Security blogger Krebs says IoT DDoS attack was payback for a blog

Similar attacks may be a nation calibrating how strong core internet defenses really are


Security blogger Brian Krebs says a massive distributed denial-of-service attack that took down his Web site last week was likely the consequence of his outing of two Israelis who ran a DDoS-for-hire business.


The pair, whom he identifies as Itay Huri and Yarden Bidani, both 18, were arrested in Israel at the request of the FBI six days after Krebs posted his blog and are now under house arrest.

He thinks the blog post of Sept. 16 prompted them or their confederates to retaliate with an attack against Krebs’s site using a botnet of hundreds of thousands, perhaps a million, hijacked internet of things devices, mainly cameras, routers and DVRs.

He says the attack traffic included the text string “freeapplej4ck,” an apparent reference to one of the two arrested Israelis, who goes by the hacker name Applej4ck.

Huri and Bidani ran vDOS, a business that sold subscriptions to a DDoS attack platform for between $20 and $200 per month.

If Krebs’s suspicions are correct, it means that malicious actors with relatively modest means can summon up giant botnets made up of IoT devices and deliver unheard-of volumes of DDoS traffic.

A similar attack against the French hosting provider OVH topped out at 1.5Tbps using an army of bots. “This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS,” according to a tweet by Octave Klaba, the founder of OVH.

The attacks are apparently continuing, Klaba tweeted today: “+6857 new cameras participated in the DDoS last 48H.”

Earlier this month, security expert Bruce Schneier warned in a blog post that unknown parties seem to be systematically testing how resilient key internet infrastructure is to DDoS attacks. He says his information comes from companies that provide the infrastructure, which he could not name because they spoke to him on condition of anonymity.

The attacks seem carefully measured to reach a certain volume of traffic, then stop. Later, they resume at the same level of intensity and gradually increase, which is indicative of attempts to quantify just what it would take to break each victim’s network, Schneier says.

The unknown attackers throw different types of attacks against the networks they are testing, he says, to evaluate what tools the victims have and how effective they are.
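The stop-resume-and-climb pattern Schneier describes is something a network operator can look for in their own throughput telemetry. The following is an added example, not code from the article or from any of the companies it mentions: it segments a constructed per-minute inbound-rate series into attack episodes and flags the series when successive episodes resume at or above the previous peak and climb overall. The thresholds, tolerance and sample data are assumptions chosen for illustration.

```python
def segment_episodes(samples, attack_threshold_gbps):
    """Split (minute, gbps) samples into contiguous runs above the threshold.
    Returns a list of (start_minute, end_minute, peak_gbps)."""
    episodes, current = [], None
    for minute, gbps in samples:
        if gbps >= attack_threshold_gbps:
            if current is None:
                current = [minute, minute, gbps]
            else:
                current[1], current[2] = minute, max(current[2], gbps)
        elif current is not None:
            episodes.append(tuple(current))
            current = None
    if current is not None:
        episodes.append(tuple(current))
    return episodes

def is_calibration_pattern(episodes, min_episodes=3, tolerance=0.1):
    """Staircase test: every episode resumes at or above the previous peak
    (within tolerance) and the final peak is clearly above the first."""
    if len(episodes) < min_episodes:
        return False
    peaks = [peak for _, _, peak in episodes]
    if any(cur < prev * (1 - tolerance) for prev, cur in zip(peaks, peaks[1:])):
        return False  # fell back to a lower level: not a measured ramp
    return peaks[-1] > peaks[0] * (1 + tolerance)

def build_series(segments):
    """Expand constructed (gbps, minutes) segments into per-minute samples."""
    samples = []
    for gbps, minutes in segments:
        samples += [(len(samples) + i, gbps) for i in range(minutes)]
    return samples

# Constructed data: 2 Gbps of normal traffic, then three floods that stop, resume and climb.
STAIRCASE = build_series([(2, 10), (100, 5), (2, 8), (100, 3), (150, 4),
                          (2, 8), (250, 5), (2, 10)])
# Constructed data: one large flood that tails off, which should not be flagged.
DECAY = build_series([(2, 10), (300, 5), (2, 5), (120, 5), (2, 5), (60, 5), (2, 10)])

def classify(samples, attack_threshold_gbps=50.0):
    """Return (episodes, flagged) for a per-minute inbound Gbps series."""
    episodes = segment_episodes(samples, attack_threshold_gbps)
    return episodes, is_calibration_pattern(episodes)

if __name__ == "__main__":
    for name, series in (("staircase", STAIRCASE), ("decay", DECAY)):
        episodes, flagged = classify(series)
        print(name, [f"{s}-{e}m @ {p}G" for s, e, p in episodes], "calibration" if flagged else "no")
```

Real deployments would feed this from flow or SNMP counters and tune the threshold to the link's baseline; the point is that a plateau-then-step series is distinguishable from a single flood that simply decays.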

He says he doesn’t know who is behind these probing attacks, but speculates it is a nation, and a large one at that, rather than an activist, a researcher or even criminals. He mentions Russia and China.

“It feels like a nation's military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities,” Schneier writes.


Copyright © 2016 IDG Communications, Inc.