Slashdot Mirror


Krebs Is Back Online Thanks To Google's Project Shield (krebsonsecurity.com)

"After the massive 600gbps DDOS attack on KrebsOnSecurity.com that forced Akamai to withdraw their (pro-bono) DDOS protection, krebsonsecurity.com is now back online, hosted by Google," reports Slashdot reader Gumbercules!!.

"I am happy to report that the site is back up -- this time under Project Shield, a free program run by Google to help protect journalists from online censorship," Brian Krebs wrote today, adding "The economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists...anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor." [T]he Internet can't route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development the "The Democratization of Censorship...." [E]vents of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach...

Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company's paying customers, they explained that the choice to let my site go was a business decision, pure and simple... In an interview with The Boston Globe, Akamai executives said the attack -- if sustained -- likely would have cost the company millions of dollars.

One site told Krebs that Akamai-style protection would cost him $150,000 a year. "Ask yourself how many independent journalists could possibly afford that kind of protection money?" He suspects the attack was a botnet of enslaved IoT devices -- mainly cameras, DVRs, and routers -- but says the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks... the biggest offenders will continue to fly under the radar of public attention unless and until more pressure is applied by hardware and software makers, as well as ISPs that are doing the right thing... What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale."

6 of 149 comments

  1. Re:That is huge.. by Dutch Gun · Score: 4, Interesting

    From Krebs' site:

    Many readers have been asking whether this attack was in retaliation for my recent series on the takedown of the DDoS-for-hire service vDOS, which coincided with the arrests of two young men named in my original report as founders of the service.

    How about the folks who provide DDOS for hire? For them it costs nothing (if they're just using spare capacity), since they own the botnets. And at the same time, they're sort of advertising their wares at the same time.

    This sort of thing is just going to get worse when crappy / non-existent IoT security devices expose themselves to the web via large-capacity fiber and cable connections. It's already bad enough with compromised routers and computers. Most people won't get protected. They'll just get knocked off the web at will by people like this.

    --
    Irony: Agile development has too much inertia to be abandoned now.
  2. Kudos to Google by QuietLagoon · Score: 4, Insightful
    I was wondering if one of the big ones would step up to the plate on this one.

    .
    Funny, I don't know why, but Facebook was never one of the ones I thought might do it.

  3. Re:That is huge.. by Dutch Gun · Score: 4, Insightful

    Reading further in comments, I saw this comment from Krebs (emphasis mine):

    Actually, the intel I’m gathering suggests it’s not routers at issue, but mostly DVRs and some IP cameras.

    So, sounds like the Internet of Things is already biting us fairly hard these days. OS makers for computers and phones have made those platforms much harder to compromise than they used to be, and regularly patch known vulnerabilities. But I fear IoT manufacturers are going to make all the same, old mistakes that PCs went through over the past decade or so, instead of gleaning the hard-won knowledge of best security practices.

    --
    Irony: Agile development has too much inertia to be abandoned now.
  4. Re:I wonder how well.. by Zocalo · Score: 4, Interesting

    I can't see Brian Krebs moving to Cloudflare under any circumstances. He's laid into them far too many times, and will likely continue to do so, over their support of various cybercrime operations like the vDOS stressor that his exposure of - and arrest of two suspects - likely led to someone launching the DDoS that took him offline earlier this week. As Krebs sees it, Cloudflare are a major part of the problem and their activities are highly questionable since they directly benefit from people seeking protection from the very services Cloudflare are helping stay in operation; it just makes it easier to keep the moral high ground if he's hosted elsewhere. Cloudflare's view is that because they are not actually hosting the sites themselves, just hosting a reverse proxy that redirects traffic to them, they are on firm legal ground and are doing nothing wrong.

    Something to think about, if you're in the market for DDoS protection...

    --
    UNIX? They're not even circumcised! Savages!
  5. Re:This will be what happens by l0n3s0m3phr34k · Score: 4, Insightful

    "build on broken by design protocols" Seriously? The Internet is NOT broken-by-design in any way. The original scope of the design did not include the system ever being an open-to-the-public system that supports a large portion of today's civilization. It was never, in its original scope, designed to have public web servers, financial transactions, video streaming, or such. The original purpose of ARPANET, that eventually metamorphosed into the current internet, was "to exploit new computer technologies to meet the needs of military command and control against nuclear threats, achieve survivable control of US nuclear forces, and improve military tactical and management decision making". The entire thing wasn't designed to allow non-trusted actors on it in the first place.

    The design is solid. Your claim is like driving your car into a lake and then claiming the car is "broken by design" because it doesn't properly function as a water-going vehicle. Or that humans are "broken by design" because we can't breathe a methane atmosphere.

  6. Akamai should go broke? For a non-customer? by raymorris · Score: 4, Insightful

    "Business decision" meaning "we decided we don't want to go out of business". 600+ Gbps was enough to cause real stress on Akamai's network, so that their customers, who pay the bills, started to be affected. Increasing their costs while reducing their revenue due to losing customers is a recipe for Akamai to go bankrupt.

    If Krebs had been paying Akamai a retainer they would have some responsibility to provide services to him, if they were able to do so. They have no responsibility to put themselves out of business on a charity case.