Akamai says this might be the biggest DDoS ever recorded

Sep 22, 2016 10:45 GMT

Brian Krebs, the journalist who exposed vDos, a DDoS-for-Hire service, has been battling DDoS attacks for the last week, with the biggest hitting his servers on Tuesday night. According to Krebs and Akamai, this latest attack seems to be one of the largest ever recorded.

Krebs said the attack started on Tuesday, September 20, at 8:00 PM ET. It was initially clocked at 665 Gbps, then subsided and continued at around 620 Gbps.

Akamai, the company that helped Krebs mitigate the attack, confirmed the figure, which exceeds the previous DDoS record of 579 Gbps reported by Arbor Networks in June 2016.

DDoS cannons got bigger this past year

DDoS levels have been climbing steadily since the start of the year. A report from Arbor Networks revealed that a hacktivist campaign against the Brazilian government during the Rio Olympics sustained attacks at a 500 Gbps plateau, without apparent difficulty, for the competition's entire two-week period.

This rise in DDoS firepower appears to be fueled by the proliferation of insecure, easy-to-hack Internet of Things (IoT) devices. A report from Level 3 in August said the company had discovered at least one million hacked IoT devices, including a botnet of at least 120,000 bots.

An out-of-the-ordinary DDoS attack

Regarding the attack on his site, Krebs says there were two types of traffic hitting his website.

There were basic packet floods (SYN, GET, and POST) and floods of GRE (Generic Routing Encapsulation) packets.

This is out of the ordinary because most of today's biggest DDoS attacks rely on reflection and amplification techniques, in which a small request sent to a third-party server produces a much larger response aimed at the victim; that is how attacks reach the 500+ Gbps level.

For this attack, crooks didn't even bother. Krebs and Akamai say the attackers just slung junk traffic at the site from a multitude of compromised hosts. Akamai says most of the traffic came from hacked devices, most likely IoT equipment.

Bulk of the Krebs DDoS attack was GRE packets

The SYN, GET, and POST floods weren't even the bulk of the attack; most of the traffic consisted of GRE packets.

GRE, a tunneling protocol normally used to carry traffic between Internet routers, has been abused in DDoS attacks before but has rarely made headlines.
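As an added illustration (not from the article, Krebs, or Akamai), the following Python parser separates inbound IPv4 packets into TCP SYN floods and GRE (IP protocol 47) traffic and reports each class's share of total bytes, the kind of check that would surface a GRE-heavy flood like the one described. The sample packets, addresses, and the marker check are constructed here; GRE's protocol number 47 and the header layouts are from the relevant RFCs.

```python
import struct
from collections import Counter

MARKER = b"freeapplej4ck"  # string the article says was embedded in the junk packets

def ipv4_header(proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample data)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto,
                       0, bytes([198, 51, 100, 7]), bytes([203, 0, 113, 9]))

def tcp_syn(dst_port: int) -> bytes:
    """20-byte TCP header with only the SYN flag set (flags byte = 0x02)."""
    return struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 0x50, 0x02, 65535, 0, 0)

def gre(payload: bytes) -> bytes:
    """4-byte GRE header (RFC 2784, no optional fields, protocol type 0x0800) + payload."""
    return struct.pack("!HH", 0, 0x0800) + payload

def classify(pkt: bytes) -> str:
    """Label one IPv4 packet as 'gre', 'tcp-syn' or 'other'."""
    ihl = (pkt[0] & 0x0F) * 4
    proto, body = pkt[9], pkt[ihl:]
    if proto == 47:
        return "gre"
    if proto == 6 and len(body) >= 14 and body[13] & 0x12 == 0x02:  # SYN set, ACK clear
        return "tcp-syn"
    return "other"

def traffic_profile(pkts):
    """Bytes per class, GRE share of total bytes, and GRE payloads carrying MARKER."""
    by_class, marker_hits = Counter(), 0
    for pkt in pkts:
        kind = classify(pkt)
        by_class[kind] += len(pkt)
        if kind == "gre":
            ihl = (pkt[0] & 0x0F) * 4
            if MARKER in pkt[ihl + 4:]:  # skip the 4-byte GRE header
                marker_hits += 1
    total = sum(by_class.values())
    return {"bytes": dict(by_class),
            "gre_share": by_class["gre"] / total if total else 0.0,
            "marker_hits": marker_hits}

# Constructed sample: three SYNs to port 80, three GRE packets, two carrying the marker.
SAMPLE = [ipv4_header(6, 20) + tcp_syn(80) for _ in range(3)]
SAMPLE += [ipv4_header(47, 68) + gre(MARKER.ljust(64, b"\x00")) for _ in range(2)]
SAMPLE += [ipv4_header(47, 68) + gre(b"A" * 64)]

if __name__ == "__main__":
    print(traffic_profile(SAMPLE))
```

On real traffic the same logic would be fed from a capture library; a sudden jump in the GRE byte share from a baseline near zero is the signal a network defender would alert on.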

"Seeing that much attack coming from GRE is really unusual," Akamai’s CSO Martin McKeay said. "We’ve only started seeing that recently, but seeing it at this volume is very new."

Hidden in most of the junk packets hitting Krebs' website was a small message that read "freeapplej4ck," in reference to AppleJ4ck, one of the two owners of the vDos service. Both AppleJ4ck and his partner, M30W (P1st), were arrested last week by Israeli police following Krebs' exposé.