Until last Friday’s attack, talking about IoT security threats seemed like yelling: "The sky is falling!" Now, many people are wondering how hackers could have shut down a significant chunk of the Internet in one fell swoop. Here’s a chronological summary of events leading up to the historic botnet attack.
September 8: Krebs Dishes Dirt on DDoS
Security guru Brian Krebs posted an article about a DDoS attack-for-service site known as vDOS. He claimed that the site earned $600,000 in two years. Hours after posting, authorities in Israel arrested two of the alleged operators of the site.
In one of his posts, Krebs wrote: “To say that vDOS has been responsible for the vast majority of DDoS attacks in recent years. From April to July 2016, the service launched roughly 8.81 years worth of attack traffic.” The service offered “IP stresser” services for as little as $29.99 monthly.
September 20: Krebs and Dyn Write about BackConnect, the Security Firm That Hacks Hackers
Krebs wrote how a DDoS mitigation firm known as BackConnect admitted to hacking hundreds of Internet addresses in Europe to learn more about hackers targeting the company. In an email to Krebs, Bryant Townsend, CEO of the business, confirmed the company had launched a border gateway protocol hijack on the hack-for-hire company vDOS but stated it was a “defensive” maneuver.
Dyn also wrote a blog post on the subject, titled BackConnect’s Suspicious BGP Hijacks, which claims that BackConnect had often spoofed Internet addresses using the BGP hijack technique.
That same day, Krebs saw his web server attacked in what was one of the biggest DDoS attacks to date. Hackers would hit Dyn later.
BackConnect would later state that it had nothing to do with the attack.
September 23: Akamai Drops Support for Krebs
The content delivery network Akamai announced that it would stop providing free DDoS protection services to Brian Krebs. The company had protected Krebs from 250 DDoS attacks over the course of four years but stated that it would be too expensive to fend off future attacks of the same magnitude as the assault against Krebs. Google would step in two days later to protect his website as part of its Project Shield.
October 1: Source Code for Mirai Goes Open Source
The source code for the “Mirai” botnet malware that attacked the web server of Brian Krebs was released on a hackers’ forum.
“The author probably felt threatened. … either by someone close to them or law enforcement was closing in on them,” says Thomas Pore, director of IT and services of Plixer. “Should someone grab their laptop, you don’t want to be the only person holding that source code. So when you flood that out to Github, many security researchers as well as malicious actors are going to pull that code.”
“You don’t typically see someone who has something possibly as powerful as this is release the source code unless they are really freaked out about getting in trouble for it. It is a way to cover your tracks. You don’t usually see that,” agrees Chase Cunningham, Ph.D., A10 Networks’ director of cyber operations.
October 19: Dyn Speaks on BackConnect's Use of BGP Hijacks
Doug Madory, the director of internet analysis at the DNS company Dyn, gave a talk on DDoS at NANOG, the North American Network Operators Group. In his talk, Madory shared his perspective on BackConnect’s attacks against vDOS. He stated that BackConnect is likely the first security company to confirm its use of a BGP hijack to intercept traffic.