Why the silencing of KrebsOnSecurity opens a troubling chapter for the ‘Net | Ars Technica

http://arstechnica.com/security/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/

The attack shows how DDoS can be used to silence journalists. Trying to cope this kind of attack is expensive.

3 Comments

  1. Tomi Engdahl says:

    For details on the attack read this posting:

    Brian Krebs site hit with 665 Gbps DDoS attack; Largest Internet has ever seen
    http://www.epanorama.net/newepa/2016/09/21/brian-krebs-site-hit-with-665-gbps-ddos-attack-largest-internet-has-ever-seen/comment-page-1/#comment-1514621

    Reply
  2. Tomi Engdahl says:

    The Democratization of Censorship
    https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/

    John Gilmore, an American entrepreneur and civil libertarian, once famously quipped that “the Internet interprets censorship as damage and routes around it.” This notion undoubtedly rings true for those who see national governments as the principal threats to free speech.

    However, events of the past week have convinced me that one of the fastest-growing censorship threats on the Internet today comes not from nation-states, but from super-empowered individuals who have been quietly building extremely potent cyber weapons with transnational reach.

    “Censorship can in fact route around the Internet.” The Internet can’t route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development the “The Democratization of Censorship.”

    DDoS protection provider Akamai chose to unmoor my site from its protective harbor.

    Let me be clear: I do not fault Akamai for their decision. I was a pro bono customer from the start, and Akamai and its sister company Prolexic have stood by me through countless attacks over the past four years.

    making sure my hosting provider wasn’t going to bear the brunt of the attack when the shields fell. To ensure that absolutely would not happen, I asked Akamai to redirect my site to 127.0.0.1 — effectively relegating all traffic destined for KrebsOnSecurity.com into a giant black hole.

    Today, I am happy to report that the site is back up — this time under Project Shield, a free program run by Google to help protect journalists from online censorship. And make no mistake, DDoS attacks — particularly those the size of the assault that hit my site this week — are uniquely effective weapons for stomping on free speech, for reasons I’ll explore in this post.

    Why do I speak of DDoS attacks as a form of censorship? Quite simply because the economics of mitigating large-scale DDoS attacks do not bode well for protecting the individual user, to say nothing of independent journalists.

    I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.

    Ask yourself how many independent journalists could possibly afford that kind of protection money? A number of other providers offered to help, but it was clear that they did not have the muscle to be able to withstand such massive attacks.

    I’ve been toying with the idea of forming a 501(c)3 non-profit organization — ‘The Center for the Defense of Internet Journalism’,

    CALIBRATING THE CANNONS

    Earlier this month, noted cryptologist and security blogger Bruce Schneier penned an unusually alarmist column titled, “Someone Is Learning How to Take Down the Internet.” Citing unnamed sources, Schneier warned that there was strong evidence indicating that nation-state actors were actively and aggressively probing the Internet for weak spots that could allow them to bring the entire Web to a virtual standstill.

    “Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services,” Schneier wrote. “Who would do this? It doesn’t seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It’s not normal for companies to do that.”

    “Today’s reality is that DDoS attacks have become the Great Equalizer between private actors & nation-states,” Dobbins quipped.

    What exactly was it that generated the record-smashing DDoS of 620 Gbps against my site this week?

    There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or — in the case of routers — are shipped by ISPs to their customers.

    The reality is that there are currently millions — if not tens of millions — of insecure or poorly secured IoT devices that are ripe for being enlisted in these attacks at any given time. And we’re adding millions more each year.

    The problem of DDoS conscripts goes well beyond the millions of IoT devices that are shipped insecure by default: Countless hosting providers and ISPs do nothing to prevent devices on their networks from being used by miscreants to “spoof” the source of DDoS attacks.

    BCP38 is designed to filter such spoofed traffic, so that it never even traverses the network of an ISP that’s adopted the anti-spoofing measures. However, there are non-trivial economic reasons that many ISPs fail to adopt this best practice

    To address the threat from the mass-proliferation of hardware devices such as Internet routers, DVRs and IP cameras that ship with default-insecure settings, we probably need an industry security association, with published standards that all members adhere to and are audited against periodically.

    The wholesalers and retailers of these devices might then be encouraged to shift their focus toward buying and promoting connected devices which have this industry security association seal of approval. Consumers also would need to be educated to look for that seal of approval. Something like Underwriters Laboratories (UL), but for the Internet, perhaps.

    As much as I believe such efforts could help dramatically limit the firepower available to today’s attackers, I’m not holding my breath that such a coalition will materialize anytime soon.

    The traffic hurled at my site in that massive attack included the text string “freeapplej4ck,” a reference to the hacker nickname used by one of vDOS’s alleged co-founders.

    Most of the time, ne’er-do-wells like Applej4ck and others are content to use their huge DDoS armies to attack gaming sites and services. But the crooks maintaining these large crime machines haven’t just been targeting gaming sites. OVH, a major Web hosting provider based in France, said in a post on Twitter this week that it was recently the victim of an even more massive attack than hit my site. According to a Tweet from OVH founder Octave Klaba, that attack was launched by a botnet consisting of more than 145,000 compromised IP cameras and DVRs.

    I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections.

    The sad truth these days is that it’s a lot easier to censor the digital media on the Internet than it is to censor printed books and newspapers in the physical world.

    Project Shield
    https://jigsaw.google.com/projects/#project-shield

    Network Ingress Filtering:
    Defeating Denial of Service Attacks which employ IP Source Address Spoofing
    https://tools.ietf.org/html/bcp38

    Reply
  3. Tomi Engdahl says:

    Criticize Donald Trump, get your site smashed offline from Russia
    Newsweek Cuban connection story enrages miscreants
    http://www.theregister.co.uk/2016/09/30/criticizing_donald_trump_will_get_you_ddosed_off_the_internet/

    It has been an odd day for Newsweek – its main site was taken offline after it published a story claiming a company owned by Republican presidential candidate Donald Trump broke an embargo against doing deals with Cuba.

    The magazine first thought that the sheer volume of interest in its scoop was the cause for the outage, but quickly realized that something more sinister was afoot.

    The site was being bombarded by junk traffic from servers all around the world, but the majority came from Russia, the editor in chief Jim Impoco has now said.

    Newsweek Website Attacked After Report On Trump, Cuban Embargo
    http://talkingpointsmemo.com/livewire/dos-hack-newsweek-trump-cuba-embargo-story

    The editor-in-chief of Newsweek confirmed Friday that the magazine’s website was on the receiving end of a denial-of-service attack Thursday night, following the publication of a story accusing one of Donald Trump’s companies of violating the Cuban trade embargo.

    Editor-In-Chief Jim Impoco noted that the attack came as the story earned national attention.

    Later Friday afternoon, Impoco emailed TPM that in an initial investigation, the “main” IP addresses linked to the attack were found to be Russian. It should be noted that it is possible to fake an IP address.

    “As with any DDoS attack, there are lots of IP addresses, but the main ones are Russian, though that in itself does not prove anything,” he wrote. “We are still investigating.”

    A DoS attack makes sites completely unavailable to their intended users. Many noted that Newsweek’s website was down last night, initially assuming that it was due to high traffic on the Cuba piece. But Eichenwald tweeted Friday morning that the actual issue was an attack on the magazine’s website

    Denial-of-service attacks may be considered a federal crime under the Computer Fraud and Abuse Act.

    Reply

Leave a Reply to Tomi Engdahl Cancel reply

Your email address will not be published. Required fields are marked *

*

*