
600 Gbps DDoS as Democratization of Censorship

Now Krebs has come under attack again. This time, the attackers organized the most powerful DDoS attack, at 600 Gbps, against the site KrebsOnSecurity.com. A few days later, Akamai gave up: to protect its other customers, it withdrew its protection from KrebsOnSecurity.com.
The attack began on the evening of Tuesday, September 20. Initially it had no effect, thanks to the prompt work of Akamai engineers. They managed to filter the traffic, but Akamai experts admitted that this attack was almost twice as powerful as the largest DDoS they had ever seen, and probably one of the largest in the history of the Internet.
On September 20 at 20:00, the stream of junk traffic reached 620 Gbit/s. That is more than enough to take down any site. Before this, the largest DDoS attack on Akamai resources had been 363 Gbit/s.
The DDoS was not carried out by the standard method of query amplification through DNS servers. Instead, most of the traffic consisted of generic routing encapsulation (GRE) data packets. The GRE protocol is used to establish direct point-to-point connections between network nodes. Such a large volume of traffic surprised specialists: it is not entirely clear how amplification was performed here. If there was no amplification, then the attacker used hundreds of thousands of infected machines for the attack. That would be some kind of record botnet. Perhaps it consists of IoT devices such as routers, IP cameras, and digital video recorders (DVRs).
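To make the distinction above concrete, here is an added example (not from the original article): Python code that sorts raw IPv4 packets from a capture into GRE traffic (IP protocol 47) and DNS responses (UDP source port 53), then reports bytes and distinct sources per class. The function names and the sample packets are constructed for illustration.

```python
import struct
from collections import defaultdict

IPPROTO_UDP, IPPROTO_GRE = 17, 47  # IANA-assigned IP protocol numbers

def classify(packet: bytes):
    """Return (traffic class, source IP) for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "malformed", ""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl:
        return "malformed", ""
    src = ".".join(str(b) for b in packet[12:16])
    proto, payload = packet[9], packet[ihl:]
    if proto == IPPROTO_GRE:
        # RFC 2784 base header: 16 bits flags/version + 16-bit protocol type
        return ("gre" if len(payload) >= 4 else "malformed"), src
    if proto == IPPROTO_UDP and len(payload) >= 8:
        # A reflected DNS answer arrives *from* UDP source port 53
        if struct.unpack("!H", payload[:2])[0] == 53:
            return "dns_response", src
    return "other", src

def summarize(packets):
    """Map traffic class -> (total bytes, number of distinct source IPs)."""
    stats = defaultdict(lambda: [0, set()])
    for pkt in packets:
        cls, src = classify(pkt)
        stats[cls][0] += len(pkt)
        if src:
            stats[cls][1].add(src)
    return {cls: (total, len(srcs)) for cls, (total, srcs) in stats.items()}

def ipv4(src: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 packet for the sample (header checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                         proto, 0, bytes(map(int, src.split("."))),
                         bytes([198, 51, 100, 10]))
    return header + payload

# Constructed sample capture using documentation address ranges (RFC 5737).
GRE_BODY = b"\x00\x00\x08\x00" + bytes(512)   # GRE header carrying IPv4
DNS_BODY = struct.pack("!HHHH", 53, 40000, 38, 0) + bytes(30)
SAMPLE = [ipv4(f"192.0.2.{i}", IPPROTO_GRE, GRE_BODY) for i in (1, 2, 3)]
SAMPLE += [ipv4("203.0.113.53", IPPROTO_UDP, DNS_BODY),
           ipv4("203.0.113.7", 6, bytes(20))]

if __name__ == "__main__":
    for cls, (total, sources) in sorted(summarize(SAMPLE).items()):
        print(f"{cls:13} {total:6} bytes from {sources} source(s)")
```

The distinct-source count is only indicative, because source addresses on connectionless protocols such as GRE and UDP can be forged.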
Brian Krebs holds no grudge against Akamai. Over the course of four years, the company, together with its subsidiary Prolexic, has defended him from DDoS attacks many times. This DDoS was simply too big. When it became apparent that the attack would affect other customers, Akamai warned Brian Krebs in advance, on September 21 at 16:00, that he had two hours to switch to another network, and at 18:00 it removed the protection.
The company's management later explained that continuing to repel such an attack would have cost it millions of dollars. The executive probably exaggerated a little, but protection against attacks of this magnitude really does cost from $100 thousand to $150 thousand per year. Krebs had always been protected for free.
So as not to let his hosting provider down, the journalist asked for all traffic to be redirected to 127.0.0.1, and he turned to Project Shield, a charitable project by Google designed specifically to protect journalists from DDoS attacks. It turned out to be an ideal option: on September 25 the site came back online, and it still works without failures.
These events prompted Brian Krebs to reflect philosophically on the nature of censorship on the Internet. He recalls the famous words of entrepreneur and libertarian John Gilmore about the impossibility of censoring the Internet. Gilmore said: “The network recognizes censorship as damage and bypasses it.” These are magnificent words that life has repeatedly confirmed. Even now, Russia clearly shows how ineffective Internet censorship is. The network really does perceive attempts by Roskomnadzor and other censors to block certain resources as damage to the integrity of its structure, as an anomaly in normal operation, and it offers ways of circumventing this anomaly.
But this principle applies only in the case of "political" censorship, which is traditionally carried out by governments of different countries, restricting the free access of their citizens to information.
In the case of the DDoS attack, we see a different example: an attempt to "shut up" an opponent, to silence him. The state is not involved here. Censorship is implemented by the coordinated efforts of many people or bots. In this sense, we can say that a DDoS attack is a “democratic” version of censorship, in which the majority imposes its will on the minority and silences the opponent (of course, such actions have nothing to do with true democracy).
Brian Krebs believes that the biggest censorship threat today is not the toothless attempts of government officials to ban something on the Internet (officials still understand nothing about technology and are unable to cause significant damage), but precisely the actions of experienced professionals. In recent years, the underground hacker community has quietly turned into a powerful transnational organization with huge computing resources concentrated in its hands. Under certain conditions, these resources can be turned into cyber weapons.
It is hard to imagine the government of any country being able to organize a 600 Gbps DDoS attack; that is unbelievable. But the transnational hacker community can. In this sense, Brian Krebs speaks of "the democratization of censorship."