Brian Krebs, a leading security blogger who writes the Krebs on Security blog, was recently hit by a massive DDoS attack. A giant botnet made up of internet-connected things such as lightbulbs, cameras, and thermostats launched what was reported as the largest DDoS attack ever delivered by IoT (internet of things) devices.
The attack was so large that Akamai, the CDN (content delivery network) and cloud service provider that had been protecting the site, dropped the security blogger’s account. According to Andy Ellis, the firm’s Chief Security Officer, the reason was not that Akamai couldn’t mitigate the attack, but that doing so consumed so many resources that it became too expensive.
Akamai stopped protecting the Krebs on Security blog after roughly 665 Gbps of traffic overwhelmed the site on Tuesday, almost double the size of the largest attack Akamai had seen before. Ellis says it will take time to analyze the traffic and build more effective mitigation tools against this IoT botnet.
The Akamai CSO added that the attack was similar to the 2010 Anonymous attacks that used the open-source Low Orbit Ion Cannon (LOIC) tool, and to the 2014 DDoS attacks launched from compromised Joomla and WordPress servers. According to Ellis, this is a lesson for companies to build better defenses against DDoS attacks.
According to Ellis, the Krebs on Security attack was the work of a botnet made up of IoT devices. So many devices took part that the attacker didn’t even need to amplify the traffic coming from each individual device.
“We’re still trying to size it,” Ellis said, estimating the number of IoT devices used in the attack at about a million. “We think that might be an overestimate, but it’s also possible that will be a real estimate once we get into the numbers.”
According to Dave Lewis, a global security advocate at Akamai, with estimates of 21 billion IoT devices by 2020, botnets built from such devices could become massive.
“What if an attacker injects code into devices to create a Fitbit botnet?” Lewis said. “Researchers have already shown it’s possible to wirelessly load malware onto a Fitbit in less than 10 seconds so the possibility isn’t fantastic.
“It’s possible they are faking it or it’s possible it’s a camera that was doing these attacks. There are indicators that there are IoT devices here, at scale.”
Ellis says the attack used no reflection or amplification: the traffic consisted of well-formed HTTP requests sent directly by the compromised devices. Some things remain unknown, such as who is behind the attack and what method was used to infect the devices.
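The distinction Ellis draws matters for defenders: a reflection/amplification flood arrives as oversized UDP responses from a handful of abused service ports, while a direct HTTP flood from a large botnet arrives as completed TCP connections carrying ordinary requests from an enormous number of distinct sources, which is why the usual amplification signatures never fire. The following Python script is an added example (not code from the article or from Akamai) that classifies a burst of flow records along those lines. The record format, the reflector port list, and the sample traffic are all constructed assumptions for illustration.

```python
"""Classify a burst of flow records as a direct HTTP flood (no reflection,
no amplification, well-formed HTTP from a very large number of sources)
or as a reflection/amplification flood.

Assumed, hypothetical record format: one dict per flow with the fields a
NetFlow/IPFIX exporter would give (src_ip, src_port, dst_port, proto,
packets, bytes) plus two fields an HTTP-aware sensor would add:
handshake_complete (TCP three-way handshake seen) and request (the HTTP
request line, or None if no HTTP payload was observed).
"""
from collections import Counter

# UDP service ports commonly abused as reflectors (DNS, NTP, SNMP, SSDP,
# memcached, chargen, qotd). Assumption: illustrative, not exhaustive.
REFLECTOR_PORTS = {53, 123, 161, 1900, 11211, 19, 17}


def is_reflection_flow(flow):
    # Reflected traffic reaches the victim as UDP *responses*: the source
    # port is the reflector's service port and there is no HTTP payload.
    return (flow["proto"] == "UDP"
            and flow["src_port"] in REFLECTOR_PORTS
            and flow["request"] is None)


def is_direct_http_flow(flow):
    # A bot speaking HTTP directly must complete the TCP handshake and send
    # a parseable request line; spoofed-source SYN or UDP floods cannot.
    return (flow["proto"] == "TCP"
            and flow["dst_port"] in (80, 443)
            and flow["handshake_complete"]
            and flow["request"] is not None)


def bytes_per_packet(flows):
    # Reflected responses are large (that is the amplification); a GET from
    # a bot is a few hundred bytes at most.
    packets = sum(f["packets"] for f in flows)
    return sum(f["bytes"] for f in flows) / packets if packets else 0.0


def summarize(flows):
    total = len(flows)
    reflection = [f for f in flows if is_reflection_flow(f)]
    direct = [f for f in flows if is_direct_http_flow(f)]
    sources = Counter(f["src_ip"] for f in direct)
    summary = {
        "total_flows": total,
        "reflection_fraction": len(reflection) / total if total else 0.0,
        "direct_http_fraction": len(direct) / total if total else 0.0,
        "unique_http_sources": len(sources),
        "requests_per_source": (sum(sources.values()) / len(sources)
                                if sources else 0.0),
        "reflection_bytes_per_packet": bytes_per_packet(reflection),
        "direct_bytes_per_packet": bytes_per_packet(direct),
    }
    if summary["reflection_fraction"] > 0.5:
        summary["verdict"] = "reflection_amplification"
    elif summary["direct_http_fraction"] > 0.5:
        summary["verdict"] = "direct_http_flood"
    else:
        summary["verdict"] = "mixed_or_unknown"
    return summary


def make_direct_flood(n_sources):
    # Constructed sample: each bot (synthetic 10.x.x.7 address) opens a real
    # TCP connection to port 80 and sends one GET, ~200 bytes per packet.
    return [{"src_ip": f"10.{(i >> 8) & 255}.{i & 255}.7",
             "src_port": 40000 + i % 20000, "dst_port": 80, "proto": "TCP",
             "handshake_complete": True, "request": "GET / HTTP/1.1",
             "packets": 6, "bytes": 1200}
            for i in range(n_sources)]


def make_reflection_flood(n_flows):
    # Constructed sample: NTP-style responses from five reflectors in the
    # 192.0.2.0/24 documentation range, 440 bytes per packet, no HTTP.
    return [{"src_ip": f"192.0.2.{i % 5 + 1}", "src_port": 123,
             "dst_port": 33000 + i, "proto": "UDP",
             "handshake_complete": False, "request": None,
             "packets": 100, "bytes": 44000}
            for i in range(n_flows)]


if __name__ == "__main__":
    for label, sample in (("direct", make_direct_flood(1000)),
                          ("reflection", make_reflection_flood(500))):
        print(label, summarize(sample))
```

The tell-tale numbers are the ones that do not look like an attack: in the direct flood every source completes a handshake, sends about one request, and has a bytes-per-packet figure indistinguishable from a real browser. The only anomaly is the count of unique sources, which is why rate limits per source and amplification signatures are both useless against it and volume alone has to be absorbed.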
According to Ellis, Akamai has been in contact with other websites that reported similar but smaller attacks from the same botnet. Many of those sites were gaming-related, and since Krebs has written about such attacks, there could be a connection.
“I can’t really fault Akamai for their decision. I likely cost them a ton of money today,” Krebs tweeted. “So long everyone. It’s been real.”