    vs. One-sided, crooked, lopsided, sideways; bent, askew; biased, partial to one side; to show favoritism. Lit., one side. Cf. lawe kapakahi. Kū kapakahi ka lā ma Wai-anae (saying), the sun appears lopsided at Wai-anae [said by the goddess Hiiaka while her lover was dallying with someone else, hence said of any unlawful dallying].

    "kapakai" is very different:

    http://wehewehe.org/gsdl2.85/c...

    vs. To wait for. Rare.

  13. Re:This is a very real threat to free speech. by Luthair · · Score: 2

    Recently botnets haven't really been the issue, they've mostly been reflection attacks which use DNS, NTP, etc. to amplify the size of the requests. If networks started to drop UDP packets with spoofed addresses that would reduce the problem significantly (so would convincing a huge number of people to fix their DNS or NTP servers, but that is harder).

  14. archive.is link. by Mal-2 · · Score: 2

    Here's an archive.is link for those not wanting to deal with BI's paywall.

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
  15. Where's that guy from the thread a few days ago! by bad-badtz-maru · · Score: 3, Funny

    Where's that Slashdotter from the thread last week who posted 5 easy steps to stopping a DDoS! Akamai needs your "expertise"!

  16. Re: Conspiracy Theory! by Anonymous Coward · · Score: 2, Interesting

    On the gripping hand, this is great publicity for the DDOS service behind the attack

  17. This was one hell of an attack by Anonymous Coward · · Score: 4, Interesting

    From the write-up on it, it was peaking at 665 gigabits/sec and was leveraging a massive botnet trying to make direct connections instead of using DNS reflection. They kept his site up during this and numerous other large scale attacks. Claiming that Akamai isn't a "bullet proof" host because they decided their support cost and impact to their customers outweighed the free-marketing/goodwill is just asinine. You're the same entitled person that uses free web services and then b*tches when they start charging or go under aren't you?

    1. Re:This was one hell of an attack by MightyYar · · Score: 2

      You're the same entitled person that uses free web services and then b*tches when they start charging or go under aren't you?

      I'm not a business person. If someone tells me that they have some "free" business plan that they claim will work, I can be skeptical, but it's not really on me when they are exposed as wrong. If you advertise a service as one thing and then pull a switcharoo, you should be called out. You call that "entitlement", I call it broken promises - though I'll also go along with "naive", since by now we should probably just ignore the promises of "free". Though here I am using gmail for going on a decade and a half...

      --
      W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    2. Re:This was one hell of an attack by itwerx · · Score: 2

      Though here I am using gmail for going on a decade and a half...

      Gmail has never been free, it is paid for by advertising.

  18. Re:Haha Akamai is Kapakai by I4ko · · Score: 2

    At that size I am sending employees on planes with jackhammers and bobcats to start cutting fibre near the source.

  19. Re:Null route automation is possible... apk by TroII · · Score: 2

    Proper egress filtering by consumer ISPs would stop most of the DNS/NTP/etc amplification attacks overnight. There's absolutely no reason any packets should be leaving, say, Comcast's network with an Akamai source IP on them. But this isn't an amplification attack, at least according to the previous article. This is apparently the old style DDoS, think LOIC, many thousands of hosts making "legitimate" (as far as the TCP transaction is concerned) connections, exhausting resources, sending giant requests, etc.
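
Added example (not part of the thread or of any poster's code): a minimal sketch of the egress source-address validation the comment above describes, showing why it stops spoofed reflection traffic but not a flood sent from real bot addresses. The prefixes, addresses and packet records are constructed from documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed: the prefix an access ISP has assigned to its own customers.
CUSTOMER_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]

VICTIM = "192.0.2.80"        # constructed: the site under attack
RESOLVER = "203.0.113.53"    # constructed: an open DNS resolver elsewhere

# Constructed packets arriving at the ISP's border on their way OUT:
# (source, destination, protocol, destination port, what it really is)
PACKETS = [
    # Reflection set-up: a bot forges the victim's address as the source so
    # the resolver's large answer goes to the victim.
    (VICTIM, RESOLVER, "udp", 53, "spoofed-reflection"),
    # A forged private-range source, typical of spoofed floods.
    ("10.1.2.3", VICTIM, "tcp", 80, "spoofed-random"),
    # Direct flood: an infected customer device using its own real address.
    ("198.51.100.23", VICTIM, "tcp", 80, "direct-flood"),
    ("198.51.100.24", VICTIM, "tcp", 80, "direct-flood"),
    # An ordinary customer browsing the same site.
    ("198.51.100.7", VICTIM, "tcp", 443, "legitimate"),
]


def egress_permitted(src, customer_prefixes=CUSTOMER_PREFIXES):
    """Allow a packet to leave only if its source is one of our own addresses."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in customer_prefixes)


def filter_egress(packets, customer_prefixes=CUSTOMER_PREFIXES):
    """Split packets into (forwarded, dropped) by source-address validation."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if egress_permitted(pkt[0], customer_prefixes) else dropped).append(pkt)
    return forwarded, dropped


def kinds(packets):
    """Sorted list of the 'what it really is' labels, for reporting."""
    return sorted(p[4] for p in packets)


if __name__ == "__main__":
    fwd, drp = filter_egress(PACKETS)
    print("dropped  :", kinds(drp))
    print("forwarded:", kinds(fwd))
```

The filter only sees the source address, so the direct flood is forwarded alongside the legitimate request: both carry valid customer sources, which is the distinction the comment draws between amplification attacks and this one.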

  20. Re:Conspiracy Theory! by ole_timer · · Score: 2

    i would pay akamai to kick off freeloaders so i'm protected. win-win for me. not so much for krebs.

    --
    nothing to see here - move along