How Google fought back against a crippling IoT-powered botnet and won


Once Project Shield got KrebsOnSecurity back online, it took just 14 minutes for the attacks to resume. The first one came in the form of a flood of 130 million SYN packets per second, a volume that is big enough to bring down plenty of sites but a tiny drop when measured against the resources Google has. About a minute later, the attack shifted to a slightly more powerful flood of about 250,000 HTTP queries per second. It came from about 145,000 different IP addresses, making it clear that Mirai, an open-source botnet app that enslaves cameras and other Internet-of-things devices, was responsible. The attackers followed it with yet more variations, including a 140 gigabit-per-second attack made possible through a technique known as DNS amplification and a 4 million packet-per-second SYN-ACK flood.

An image accompanying Menscher’s talk.

Credit: Google


At the four-hour mark, KrebsOnSecurity experienced one of the bigger attacks seen by Project Shield engineers. It delivered more than 450,000 queries per second from about 175,000 different IP addresses. Like the attacks that preceded it, it posed no immediate threat to KrebsOnSecurity or the Google resources that were protecting it.

The attacks were most powerful in the first two weeks, but as they continued they incorporated a variety of new techniques. One, dubbed a WordPress pingback attack, abused a feature of the widely used blogging platform that automates the process of two sites linking to each other. It caused a large number of WordPress servers to simultaneously fetch KrebsOnSecurity content in an attempt to overwhelm site resources. Google engineers blocked it promptly, because each querying machine sent a user agent that contained the words "WordPress pingback." Another technique, dubbed a "cache-busting attack," in which each request carries a different query string so that it misses the cache and has to be served by the origin, was also stopped.
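Both application-layer patterns in that paragraph can be picked out of ordinary web-server access logs. The Python below is an added example, not code from Google or Project Shield; the log lines are constructed, and their user-agent strings imitate the `WordPress/<version>; <site>; verifying pingback from <ip>` string WordPress sends when it verifies a pingback (the matcher only requires "WordPress" and "pingback" to appear, as in the article's description). Cache-busting is flagged when at least `cache_bust_min` requests hit one path and every one of them carries a distinct query string; that threshold and the function names are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format. The sample below is constructed for
# this example; it is not traffic from Google or KrebsOnSecurity.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
198.51.100.7 - - [20/Sep/2016:20:01:05 +0000] "GET /2016/09/ddos/ HTTP/1.1" 200 48213 "-" "WordPress/4.6; http://blog-a.example; verifying pingback from 203.0.113.9"
198.51.100.8 - - [20/Sep/2016:20:01:05 +0000] "GET /2016/09/ddos/ HTTP/1.1" 200 48213 "-" "WordPress/4.5.3; http://blog-b.example; verifying pingback from 203.0.113.9"
198.51.100.9 - - [20/Sep/2016:20:01:06 +0000] "GET /2016/09/ddos/ HTTP/1.1" 200 48213 "-" "WordPress/4.6; http://blog-c.example; verifying pingback from 203.0.113.9"
203.0.113.21 - - [20/Sep/2016:20:01:06 +0000] "GET /wp-content/uploads/hero.png?x=a81f HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
203.0.113.22 - - [20/Sep/2016:20:01:06 +0000] "GET /wp-content/uploads/hero.png?x=0c3e HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
203.0.113.23 - - [20/Sep/2016:20:01:07 +0000] "GET /wp-content/uploads/hero.png?x=77b2 HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
203.0.113.24 - - [20/Sep/2016:20:01:07 +0000] "GET /wp-content/uploads/hero.png?x=d19a HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
203.0.113.25 - - [20/Sep/2016:20:01:07 +0000] "GET /wp-content/uploads/hero.png?x=5e40 HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
203.0.113.26 - - [20/Sep/2016:20:01:08 +0000] "GET /wp-content/uploads/hero.png?x=b6c7 HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
192.0.2.5 - - [20/Sep/2016:20:01:08 +0000] "GET /feed/ HTTP/1.1" 200 1204 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.6 - - [20/Sep/2016:20:01:09 +0000] "GET /2016/09/ddos/ HTTP/1.1" 200 48213 "https://news.example/" "Mozilla/5.0 (Windows NT 10.0)"
"""


def is_pingback_ua(ua: str) -> bool:
    """True when the user agent is a WordPress server verifying a pingback.
    Assumption: keying on the two tokens the article names rather than on
    an exact WordPress version string."""
    u = ua.lower()
    return "wordpress" in u and "pingback" in u


def parse_line(line: str):
    """Parse one combined-format line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parts.query
    return rec


def analyze(log_text: str, cache_bust_min: int = 5):
    """Return (pingback_ips, cache_busted_paths, other_count).

    A path is flagged as cache-busted when at least cache_bust_min requests
    hit it and every request carried a different query string, which is the
    signature of traffic engineered to miss a CDN cache and reach the origin.
    """
    pingback_ips = set()
    hits = defaultdict(int)          # path -> request count (query present)
    queries = defaultdict(set)       # path -> distinct query strings seen
    other = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_pingback_ua(rec["ua"]):
            pingback_ips.add(rec["ip"])   # reflector, not the attacker's own IP
            continue
        if rec["query"]:
            hits[rec["path"]] += 1
            queries[rec["path"]].add(rec["query"])
        else:
            other += 1
    cache_busted = {
        path: len(queries[path])
        for path, n in hits.items()
        if n >= cache_bust_min and len(queries[path]) == n
    }
    # Requests with a query string that did not meet the threshold are ordinary.
    other += sum(n for path, n in hits.items() if path not in cache_busted)
    return pingback_ips, cache_busted, other


if __name__ == "__main__":
    pingbacks, busted, normal = analyze(SAMPLE_LOG)
    print("pingback reflectors:", sorted(pingbacks))
    print("cache-busted paths:", busted)
    print("other requests:", normal)
```

The pingback match is more robust than most user-agent filters: the string is set by the reflecting WordPress servers, which the attacker merely points at the target, so it cannot be rewritten without first compromising those servers. The cache-busting threshold is the opposite case, since legitimate traffic (signed URLs, analytics beacons) can also carry unique query strings; in production it belongs on paths that are meant to be cacheable, and the distinct-query ratio should be tuned against real traffic rather than the fixed value used here.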

The DDoS attacks on KrebsOnSecurity remain a regular occurrence even today, and while some have resulted in brief interruptions, so far none have caused sustained outages. Menscher shared the following lessons with the audience, which was made up largely of security-related engineers, technologists, and researchers: