Cybersecurity reporter Brian Krebs may be the victim of the largest distributed-denial-of-service (DDoS) attack in the history of the internet.
Whoever orchestrated the attack set the record earlier this week.
DDoS attacks flood servers with so much traffic that they can no longer function. As of last year, the record for this kind of attack was around 300 gigabits per second — enough bandwidth to send the English text of Wikipedia twice every three seconds. Earlier this year, the BBC reportedly suffered a 602 Gbps attack.
Krebs claims his recent attack capped out at 665 Gbps.
“I suppose it is an honor to be attacked like this,” said Krebs. “My gamer friends would say I’ve unlocked that level.”
Krebs, a former Washington Post reporter, now runs his own site, Krebs on Security. He is well known for identifying data breaches — often before the victims do — by scouring the dark web for sales of new leaked data.
He speculated that this attack might be related to his reporting about vDOS, a former rent-a-DDoS service whose Israeli proprietors were arrested last week. Krebs is no stranger to attacks of all types — a hacker forum once used crashing Krebs on Security as a way to audition for their site. But since vDOS closed, attackers have attempted multiple denial-of-service attacks on the site each day.
Such attacks require vast networks of computers, usually hijacked by malware, to send the traffic. Recently these “botnets” began using poorly secured devices connected to the internet as a weapon of choice. There are more and more devices — from security cameras to toys and refrigerators — attached to the internet, many of which have easily cracked passwords.
Services like vDOS and commercial malware letting customers set up their own botnets have made it easy for anyone with a dollar and bad intentions to run their own DDoS attack.
“We now have tools that were only available to nation states available to anybody,” said Krebs.
There are multiple proposals to help law enforcement handle botnets, both through legislation and changes to the rules of evidence.
They have largely been shunned by civil libertarians and digital rights activists who note that, to shut down an unknown computer involved in an attack, law enforcement would first have to hack a computer without its owner’s permission.
Krebs said that, rather than a legislative solution, he would prefer tech companies take more responsibility for network infrastructures that prevent denial-of-service attacks and for more secure devices.
Unlike the prior record holder, the BBC, Krebs’s site was not knocked offline by its attack. He uses a commercial service that filters inbound traffic.
“I’m glad it happened to me — every time it happens, I get a good story out of it,” he said.