Akamai deserves credit for the way it disclosed why it stopped protecting the Krebs on Security Web site last week after defending it for three days from the largest botnet it had ever encountered.
It must have been embarrassing for the company to acknowledge that it was a business decision it was forced to make because the expense and consumption of resources to keep the site up were too great.
But the company did so and addressed a more important issue, namely that the attack was generated by a botnet of Internet of Things devices, mainly cameras, routers and DVRs, according to Krebs.
This is a new threat capable of marshaling millions of devices that are inherently insecure and that are growing rapidly in number. And it’s an acknowledged problem that has been talked about for years without much progress toward stemming it.
By openly talking about the attack, Akamai provided enough information quickly to raise awareness of the problem while the attack was still fresh. Krebs himself writes that he thinks something more dire than taking down a journalist’s site will be needed before action is taken – such as an attack that causes actual damage to property or persons.
He also notes that he can’t blame Akamai for dropping its protection for his site. After all, he says, he wasn’t a paying customer, which is another reason to credit Akamai. In his work Krebs has drawn many more conventional DDoS attacks over the years, from which Akamai has protected him, acknowledging the value of what he writes and the fact that a single author working alone cannot afford to protect himself.
Going forward Akamai says it plans this week to share publicly more data about the botnet that took down Krebs once it has had the chance to perform some analysis.
After successful attacks and data breaches, the parties involved have a wealth of information about what happened that would be helpful to the wider IT community in preventing similar malicious activity. Often that information doesn’t get shared for weeks or months or ever. Some of the reasons are legal and some are based on a culture of secrecy, but regardless, not sharing doesn’t help create a safer internet.
So thanks to Akamai.