Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security The Internet Communications Network Networking Privacy The Almighty Buck News Technology

Why the Silencing of KrebsOnSecurity Opens a Troubling Chapter For the Internet (arstechnica.com) 207

An anonymous reader quotes a report from Ars Technica: For the better part of a day, KrebsOnSecurity, arguably the world's most intrepid source of security news, has been silenced, presumably by a handful of individuals who didn't like a recent series of exposes reporter Brian Krebs wrote. The incident, and the record-breaking data assault that brought it on, open a troubling new chapter in the short history of the Internet. The crippling distributed denial-of-service attacks started shortly after Krebs published stories stemming from the hack of a DDoS-for-hire service known as vDOS. The first article analyzed leaked data that identified some of the previously anonymous people closely tied to vDOS. It documented how they took in more than $600,000 in two years by knocking other sites offline. A few days later, Krebs ran a follow-up piece detailing the arrests of two men who allegedly ran the service. A third post in the series is here. On Thursday morning, exactly two weeks after Krebs published his first post, he reported that a sustained attack was bombarding his site with as much as 620 gigabits per second of junk data. That staggering amount of data is among the biggest ever recorded. Krebs was able to stay online thanks to the generosity of Akamai, a network provider that supplied DDoS mitigation services to him for free. The attack showed no signs of waning as the day wore on. Some indications suggest it may have grown stronger. At 4 pm, Akamai gave Krebs two hours' notice that it would no longer assume the considerable cost of defending KrebsOnSecurity. Krebs opted to shut down the site to prevent collateral damage hitting his service provider and its customers. The assault against KrebsOnSecurity represents a much greater threat for at least two reasons. First, it's twice the size. Second and more significant, unlike the Spamhaus attacks, the staggering volume of bandwidth doesn't rely on misconfigured domain name system servers which, in the big picture, can be remedied with relative ease. The attackers used Internet-of-things devices since they're always-connected and easy to "remotely commandeer by people who turn them into digital cannons that spray the internet with shrapnel." "The biggest threats as far as I'm concerned in terms of censorship come from these ginormous weapons these guys are building," Krebs said. "The idea that tools that used to be exclusively in the hands of nation states are now in the hands of individual actors, it's kind of like the specter of a James Bond movie." While Krebs could retain a DDoS mitigation service, it would cost him between $100,000 and $200,000 per year for the type of protection he needs, which is more than he can afford. What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.
This discussion has been archived. No new comments can be posted.

Why the Silencing of KrebsOnSecurity Opens a Troubling Chapter For the Internet

Comments Filter:
  • I thought the "internet of things" was a .. "diegetic prototype", ie a fantasy. how many net-addressable refrigerators and automatic light switches are there, that they can mount a DDOS of this scale? -- if all you have is a bow, every problem looks like a skeleton
    • by AJWM ( 19027 ) on Friday September 23, 2016 @11:02PM (#52951525) Homepage

      It's not just refrigerators and light switches.

      It's also light bulbs (Philips stupid mood thingie), thermostats (Nest, etc), nannycams (every manufacturer and his brother), (in)security systems, even fricking doorbells, et bloody cetera.

      And I'm sure I've left out some major categories.

      • by AJWM ( 19027 ) on Friday September 23, 2016 @11:14PM (#52951549) Homepage

        And I'm sure I've left out some major categories.

        Oh yeah, sex toys [arstechnica.com].

        • by Anonymous Coward on Saturday September 24, 2016 @02:49AM (#52952197)

          Are you talking about a distributed denial of cervix?

          • by WallyL ( 4154209 )

            Yeah, some have installed one of the various "Religion" DLCs available. Some have entirely unpatched systems, which might give you malware if you connect. Exclusive provider contracts seem to be one of the most reliable ways to ensure continued and safe service. If you use more than once service provider, they both start denying service. Be sure to clear your cookies! Watch out for "free" upgrades that come with their own expensive expansion packs.

    • by Anonymous Coward

      how many net-addressable refrigerators and automatic light switches are there, that they can mount a DDOS of this scale?

      I have this feeling that many ISPs have persecuted server operators, and used some handwaving justification that net-addressability has anything to do with further enabling DDOS botnets. I.e. net-addressability is the defining requirement of server operation. Wheras to send spam, being behind a NAT really isn't an impediment.

    • Yeah, I'm not sure I buy blaming IoT devices either. Yes they're all vulnerable, but you have to be nearby to exploit.
      • Yes they're all vulnerable, but you have to be nearby to exploit.

        No, you don't, and that's the whole point. Someone 1,000 miles away can fiddle with your IoT gear, own it, or use it maliciously.

  • by s.petry ( 762400 ) on Friday September 23, 2016 @10:38PM (#52951425)

    They don't care that IoT is a horrible idea, and they ignore countless other security practices to increase their own pocket wads. Power holders want to track your every move and dig every loose penny they can find out of _your_ pocket in the process.

    Stop connecting every damn thing to the Internet, and start securing what you have to have connected. This is not a mentally challenging thought process, so if you don't "get it" that makes you...

    • by Oligonicella ( 659917 ) on Saturday September 24, 2016 @01:11AM (#52951955)

      *Some* of us tried to tell people it was a terrible idea. A lot of /.ers thought it was just a peachy thing and volubly heckled us about it, laying out in great detail how beneficial it was to have your refrigerator keep your grocery list for you to check as you shopped, be able to automatically turn you lights on and off as you went to and from work, etc.

    • Stop lumping all things that are on the internet with IoT paranoia. There are very good internet enabled things that have nothing to do with silly consumer gadgets, and they use high security as well (not the weak wifi stuff).

    • They don't care that IoT is a horrible idea, and they ignore countless other security practices to increase their own pocket wads.

      If the internet is vulnerable to such attacks, then we have already lost. And of course, it is, so we have.

      Stop connecting every damn thing to the Internet, and start securing what you have to have connected.

      How about we add some security to the actual network? No amount of security will protect you from a DDoS.

    • by ThatsMyNick ( 2004126 ) on Saturday September 24, 2016 @07:37AM (#52952775)

      The thing is you werent telling the right thing. IoT is not a bad idea at all (much less a horrible idea). You come off as a luddite when you say that. What you should have said is security is important IoT or no IoT. It seems obvious but apparently not to some people. May be if you had been pro-security rather than anti-IoT, you would have taken more seriously. Just my 2 cents.

  • by Anonymous Coward on Friday September 23, 2016 @10:43PM (#52951453)

    There is no fucking reason for the internet to be this much of a clusterfuck. Spoofed routing updates, IP spoofing, none of this should be possible by design.

    With a non retarded internet DDOS attacks could simply be blocked at the source by certified ISPs. Any ISP who abused that ability, or ISPs which repeatedly allowed spoofed traffic to originate from their network could simply be banned from the internet. Problem fucking solved.

    Stop patching up this shit and give us a next generation internet, I'm sick of this shit.

    • by Anonymous Coward

      That will be abused to cut off ISPs that tolerate piracy, and we can't let that happen. According to Slashdot users, piracy is a basic human right that nobody should be allowed to infringe upon.

      • Unlikely, torrent no work so good with spoofed address. Plenty of upload but the down is painfully slow.

    • by Anonymous Coward

      Any ISP who abused that ability, or ISPs which repeatedly allowed spoofed traffic to originate from their network could simply be banned from the internet.

      Right. Companies who make billions of dollars a year as ISPs (Comcast, Charter-Time Warner, etc) are going to allow you to ban them from the internet.

      Please get out of your mom's basement and learn how the world really works.

      • Re: (Score:1, Insightful)

        by Anonymous Coward
        In a normal country, you can setup things called "laws" that companies need to adhere to.... I know it's a foreign concept but it does actually happen in some places!
        • by Anonymous Coward on Friday September 23, 2016 @11:25PM (#52951617)

          In a normal country, you can setup things called "laws" that companies need to adhere to.... I know it's a foreign concept but it does actually happen in some places!

          Just not anywhere of importance. Tell us again: how many Goldman-Sachs bankers are in jail? How about HSBC bankers? How much competition does Microsoft have in the PC OS space? How many people at Sony landed in jail after the rootkits?

    • by Anonymous Coward

      You wouldn't be reading this webpage if traffic that didn't originate in a given ISPs network wasn't forwarded. The packets that constitute your HTTP requests travel through several different networks between your home router and a server hosting a website. If any of those networks blocked packets that did not originate in their network you wouldn't be reading these comments.

      Learn how routing works....

    • There is no fucking reason for the internet to be this much of a clusterfuck.

      There isn't much daylight between Internet we have today and the ideal version of it in my view. Shit that runs over it is an entirely different story.

      Spoofed routing updates, IP spoofing, none of this should be possible by design.

      If everyone got off their asses and implemented BCP 38 it would be more difficult yet I'm not so sure we would see a better outcome. Preventing reflection is helpful and having more confidence in source addresses important yet I find it hard to believe this is a solution to anything.

      With a non retarded internet DDOS attacks could simply be blocked at the source by certified ISPs.

      Problem isn't spoofed traffic it is desire and capability to flood others.

      • There isn't much daylight between Internet we have today and the ideal version of it in my view. Shit that runs over it is an entirely different story.

        Uh no. The internet is the network and the computers. It's an inter-net-work of computers. The shit that runs over it is likewise therefore also part of the internet. If the internet will happily carry shit traffic, then it's a shit internet.

        I love it too, but let's not pretend that it's not grossly flawed.

        • Uh no. The internet is the network and the computers. It's an inter-net-work of computers. The shit that runs over it is likewise therefore also part of the internet. If the internet will happily carry shit traffic, then it's a shit internet.

          I love it too, but let's not pretend that it's not grossly flawed.

          No I'm talking about the architecture of the network itself and have made that quite clear. You can invent whatever definitions you want and ignore the clear context of parents remarks yet in doing so you are no longer communicating any useful information.

          Asserting pipes are shit because you pumped them full of shit is itself worthless shit.

    • Fine. Can I send you the bill for these multi-million dollar routers you want to turn in to boat anchors? I have two or three dozen I'll need to replace.

      • Fine. Can I send you the bill for these multi-million dollar routers you want to turn in to boat anchors? I have two or three dozen I'll need to replace.

        If the internet becomes just a lot of DDoS then they'll effectively be boat anchors anyway. The problem needs fixing at any cost, because the cost of not fixing it is that the internet becomes useless and that cost is too much to bear. Will you ignore the disease until it kills the host? Or will you administer a painful medicine?

  • by Anonymous Coward

    SPECTRE. The SPecial Executive for Counter-intelligence, Terrorism, Revenge and Extortion.

    From a James Bond movie.
    https://en.wikipedia.org/wiki/SPECTRE

    • by AJWM ( 19027 )

      "From a James Bond movie."

      Kids these days.

      Even if you're going to restrict yourself to movies, SPECTRE was the villain in most of the Sean Connery Bond flics. And that was in no small part because they took liberally from Ian Fleming's books.

      At least you got the acronym right.

      Now, for bonus points, what did THRUSH (the Man from UNCLE bad guys) stand for? (And, trivia note, Ian Fleming contributed concepts for that TV series, including the name of the main character, Napoleon Solo.)

      Are we sufficiently off-

      • THRUSH isn't an acronym. It's the name of the organisation. Attempts to make it one came later, in some of the novelisations, I think.

      • by dbIII ( 701233 )

        Now, for bonus points, what did THRUSH stand for?

        Stand? No. Squirm uncomfortably? Yes.

  • As long as it scales in parallel to money, its nothing new or revolutionary. New gun for hire, different day.

  • ...that there's ANOTHER reason the "internet of things" is a stupid idea.

  • Big deal. One domain was silenced.

    He can still work and do what he needs, now he has to participate in the rest of the media network.

    That's the whole point of the Internet being invented in the 60's to begin with. One site / segment get's bombed, you can still get on in other segments of the network. All he needs to do is submit Press Releases just like everyone else.

    Problem that's not a problem has been solved.

    • by bheerssen ( 534014 ) <bheerssen@gmail.com> on Friday September 23, 2016 @11:19PM (#52951587)

      Krebs' site had the full backing of Akamai until it became too expensive for them to continue fending off the attacks. If it's too expensive for Akamai to do this, it means that the attackers can take any site offline, no matter how big or how powerful. So, no, it's not just about one site. How long until Akamai itself can't keep up with attacks and has to shut down?

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        >Krebs' site had the full backing of Akamai until it became too expensive for them to continue fending off the attacks

        It wasn't too expensive for Akamai to continue fending off the attacks. It was too expensive to them to fend off the attacks for free

        • Well, since the figures I've seen bandied around are that protection from this level of attack would be about USD100-200K per annum, this effectively means that unless you have a lot of money or a company willing and able to pay what amounts to protection money, you potentially won't be permitted to speak - doing so with an uncomfortable topic for someone gets you knocked offline. Pay the wrong mob and you get to pay again, and again, and again.

          One potential outcome may be that truly personal sites will bec

          • Well, since the figures I've seen bandied around are that protection from this level of attack would be about USD100-200K per annum

            Google offers it free [withgoogle.com] to all journalists.

      • by Anonymous Coward

        For as much Libertarian cock sucking goes on around /. this seems to be exactly the free market at work. Only he was getting service for free. So yeah, he wasn't worth keeping around without being a real customer.

    • by Anonymous Coward

      This is a problem in itself. What you suggest means the end of a free internet. Only domain owned by organizations big enough to absorb that kind of ddos or too small to attract attention would be left in the end.

  • by Plus1Entropy ( 4481723 ) on Friday September 23, 2016 @11:10PM (#52951537)

    What's especially troubling is that this attack can happen to many other websites, not just KrebsOnSecurity.

    So wait, a DDOS attack can happen to anybody? This kind of hard hitting revelation is why I keep coming back to this site.

    • You heard it here first. Now there's something they don't say about slashdot

    • I've been DDoS'd for talking shit on irc. Well, I say shit, but what I was saying was true... only inflammatory. But back then it didn't take a very large attack to knock someone off ye olde internet, an ISP would scarcely notice.

  • This sounds like a good use for some torrent-type technology to supply "distributed websites"
    Rather than having a server or "servers", articles go out from a seed source and are quickly seeded throughout the world. Maybe add some sort of checksumming/encryption to help validate that an article did in-fact come from the real source and not an impostor... it would stop sh*t like this from happening.

    • by raymorris ( 2726007 ) on Friday September 23, 2016 @11:57PM (#52951737) Journal

      > articles go out from a seed source and are quickly seeded throughout the world.

      That's a wonderful idea. We'd need a new protocol for distributing these "articles". We could call it Network News Transfer Protocol or something. You could tag your article according to categories andsubcategories, and people could subscribe to these different news groups. We could use ssl/tls for authentication of peers.

      It probably wouldn't take too long to develop such a protocol; I bet we could have it done by 1986.

      • by phorm ( 591458 )

        Gee, sarcasm.

        newsgroups are different than a P2P seeding system. There wasn't really a peer so much that your ISP and some other major odies would keep local cache's of the top groups. The obvious disadvantage of this being that those same bodies get to choose which newsgroups they clone/share, whereas in P2P anyone who has picked up the document/article/whatever is potentially also a peer.

        • Re: (Score:3, Insightful)

          by smallfries ( 601545 )

          Which central server did these non-peers cache the newsgroups from?

        • by swb ( 14022 )

          NNTP was pretty decentralized, one of the challenges with it in the later days of NNTP was the relative ease of newgroup injection and crapflooding.

          IIRC, NNTP server software on the hardware of the early 2000s scaled poorly and the traffic volumes were growing fast so you started to see ISPs get much more control oriented when it came to retention periods and which newgroup messages they would honor and from whom.

        • > newsgroups are different than a P2P seeding system. There wasn't really a peer so much that your ISP and some other odies (bodies?)

          You didn't have to use your ISP's servers, just like you don't have to use their DNS. People routinely used other news servers, and nerds often ran their own. Of course using your ISP's local servers tends to be faster and more efficient than some server on a far-away network.

          Until shortly before NNTP mostly died, most ISPs didn't want liability from choosing to carry s

    • by Burz ( 138833 )

      I2P does this... https://geti2p.net/en/docs/app... [geti2p.net]

      In fact, addresses within both Tor and I2P are crypto public keys.

      It even has a distributed filesystem.

  • The attackers are distributed. The victims are not. We need to superdistribute web content like we do with music. Think TOR meets torrents. It would take httpd authors, browser authors, and even search engines to get in on the act, but it would put an end to the problem. (somebody is probably already working on this)

    The web, like e-mail, is going through death throes. The kids will decide what lives and what dies I guess.

    • by SeaFox ( 739806 ) on Saturday September 24, 2016 @01:22AM (#52951991)

      The web, like e-mail, is going through death throes.

      Gimmie a break. You know how often I've heard "email is dying"? Generally it's from some stupid millennial, or the mouthpiece of a social networking company that offers a messaging feature that, for all intents and purposes, is email (except with formatting and picture/video inserting bells and whistles). What they really mean is "we wish email were dead, so everyone would be forced to become one of our users and we could become the new defacto email".

      When those kids go out and get a job and have to communicate in a serious fashion, it's not Facebook they're going to be launching -- it's Outlook.

      • Generally it's from some stupid millennial, or the mouthpiece of a social networking company that offers a messaging feature that, for all intents and purposes, is email (except with centralization, censorship, advertising and data-mining). What they really mean is "we wish email were dead, so everyone would be forced to become one of our users and we could become the new defacto email".

        FTFY.

    • by Burz ( 138833 )

      "TOR meets torrents" is I2P.

      It has distributed content sites like Syndie, and even has bittorrent contained within the net (not a gateway to clearnet) and a distributed filesystem (Tahoe-lafs).

  • Stupid IoT (Score:5, Interesting)

    by orlanz ( 882574 ) on Friday September 23, 2016 @11:16PM (#52951571)

    If they are so easy to commandeer, I think a group should go around bricking these damn things. Brick enough of them and either users will toss them or return them. Either way, the vendor will actually consider lockdown and security a value add or go out of business. The world is better off.

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      To ISPs "servers" are considered 'harmful devices', but botnets of these sorts of clients with out of development closed source firmwares are considered "nonharmful devices". Lol.

  • Story's Not Over (Score:5, Insightful)

    by Bruce Perens ( 3872 ) <bruce@perens.com> on Saturday September 24, 2016 @12:27AM (#52951845) Homepage Journal

    If I understand this correctly, Akamai threw Krebs out because Akamai could not handle the DDS. This means I'm never sending any business to Akamai because they can't handle it properly. But it doesn't mean Krebs is off the air for long.

    For example, I bet Cloudflare would take him on. They've differentiated themselves on the ability to handle DDS.

    • If I understand this correctly, Akamai threw Krebs out because Akamai could not handle the DDS. This means I'm never sending any business to Akamai because they can't handle it properly. But it doesn't mean Krebs is off the air for long.

      Do you have a source for this? All I've seen is that Akamai/Prolexic was unwilling to keep doing it for free, because it was getting really expensive. That seems like a significant difference, especially from the perspective of somebody intending to pay money for the services rendered.

    • If I understand this correctly, Akamai threw Krebs out because Akamai could not handle the DDS. This means I'm never sending any business to Akamai because they can't handle it properly. But it doesn't mean Krebs is off the air for long.

      For example, I bet Cloudflare would take him on. They've differentiated themselves on the ability to handle DDS.

      There's also Google's Project Shield, which is free for journalists.

  • by Anonymous Coward

    The answer is already here.
    Use ipfs
    https://ipfs.io/ [ipfs.io]
    This problem goes away on it's own. Sure they DDoS but they only be hitting 127.0.0.1

  • by twistedcubic ( 577194 ) on Saturday September 24, 2016 @12:53AM (#52951913)
    Site is suffering a DDoS attack, and we slashdot it.
  • Why should an entity reveal its capabilites setting up such attack bringing himself too much in the public light and without any monetary profit. It may backfire by getting the authorities, and even other ddos attacks users, on his trail and by triggering the search and implementation of technical and regulatory measures to reduce or eliminate the means he uses for the attack. The entity behind this does attack may have just triggered a Barbara Streisand attack.
  • In the past it was trivial to just mirror websites as they typically only consisted of some HTML pages and some images. If something like that happened in the past, you'd just have mirrors popping up everywhere.

    Today websites are much more complicated. Even something as simple as a blog is now dynamically generated every time its loaded. You cannot simply mirror that.

    • by NotAPK ( 4529127 )

      "You cannot simply mirror that."

      You can actually mirror a dynamic site trivially, it's just that the snapshot goes immediately out of date.

      The first way to improve dynamic website performance is to put a proxy in front of the web server to cache content and minimise the number of hits that reach dynamic code.

      I'll add a caveat to my comment about mirroring dynamic sites: I'm not talking about the latest wave of non-HTML sites that use JS to render directly in the browser. In theory they can be mirrored as we

  • by burni2 ( 1643061 ) on Saturday September 24, 2016 @02:15AM (#52952111)

    Ok, people my point is we have too long relied on companies protecting those that can pay (Brian cannot) the hefty fee from DDOS.

    And when I introduced this thought with "one fat .. target" I meant even Akamai with its big - but limited - bandwidth is condensed to just one target when that bandwidth is exhausted.

    My point: Mittigation for this scale of attack is to counter it with a "borg collective" of an even or bigger scale.

    The vulnerability for Brian, us and everyone is, that the fight is one against an army. Now one could argue that going on the offensive(attacking the bots, identifying the bots) would be a favourable cause. However this would end up in many little scrimishes that drain energy and end in a victory for that bad guys, because they have more energy.

    So I don't think that such an offensive would be a meaningful course of action. The best course of action would be to first weaken those DDOS attacks and then rendering them uneffective because there is not even a single target.

    So todays sites are a single sitting fat target, Akamai is just a thick wall, but every wall can be shot to pieces with a big army.

    But there are two known and working mittigations

    a.) freenet / freesite - with its hash keys and asymetric encryption a site is even "signed", also everyone who connects to a freesite will store it in the cache/storage.

    b.) bit-torrent
    example: It is still active and thriving till today, under attack and not just holding up but thriving.

    Idea: torrent(ify) the web

    But the secondary - offensive - measure is to identify the unwilling bots of these bot nets and work on this front - long long way to go.

  • Krebs just needs to change his distribution model. Instead of limiting this info to his own website, just start publishing the content on any interested website. Why hasn't slashdot already contacted him and offered to host his content? Even if they can DDoS a single major site into submission, they won't stand a chance of taking several offline.

    For that matter, why wasn't Akamai sending out tons of abuse@ emails during this mess, telling ISPs to stop the flood coming from their side, or face financial lia

  • Hold manufacturers of such shitty IoT appliances liable for facilitating crimes. Not only will we be spared fridges that spy on our lives, this whole mess would end pretty fucking quickly.

  • It's not a good thing when one or two jackasses can fuck over the entire internet.

    And yes, I know this wasn't the entire internet, but imagine this attack writ large, performed by multiple actors, possibly with state backing (or maybe just a lot of personal resources).

    The internet is basically at the mercy of whoever feels malicious on any given day and who has the ability to push a few buttons.

  • The site is back! Now hosted by google.

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Working...