Slashdot Mirror


Why the Silencing of KrebsOnSecurity Opens a Troubling Chapter For the Internet (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: For the better part of a day, KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposés reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet. The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service. A third post in the series is here. On Thursday morning, exactly two weeks after Krebs published his first post, he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data. That staggering amount of data is among the biggest ever recorded. Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free. The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity. Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers. The assault against KrebsOnSecurity represents a much greater threat for at least two reasons. First, it's twice the size.
Second and more significant, unlike the Spamhaus attacks, the staggering volume of bandwidth doesn't rely on misconfigured domain name system servers which, in the big picture, can be remedied with relative ease. The attackers used Internet-of-things devices since they're always-connected and easy to "remotely commandeer by people who turn them into digital cannons that spray the internet with shrapnel." "The biggest threats as far as I'm concerned in terms of censorship come from these ginormous weapons these guys are building," Krebs said. "The idea that tools that used to be exclusively in the hands of nation states are now in the hands of individual actors, it's kind of like the specter of a James Bond movie." While Krebs could retain a DDoS mitigation service, it would cost him between $100,000 and $200,000 per year for the type of protection he needs, which is more than he can afford. What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.

7 of 207 comments

  1. Re: We need a new secure internet by Anonymous Coward · · Score: 2, Informative

    That will be abused to cut off ISPs that tolerate piracy, and we can't let that happen. According to Slashdot users, piracy is a basic human right that nobody should be allowed to infringe upon.

  2. Re:Internet of Things? by AJWM · · Score: 4, Informative

    It's not just refrigerators and light switches.

    It's also light bulbs (Philips stupid mood thingie), thermostats (Nest, etc), nannycams (every manufacturer and his brother), (in)security systems, even fricking doorbells, et bloody cetera.

    And I'm sure I've left out some major categories.

    --
    -- Alastair
  3. Re:Wait a minute.. by Anonymous Coward · · Score: 4, Informative

    No, it needs a technical solution. Making ISPs liable for outbound traffic that doesn't originate from within their address range would deal with this.

    The rest can then be tackled by holding the source to blame - if you have a device that's spamming, well it's up to you to shut it down or pay up.

    The issue at present is that source IP spoofing is far too easy because the ISPs are routing traffic that can't legitimately be coming from inside their network.
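
The check the comment above asks of ISPs (drop outbound packets whose source address is not in the ISP's own range, the practice described in BCP 38) can be sketched as follows. This is an added example, not part of the comment or the article; the prefixes and flow records are constructed from documentation address ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed: prefixes a hypothetical ISP has assigned to its customers.
CUSTOMER_PREFIXES = [
    ipaddress.ip_network(p)
    for p in ("198.51.100.0/24", "203.0.113.0/25", "2001:db8:a::/48")
]

# Constructed outbound flow records at the ISP border: (source, destination, bytes).
SAMPLE_FLOWS = [
    ("198.51.100.23", "192.0.2.10", 1200),
    ("203.0.113.77", "192.0.2.10", 900),
    ("203.0.113.200", "192.0.2.10", 64000),  # upper half of the /24, not assigned
    ("192.0.2.10", "192.0.2.10", 64000),     # source forged as the victim's address
    ("2001:db8:a:1::5", "2001:db8:ffff::1", 700),
    ("2001:db8:b::5", "2001:db8:ffff::1", 64000),
    ("not-an-address", "192.0.2.10", 10),    # malformed record
]


def source_is_ours(src, prefixes=CUSTOMER_PREFIXES):
    """True only if src parses and lies inside one of the ISP's own prefixes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source: fail closed
    return any(addr.version == net.version and addr in net for net in prefixes)


def egress_filter(flows, prefixes=CUSTOMER_PREFIXES):
    """Split flows into (forwarded, dropped) by source-address validation."""
    forwarded, dropped = [], []
    for flow in flows:
        (forwarded if source_is_ours(flow[0], prefixes) else dropped).append(flow)
    return forwarded, dropped


def dropped_bytes_by_source(dropped):
    """Total bytes refused per claimed source, for reporting to the customer."""
    totals = {}
    for src, _dst, size in dropped:
        totals[src] = totals.get(src, 0) + size
    return totals


if __name__ == "__main__":
    fwd, drp = egress_filter(SAMPLE_FLOWS)
    print("forwarded:", [f[0] for f in fwd])
    print("dropped:  ", dropped_bytes_by_source(drp))
```

A device that sends from its own assigned address passes this check; the filter addresses spoofed sources only.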

  4. Great idea! Articles could be categorized and dist by raymorris · · Score: 5, Informative

    > articles go out from a seed source and are quickly seeded throughout the world.

    That's a wonderful idea. We'd need a new protocol for distributing these "articles". We could call it Network News Transfer Protocol or something. You could tag your article according to categories and subcategories, and people could subscribe to these different news groups. We could use ssl/tls for authentication of peers.

    It probably wouldn't take too long to develop such a protocol; I bet we could have it done by 1986.

  5. Re: Distributed websites by Anonymous Coward · · Score: 0, Informative

    That's been tried with freenet. It is slow as shit, you don't pick the content you download and seed, and it is full of child porn. So basically your computer will be full of child porn and you won't even know it, and the websites you try to access won't load.

  6. Re:We tried to tell people by Oligonicella · · Score: 3, Informative

    *Some* of us tried to tell people it was a terrible idea. A lot of /.ers thought it was just a peachy thing and volubly heckled us about it, laying out in great detail how beneficial it was to have your refrigerator keep your grocery list for you to check as you shopped, be able to automatically turn your lights on and off as you went to and from work, etc.

  7. Re:Story's Not Over by Bruce+Perens · · Score: 3, Informative

    OK. The folks who run Project Shield have been informed!