The chilling effect of a DoS attack: why the KrebsOnSecurity incident should alarm all of us

Ars Technica recently reported on a troubling situation involving well-known security blogger Brian Krebs and his blog KrebsOnSecurity. Brian’s blog is now back online, thankfully, and he wasted no time firing off a post entitled The Democratization of Censorship, which I will quote in part:

More than 20 years after [John] Gilmore first coined [the] turn of phrase [“The Net interprets censorship as damage and routes around it”], his most notable quotable has effectively been inverted — “Censorship can in fact route around the Internet.” The Internet can’t route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development the “The Democratization of Censorship.”

Allow me to explain how I arrived at this unsettling conclusion. As many of you know, my site was taken offline for the better part of this week. The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor.

The blog post goes on to describe the details, namely that a denial of service (DoS) attack aimed at Brian’s blog was so massive that Akamai could no longer afford to protect him from it. Rather than allow his own hosting provider to get swamped with the traffic, Brian chose to take his blog offline by pointing its domain at the loopback address (127.0.0.1). Since the vast majority of users are not running a web server on their own PCs, and certainly not on their phones or tablets, every visitor’s browser simply connected to nothing, which had the effect of taking the blog down. Brian finally put it back up under the protection of Google’s Project Shield.

As to what figurative fire ant mound Brian managed to step in, I’m not even sure it really matters that much. The problem is that this happened. If it happens to someone like Brian Krebs, it can just as easily happen to any of us. The tragedy here is not that Akamai and Google are willing to protect sites like Brian’s from crippling denial of service attacks. No, the tragedy is that such protection needs to exist at all.

In this case, Google happens to be the good guys. However, it is worth mentioning that I have been highly critical of Google in the past; always for a good reason, of course, but it’s inevitable that a corporation like Google (or Akamai, for that matter) will get one wrong once in a while.

That’s not to say that Akamai are the bad guys here; they protected Brian’s site for as long as they could, until it became completely infeasible to do so. To give you an idea of the scale of the chessboard Brian is playing on, here is another chilling quote from his blog post:

In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.

[…]

That annual figure breaks down to $400 or so per day. For most of us that’s a crippling sum; I would think even Bill Gates, Warren Buffett, Jeff Bezos, or most other multi-billionaires would probably throw in the towel if keeping a blog or website up cost that much, assuming it was operated purely for free speech and not for profit. (Obviously that’s a drop in the bucket for Microsoft, Amazon, or most of the companies owned by Berkshire Hathaway when it comes to their public-facing, profit-generating websites.)

It almost goes without saying, but if it cost that $400 per day to keep this site online, it would be gone. I’m not even sure I could take the two free weeks in good conscience, because I’d be quitting immediately thereafter. I would likely even be afraid to try to distribute the archives via BitTorrent, for fear that anywhere I tried to seed it from would be hit with the same type of attack. I certainly couldn’t use BitTorrent for posting new updates; maybe I could use something like Freenet or ZeroNet. That would likely mean giving up WordPress, which I really do not want to do.

There has to be something that can be done about this cybervandalism at the Internet service provider (ISP) level. I don’t get why the heck any decent ISP still lets the kind of garbage traffic seen in a DoS attack leave its own network. It’s one thing for someone to take control of a botnet on, say, Comcast’s or AT&T’s network and take someone offline who is on that same network. It’s another thing entirely to take control of botnets across the planet and blast someone right off of Akamai’s network. I don’t even know if cybervandalism is still the right word at that scale; it’s more like cyberwarfare at that point.
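One concrete form of the ISP-level control called for above is filtering at the customer edge: drop packets whose source address does not belong to the customer’s assigned prefix (the BCP 38 / source-address-validation idea) and rate-limit what remains per source. The following is an added example, not code from the original post or from any ISP; the `EdgeFilter` class, the prefix 192.0.2.0/24, the packet records and the 3-packets-per-second threshold are all constructed for illustration and modelled in pure Python rather than on a real router.

```python
"""Model of an ISP customer-edge egress filter (added example, not from the post).

Two layers are modelled:
  1. Source-address validation: a packet leaving a customer port must carry a
     source address inside that customer's assigned prefix (BCP 38 style).
  2. Per-source sliding-window rate limiting for the packets that pass layer 1.

Prefixes, packets and thresholds below are constructed sample data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str   # source IPv4 address as written in the packet header
    dst: str   # destination address (not used for filtering here)
    ts: float  # arrival time in seconds


class EdgeFilter:
    def __init__(self, customer_prefixes, max_pps, window=1.0):
        # Prefixes the ISP has actually assigned to this customer port.
        self.prefixes = [ip_network(p) for p in customer_prefixes]
        self.max_pps = max_pps        # packets allowed per source per window
        self.window = window          # sliding window length in seconds
        self.recent = defaultdict(deque)  # src -> timestamps inside the window
        self.stats = {"forwarded": 0, "dropped_spoofed": 0, "dropped_rate": 0}

    def source_is_valid(self, src):
        """Layer 1: the claimed source must lie in an assigned prefix."""
        addr = ip_address(src)
        return any(addr in net for net in self.prefixes)

    def _over_rate(self, src, ts):
        """Layer 2: count packets from src in the last `window` seconds."""
        q = self.recent[src]
        while q and ts - q[0] > self.window:
            q.popleft()               # expire timestamps outside the window
        q.append(ts)
        return len(q) > self.max_pps

    def handle(self, pkt):
        """Return the verdict for one packet and update counters."""
        if not self.source_is_valid(pkt.src):
            self.stats["dropped_spoofed"] += 1
            return "drop:spoofed-source"
        if self._over_rate(pkt.src, pkt.ts):
            self.stats["dropped_rate"] += 1
            return "drop:rate-limit"
        self.stats["forwarded"] += 1
        return "forward"


def run_sample():
    """Run a constructed packet trace through the filter; returns (verdicts, stats)."""
    f = EdgeFilter(["192.0.2.0/24"], max_pps=3)
    packets = [
        Packet("192.0.2.10", "203.0.113.5", 0.0),    # legitimate customer source
        Packet("198.51.100.7", "203.0.113.5", 0.1),  # source not in the customer prefix
        Packet("192.0.2.10", "203.0.113.5", 0.2),
        Packet("192.0.2.10", "203.0.113.5", 0.3),
        Packet("192.0.2.10", "203.0.113.5", 0.4),    # 4th packet inside one second
        Packet("192.0.2.10", "203.0.113.5", 1.6),    # window has moved on again
    ]
    verdicts = [f.handle(p) for p in packets]
    return verdicts, f.stats


if __name__ == "__main__":
    for v, s in zip(*run_sample()[:1], [run_sample()[1]]):
        pass
    verdicts, stats = run_sample()
    for v in verdicts:
        print(v)
    print(stats)
```

The first layer is the one that actually matters for the cross-planet scenario the post describes: a bot that must use its real address can still be attributed to and cleaned up by its own ISP, whereas forged sources cannot. The per-source rate limit is deliberately simple; real bot traffic with genuine addresses is spread over many hosts, so it needs aggregate and destination-based controls that this small model does not attempt.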