Hackers unleashed a powerful and worrying new form of attack recently which took down the website of a prominent security researcher and the services of a French web hosting provider.
Then, over the weekend, the source code for the software that controls one of the massive botnets suspected in the attacks was released, prompting concerns that the internet is in for a new wave of massive distributed denial-of-service attacks, also known as DDoS, which flood targeted sites or services with enormous volumes of data, overwhelming the servers.
The two attacks deployed the largest amounts of data ever in a DDoS—620 gigabits per second in the one against Brian Krebs, the security researcher, and 1 terabit per second against OVH, the hosting provider. The receiving servers buckled under the load, which was the equivalent of 20–30 high-definition movies per second.
The attack on Krebs was apparently retaliation for an article in which he revealed the young men behind a DDoS-for-hire service—allegedly Itay Huri and Yarden Bidani, two 18-year-old Israelis who were arrested days after the attack. The men reportedly earned over $600,000 by renting access to their botnet, which controls hundreds of thousands of compromised security cameras and other internet-connected devices made by nearly 70 companies. In many cases, the people who hire such DDoS services use them to extort companies and individuals by knocking their sites offline until they pay up.
Despite the unmasking of the two hackers, the botnets haven’t been shut down. Two of the largest—Mirai and Bashlight—are still operational with over 200,000 and 900,000 infected devices respectively. On Friday, a hacker posted the source code for Mirai, stating that while the money had been good for a time, the botnet was shrinking as internet service providers booted infected devices from the network. It was time to get out of the game, and he or she was offering the code for others to use.
Despite the pressure on botnets from internet providers, the threat is unlikely to relent anytime soon. Many devices ship with buggy firmware that’s easy to hack or guessable passwords that are seldom changed, giving attackers several ways to infect and repurpose them.
More troubling, though, is the fact that DDoS is now being used as a relatively cheap and easy form of censorship available to both individuals and state actors. At the time of the attack, Krebs’s website was being protected by Akamai Technologies free of charge, but the company had to drop the service midway through, as it would have cost them “millions of dollars” to continue. Currently, his site is being protected by Google’s free service Project Shield.
This follows on the heels of the revelation by fellow security researcher Bruce Schneier that someone—most likely state-sponsored hackers—has been probing the infrastructure of various companies that run key pieces of the internet. They appear to be testing the defenses, looking for points of failure that they can then exploit at a later date.
While the idea of one country exploiting the internet in such a way is worrying, as Krebs points out, these massive botnets give individuals as much power to disrupt the internet as anyone.