17 comments

[ 3.1 ms ] story [ 39.5 ms ] thread
This is not the behavior I expect from a company (Akamai) that exists to mitigate DDoS. As @TelcoAg comments:

> I'd blame the insurance company if they dropped me the second I was diagnosed with cancer

Akamai will certainly tank 665Gbps if you actually pay them for it...

What kind of an insurance company would target likely victims anyway?

Is Akamai's DDoS protection tiered? That's not how it works for e.g. CloudFlare: you pay a flat fee and (they claim) they'll keep you up no matter the size or frequency of the attack. If Krebs simply wasn't signed up for a high enough tier than I guess Akamai did the right thing, but if they charge a flat fee for protection and make similar claims to CF then they deserve to be raked over the coals for this.
That's not how CF works either, they'll force you to a custom plan if you get hit enough.

If it wasn't clear, Krebs wasn't paying Akamai a penny. I'd assume their cheapest solutions start around 10k a month, hard to justify for a journo.

Ok, I did not see Krebs' latest tweet that he was getting free service (https://twitter.com/briankrebs/status/779111614226239488), that's a lot more justifiable. You'd think a netsec journalist would be the first to find it worth it to get on the paid plan.
>You'd think a netsec journalist would be the first to find it worth it to get on the paid plan.

How much do you think a solo netsec journalist with only a couple of ads on his site earns?

Krebs' reporting (now, after leaving the Washington Post under whatever circumstances -- cost cutting? -- on his own "blog"), has for years now shone a very useful, researched insight into various matters of important technological vulnerability.

He provides a real service. Which is probably why Akamai offered him their services for free, in the first place.

Krebs shines a light on shadows that very much don't want to be seen, much less outed. The years long level of escalating attacks against him and his site reflect this.

The "pro bono" part reads to me like Akamai offered him something he'd normally have to pay for for free, so he probably had a "paid plan" equivalent.

Still understandable that Akamai dropped that after while, despite the PR damage, especially if it affected their work for paying customers.

Fun fact: the suspicion right now is that this traffic is coming from compromised IoT devices. Just in case you needed another reason why the Internet of Things is the worst thing to happen to computing in a long while: it has handed attackers more ammo.
I happen to have a profile on LinkedIn. When I see someone with a "IoT Expert", I'm like "Dude, we live in Algeria. We didn't even make online payments and somehow there are more Internet of Things experts than Things of the Internet. Come on!".

It's a good selector for the kind of people who'd write "Mastery of C/C++" thinking they're the same thing.

They are from the same category as people who put 5 start of five on their resume. What does it mean? 5/5 for MS Office? Clicking, double clicking, getting, sending emails?

However I wound't blame IoT for all of it. What about uncountable number of vulnerable routers at home and small offices? As far as I know they may send legitimate (from ISP PoV) low traffic all day to some endpoints on internet.

>However I wound't blame IoT for all of it.

Personally, I think IoT is just a buzzword coming from I don't know where. IoT has existed the moment two things were connected over a network, and this was decades ago.

>What about uncountable number of vulnerable routers at home and small offices?

"Hypothetical" cases: devices of sensitive organizations just sitting there with default configuration. FTP servers of TV stations with a genius admin making a tutorial for staff with the goddamn credentials on the "intranet page" (you have the privileges of writing the news of tomorrow, literally). Teleconference system of major company that are broadcasting what's happening in the meeting room because why not. Readable and writable remote sensing devices that are broadcasting information that matters a great deal and you could just toy with it.

All this without even brute-force or exploiting a vulnerability. Basically within the reach of any monkey who could type admin-admin.

(comment deleted)
This is disgusting. It might be from @poodlecorp
You can read it on the Google cache to some extent. Here's the article on the DDOS

http://webcache.googleusercontent.com/search?q=cache:http://...

The fact that this is pure, raw packets and not using a DNS amplification method sounds to me like the attackers are advertising. "Hey, look at my capabilities. Look what I can do. Hire me for your next DDoS attacks." If these guys don't get caught or taken down, they could easily become the biggest players in the market. Twice the size of the last biggest DDoS, with no trickery. That's insane.