In late September, the website of journalist and cybersecurity expert Brian Krebs was hit with a crippling hacker assault known as a “distributed denial of service,” or DDoS, which knocked him off the Internet for several days.
Krebs is one of the savviest security experts out there, yet at first he was rendered almost powerless to fight off the attack. More to the point, he was silenced. That’s a concern because Krebs believes the attack was launched in retaliation for a story he wrote exposing two Israeli hackers, who were arrested around the same time.
The economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists.
The scariest elements of this episode are these: First, the weapons allowing cyberattackers to bring down websites and networks no longer belong exclusively to “state actors” such as governments, but are widely available in private hands. Second, these weapons are getting better every day. Finally, the cost of defending against such attacks can ruin their targets, vastly enhancing the attackers’ ability to silence them.
“The economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists,” Krebs says. He calls the result “the democratization of censorship.” One doesn’t need a government censor’s blue pencil and scissors to muzzle an adversary; one can bludgeon him into silence.
The DDoS is perhaps the most common means of attacking a target website or network. Put simply, the attackers flood the target with incoming traffic in such volume and from so many different sources that the legitimate traffic can’t get through.
“Largely it’s a matter of bandwidth,” security expert Bruce Schneier wrote in mid-September. “If the attacker has a bigger fire hose of data than the defender, the attacker wins.”
The Internet security firm Verisign says it observed that the number of DDoS attacks increased 75% in the first half of 2016 compared to a year earlier, while the peak attack size increased 214%, an indication of the greater difficulty of fending them off.
As Krebs and others observe, the two most important and disturbing developments in the field are the proliferation of Internet-connected devices that can be seized by hackers and exploited to participate in an attack as members of “botnets” — think of them as armies of automated attackers — and the spread of software allowing hackers to infect them and turn them to their own uses.
To a great extent, these devices are not computers. They’re Internet-enabled webcams, cloud-connected data storage drives, digital video recorders and Internet routers whose manufacturers fail to equip with adequate security software and endow with weak passwords that buyers don’t bother to change, and therefore are left vulnerable to cyber takeovers by remote control. They’re elements of the highly touted “Internet of things,” or IoT, easily converted into threats to our privacy and security.
These vulnerabilities create an asymmetric battlefield — it’s cheap and easy to mount an attack, hugely expensive to repel one.
[Update: Krebs reported over the weekend that the source code for the botnet used in the attack on his website, which is dubbed “Mirai,” has been publicly released, sharply increasing the chances it can be used for malicious purposes.
[Mirai works by scanning the Web for Internet-connected devices with poor password protection, often default passwords installed by manufacturers. The botnet can “quickly assemble very large IoT-based DDoS armies,” Krebs wrote.
[The devices include home security cameras whose images can be accessed by owners via the Web, Internet routers and digital video recorders. They’re often protected by default user name/password combinations such as “admin/123456” or “root/password” and owned by consumers without the time or ability to change the access codes. This makes them easily accessible to scanning programs searching for default combinations so they can that then infect them with malware that converts them to slaves in a malicious army.]
The attack on Krebs, a former Washington Post reporter whose site has become a go-to destination for information on network security, shows how this works. Krebs’ website was serviced by Akamai Technologies, which provides hosting and security to some of the largest companies on the Web and handled his account at no charge.
Starting on the evening of Sept. 20, Krebs’ site became the target of the largest DDoS attack Akamai engineers had ever seen, nearly double the volume of anything in the past. Akamai fended off the first waves, but as the onslaught continued the cost of fighting it rose sharply, while it threatened to affect Akamai’s other customers. The company chose instead to uncouple Krebs’ site from its system and withdraw the free protection.
Krebs says he does “not fault Akamai” for cutting him loose as a pro-bono client, although it gave him only a few hours to find an alternative host. He was told that the 24/7 protection he was obtaining through Akamai would cost as much as $200,000 per year, but instead came under the wing of Google’s Project Shield, a free service that supports independent news organizations with protection from DDoS attacks.
Attacks like these are certain to become more common, with firms of all kinds becoming targets. Over the last week, the French Internet hosting service OVH has been fighting a DDoS assault nearly twice the size of the Krebs attack, with traffic coming from as many as 145,000 webcams and DVRs at a time.
These attacks don’t signify merely the determination of hackers, but the lax practices of Internet service providers and equipment manufacturers. Protocols and standards have existed for years to enable ISPs to block suspicious traffic from insecure sources. So, too, does software that device makers could build into their products to secure them against outside manipulation.
Thus far, these steps have seemed too costly or bothersome to take. That’s because the threat to the general public still seems trivial or abstract. But things could change in a flash.
“I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and eCommerce,” Krebs wrote in the aftermath of his attack. “My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections.” By then it may be too late.
Oct. 5, 11:18 a.m.: This post has been updated with information about the release of the source code for the botnet that attacked Krebs’ site.
This column was originally published Sept. 29.