The website of security researcher and blogger Brian Krebs has been hit by what is thought to be one of the biggest DDoS attacks ever recorded.
Krebs said the attack on KrebsOnSecurity.com started on Tuesday evening, and was initially recorded at 665 Gbps. Further analysis discovered that the attack was slightly smaller than that, topping out at 620 Gbps. That is still “many orders of magnitude more traffic than is typically needed to knock most sites offline,” Krebs said on his blog.
The attack failed in that KrebsOnSecurity remained online throughout, thanks to engineers at Akamai. Krebs added that the attack was nearly double the size of the next largest DDoS attack recorded by Akamai, which had been 336 Gbps.
That attack had used common “amplification” techniques that enable a small botnet made up of compromised systems to turn an otherwise small attack into a larger one. This attack however appears to have been “launched almost exclusively by a very large botnet of hacked devices,” Krebs said.
Analysis of the traffic used in the attack showed that it used what Krebs called “garbage Web attack methods that require a legitimate connection between the attacking host and the target.” The attack traffic was designed to look like generic routing encapsulation (GRE) data packets; GRE is a protocol that can create a direct connection between two network nodes.
Martin McKeay, Akamai’s senior security advocate, told Krebs: “Seeing that much attack coming from GRE is really unusual. We’ve only started seeing that recently, but seeing it at this volume is very new. Someone has a botnet with capabilities we haven’t seen before.”
Traffic used in the attack was coming from all over the world rather than from one region in particular, and it appears that much of the traffic came from hacked IoT devices, such as routers and IP cameras, that had weak passwords.
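The two traits the article describes, a sudden surge of GRE (IP protocol 47) traffic and a very large number of distinct, geographically spread source addresses rather than a handful of amplifying reflectors, are exactly what a defender can look for in flow records. The script below is an added example, not code from the article, Krebs, or Akamai: it aggregates constructed NetFlow-style records (source IP, IP protocol, bytes) per protocol, compares GRE volume against an assumed baseline, and flags a direct botnet flood when both the volume ratio and the distinct-source count exceed assumed thresholds. The sample records and the baseline value are made up for illustration.

```python
"""Flag a volumetric GRE flood in flow records (added example, not from the article)."""
from collections import defaultdict

GRE_PROTO = 47  # IANA IP protocol number for GRE
TCP_PROTO = 6

# Constructed sample flow records: (src_ip, ip_proto, bytes). Not real traffic;
# addresses come from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = [
    ("192.0.2.10", TCP_PROTO, 1500),   # ordinary web traffic
    ("192.0.2.11", TCP_PROTO, 800),
]
# Fifty distinct GRE sources each pushing 200 kB: the "many hacked devices,
# each with a real connection" pattern, as opposed to a few reflectors.
SAMPLE_FLOWS += [(f"203.0.113.{i}", GRE_PROTO, 200_000) for i in range(1, 51)]


def summarize_by_proto(flows):
    """Aggregate flows into {proto: {"bytes": total_bytes, "sources": set_of_src_ips}}."""
    summary = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for src_ip, proto, nbytes in flows:
        summary[proto]["bytes"] += nbytes
        summary[proto]["sources"].add(src_ip)
    return dict(summary)


def detect_gre_flood(flows, baseline_gre_bytes, ratio_threshold=10.0, min_sources=20):
    """Compare observed GRE volume with an (assumed) baseline for the same window.

    A flood is flagged only when BOTH hold:
      * GRE bytes exceed ratio_threshold times the baseline (volumetric surge), and
      * at least min_sources distinct source IPs sent GRE (a broad botnet rather
        than a few amplifying reflectors).
    The thresholds are illustrative assumptions, not operational values.
    """
    summary = summarize_by_proto(flows)
    gre = summary.get(GRE_PROTO, {"bytes": 0, "sources": set()})
    gre_bytes = gre["bytes"]
    gre_sources = len(gre["sources"])
    # Guard against a zero baseline (e.g. GRE never seen before on this link).
    ratio = float("inf") if baseline_gre_bytes == 0 and gre_bytes > 0 else (
        gre_bytes / baseline_gre_bytes if baseline_gre_bytes else 0.0
    )
    flagged = ratio >= ratio_threshold and gre_sources >= min_sources
    return {
        "gre_bytes": gre_bytes,
        "gre_sources": gre_sources,
        "ratio_over_baseline": ratio,
        "flagged": flagged,
    }


if __name__ == "__main__":
    verdict = detect_gre_flood(SAMPLE_FLOWS, baseline_gre_bytes=50_000)
    print(f"GRE bytes: {verdict['gre_bytes']}, distinct sources: {verdict['gre_sources']}, "
          f"x{verdict['ratio_over_baseline']:.0f} baseline, flagged={verdict['flagged']}")
```

Requiring a high distinct-source count alongside the volume ratio is what separates this pattern from the amplification attacks the article contrasts it with: a reflection attack of the same size would typically show far fewer source addresses, each emitting a large response volume, so the source-count term would not trip. In practice the baseline would come from historical flow data for the same link and time of day rather than a constant.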
It is thought the attack was launched in retaliation for recent work Krebs did to take down DDoS-for-hire service vDos; two alleged members of the group were arrested earlier this month. Krebs said a link “looks likely,” as the phrase “freeapplej4ck” was found in one of the packets, a reference to the nickname used by one of the vDos members.