On the eve of the Stuxnet attacks, half a decade ago, I found myself discussing what it all meant with William Gibson (I'd just interviewed him on stage in London), and I said, "I think the most significant thing about any of these sophisticated, government-backed attacks is that they will eventually turn into a cheap and easy weapon that technically unskilled people can deploy for petty grievances." We haven't quite got there yet with Stuxnet, but there's a whole class of "advanced persistent threat" techniques that are now in the hands of fringey criminals who deploy them at the smallest provocation.
Exhibit A is Brian Krebs (previously), a tireless and fearless cybercrime reporter who has outed spammers, scammers, carders, black pharmacy proprietors, pornographers, skimmers, and, significantly, DDoSers. Distributed Denial of Service attacks harness lots of hijacked or compromised computers to flood the target's site with so many malformed, computationally intensive request that it just shuts down -- sometimes taking its ISP with it. Boing Boing has been hit by some doozies in the past, but nothing like what Krebs has had to contend with.
Krebs gets hit often, seemingly in retaliation for his reporting. Naturally, the DDoS creeps he outs are most apt to use DDoS to attack his site. For years, he's relied on pro bono help from Akamai, a company that runs a huge content distribution network that is legendarily hardened against DDoS attacks.
But last week, Krebs went offline altogether, and Akamai let him know that this time, they couldn't shield him. The amount of traffic that was coming in was going to cost Akamai millions -- it was more than even they could absorb.
There's DDoSes and then there's DDoSes. In Krebs's case, the attack hit 620 Gbps, the kind of flood that you'd normally find in a state sponsored attack. In this case, the attacker was able to leverage Internet of Things devices with poor security to build the biggest-yet IoT botnet (a growth industry with no end in sight) that slammed Krebs's network without mercy.
Krebs's attack exists at the intersection of so many of the internet's dumpster-fires. It hit the same week that HP deployed DRM on its printers, making them off-limits to security researchers -- this is the same manufacturer that was outed as having 100,000,000 hijackable printers in the field that could be harnessed for botnets.
Then there's the crimeware industry, which works with scummy ISPs that secretly participate in DDoS attacks for their own financial benefit. Finally, there's the disturbing news that someone (cough China cough) is building an internet-killing weapon that relies on DDoS as its battering ram.
It looks like Krebs's attack was in retaliation for outing a couple of petty Israeli criminals who'd run a DDoS-for-hire service (the attack included the string "freeapplej4ck" in its payloads, a reference to one of the crooks' aliases). These two puny creeps, or their aggrieved dimwit pals, were able to muster the firepower of a government to attack a journalist.
Meanwhile, Krebs was eventually bailed out by Google's Project Shield, one of Jigsaw's anti-"surveillance, extremist indoctrination, and censorship" tools. That right there is another sign of the times: the attacks launched by state-level actors and those who can muster comparable firepower are no match for Google -- so far.
Most of the time, ne’er-do-wells like Applej4ck and others are content to use their huge DDoS armies to attack gaming sites and services. But the crooks maintaining these large crime machines haven’t just been targeting gaming sites. OVH, a major Web hosting provider based in France, said in a post on Twitter this week that it was recently the victim of an even more massive attack than hit my site. According to a Tweet from OVH founder Octave Klaba, that attack was launched by a botnet consisting of more than 145,000 compromised IP cameras and DVRs.
I don’t know what it will take to wake the larger Internet community out of its slumber to address this growing threat to free speech and ecommerce. My guess is it will take an attack that endangers human lives, shuts down critical national infrastructure systems, or disrupts national elections.
But what we’re allowing by our inaction is for individual actors to build the instrumentality of tyranny. And to be clear, these weapons can be wielded by anyone — with any motivation — who’s willing to expend a modicum of time and effort to learn the most basic principles of its operation.
The sad truth these days is that it’s a lot easier to censor the digital media on the Internet than it is to censor printed books and newspapers in the physical world. On the Internet, anyone with an axe to grind and the willingness to learn a bit about the technology can become an instant, self-appointed global censor.
The Democratization of Censorship [Brian Krebs/Krebs on Security]
(Image: Teton Dam Flood - Newdale, WaterArchives.org, CC-BY-SA)