On Tuesday, September 20, the website of cyber security researcher Brian Krebs was hit with a massive distributed denial-of-service (DDoS) attack, perhaps the largest in history.
Its methods were advanced, its scale was unprecedented, its creator may never be known. And it could be the new norm.
Earlier in the month, Krebs had published a story about vDOS, a company that sold DDoS services to anyone willing to pay. The DDoS-for-hire service, which had launched more than 150,000 such attacks and brought in more than $618,000 in two years, had itself been hacked.
Krebs shared information from the leaked databases, and was promptly hit by a DDoS attack which reached almost 140 Gbps. Each attack packet came with the message ’godiefaggot,’ but the site remained online due to protection from Akamai/Prolexic.
Soon after Krebs published details about the company, two Israeli men suspected of running vDOS were arrested.
In what may be an act of retaliation, Krebs was then hit again with another attack. But this one, launched exactly two weeks after Krebs’ first post, was far larger.
The website KrebsOnSecurity suffered a 620 Gbps attack over the course of several days, which is thought to be the biggest DDoS attack yet. It also differed from most large-scale attacks.
Attacks of this size usually take the form of a DNS reflection and amplification attack: the attacker sends look-up requests to open domain name system (DNS) resolvers with the target's address forged as the source, so that each small query produces a much larger response directed at the target network. This attack did not rely on that technique.
Early analysis suggests that most of the attack came as traffic designed to look like generic routing encapsulation (GRE) packets. GRE is a tunnelling protocol that wraps one protocol's packets inside another to form a point-to-point link between two network nodes; it is stateless and not a request-and-response protocol, so there is no third party for an attacker to reflect traffic off.
“Seeing that much attack coming from GRE is really unusual,” Martin McKeay, Akamai’s senior security advocate, told Krebs.
“We’ve only started seeing that recently, but seeing it at this volume is very new.”
Neither GRE floods nor the other methods used - what Akamai calls garbage Web attack methods, including SYN, GET and POST floods - can be amplified the way DNS traffic can: every byte that reaches the target has to be sent by a machine the attacker controls, and HTTP GET and POST floods additionally require a completed TCP handshake, so their source addresses are genuine rather than forged. This means the perpetrators almost certainly controlled a very large number of hacked devices, quite possibly numbering in the hundreds of thousands.
“Someone has a botnet with capabilities we haven’t seen before,” McKeay said. “We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks — they were everywhere.”
Indications are that the botnet was built from Internet of Things devices, predominantly DVRs and IP cameras, to create the flood of traffic.
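The inference above (unamplified vectors cost the attacker a byte of its own bandwidth for every byte delivered, and an HTTP flood's sources are real because a handshake completed) can be made concrete against flow records. The following is an added example, not code from the article or from Akamai: it sorts constructed flow records into the vectors named above and estimates how much of the observed volume the attacker had to originate itself. The record fields, the sample addresses and the 40x DNS amplification ratio are assumptions for illustration, not measurements from the attack.

```python
"""Classify constructed flow records into DDoS vectors and estimate the
attacker-originated share of the traffic (added example, not from the article)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed amplification ratio for a reflected DNS flood: one small spoofed
# query draws a response of a few kilobytes from an open resolver. The real
# ratio depends on the record set queried; 40x is a constructed value.
DNS_AMPLIFICATION_RATIO = 40.0


@dataclass(frozen=True)
class Flow:
    src: str          # source address as seen at the target's edge
    proto: str        # "udp", "tcp" or "gre" (IP protocol 47)
    sport: int        # source port; 0 for GRE, which carries none
    dport: int        # destination port on the target
    tcp_flags: str    # "S" = SYN only, "PA" = data segment, "" for non-TCP
    nbytes: int       # bytes delivered toward the target
    http_method: str  # "GET"/"POST" when the payload was an HTTP request, else ""


# Per vector: does a third party multiply the attacker's bandwidth, and does
# the vector need a completed TCP handshake (which makes its sources genuine)?
VECTORS = {
    "dns_amplification": {"amplified": True,  "handshake": False},
    "gre_flood":         {"amplified": False, "handshake": False},
    "syn_flood":         {"amplified": False, "handshake": False},
    "http_flood":        {"amplified": False, "handshake": True},
    "other":             {"amplified": False, "handshake": False},
}


def classify(flow: Flow) -> str:
    """Map one flow to a vector name. GRE is checked first since it has no ports."""
    if flow.proto == "gre":
        return "gre_flood"
    if flow.proto == "udp" and flow.sport == 53:
        # Unsolicited DNS responses: a resolver answering a query the attacker
        # sent with the target's address forged as source. A real deployment
        # would first exclude answers to queries the target's own resolver made.
        return "dns_amplification"
    if flow.proto == "tcp" and flow.tcp_flags == "S":
        return "syn_flood"
    if flow.proto == "tcp" and flow.http_method in ("GET", "POST"):
        return "http_flood"
    return "other"


def summarize(flows):
    """Per vector: bytes seen, distinct sources, bytes the attacker had to send,
    and whether the source addresses can be trusted as real hosts."""
    seen = defaultdict(lambda: {"bytes": 0, "sources": set(), "origin_bytes": 0})
    for f in flows:
        v = classify(f)
        seen[v]["bytes"] += f.nbytes
        seen[v]["sources"].add(f.src)
        ratio = DNS_AMPLIFICATION_RATIO if VECTORS[v]["amplified"] else 1.0
        # Unamplified traffic is a byte-for-byte cost to the attacker's own hosts.
        seen[v]["origin_bytes"] += int(f.nbytes / ratio)
    return {v: {"bytes": d["bytes"], "sources": len(d["sources"]),
                "origin_bytes": d["origin_bytes"],
                "sources_verified": VECTORS[v]["handshake"]}
            for v, d in seen.items()}


# Constructed sample standing in for an edge capture (documentation-range addresses).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "udp", 53, 3399, "", 4000, ""),
    Flow("198.51.100.8", "udp", 53, 3400, "", 4000, ""),
    Flow("203.0.113.10", "gre", 0, 0, "", 1400, ""),
    Flow("203.0.113.11", "gre", 0, 0, "", 1400, ""),
    Flow("203.0.113.12", "gre", 0, 0, "", 1400, ""),
    Flow("192.0.2.20", "tcp", 40001, 80, "S", 60, ""),
    Flow("192.0.2.21", "tcp", 40002, 80, "S", 60, ""),
    Flow("192.0.2.30", "tcp", 40003, 80, "PA", 500, "GET"),
    Flow("192.0.2.30", "tcp", 40004, 80, "PA", 600, "POST"),
]


if __name__ == "__main__":
    for vector, stats in summarize(SAMPLE_FLOWS).items():
        print(vector, stats)
```

On the sample, the 8,000 bytes of reflected DNS traffic cost the attacker only about 200 bytes of its own capacity, while the GRE, SYN and HTTP floods cost it every byte delivered; scaled to 620 Gbps of mostly GRE traffic, that is why the analysts concluded the attacker owned the bandwidth of a very large botnet rather than borrowing it from reflectors.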
The attack ultimately proved too much for Akamai, which had offered Krebs free protection for the past four years. The company dropped him as a customer, giving the reporter two hours to get things in order.
“If this kind of thing is sustained, we’re definitely talking millions” of dollars in cyber security services, Josh Shaul, Akamai’s VP of Web security, told The Boston Globe.
Akamai spokesman Jeff Young said: “We made a business decision to no longer keep this customer on our platform and prioritize our resources on our paying customers.”
Krebs said: “Let me be clear: I do not fault Akamai for their decision. I was a pro bono customer from the start, and Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company’s paying customers, they explained that the choice to let my site go was a business decision, pure and simple.”
After some downtime, Krebs moved to Project Shield, a free service offered by Alphabet’s Jigsaw (formerly Google Ideas) to nonprofits, media publications and human rights blogs. The site is now (mostly) back online, but the ramifications of the attack are far reaching.
“We expect this will be the new normal over the next 18 months,” Akamai’s CSO Andy Ellis told QZ. “We will probably see more IoT devices with larger botnets and with tight command-and-control, with blends of shaped and reflected traffic.”
Ellis added: “We’re pretty sure IoT is not a passing fad and many devices are unmaintainable. You can certainly update the firmware manually, but it’s not realistic for most consumers.”
IoT attacks are on the rise - earlier this month security company Sucuri disclosed a large DDoS attack that used botnets powered by CCTV cameras and home routers, while last week Symantec warned that IoT devices are “being increasingly used for DDoS attacks.”
The individual and the state
The growth of IoT devices comes at a time when the tools required to launch a DDoS attack are also spreading.
In early 2015, the Lizard Squad group released the source code of LizardStresser, its DDoS botnet. “LizardStresser is extremely simple to compile and run. We’ve observed samples compiled for various architectures such as x86, ARM, and MIPS – the most common platforms for IOT devices,” Arbor Networks research analyst Matthew Bing said in a blog post.
“Utilizing the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs, and government institutions.”
Krebs said: “These weapons can be wielded by anyone — with any motivation — who’s willing to expend a modicum of time and effort to learn the most basic principles of its operation.”
Arbor Networks’ Roland Dobbins concurred, saying: “Today’s reality is that DDoS attacks have become the Great Equalizer between private actors & nation states.”
But nation states remain a cause for concern. Earlier this month, cyber security expert Bruce Schneier published an article titled ‘Someone Is Learning How to Take Down the Internet.’
He said: “Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don’t know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.”
He continued: “Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.
“The attacks are also configured in such a way as to see what the company’s total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they’ve got to defend themselves. They can’t hold anything back. They’re forced to demonstrate their defense capabilities for the attacker.”
Schneier added that the data suggested China was behind the probes, but that nothing was certain.
On the ThreatPost podcast, Schneier said: “Normally you see DDoS attacks done by hackers who want to annoy somebody or take down a site or fool around. These are probing attacks.”
He continued: “The companies this is happening to are the big Internet infrastructure companies, the companies that manage the backbone, manage the DNS, manage all of the systems we rely on. So taking them down would be taking down much of the Internet temporarily.”
In its quarterly DDoS report, Verisign said: “In Q2 2016, Verisign observed a growing trend of low-volume application layer, also known as Layer 7, attacks that probe for vulnerabilities in application code, employing various techniques to use HTTP/S field headers within request packets in order to disable the application. These attacks are frequently coupled with high-volume UDP flood attacks to distract the victim from the Layer 7 attack component.”
It continued: “Layer 7 attacks are some of the most difficult attacks to mitigate because they mimic normal user behavior and are harder to identify. The application layer (per the Open Systems Interconnection model) consists of protocols that focus on process-to-process communication across an IP network and is the only layer that directly interacts with the end user. A sophisticated Layer 7 attack may target specific areas of a website, making it even more difficult to separate from normal traffic.”
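Because a low-volume Layer 7 flood looks like ordinary users, separating it from normal traffic means looking at per-client behaviour rather than packet rate. The following is an added example, not code from Verisign or the article: a small detector run over constructed access-log lines in the common combined format that scores each client on how many requests it sends in a window, how concentrated those requests are on endpoints that do real work per request, and whether it omits a User-Agent header. The endpoint list, thresholds, addresses and log lines are assumptions for illustration.

```python
"""Flag clients whose request pattern looks like a low-volume Layer 7 flood
(added example, not from the article or the Verisign report)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumed: endpoints that cost the application real work per request (search,
# authentication, report generation), so a few requests per second from one
# client is already a load even though the bandwidth involved is tiny.
EXPENSIVE_PATHS = ("/search", "/login", "/export")
WINDOW_SECONDS = 60
MIN_REQUESTS = 6              # below this a single client is not worth flagging
MIN_EXPENSIVE_FRACTION = 0.8  # share of a client's requests on expensive paths


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # compare paths without the query string
    return rec


def score_clients(lines):
    """Return {ip: [reasons]} for clients whose behaviour matches the heuristics."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        reasons = []
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        n = len(recs)
        expensive = sum(r["path"].startswith(EXPENSIVE_PATHS) for r in recs)
        if n >= MIN_REQUESTS and span <= WINDOW_SECONDS:
            if expensive / n >= MIN_EXPENSIVE_FRACTION:
                reasons.append(f"{expensive}/{n} requests to expensive paths in {span:.0f}s")
            if len({r["path"] for r in recs}) == 1:
                reasons.append("every request hits one path")
        # Browsers always send a User-Agent; its absence is a cheap tell for
        # hand-rolled flood tools, though a real deployment would tune this.
        if any(r["ua"] in ("", "-") for r in recs):
            reasons.append("request without User-Agent")
        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed sample log: one client hammering /search every four seconds,
# one ordinary visitor, and one request with no User-Agent at all.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2016:20:01:00 +0000] "GET /search?q=a HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2016:20:01:04 +0000] "GET /search?q=b HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2016:20:01:08 +0000] "GET /search?q=c HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2016:20:01:12 +0000] "GET /search?q=d HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2016:20:01:16 +0000] "GET /search?q=e HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2016:20:01:20 +0000] "GET /search?q=f HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2016:20:01:02 +0000] "GET / HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Oct/2016:20:01:09 +0000] "GET /about HTTP/1.1" 200 1411 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Oct/2016:20:01:30 +0000] "GET /search?q=krebs HTTP/1.1" 200 5100 "http://example.test/" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.77 - - [10/Oct/2016:20:01:15 +0000] "POST /login HTTP/1.1" 401 0 "-" "-"
"""


if __name__ == "__main__":
    for ip, reasons in score_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

The flood client sends barely 30 KB in twenty seconds, well under anything a volumetric threshold would notice, yet every request lands on the search endpoint; the ordinary visitor also uses search, but rarely and among other pages, and is not flagged. Thresholds like these need tuning per site, and the same scoring can be fed from a UDP-flood alert so that the noisy component the report describes does not pull attention from the quiet one.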
The security company noted the rapid rise in DDoS attacks, the increase in their complexity and sophistication, and the need for businesses to have an effective DDoS strategy.
It said: “Every organization is at risk.”