Brian Krebs site hit with 665 Gbps DDoS attack; Largest Internet has ever seen


  1. Tomi Engdahl says:

    Brian Krebs’ Blog Hit by 665 Gbps DDoS Attack

    nvestigative cybercrime journalist Brian Krebs reported on Tuesday that his website,, was hit by a massive distributed denial-of-service (DDoS) attack that could be the largest in history.

    According to Krebs, his site was targeted with various types of DDoS attacks, including SYN and HTTP floods. The attack peaked at 665 Gbps and 143 Mpps (million packets per second), but it was successfully mitigated by Akamai, the company that provides DDoS protection services for KrebsOnSecurity.

    Krebs believes that the botnet used to target his blog mostly consists of Internet of Things (IoT) devices, such as webcams and routers, that have default or weak credentials.

    Akamai told Krebs that this attack was nearly twice the size of the largest attack they had previously encountered. It’s worth noting that Arbor Networks reported in January that some of its customers had been hit by attacks that peaked at 500, 450 and 425 Gbps.

  2. Tomi Engdahl says:

    That largest DDoS attack got just topped against this week according to this article that also provides some information on attack on Brian Krebs web site:

    Hosting Provider OVH Hit by 1 Tbps DDoS Attack

    OVH, one of the world’s largest hosting companies, reported on Thursday that its systems were hit by distributed denial-of-service (DDoS) attacks that reached nearly one terabit per second (Tbps).

    Earlier this week, investigative cybercrime journalist Brian Krebs said his blog,, had been targeted in an attack that peaked at 665 Gbps.

    Krebs said the attack on his website appears to have been powered almost exclusively by a very large botnet of compromised IoT devices, such as webcams and routers, and no amplification has been used. The expert suggested the same “cannon” has also been tested against OVH and other organizations.

  3. Tomi Engdahl says:

    Akamai kicked journalist Brian Krebs’ site off its servers after he was hit by a ‘record’ cyberattack

    The cloud-hosting giant Akamai Technologies has dumped the website run by journalist Brian Krebs from its servers after the site came under a “record” cyberattack.

    “It’s looking likely that KrebsOnSecurity will be offline for a while,” Krebs tweeted Thursday. “Akamai’s kicking me off their network tonight.”

    Since Tuesday, Krebs’ site has been under sustained distributed denial-of-service, or DDoS, a crude method of flooding a website with traffic to deny legitimate users from being able to access it. The assault has flooded Krebs’ site with more than 620 gigabits per second of traffic — nearly double what Akamai has seen in the past.

    Websites targeted by this type of attack typically go down for a short period and then come back online. And for hosts, the attacks mean shifting resources to different servers to mitigate the damage.

    “I can’t really fault Akamai for their decision,” Krebs added. “I likely cost them a ton of money today.”

    The attack may be related to Krebs’ recent reporting on a website called vDOS, a service allegedly created by two Israeli men that would carry out cyberattacks on behalf of paying customers.

  4. Tomi Engdahl says:

    Akamai solves the Brian Krebs DDoS problem by dropping it
    620Gpbs wallop was too hot to handle

    HEY, REMEMBER when Akamai, a provider of cloud services, web security and media delivery, was helping Brian Krebs fight off a huge denial-of-service attack the like of which it had never seen? Well, forget it. That was yesterday.

    Today Akamai is not helping Krebs do anything. The firm has pulled the pro bono service out from underneath the KrebsOnSecurity website and left it floating in the wild.

    The good news is that the site remains online in a form, and that Akamai will save a ton of cash and can get back to mitigating problems for its other customers

    Krebs is bound to have some enemies out there, so we expect that sooner or later someone will take the credit for ruining the pathway to his pages.

    “The attack began around 8pm ET on September 20, and initial reports put it at approximately 665Gbps,” Krebs said in a blog post while he was briefly back in control of everything.

    “Additional analysis on the attack traffic suggests the assault was closer to 620Gbps in size, but in any case this is many orders of magnitude more traffic than is typically needed to knock most sites offline.”

  5. Tomi Engdahl says:

    Krebs Website Offline After Akamai Withdraws DDoS Protection

    “It’s looking likely that KrebsOnSecurity will be offline for a while. Akamai’s kicking me off their network tonight,” he tweeted.

    Akamai’s Second Quarter 2016 State of the Internet Security Report revealed a 129% increase in DDoS attacks in Q2 2016 from the same quarter a year earlier. It was this quarter that saw the previous biggest DDoS attack, while a further 12 attacks exceeding 100 Gbps and two clocking in at over 300 Gbps were recorded.

  6. Tomi Engdahl says:

    Massive web attack hits security blogger

    One of the biggest web attacks ever seen has been aimed at a security blogger after he exposed hackers who carry out such attacks for cash.

    The distributed denial of service (DDoS) attack was aimed at the website of industry expert Brian Krebs.

    At its peak, the attack aimed 620 gigabits of data a second at the site.

    Web protest

    In a blogpost, Mr Krebs detailed the attack, which began late on Tuesday night and quickly ramped up to its peak attack rate.

    DDoS attacks are typically carried out to knock a site offline – but Mr Krebs’ site stayed online thanks to work by security engineers, who said the amount of data used was nearly twice the size of the largest attack they had ever seen.

    “It was among the biggest assaults the internet has ever witnessed,” added Mr Krebs.

    Security firm Akamai said the attack generated such a huge volume of data by exploiting weak or default passwords in widely used net-connected cameras, routers and digital video recorders. Once in control of these “smart” devices the attackers used them to swamp the site with data requests.

    “These new internet-accessible devices can bring great benefits, but they are also an increasingly easy and lucrative targets for cybercriminals,” said Nick Shaw from security firm Symantec.

    The security firm has carried out research which shows swift growth in the number of malware families scouring the net for vulnerable devices. Typically, said Mr Shaw, malicious hackers who take over gadgets are not interested in stealing personal data.

    “Cybercriminals are interested in cheap bandwidth to enable bigger attacks,” he said.

  7. Tomi Engdahl says:

    Journalist Hit By Record DDoS Attack: ‘I’m Kind of Like Plutonium Right Now’

    On September 20, the news website belonging to security journalist and former Washington Post staffer Brian Krebs started suffering one of the highest DDoS attacks ever measured.

    After two days of defending against the attack, the content delivery network that hosted had to pull the plug. Akamai hosted Krebs’s website pro bono, but the costs of diverting server resources to keep KrebsOnSecurity online during the record attack, which topped out at 665 Gbps, proved too costly, and the company gave Krebs a few hours warning before shutting down the site.

    The attack is almost certainly linked to a DDoS-for-hire service called vDOS.

    MOTHERBOARD: Hi Brian. Were you expecting this to happen? What is your next move?

    Brian Krebs: No, I wasn’t expecting this to happen. I was expecting attacks to happen, but I wasn’t expecting them to be that large. I don’t think anybody was. As I said in my tweets, Akamai/Prolexic has been protecting me pro bono for several years now, and has protected my site through I can’t even count how many attacks, and I guess this one just kind of broke the banks for them a little bit. According to them, it was almost twice as big as the biggest one they’ve seen previously, and I’m sure it cost them a lot of money. The challenge now is finding another setup that won’t so quickly be similarly exhausted.

    Have you thought about hosting your website elsewhere?

    Yeah, but, I’m kind of like plutonium right now. I don’t know. To me, it’s very interesting. I’m working on a story that tries to explore this a little more deeply.

    Who is?

    Well I think DDoS is the great equaliser between private actors and nation states. So it’s a little confusing at the moment in that respect.

    Has the attack had a psychological impact on you? I can imagine it must be pretty stressful.

    Sure, it’s been stressful.

  8. Tomi Engdahl says:

    So this has happened on this case big time:

    In the Future, Hackers Will Build Zombie Armies from Internet-Connected Toasters

    Cybercriminals are finally leveraging the thousands or millions of insecure devices in the so-called Internet of Things to launch cyberattacks.

    Earlier this week, someone used a botnet made of more than 25,000 hacked CCTV cameras to launch a massive cyberattack on a jewelry store’s website.

    Just two days later, a security firm revealed that another group of cybercriminals had taken over more than 1,000 internet-connected cameras and turned them into a zombie army, launching attacks against three US gaming companies and some other targets in Brazil, including banks, telecom companies, and government agencies.

  9. Tomi Engdahl says:

    OVH hosting hit by 1Tbps DDoS attack, the largest one ever seen

    The hosting company OVH was the victim of a 1 Tbps DDoS attack that hit its servers, this is the largest one ever seen on the Internet.
    The hosting provider OVH faced 1Tbps DDoS attack last week, likely the largest offensive ever seen.

    The OVH founder and CTO Octave Klaba reported the 1Tbps DDoS attack on Twitter sharing an image that lists the multiple sources of the attack.

    Klaba explained that the servers of its company were hit by multiple attacks exceeding 100 Gbps simultaneously concurring at 1 Tbps DDoS attack. The severest single attack that was documented by OVH reached 93 MMps and 799 Gbps.

    Unfortunately, this is not a novelty, in June 2016 security experts from Sucuri firm have discovered a large botnet of compromised CCTV devices used by crooks to launch DDoS attacks in the wild.

    IoT devices, including CCTV, often lack proper configuration, it is easy for hackers to locate on the Internet systems with weak or default login credentials.

    Recently security experts reported several Linux malware targeting IoT devices such as Luabot and Bashlite.

    Earlier September, experts from Level 3 and Flashpoint confirmed the overall number of devices infected by the BASHLITE malware is more than 1 million.

    The number includes compromised devices belonging to several botnets, according to the experts, almost every infected device are digital video recorders (DVRs) or cameras (95%), the remaining is composed of routers (4%), and Linux servers (1%).

  10. Tomi Engdahl says:

    The Democratization of Censorship

    John Gilmore, an American entrepreneur and civil libertarian, once famously quipped that “the Internet interprets censorship as damage and routes around it.” This notion undoubtedly rings true for those who see national governments as the principal threats to free speech.

    However, events of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach.

    “Censorship can in fact route around the Internet.” The Internet can’t route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development the “The Democratization of Censorship.”

    DDoS protection provider Akamai chose to unmoor my site from its protective harbor.

    Let me be clear: I do not fault Akamai for their decision. I was a pro bono customer from the start, and Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years.

    making sure my hosting provider wasn’t going to bear the brunt of the attack when the shields fell. To ensure that absolutely would not happen, I asked Akamai to redirect my site to — effectively relegating all traffic destined for into a giant black hole.

    Today, I am happy to report that the site is back up — this time under Project Shield, a free program run by Google to help protect journalists from online censorship. And make no mistake, DDoS attacks — particularly those the size of the assault that hit my site this week — are uniquely effective weapons for stomping on free speech, for reasons I’ll explore in this post.

    Why do I speak of DDoS attacks as a form of censorship? Quite simply because the economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists.

    I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.

    Ask yourself how many independent journalists could possibly afford that kind of protection money? A number of other providers offered to help, but it was clear that they did not have the muscle to be able to withstand such massive attacks.

    I’ve been toying with the idea of forming a 501(c)3 non-profit organization — ‘The Center for the Defense of Internet Journalism’,


    Earlier this month, noted cryptologist and security blogger Bruce Schneier penned an unusually alarmist column titled, “Someone Is Learning How to Take Down the Internet.” Citing unnamed sources, Schneier warned that there was strong evidence indicating that nation-state actors were actively and aggressively probing the Internet for weak spots that could allow them to bring the entire Web to a virtual standstill.

    “Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services,” Schneier wrote. “Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that.”

    “Today’s reality is that DDoS attacks have become the Great Equalizer between private actors & nation-states,” Dobbins quipped.

    What exactly was it that generated the record-smashing DDoS of 620 Gbps against my site this week?

    There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or — in the case of routers — are shipped by ISPs to their customers.

    The reality is that there are currently millions — if not tens of millions — of insecure or poorly secured IoT devices that are ripe for being enlisted in these attacks at any given time. And we’re adding millions more each year.

    The problem of DDoS conscripts goes well beyond the millions of IoT devices that are shipped insecure by default: Countless hosting providers and ISPs do nothing to prevent devices on their networks from being used by miscreants to “spoof” the source of DDoS attacks.

    BCP38 is designed to filter such spoofed traffic, so that it never even traverses the network of an ISP that’s adopted the anti-spoofing measures. However, there are non-trivial economic reasons that many ISPs fail to adopt this best practice

    To address the threat from the mass-proliferation of hardware devices such as Internet routers, DVRs and IP cameras that ship with default-insecure settings, we probably need an industry security association, with published standards that all members adhere to and are audited against periodically.

    The wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval. Consumers also would need to be educated to look for that seal of approval. Something like Underwriters Laboratories (UL), but for the Internet, perhaps.

    As much as I believe such efforts could help dramatically limit the firepower available to today’s attackers, I’m not holding my breath that such a coalition will materialize anytime soon.

    The traffic hurled at my site in that massive attack included the text string “freeapplej4ck,” a reference to the hacker nickname used by one of vDOS’s alleged co-founders.

    Most of the time, ne’er-do-wells like Applej4ck and others are content to use their huge DDoS armies to attack gaming sites and services. But the crooks maintaining these large crime machines haven’t just been targeting gaming sites. OVH, a major Web hosting provider based in France, said in a post on Twitter this week that it was recently the victim of an even more massive attack than hit my site. According to a Tweet from OVH founder Octave Klaba, that attack was launched by a botnet consisting of more than 145,000 compromised IP cameras and DVRs.

    I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections.

    The sad truth these days is that it’s a lot easier to censor the digital media on the Internet than it is to censor printed books and newspapers in the physical world.

    Project Shield

    Network Ingress Filtering:
    Defeating Denial of Service Attacks which employ IP Source Address Spoofing

  11. Tomi Engdahl says:

    Criticize Donald Trump, get your site smashed offline from Russia
    Newsweek Cuban connection story enrages miscreants

    It has been an odd day for Newsweek – its main site was taken offline after it published a story claiming a company owned by Republican presidential candidate Donald Trump broke an embargo against doing deals with Cuba.

    The magazine first thought that the sheer volume of interest in its scoop was the cause for the outage, but quickly realized that something more sinister was afoot.

    The site was being bombarded by junk traffic from servers all around the world, but the majority came from Russia, the editor in chief Jim Impoco has now said.

    Newsweek Website Attacked After Report On Trump, Cuban Embargo

    The editor-in-chief of Newsweek confirmed Friday that the magazine’s website was on the receiving end of a denial-of-service attack Thursday night, following the publication of a story accusing one of Donald Trump’s companies of violating the Cuban trade embargo.

    Editor-In-Chief Jim Impoco noted that the attack came as the story earned national attention.

    Later Friday afternoon, Impoco emailed TPM that in an initial investigation, the “main” IP addresses linked to the attack were found to be Russian. It should be noted that it is possible to fake an IP address.

    “As with any DDoS attack, there are lots of IP addresses, but the main ones are Russian, though that in itself does not prove anything,” he wrote. “We are still investigating.”

    A DoS attack makes sites completely unavailable to their intended users. Many noted that Newsweek’s website was down last night, initially assuming that it was due to high traffic on the Cuba piece. But Eichenwald tweeted Friday morning that the actual issue was an attack on the magazine’s website

    Denial-of-service attacks may be considered a federal crime under the Computer Fraud and Abuse Act.

  12. Tomi Engdahl says:

    Source Code for IoT Botnet ‘Mirai’ Released

    The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

    The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

    Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.

    In the days since the record 620 Gbps DDoS on, this author has been able to confirm that the attack was launched by a Mirai botnet. As I wrote last month, preliminary analysis of the attack traffic suggested that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets, a communication protocol used to establish a direct, point-to-point connection between network nodes. GRE lets two peers share data they wouldn’t be able to share over the public network itself.

    One security expert who asked to remain anonymous said he examined the Mirai source code following its publication online and confirmed that it includes a section responsible for coordinating GRE attacks.

    On the not-so-cheerful side, there are plenty of new, default-insecure IoT devices being plugged into the Internet each day. Gartner Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected each day, Gartner estimates.

  13. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Dahua’s IoT devices, largely responsible for Krebs DDoS attack, have default passwords hardcoded in firmware; EU is working on IoT device security regulations

    Europe to Push New Security Rules Amid IoT Mess

    The European Commission is drafting new cybersecurity requirements to beef up security around so-called Internet of Things (IoT) devices such as Web-connected security cameras, routers and digital video recorders (DVRs). News of the expected proposal comes as security firms are warning that a great many IoT devices are equipped with little or no security protections.

    According to a report at, the Commission is planning the new IoT rules as part of a new plan to overhaul the European Union’s telecommunications laws. “The Commission would encourage companies to come up with a labeling system for internet-connected devices that are approved and secure,”

    In last week’s piece, “Who Makes the IoT Things Under Attack?,” I looked at which companies are responsible for IoT products being sought out by Mirai — malware that scans the Internet for devices running default usernames and passwords and then forces vulnerable devices to participate in extremely powerful attacks designed to knock Web sites offline.

    One of those default passwords — username: root and password: xc3511 — is in a broad array of white-labeled DVR and IP camera electronics boards made by a Chinese company called XiongMai Technologies. These components are sold downstream to vendors who then use it in their own products.

    “The issue with these particular devices is that a user cannot feasibly change this password,” said Flashpoint’s Zach Wikholm. “The password is hardcoded into the firmware, and the tools necessary to disable it are not present.

    Flashpoint says the majority of media coverage surrounding the Mirai attacks on KrebsOnSecurity and other targets has outed products made by Chinese hi-tech vendor Dahua as a primary source of compromised devices. Indeed, Dahua’s products were heavily represented in the analysis I published last week.

    For its part, Dahua appears to be downplaying the problem.

    Dahua said the company’s investigation determined the devices that became part of the DDoS attack had one or more of these characteristics:

    -The devices were using firmware dating prior to January 2015.
    -The devices were using the default user name and password.
    -The devices were exposed to the internet without the protection of an effective network firewall.

    Dahua also said that to the best of the company’s knowledge, DDoS [distributed denial-of-service attacks] threats have not affected any Dahua-branded devices deployed or sold in North America.

    Flashpoint’s Wikholm said his analysis of the Mirai infected nodes found differently, that in the United States Dahua makes up about 65% of the attacking sources (~3,000 Internet addresses in the US out of approximately 400,000 addresses total).

    Dahau’s statement that devices which were enslaved as part of the DDoS botnet were likely operating under the default password is duplicitous, given that threats like Mirai spread via Telnet and because the default password can’t effectively be changed.

    Dahua and other IoT makers who have gotten a free pass on security for years are about to discover that building virtually no security into their products is going to have consequences. It’s a fair bet that the European Commission’s promised IoT regulations will cost a handful of IoT hardware vendors plenty.

    Also, in the past week I’ve heard from two different attorneys who are weighing whether to launch class-action lawsuits against IoT vendors who have been paying lip service to security over the years and have now created a massive security headache for the rest of the Internet.

    Commission plans cybersecurity rules for internet-connected machines

  14. Tomi Engdahl says:

    Study: Attack on KrebsOnSecurity Cost IoT Device Owners $323K

    A monster distributed denial-of-service attack (DDoS) against in 2016 knocked this site offline for nearly four days. The attack was executed through a network of hacked “Internet of Things” (IoT) devices such as Internet routers, security cameras and digital video recorders. A new study that tries to measure the direct cost of that one attack for IoT device users whose machines were swept up in the assault found that it may have cost device owners a total of $323,973.75 in excess power and added bandwidth consumption.

    My bad.

    But really, none of it was my fault at all. It was mostly the fault of IoT makers for shipping cheap, poorly designed products (insecure by default), and the fault of customers who bought these IoT things and plugged them onto the Internet without changing the things’ factory settings (passwords at least.)

    The botnet that hit my site in Sept. 2016 was powered by the first version of Mirai


Leave a Comment

Your email address will not be published. Required fields are marked *