Slashdot Mirror
Krebs Is Back Online Thanks To Google's Project Shield (krebsonsecurity.com)
"After the massive 600gbps DDOS attack on KrebsOnSecurity.com that forced Akamai to withdraw their (pro-bono) DDOS protection, krebsonsecurity.com is now back online, hosted by Google," reports Slashdot reader Gumbercules!!.
"I am happy to report that the site is back up -- this time under Project Shield, a free program run by Google to help protect journalists from online censorship," Brian Krebs wrote today, adding "The economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists...anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor." [T]he Internet can't route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development the "The Democratization of Censorship...." [E]vents of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach...
Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company's paying customers, they explained that the choice to let my site go was a business decision, pure and simple... In an interview with The Boston Globe, Akamai executives said the attack -- if sustained -- likely would have cost the company millions of dollars.
One site told Krebs that Akamai-style protection would cost him $150,000 a year. "Ask yourself how many independent journalists could possibly afford that kind of protection money?" He suspects the attack was a botnet of enslaved IoT devices -- mainly cameras, DVRs, and routers -- but says the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks... the biggest offenders will continue to fly under the radar of public attention unless and until more pressure is applied by hardware and software makers, as well as ISPs that are doing the right thing... What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale."
"I am happy to report that the site is back up -- this time under Project Shield, a free program run by Google to help protect journalists from online censorship," Brian Krebs wrote today, adding "The economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists...anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor." [T]he Internet can't route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development the "The Democratization of Censorship...." [E]vents of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach...
Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company's paying customers, they explained that the choice to let my site go was a business decision, pure and simple... In an interview with The Boston Globe, Akamai executives said the attack -- if sustained -- likely would have cost the company millions of dollars.
One site told Krebs that Akamai-style protection would cost him $150,000 a year. "Ask yourself how many independent journalists could possibly afford that kind of protection money?" He suspects the attack was a botnet of enslaved IoT devices -- mainly cameras, DVRs, and routers -- but says the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks... the biggest offenders will continue to fly under the radar of public attention unless and until more pressure is applied by hardware and software makers, as well as ISPs that are doing the right thing... What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale."
The Krebsonline DDoS was 600gbits+, not megabits.
"...Sleep comes like a drug in God's country Sad eyes, crooked crosses in God's country..."
665 Gigabits per second.
600gbits+ is a huge volume of traffic. I bet it was not cheap to get it done. I wonder who would have the motive and the money to do such a thing.
Krebs quoted his mentor as saying this:
"DDoS attacks have become the Great Equalizer between private actors and nation-states."
Doesn't seem "up" to me...
the hackers saying "challenge accepted".
they turned akamai into mush and destroyed their reputation (why the fuck would anyone choose them for ddos mitigation now?).
with a near-infinite source of greedy, moronic "IoT" manufacturers and the gear they produce, google shall soon fall.
too bad krebs didn't just start posting his blog to facebook instead.
Just use email to send stories to people who are interested. No web server needed. Problem solved. New subscribers from word of mouth. Cheap, easy, effective.
Useless. Without the ability for someone to link to the story it can't get large-scale play - going viral can't really happen via e-mail these days.
A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
.
Funny, I don't know why, but facebook was never one of the ones I thought might do it.
the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic,
Nothing like sticking your finger in the eyes of those who keep claiming they need to restrict bandwidth to their paying users while at the same time delivering slow speeds for exorbitant prices.
Apparently those hundreds of millions of free dollars generated every month by Comcast/Verizon/et al can't be used for anything useful such as implementing security filtering to slow/prevent this situation.
We will bankrupt ourselves in the vain search for absolute security. -- Dwight D. Eisenhower
You are not allowed to go on the road with your badly maintained, unsafe car. Not because we care about you, but because you may hurt others.
Why then is it perfectly legal to connect your badly maintained, unsafe computers to the internet?
I am not talking draconian measures here, just sensible regulations. Like force ISP's to disconnect zombies until their customers has their act together again, and fine them if they neglect this duty.
They would fare by using cloudflare instead.
Anyone can forward an email, or have you forgotten that? It's even easier that cut-n-pasting a link.
As for the stupidity of going viral, maybe it's time to end that pointless metric of relevance.
About the only important stories going viral are about Hillary's emails :-)
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
I just tried the two top links and get:
Firefox can't establish a connection to the server at krebsonsecurity.com.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer's network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
Like a good neighbor, fsck is there
You cannot forward an email on twitter.
Facebook you'd have to cut & paste the entire wall of text.
Email has a place but without a direct link you well be less read.
Krebs, a little less drink.
Just use email to send stories to people who are interested. No web server needed. Problem solved. New subscribers from word of mouth. Cheap, easy, effective.
Useless. Without the ability for someone to link to the story it can't get large-scale play - going viral can't really happen via e-mail these days.
My crazy uncle's inbox would beg to differ.
(Score: -1, Stupid)
Google's Project Shield is excellent, and will save a lot of independent journalists.
However, we probably need an alternative Project Shield for journalists that discuss topics Google wouldn't want to support (or be safe supporting).
Dunno if that could ever possibly happen, but consider the following scenario
1. A poorly administered ISP ignores the fact that it's infested with zombie DDOS proxies.
2. Google starts returning a static web page stating "Your internet provider is unable to reach Google, please contact your Internet provider for support." message, instead of their home page, for queries from that ISP's IP address ranges.
Probably just a pipe dream for a lazy Sunday afternoon.
All those people who agitate against an improved internet because they fear nebulous control and because it wouldn't be "trust" based are creating a situation where the real internet will become a bunch of centrally managed corporate networks which CAN block DDOS's. Whereas the open internet build on broken by design protocols and broken by design inter-connection contracts will wither and die.
The current internet isn't build on trust, it's build on quicksand. The current internet is inherently untrustworthy, you'd have to be insane to maintain it's build on trust.
We need a new internet fast, one build to be able to prevent DDOS's by design. Inter-connection contracts which require proper ingress filtering at customer edges and on request blocking at sources of malicious traffic, including large ranges if necessary. Any ISP which can't handle that can stay on the old "trust" based internet, the broken one. It will happen, either fully controlled by corporations, or in a community with an explicit social contract.
I mean, what better opportunity to demonstrate the power of your solution and with free reporting on it as well? Nobody likes the DDoS terrorists (and yes, that is what they are for all practical purposes, because they are attacking critical infrastructure), so this can only go well.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The only way to get BCP38 filtering widespread is to hold ISPs liable for spoofed traffic originating on and exiting their network.
Let's take a relatively smart, but also relatively ignorant, common man whose router, pvr, smart tv, etc have been compromised.
And if one or some of one's devices are partly responsible for this:
How would he know?
What steps can he take to find out if he's part of the problem?
And, perhaps as importantly, if he finds out he is, what can he do* to fix the problem and prevent it happening again?
There's no prize for good advice, but a detailed and thorough answer would be of use I'm sure :-).
*Yep, I can think of a few things: reset / re-flash / update; use a border firewall; ... but, if your devices have been 'pwned' before, if they're inherently vulnerable, what then?
What computer related site would not carry Free articles from Krebs hosted on their own site?
Sig Battery depleted. Reverting to safe mode.
But the timing of the two stories, yesterday and today, sure comes across to me like something that's been obviously stage-managed.
#DeleteChrome
What we need is a peer-to-peer web.
That way, having browsed the content we can decide to share it, helping to mitigate these DDoSes.
Which democracy ever came with each citizen getting control of a million strong botnet of insecure products?
This person is a tool to serve the narrative that it is a good thing in any way that Google is the one and only distributor of effective censorship 'protection' on the internet. What a racket. Literally.
That's kind of like the Italian Army stating that they made the business decision to withdraw from cities in bad standing with the Mafia.
There are just some business decisions you don't take because they lead nowhere good.
As if we had a network of store-and-forward servers that can disperse email-like messages over the world, scalable as every server serves only local clients. Such messages could then be archived or expired based on a configurable policy. It might be less usable during a September, but since the Eternal one has ended, we can somehow wait these five days :p
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
If everything was done via email, so would twitter. Same with facebook. Or are you unclear of the concept of email?
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
bout time... Congrats Mr. Krebs
One that wanted to stay online i suspect...
Painting that target on your site would be an existential risk for most. Moral high ground is cold comfort if you don't make payroll.
Goog to the rescue. Give them their props.
--- Mercutio was right.
Are you unclear on the fact that people generally don't use email for the majority of their online communication? Case in point, we're not communicating via email right now.
Maxim: People cannot follow directions.
Increases in truth directly with the length of time spent explaining them
> If everything was done via email, so would twitter.
If I had a trunk, I'd be an elephant*. I do not in fact have a trunk, and I'm not an elephant. Twitter is not an email listserv.
* I started to say "if Hill had a dick, she'd be Bill", but somehow that analogy just doesn't work the same when talking to you. :)
"Business decision" meaning "we decided we don't want to go out of business". 600+ Gbps was enough to cause real stress on Akamai's network, so that their customers, who pay the bills, started to be affected. Increasing their costs while reducing their revenue due to losing customers is a recipe for Akamai to go bankrupt.
If Kreb's had been paying Akamai a retainer they would have some responsibility to provide services to him, if they were able to do so. They have no responsibility to put themselves out of business on a charity case.
Are you unclear with the fact that people used to use email for the majority of their online communication? Just because we're doing things in an easy-to-DOS way now doesn't mean we have to.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Yes as the main social media sites get patrolled by "volunteers" making uploaded content harder to fund, find or even keep online.
People then have to stop their US protected free speech or find other more creative ways of getting round big multinationals and their new global "safe" branding.
Email, direct apps are just one of many great ways to totally circumvent brand management and the control of free speech on emerging social media.
The fine print about new community standards and volunteers who enforce such efforts can be very chilling with an offer of free support.
Domestic spying is now "Benign Information Gathering"
It's gleaning, not gleaming!
Must be a bad attack, seems like the site is still down.
What happens when Brian comes across some nefarious shenanigans that Google has pulled? A moment of hesitation - even subconsciously?
The long term solution is a realtime tripwire and blacklist for zombie machines and an uncompromising policy like Spamhaus applies to junk email.
If somebody allows their machine to be rooted and compromised then they are not an innocent victim they are an accompliance, the same is true for ISP that tolerate this.
ISP should cut them off, if the ISP fails to do so, upsteam ISPs and backbones should do it.
If Google cut off all the ISPs hosting botnets, they would quickly disappear, b
In my 'p.s.' section of this post https://it.slashdot.org/comments.pl?sid=9692843&cid=52949935/
APK
P.S.=> Bit "fishy" imo as well - & "Project Shield" is just an imitation of what Microsoft & Google have done for years vs. DDoS http://yro.slashdot.org/comments.pl?sid=4755487&cid=46161879/ reverse-proxy routing & cdn distribution of parts + detection & block of attackers... apk
If everything was done via email, so would twitter. Same with facebook. Or are you unclear of the concept of email?
If you think email cannot be DDOSed then what's clear is that you have no idea how email works.
Kind of hard to DOS a private email server that you don't even know exists. Or are you unclear of the concept. As for DOSing Facebook or Twitter, you have my blessing :-)
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Sorry to ruin your zeal but I'm not nearly smart enough to work for Google. I make my living as a lowly "business application" developer.
It looks like Google Fiber offers a theoretical max of 1Gbps for both upload and download. So in theory this could be done with about 600ish PC's with that kind of ISP connection, right (assuming there was no overhead - so worst case maybe 1000 or so required???)
I fail to see your point. You seem to be saying that things would be better if we went back to the good old days when people used email for their online communications. It may be true, but I don't see that it's relevant to what should be done now.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
What I'm saying is that private email servers only known to the users are much more easily hidden than a web sit with a dns entry. Can't DOS what you don't know exists. Much more or dark than the so-called darknet. How many ip6 addresses are they going to have to portscan to find one?
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Do you not know how email works? If I know your email address, I know your mail server.
All I have to do is--
c:>nslookup
default server: google-public-dns-a.google.com
address: 8.8.8.8
>set q=mx
>target-domain.com
default server: google-public-dns-a.google.com
address: 8.8.8.8
Non-authoritative answer:
target-domain.com MX preference = 0 mail exchanger = mailserver.target-domain.com
Of course, you don't HAVE to have a DNS MX record pointing to your mail server. You only need one of those if you want people to be able to SEND YOU MAIL.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
You can operate a mail server, an ftp server, even a web server without a DNS entry. Without a DNS entry they would have to have the actual IP. nslookup is useless in such cases.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
What if they're using a 3rd party mail filtering service, like Trend Micro? Then their MX record would be Trend Micro, not their server.
Running a mail server without a DNS entry is normally dumb. Filters tend to reject email from such a server, and users have been told to distrust such.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Whitelists. Anyone using such a setup should have a modicum of ability to follow directions on how to do so. And if they don't, their machine is most likely going to be part of a bot at some point or infected or whatever, so ... self-selecting safe group to communicate with.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
See subject: Pissed off I handed you YOUR ASS on MS & Amazon handling DDoS easily? Yes -> https://it.slashdot.org/commen...
* LMAO!
(You're WEAK...)
APK
P.S.=> This is EXACTLY HOW I know I've gotten the best of dolts like you - you start "gossiping" behind my back like I'm not around to see it which only PROJECTS you're "butthurt" over the fact I pointed out what MS & Amazon have done for YEARS now vs. DDoS/DoS (along w/ other valid measures I pointed out to protect vs. it)... apk
Since I neither launched the DDoS nor had any suggestions as to how to mitigate it, how did you "hand me my ass" and "get the best of me"? I offered nothing.
See subject: By comparison I offered nearly every possible defense vs. small-to-large scale DDoS there is https://yro.slashdot.org/comments.pl?sid=4755487&cid=46161879/ which I was upmodded for as well - see subject.
* Additionally see the fact you're PISSED OFF trying to "talk behind my back" like most incompetents I trash with technical data on /. always do-> https://it.slashdot.org/comments.pl?sid=9707709&cid=52976239/
APK
P.S.=> See that subject - THAT is YOUR problem (vs. myself offering tons of valid defenses vs. that attack that actually work (MS & Amazon prove it + HAVE fielded attacks by the likes of Anonymous of huge size easily due to it)... apk
See subject - says all I need to say... which was MORE than you offered by FAR!
APK
I mean, everything you've been saying is true from a technical perspective. But the burden of IT overhead that would be placed on individuals in your scenario is unlikely to result in success. For a bunch of hobbyist nerds who want to pass ezines around, fine.
And for every nerd, there are at least a dozen "nermals" that they provide free tech support in return for beer and pizza.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
I haven't HAD to be ANYONE's "wageslave" for nearly a decade & I run my own successful business instead (my monies work for ME - NOT the other way around).
* Don't even TRY tell ME what to do until you've done more, better, & EARLIER in the art & science of computing (which I am certain you haven't nor will you ever).
APK
P.S.=> Would you like to compare notes on that account? E.G. - when YOU can show you've done code that produced a FINALIST in the HARDEST CATEGORY @ Ms TechEd 2000-2002 as I have, for 2++ yrs. in a row no less there, in commercially sold code to this very day from a certified MS partner as I did? Then, you can talk )& that's only a SINGLE 1 I can produce of many of roughly the same quality from a small list of my favorites only - blowhard! apk