The Biggest Internet Attack in History

By Nicholas Weaver
Friday, September 23, 2016, 2:33 PM

If you don’t already, all Lawfare readers interested in cybersecurity issues should be regularly reading Krebs on Security, a blog run by the estimable researcher Brian Krebs. (Disclaimer: I consider Brian a friend and we’ve collaborated on his reporting and an academic publication.) Reporting from an undisclosed location in Virginia, Krebs covers the cybercrime beat with dogged determination. He has broken the story on at least half the major data breaches to date, including the Target breach—any company with half a clue has a standing policy on what to do when Brian Krebs calls. And his investigations into criminal organizations have resulted in major arrests. For example, just the other day two Israelis were arrested within hours of Krebs's report on their activities running a DOS-for-hire botnet. Unsurprisingly, he has made a few interesting enemies in the cyber underground, enemies who try to SWAT him, regularly DOS his site and, on one especially memorable occasion, ordered heroin shipped to his house.

But pause before you hurry off to read his reporting. As I write this, Krebs's site has been knocked off the Internet by what may be the largest DOS attack in history. A Denial of Service attack on the Internet is simply a massive flood of traffic designed to disrupt a site, usually launched from a botnet, a large group of compromised computers controlled by a single actor. DOS attacks happen all the time, but the scale and type of attack we are seeing here is unprecedented.

For a long time, Akamai offered their DOS protection service to Krebs pro bono, both as a public service and because it's fantastic advertising. Brian is perhaps the most high-profile target for cyber-criminals: if Akamai can defend his site, they can defend anybody's. But it would appear Brian's latest round of reporting—including both the Israeli arrests and outing the fact that an anti-DOS service's former owner appeared to control a huge DOS botnet—has managed to annoy someone enough to launch a DOS attack that not only disrupted Krebs's site but actually caused disruption to Akamai's other services! This attack was so disruptive that Akamai had to prioritize their paying customers and stop supporting Krebs's site.

Akamai is, in many ways, the "Internet." Akamai hosts many services and is so distributed that any attacker who can DOS Akamai can effectively take down anything they want to on the Internet. Worse, this is probably not a nation-state but instead a highly motivated private actor, angered by Krebs's reporting. Let that sink in: a private actor has just demonstrated the capacity to "shut down the Internet" and deployed it for the petty purpose of knocking Krebs's website off the Internet.

This DOS is also special. We've seen 500 Gbps DOS attacks before, but most of these are what are known as "amplification" attacks. In an amplification attack, the attacker forges requests that appear to come from the target and sends those requests to innocent third-party systems, which then reply to the target with a large quantity of data. Such attacks are not only more efficient, but also hide the identity of the systems conducting the DOS, as the victim sees the traffic as coming from the third-party servers. By contrast, this DOS attack has the bots connecting to Krebs's website and sending traffic directly. This is less efficient at generating traffic and also directly reveals the identity of the bots, an exposure that can lead to substantial remediation. So this person is not only showing their "take down the Internet" capability, but they are more than happy to reveal—and thus risk losing—the actual resources involved. That has seriously scary implications.
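The distinction drawn above matters to the defender on the receiving end, because the two attack shapes look different in flow records and lead to different remediation: reflected traffic points back at misconfigured third-party servers, while a direct flood exposes the infected devices themselves. The following is an added example written for this article (not code from Lawfare, Krebs or Akamai) that triages a small set of constructed flow records into "reflected" and "direct" buckets and reports the distinct sources in each. The flow tuple layout, the reflector-port table, the packet threshold and every address (all from RFC 5737 documentation ranges) are assumptions made for the example.

```python
"""Triage flood traffic into reflected (amplification) vs direct (bot-originated).

Reflected floods arrive at the victim as *responses* from legitimate servers:
UDP, source port of a well-known service, large bytes-per-packet ratio.
Direct floods arrive from the bots themselves, typically as TCP connections
to the victim's service port from a great many distinct source addresses.
"""
from collections import Counter, defaultdict

# UDP services commonly seen as reflectors; the victim sees traffic *from*
# these source ports. Illustrative table, not exhaustive (assumption).
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 1900: "ssdp", 19: "chargen"}

# Constructed victim address (RFC 5737 TEST-NET-3), not a real host.
VICTIM = "203.0.113.10"

# Constructed flow records: (src, sport, dst, dport, proto, packets, bytes).
SAMPLE_FLOWS = [
    # reflected: open resolvers / NTP servers answering forged queries
    ("198.51.100.5", 53, VICTIM, 40001, "udp", 200, 600_000),
    ("198.51.100.6", 53, VICTIM, 40001, "udp", 180, 540_000),
    ("198.51.100.7", 123, VICTIM, 40002, "udp", 300, 144_000),
    # direct: bots each opening connections to the web server
    ("192.0.2.11", 51234, VICTIM, 80, "tcp", 50, 4_000),
    ("192.0.2.12", 51235, VICTIM, 80, "tcp", 50, 4_000),
    ("192.0.2.13", 51236, VICTIM, 80, "tcp", 50, 4_000),
    ("192.0.2.14", 51237, VICTIM, 80, "tcp", 50, 4_000),
    # an ordinary client fetching a page, below the packet threshold
    ("192.0.2.200", 44000, VICTIM, 443, "tcp", 12, 9_000),
]


def classify_flow(flow, min_packets=40):
    """Return 'reflected', 'direct' or 'below_threshold' for one flow record.

    min_packets is an assumed cut-off separating flood flows from ordinary
    client traffic; a real deployment would derive it from a baseline.
    """
    src, sport, dst, dport, proto, packets, nbytes = flow
    if packets < min_packets:
        return "below_threshold"
    # Responses from a well-known UDP service port are the signature of
    # reflection: the victim never sent the matching request.
    if proto == "udp" and sport in REFLECTOR_PORTS:
        return "reflected"
    return "direct"


def summarize(flows):
    """Aggregate flows per class: counts, bytes, bytes/packet, distinct sources."""
    flow_count = Counter()
    byte_count = Counter()
    packet_count = Counter()
    sources = defaultdict(set)
    for flow in flows:
        cls = classify_flow(flow)
        flow_count[cls] += 1
        packet_count[cls] += flow[5]
        byte_count[cls] += flow[6]
        sources[cls].add(flow[0])
    bytes_per_packet = {
        cls: byte_count[cls] / packet_count[cls] for cls in flow_count
    }
    return {
        "flows": dict(flow_count),
        "bytes": dict(byte_count),
        "bytes_per_packet": bytes_per_packet,
        # reflectors are third parties to notify about an open service;
        # direct sources are candidate infected devices for abuse reports.
        "reflectors_seen": sorted(sources["reflected"]),
        "bot_candidates": sorted(sources["direct"]),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed records the reflected flows carry far more bytes per packet than the direct ones, which is the efficiency point the paragraph makes, while the direct bucket yields a list of source addresses that are the bots themselves rather than intermediaries.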

It should be noted that the attack—and its potential implications for the future—plays into the proposed changes to Rule 41. The new Rule 41 contemplates venue not only when an attacker is hiding their location using technical means, but also grants authority to issue a single warrant for cases involving a botnet in at least 5 different districts, as opposed to requiring individual warrants for each location. There may be debatable policy considerations, but if the FBI can take over the botnet's control infrastructure they are likely able to issue commands to cause the bots to remove themselves from the devices they are currently infecting. But issuing even the most benign self-destruct instruction involves the FBI intruding into each computer—activity that does and should require a warrant. Under the current Rule 41, the FBI would need to take the warrant to be signed by a magistrate in every single district where an infected computer resides—at this scale that might encompass every federal district in the United States. The revised Rule 41 permits a single magistrate to approve the warrant, presuming the government meets all other requirements of particularity and probable cause.

So this isn't just a story about some skiddiot DOSing a reporter's site. This is major news, with potentially extremely significant legal, technical, and policy ramifications.