On September 20, the news website belonging to security journalist and former Washington Post staffer Brian Krebs started suffering one of the largest DDoS attacks ever measured.
After two days of defending against the attack, the content delivery network that hosted KrebsOnSecurity.com had to pull the plug. Akamai hosted Krebs's website pro bono, but diverting server resources to keep KrebsOnSecurity online during the record attack, which topped out at 665 Gbps, proved too costly, and the company gave Krebs a few hours' warning before shutting down the site.
"It's looking likely that KrebsOnSecurity will be offline for a while," Krebs tweeted on Thursday afternoon. "Akamai's kicking me off their network tonight."
In a blog post published before his website succumbed to Akamai's decision, Krebs explained how the attack was made up of a huge botnet of compromised devices. The attack is almost certainly linked to a DDoS-for-hire service called vDOS. A Krebs report on vDOS resulted in two Israeli nationals being arrested earlier this month.
"Given that the attack itself had the string 'freeapplej4ck' in it (applej4ck being the nickname of one of the proprietors of the vDOS service who was arrested in Israel shortly after my story ran), I think it's very likely to have been in retribution," Krebs told Motherboard.
I caught up with Krebs over the phone to ask a few questions about what it's like to be targeted by a record DDoS attack.
MOTHERBOARD: Hi Brian. Were you expecting this to happen? What is your next move?
Brian Krebs: No, I wasn't expecting this to happen. I was expecting attacks to happen, but I wasn't expecting them to be that large. I don't think anybody was. As I said in my tweets, Akamai/Prolexic has been protecting me pro bono for several years now, and has protected my site through I can't even count how many attacks, and I guess this one just kind of broke the banks for them a little bit. According to them, it was almost twice as big as the biggest one they've seen previously, and I'm sure it cost them a lot of money. The challenge now is finding another setup that won't so quickly be similarly exhausted.
Have you thought about hosting your website elsewhere?
Yeah, but, I'm kind of like plutonium right now. I don't know. To me, it's very interesting. I'm working on a story that tries to explore this a little more deeply. I think people tend to think of governments as the biggest source of censorship these days, and I have to say I don't think that's correct anymore.
Well, I think DDoS is the great equaliser between private actors and nation states. So it's a little confusing at the moment in that respect.
Has the attack had a psychological impact on you? I can imagine it must be pretty stressful.
Sure, it's been stressful. What I can say is I've been grateful that I've been able to not worry so much about the technical side of things and really just focus on my investigations and the work I've been doing to expose the folks who are running these huge attack networks and facilitating them. But, unfortunately, I have to spend more time caring about that and less time on my work; in many ways it's been a very effective form of censorship.
What's your immediate plan? Are you going to take a few days out?
Akamai came and said about 4 o'clock yesterday, "This is a business decision, and we're really sorry but we have to let you go, and we'll have you off our platform in a couple of hours," and so my first concern was to make sure my hosting provider, who has also been very good to me over the last six years, did not bear the brunt of that traffic. And so I just pulled Akamai until I figure out what my next move is. That's where I'm at now, trying to get it back up under some semblance of protection. I wish I could go into that deeper at this point, but I don't think it's prudent to do so.
Thanks so much for talking to us, Brian. I wish you all the luck over the next few days in getting your site back up and running!