'World's largest' DDoS sees infosec journo's site taken down

Unknown attackers have succeeded in forcing the closure of infosec journalist Brian Krebs' website, KrebsOnSecurity, after content delivery network provider Akamai stopped hosting it following a massive denial of service attack.

Brian Krebs.

At first thought to be 665 gigabit per second in size, traffic analysis by Akamai suggested the attack reached 620 Gbps, potentially making it the largest denial of service packet flood on the internet ever recorded.

Prior to today's DDoS, large attacks in the 400 to 500 Gbps range had been recorded this year. While smaller DDoS floods are common occurences, large attacks like the one on KrebsOnSecurity are difficult to orchestrate as they require careful coordination and skills.

They also require a large amount of network connected devices to send traffic, and before his website was turned off, Krebs said Akamai believed the attack emanated from a huge botnet with possibly thousands of hacked systems.

Akamai security spokesperson Martin McKeay told Krebs that he believed the attack was the largest the company had seen, and that it relied not on reflection or amplification of traffic, but garbage requests to the webserver. 

McKeay said the biggest attack Akamai had hitherto seen was 363 Gbps.

The biggest amount of attack traffic stemmed from Generic Routing Encapsulation (GRE) protocol packets, Akamai's analysis showed. GRE is a Cisco-developed protocol used to encapsulate network layer protocols, for use with virtual private networking.

McKeay said that as GRE traffic can't have source addresses spoofed, this pointed to a very large botnet of compromised routers and internet-connected cameras and digital video recorders. 

“Someone has a botnet with capabilities we haven’t seen before,” McKeay said. 

“We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks — they were everywhere,” McKeay said.

Krebs said via Twitter that Akamai was providing the anti-DDoS Prolexic service pro bono for his site.

He added that he couldn't fault Akamai for their decision, as the large attack on KrebsOnSecurity would've cost the provider "a ton of money".

While nobody has taken responsibility for the DDoS yet, some of the fake requests to Krebs' webserver contained the "freeapplej4ck" text string. 

This is believed to be a reference to one of the Israeli teens, Yarden "Applej4ck" Bidani, who was arrested together with Itay Huri for running a "booter" or DDoS for hire service called vDOS, which promised traffic floods of up to 216 Gbps.

iTnews has sought comment from Akamai on whether or not the DDoS on KrebsOnSecurity overwhelmed its Prolexic protection service, forcing them to take the site offline.