Akamai stops hosting known security blog after large-scale DDO attack
Akamai took the KrebsOnSecurity website offline after the site was hit by a repeated ddos that was almost twice the size of what Akamai has ever experienced in its existence. The site belongs to security expert Brian Krebs.
Business Insider writes this in response to a tweet by Krebs from Friday with the text: “Akamai’s kicking me off their network tonight”, or ‘Akamai is kicking me off his network tonight’. Krebs will add to that soon please that he got the webhosting for free from Akamai/Prolexic and he understands the decision well, if only because it ‘should cost them a lot of money per day’ cost to turn down the ddos’.
At the height of the attack, Krebs’ site was processing more than 620Gbit/s of data, almost double the previous largest attack Akamai ever faced. That was about 363Gbit/s, Krebs writes on his site, a copy of which can be found on Archive.org.
However, there seems to be a difference between the 363Gbit/s attack and the average 620Gbit/s attack on Krebs’ site, namely the type of botnet. The former would have been generated by a fairly standard botnet that uses misconfigured DNS servers to amplify the attack. However, the attack on Krebs’ site seems to come directly from a very large botnet of hacked devices. The difference with an amplified or amplified ddos and the attack on Krebs’ site is that the connections established to the site use methods that require a real connection between the attacking host and the target, such as syn, get and post.
Akamai’s Martin McKeay explained to Krebs that this is a very unusual form of attack and that this type of attack has only started to show up recently. According to McKeay, the volume that the Krebs site had to endure was very new.
The traffic used was generated in a way that resembled generic routing encapsulation or gre. McKeay further explains on Kreb’s site that gre traffic cannot be spoofed or faked in the same way as an attack via dns reflection. According to McKeay, it seemed as if the attack came from systems around the world. There are also indications that the botnet was using hacked internet-of-things devices, such as routers and IP cameras. Security firm Symantec warned this week of a rising number of DDoS attacks using these types of devices.
It is suspected that these kinds of monster attacks will become the ‘new normal’, Krebs writes at the end of his blog post. He further suspects that the attacks are related to a recent series of stories about a hiring DDOs service vDOS in which the Israeli police arrested two men who were named as founders of the service in Krebs’ initial report. The CEO of Cloudflare has now turned his help to Krebs offered.
Photo: Twitter