Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Censorship Security The Internet

Krebs Is Back Online Thanks To Google's Project Shield (krebsonsecurity.com) 149

"After the massive 600gbps DDOS attack on KrebsOnSecurity.com that forced Akamai to withdraw their (pro-bono) DDOS protection, krebsonsecurity.com is now back online, hosted by Google," reports Slashdot reader Gumbercules!!.

"I am happy to report that the site is back up -- this time under Project Shield, a free program run by Google to help protect journalists from online censorship," Brian Krebs wrote today, adding "The economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists...anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor." [T]he Internet can't route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development the "The Democratization of Censorship...." [E]vents of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach...

Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years. It just so happened that this last siege was nearly twice the size of the next-largest attack they had ever seen before. Once it became evident that the assault was beginning to cause problems for the company's paying customers, they explained that the choice to let my site go was a business decision, pure and simple... In an interview with The Boston Globe, Akamai executives said the attack -- if sustained -- likely would have cost the company millions of dollars.

One site told Krebs that Akamai-style protection would cost him $150,000 a year. "Ask yourself how many independent journalists could possibly afford that kind of protection money?" He suspects the attack was a botnet of enslaved IoT devices -- mainly cameras, DVRs, and routers -- but says the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic, "allowing systems on their networks to be leveraged in large-scale DDoS attacks... the biggest offenders will continue to fly under the radar of public attention unless and until more pressure is applied by hardware and software makers, as well as ISPs that are doing the right thing... What appears to be missing is any sense of urgency to address the DDoS threat on a coordinated, global scale."
This discussion has been archived. No new comments can be posted.

Krebs Is Back Online Thanks To Google's Project Shield

Comments Filter:
  • by DeusExCalamus ( 1146781 ) on Sunday September 25, 2016 @11:45AM (#52957739)
    The Krebsonline DDoS was 600gbits+, not megabits.
  • 600gbits+ is a huge volume of traffic. I bet it was not cheap to get it done. I wonder who would have the motive and the money to do such a thing.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Seeing as how the attacks occured after he posted a series of articles on Israeli-run company vDOS...and that the traffic was larger than practically any other DDoS attack that's been recorded?

      It's pretty obvious who has the money and the motive, Israel. They co-opted one of their own, slimy companies to do their dirty work, if it ever blew up in their faces they could bring charges down on vDOS and deny responsibility. vDOS alone can't generate 600+ gigabits of traffic, that's beyond the capacity of any pu

      • Re: (Score:2, Insightful)

        I kind of doubt that the Israeli government was involved in a company whose main customers are common internet trolls that want to (for a fee) knock video game streamers offline for 5 minutes to cause them to lose an arena match in world of warcraft. Seriously, that's the biggest revenue driver for a company like vDOS.

        The fact that it was located in Israel is likely coincidence, more than anything. It wouldn't surprise me if a collection people who offer these "booter" services didn't like the thought that

        • by Anonymous Coward

          I agree but your use of vowels is anti-semantic

      • Although it would be convenient for someone out for fun or an enemy of Israel to attack a target that Israel could be blamed for. I think we should wait for some forensics before blaming anyone.

        • Agreed. But the rush to judgement is already in full swing. Camers, DVRs and routers. Oh my! Don't you dare mention Windows!!

          As far as I'm concerned there isn't a shred of evidence that this was IOT based.

    • Re:That is huge.. (Score:5, Interesting)

      by Dutch Gun ( 899105 ) on Sunday September 25, 2016 @12:02PM (#52957833)

      From Kreb's site:

      Many readers have been asking whether this attack was in retaliation for my recent series on the takedown of the DDoS-for-hire service vDOS, which coincided with the arrests of two young men named in my original report as founders of the service.

      How about the folks who provide DDOS for hire? For them it costs nothing (if they're just using spare capacity), since they own the botnets. And at the same time, they're sort of advertising their wares at the same time.

      This sort of thing is just going to get worse when crappy / non-existant IoT security devices exposed themselves to the web via large-capacity fiber and cable connections. It's already bad enough with compromised routers and computers. Most people won't get protected. They'll just get knocked off the web at will by people like this.

      • Re:That is huge.. (Score:5, Insightful)

        by Dutch Gun ( 899105 ) on Sunday September 25, 2016 @12:13PM (#52957887)

        Reading further in comments, I saw this comment from Krebs (emphasis mine):

        Actually, the intel I’m gathering suggests it’s not routers at issue, but mostly DVRs and some IP cameras.

        So, sounds like the Internet of Things is already biting us fairly hard these days. OS makers for computers and phones have made those platforms much harder to compromise than they used to be, and regularly patch known vulnerabilities. But I fear IoT manufacturers are going to make all the same, old mistakes that PCs went though over the past decade or so, instead of gleaming the hard-won knowledge of best security practices.

        • Aaaaand... like an idiot, I failed to notice that this information is right there in the summary. How often does one read TFA and fail to read the summary? That has to count for something, right?

        • by Anonymous Coward

          But I fear IoT manufacturers are going to make all the same, old mistakes that PCs went though over the past decade or so, instead of gleaming the hard-won knowledge of best security practices.

          Security, done properly, is expensive. When your business is based entirely on selling cheap shit, there's no room in the profit margin for proper security.

        • by xtsigs ( 2236840 )

          But I fear IoT manufacturers are going to make all the same, old mistakes that PCs went though over the past decade or so, instead of gleaming the hard-won knowledge of best security practices.

          Enough PC users demanded greater security because they saw a negative impact on performance. If DVR performance is not degraded, then not many will notice or care enough to spend a few extra dollars for the security.

          Verizon is continually attempting to sell me more bandwidth and higher performing equipment (router, DVR). They rarely even mention security in their pitch. They'll first sell me upgrades to accommodate the malware overhead. I expect that they'll start playing up the security angle when they thi

      • Re:That is huge.. (Score:4, Interesting)

        by rudy_wayne ( 414635 ) on Sunday September 25, 2016 @02:37PM (#52958609)

        [T]his sort of thing is just going to get worse when crappy / non-existant IoT security devices exposed themselves to the web via large-capacity fiber and cable connections. [I]t's already bad enough with compromised routers and computers. Most people won't get protected. [T]hey'll just get knocked off the web at will by people like this.

        As noted in the article: "the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic"

        There is something of an inverse relationship -- at least in the U.S. The bigger an ISP is, the less likely they are to give a shit.

  • by destinyland ( 578448 ) on Sunday September 25, 2016 @11:52AM (#52957775)
    Krebs quoted his mentor as saying this:

    "DDoS attacks have become the Great Equalizer between private actors and nation-states."
  • Kudos to google (Score:5, Insightful)

    by QuietLagoon ( 813062 ) on Sunday September 25, 2016 @12:08PM (#52957867)
    I was wondering if one of the big ones would step up to the plate on this one.

    .
    Funny, I don't know why, but facebook was never one of the ones I thought might do it.

    • Could that be because Facebook don't offer this kind of service?

    • The service is actually available to anyone serving news, human rights, or election monitoring, or human rights content. A slashdotter actually suggested the service in the article that appeared here a few days ago.

  • by smooth wombat ( 796938 ) on Sunday September 25, 2016 @12:11PM (#52957881) Journal
    the situation is exacerbated by the failure of many ISPs to implement the BCP38 security standard to filter spoofed traffic,

    Nothing like sticking your finger in the eyes of those who keep claiming they need to restrict bandwidth to their paying users while at the same time delivering slow speeds for exorbitant prices.

    Apparently those hundreds of millions of free dollars generated every month by Comcast/Verizon/et al can't be used for anything useful such as implementing security filtering to slow/prevent this situation.
  • They would fare by using cloudflare instead.

    • by Zocalo ( 252965 ) on Sunday September 25, 2016 @01:12PM (#52958245) Homepage
      I can't see Brian Krebs moving to Cloudflare under any circumstances. He's lain into them far too many times, and will likely continue to do so, over their support of various cybercrime operations like the vDOS stressor that his exposure of - and arrest of two suspects - likely lead to someone launching the DDoS that took him off line earlier this week. As Krebs sees it, Cloudflare are a major part of the problem and their activities are highly questionable since they directly benefit from people seeking protection from the very services Cloudflare are helping stay in operation; it just makes it easier to keep the moral highground if he's hosted elsewhere. Cloudflare's view is that because they are not actually hosting the sites themselves, just hosting a reverse proxy that redirects traffic to them, they are on firm legal ground and are doing nothing wrong.

      Something to think about, if you're in the market for DDoS protection...
    • by Anonymous Coward

      It's very possible that CloudFlare is hosting the people who are responsible for the attacks against Krebs.

      CloudFlare has many criminal customers. Check out this recent list of DDoS/"Stresser"/"Booter" websites proudly hosted by CloudFlare:

      alphastress.com, anonymous-stresser.net, aurastresser.com, beststresser.com, boot4free.com, booter.eu, booter.org, booter.xyz, bullstresser.com, buybooters.com, cnstresser.com, connectionstresser.com, crazyamp.me, critical-boot.com, cstress.net, cyberstresser.org, darkstr

    • by KozmoStevnNaut ( 630146 ) on Monday September 26, 2016 @04:02AM (#52961159)

      Cloudflare doesn't work for shit. There was a DDoS attack against Something Awful recently, and the DDoS "protection" crumbled almost completely.

  • site still down? (Score:3, Informative)

    by Forever Wondering ( 2506940 ) on Sunday September 25, 2016 @12:25PM (#52957957)

    I just tried the two top links and get:

    Firefox can't establish a connection to the server at krebsonsecurity.com.

            The site could be temporarily unavailable or too busy. Try again in a few moments.
            If you are unable to load any pages, check your computer's network connection.
            If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.

    • It might take some time for DNS changes to propogate. The IP address was set to localhost for a while to get the attacks off of the net.
      • Yeah, probably DNS propogation. It works for me.

        The IP address was set to localhost for a while to get the attacks off of the net.

        Shouldn't the IP address be set to one of the attacking IP addresses, so the person/ISP with the compromised device has to deal with all that traffic? Collect the attacking IP addresses, find which ISP is the source of biggest share of them, and redirect the entire attack back at them. When they clean their act up (e.g. implement BCP38), move on to next ISP with the most atta

        • by choprboy ( 155926 ) on Sunday September 25, 2016 @04:12PM (#52959011) Homepage

          Shouldn't the IP address be set to one of the attacking IP addresses, so the person/ISP with the compromised device has to deal with all that traffic? Collect the attacking IP addresses, find which ISP is the source of biggest share of them, and redirect the entire attack back at them.

          And which one of the estimated 200,000 attacking IPs would you target with this? How would the ISP responsible for that IP know that the one IP was part of the problem when being hit with a DDOS from 199,999 other IPs not under their control? The correct response to criminal activity is not to continue the criminal activity.

          Due to the fact that many of the nets abuse handling channels are ineffective (roughly half take no observable action in my experience), perhaps a more effective long term solution would be for the major CDNs, Google, Facebook, etc., to get together and work on notifying end users more directly. In this case, the CDNs/etc. could implement a shared/dynamic blocking list for those 200k IPs such that no content would be delivered, only an error message indicating that their equipment is compromised. The end user would still be free to use the internet and transmit traffic, but their favorite sites would be useless until they clean their equipment/submit a removal request. This provides direct pressure on the end user creating the problem, and by extension their ISP thru support desk calls, to clean up the compromised systems.

      • Yeah... I had to flush our DNS servers last night. The problem was not that the host record was set to localhost, but that the SOA (Start of Authority) changed from Akimai to GoogleDomains. The old Akimai SOA had a multi-day expiration lifetime and the Akimai servers are still giving out a valid A record response of localhost with a 5min expiration. So until the SOA ages out of various name servers, it will remain unreachable for some.

    • Fine for me.

  • by Anonymous Coward

    Google's Project Shield is excellent, and will save a lot of independent journalists.

    However, we probably need an alternative Project Shield for journalists that discuss topics Google wouldn't want to support (or be safe supporting).

  • by mrsam ( 12205 )

    Dunno if that could ever possibly happen, but consider the following scenario

    1. A poorly administered ISP ignores the fact that it's infested with zombie DDOS proxies.

    2. Google starts returning a static web page stating "Your internet provider is unable to reach Google, please contact your Internet provider for support." message, instead of their home page, for queries from that ISP's IP address ranges.

    Probably just a pipe dream for a lazy Sunday afternoon.

    • All those people who agitate against an improved internet because they fear nebulous control and because it wouldn't be "trust" based are creating a situation where the real internet will become a bunch of centrally managed corporate networks which CAN block DDOS's. Whereas the open internet build on broken by design protocols and broken by design inter-connection contracts will wither and die.

      The current internet isn't build on trust, it's build on quicksand. The current internet is inherently untrustworth

      • by l0n3s0m3phr34k ( 2613107 ) on Sunday September 25, 2016 @01:44PM (#52958405)
        "build on broken by design protocols" Seriously? The Internet is NOT broken-by-design in any way. The original scope of the design did not include the system ever being an open-to-the-public system that supports a large portion of today's civilization. It was never, in it's original scope, designed to have public web servers, financial transactions, video streaming, or such. The original purpose of ARPANET, that eventually metamorphosed into the current internet, was "to exploit new computer technologies to meet the needs of military command and control against nuclear threats, achieve survivable control of US nuclear forces, and improve military tactical and management decision making". The entire thing wasn't designed to allow non-trusted actors on it in the first place.

        The design is solid. Your claim is like driving your car into a lake and then claiming the car is "broken by design" because it doesn't properly function as a water-going vehicle. Or that humans are "broken by design" because we can't breath a methane atmosphere.
        • Okay, let me rephrase then ... it's design is broken for it's current purpose.

          Cause we are trying to drive this car on the water.

  • by gweihir ( 88907 ) on Sunday September 25, 2016 @01:18PM (#52958291)

    I mean, what better opportunity to demonstrate the power of your solution and with free reporting on it as well? Nobody likes the DDoS terrorists (and yes, that is what they are for all practical purposes, because they are attacking critical infrastructure), so this can only go well.

  • BCP38 filtering (Score:4, Interesting)

    by NevDull ( 170554 ) on Sunday September 25, 2016 @01:19PM (#52958299) Homepage Journal

    The only way to get BCP38 filtering widespread is to hold ISPs liable for spoofed traffic originating on and exiting their network.

    • We can lobby consumer router manufacturers to include it. Openwrt has a bcp38 package with no configuration, done by Dave Taht and the Cerowrt folks.
  • Let's take a relatively smart, but also relatively ignorant, common man whose router, pvr, smart tv, etc have been compromised.

    And if one or some of one's devices are partly responsible for this:

    How would he know?

    What steps can he take to find out if he's part of the problem?

    And, perhaps as importantly, if he finds out he is, what can he do* to fix the problem and prevent it happening again?

    There's no prize for good advice, but a detailed and thorough answer would be of use I'm sure :-).

    *Yep, I can think of

  • But the timing of the two stories, yesterday and today, sure comes across to me like something that's been obviously stage-managed.

  • by Anonymous Coward

    I call this rather unwelcome and hostile development the "The Democratization of Censorship...."

    Which democracy ever came with each citizen getting control of a million strong botnet of insecure products?

    This person is a tool to serve the narrative that it is a good thing in any way that Google is the one and only distributor of effective censorship 'protection' on the internet. What a racket. Literally.

  • bout time... Congrats Mr. Krebs
  • What happens when Brian comes across some nefarious shenanigans that Google has pulled? A moment of hesitation - even subconsciously?

Real Programmers don't eat quiche. They eat Twinkies and Szechwan food.

Working...