DDoS on 600 GB/s as the democratization of censorship

Well-known American journalist Brian Krebs for a long time writes on the topics of information security, revealing the identity of dark speculators mainly from Eastern Europe. Over the years, Brian had to over pass through a lot. Evil Ukrainian hacker has gathered on the forums for two bitcoins to buy heroin and send it to Krebs by post, other hackers have sent a SWAT team into the house on call 911 supposedly his number, took out a loan for $20 thousand to his name, has transferred $1000 to his Paypal account with stolen payment card. The authors of malicious software mention Brian Krebs even in the code of their programs. What can we do, these are the costs of the work of journalists in the field of information security.

Now Krebs has been targeted with new attacks. This time the attackers organized the most powerful DDoS-attack 600 Gbps on the website KrebsOnSecurity.com. A few days later the company Akamai gave up. To protect other customers, it brought out KrebsOnSecurity.com from under its protection.

The attack began on the evening of Tuesday September 20. Initially, it had no effect thanks to the operational work of Akamai engineers. Traffic was filtered out, but experts Akamai have admitted that this attack was almost twice as powerful as the biggest DDoS ‘ and what they saw in life. And probably one of the biggest in the history of the Internet in general.

September 20 at 20:00 the flow of garbage traffic reached 620 GB/s. This is more than enough to drop any website. Up to this maximum DDoS -ttack on Akamai resources was 363 Gbit/s.

DDoS was not organized by the standard method with amplification of queries through DNS servers. Instead, most of the traffic consisted of packets of data generic routing encapsulation (GRE). Communication protocol GRE is used to establish direct P2-connections between network nodes. Such a large amount of traffic surprised the experts – it is not entirely clear hot the amplification is carried out. If amplification was not, it turns out that the attacker used to attack hundreds of thousands of infected machines. It’s some kind of record botnet. Perhaps it consists of IoT devices such as routers, IP-cameras and digital consoles (DVR).

Brian Krebs is not offended by Akamai. For four years they are many times together with a subsidiary firm Prolexic protect it from DDoS-attacks. Just the current DDoS was too large. When it became obvious that the attack will affect other customers, the company Akamai in advance on September 21 at 16:00 warned Brian Krebs that he has two hours to go to another network, and at 18:00 they remove the protection.

The company’s management later explained that otherwise the reflection of such an attack would cause them loss of millions of dollars. Perhaps the head is a bit exaggerated, but in fact protect against attacks of this scale really worth from $100 thousand to $150 thousand per year. They always defended Krebs for free.

In order not to fail their host, the journalist asked to redirect all traffic to, and he tried to use the services of Project Shield — Google’s charity project, designed specifically to protect journalists from DDoS attacks. It turned out that this is ideal, so that on 25 September the site was back online and still works flawlessly.

These events pushed Brian Krebs to philosophical thoughts about the nature of Internet censorship. He recalls the famous words of businessman and libertarian John Gilmore about the impossibility of censoring the Internet. Gilmore said: “the Network recognizes censorship as damage and avoids it.” Those are some great words that have been repeatedly confirmed by life. Even now in Russia can be clearly seen how ineffective censorship of the Internet. Attempts of Roskomnadzor and other censors to block specific network resources really perceives as damage to the integrity of its structure, as an anomaly in normal operation — and offers options to work around this anomaly.

But this principle applies only in the case of “political” censorship, which is traditionally implemented by governments of different countries, limiting free access of its citizens to information.

In the case of a DDoS-attack, we see another example of an attempt to “gag” an opponent, to silence him. Here the state is not involved. Censorship is implemented by the coordinated efforts of many people or bots. In this sense, we can say that a DDoS-attack is a “democratic” version of censorship when the majority imposes its will on the minority and silences the opponent (of course, to a true democracy, such actions are irrelevant).

Brian Krebs believes that currently the greatest threat of censorship are just not the toothless attempts by state officials to ban something on the Internet (officials still understand absolutely nothing about technology and are not capable of inflicting significant damage), and namely acts of experienced professionals. Underground hacker community in recent years quietly turned into a powerful transnational organization, in whose hands is concentrated the enormous computer resources. These resources under certain conditions can turn into cyber weapon.

It is difficult to imagine that the government of any country could organize a DDoS-attack with a capacity of 600 GB/s, it’s incredible. But transnational hacker community — can. In this sense, Brian Krebs speaks of “the democratization of censorship”.


This text is a translation of the article “DDoS на 600 Гбит/с как демократизация цензуры”  published by @alizar on habrahabr.ru.

About the CleanTalk service

CleanTalk is a cloud service to protect websites from spam bots. CleanTalk uses protection methods that are invisible to the visitors of the website. This allows you to abandon the methods of protection that require the user to prove that he is a human (captcha, question-answer etc.).

Leave a Reply

Your email address will not be published. Required fields are marked *