Public Access - No one is immune: how a new breed of DDoS attack is affecting even security experts

When you're well-known in your field it probably goes without saying that you want to appear to be good at what you do. If you're a famous dog trainer, for instance, you probably don't want your dog caught on video running into an Italian restaurant and going for a pan of meatballs. And if you're a famous architect, you'd really rather your roof didn't cave in.

This is the reason that, on the surface, it seems pretty embarrassing that the website of online security expert Brian Krebs buckled in the face of a DDoS attack. But there are lessons to be learned from this incident, and they are lessons every single website owner needs to know – security experts included.

It's tough being Brian Krebs

As much as Brian Krebs is known as an internet security expert, by trade he's a journalist who started out with the Washington Post. In 2001 his computer fell victim to a computer worm, prompting him to take an interest in computer security and cybercrime. He wrote an online security and tech policy blog for the Washington Post website until 2009 when he struck out on his own with KrebsOnSecurity.com, a well-known security blog.

Krebs is widely known for the major stories he has broken. Amongst his many scoops are the malware Stuxnet, believed to be a cyberweapon jointly built by the US and Israel, and the Target Corporation credit card breach which affected 40 million customers. His reports have led to the arrest and prosecution of cybercriminals and have taken down a number of illicit organizations. His work has attracted a lot of attention, not all of it favorable, and not all of it from upstanding citizens.

In addition to the 2001 worm he was afflicted with, Krebs has also been a victim of swatting, a high-stakes hoax in which a major crime such as a bomb threat or hostage-taking is reported at a target's home, causing emergency services to dispatch a response team to the target's address. Three years after the swatting incident came the successful DDoS attack.

The great flood 2.0

As you may have guessed, it wasn't just any old distributed denial of service attack that took down KrebsOnSecurity.com. In fact, it was an unprecedented 620 Gbps flood that smashed the popular security blog, taking it offline and keeping it there for several days.

The speculation has been that the attack came in response to a report Krebs published on a pair of hackers who were nabbed by law enforcement about the same time the attack was launched. Krebs himself calls attacks like these on independent journalists the democratization of censorship. But it isn't the whodunit aspect of the attack nor censorship issues that have online security experts inordinately interested in this massive attack.

A new breed of DDoS

This is the age of staggering distributed denial of service attacks. They're occurring in sizes that have previously been unseen. In addition to the attack on Krebs, French hosting company OVH was recently walloped with DDoS attack traffic that topped 1 Tbps, and the oft-targeted Blizzard online gaming company was brought down three separate times in just two weeks in the month of August by sizable attacks.

It is no coincidence that attacks with this type of impact are occurring in quick succession. While they aren't all coming from the same botnet, their botnets have the same origin: the Internet of Things (IoT), meaning smart devices with network connectivity. The IoT includes everything from smart TVs to CCTV cameras, Wi-Fi speaker systems, heart rate monitors, intelligent thermostats and well beyond.

Attackers are targeting IoT devices for a couple of reasons. The first is that the number of IoT devices that can be exploited is already huge and always increasing. According to technology research firm Gartner, by the beginning of 2017 there will be 6 billion devices in the IoT.
The second reason these devices are so attractive to attackers is that from a security standpoint, they're incredibly vulnerable. As Igal Zeifman, a senior manager at DDoS protection provider Incapsula, says, "Unlike PCs or servers, most IoT devices aren't well protected — or even protected at all."

The takeaway

You don't have to be Brian Krebs to see that this distributed denial of service attack trend isn't going anywhere anytime soon. With an ever-increasing number of IoT devices in existence and seemingly no push to secure them against hijacking, IoT botnets are only going to become more common, as are the breathtakingly massive attacks they can perpetrate.

No matter how informed you think you are or how secure you think your website is, now is the time to make sure you have invested in industry-leading DDoS protection that has the kind of robust network backbone that can withstand the kind of attack that KrebsOnSecurity.com could not. Even if you're not a well-known online security expert, you don't want to find yourself going down to this kind of attack.
