How Google fought back against a crippling IoT-powered botnet and won

OAKLAND, Calif.—In September, KrebsOnSecurity—arguably the Internet’s most intrepid source of security news—was on the receiving end of some of the biggest distributed denial-of-service attacks ever recorded. The site soon went dark after Akamai said it would no longer provide the site with free protection, and no other DDoS mitigation services came forward to volunteer their services. A Google-operated service called Project Shield ultimately brought KrebsOnSecurity back online and has been protecting the site ever since.

At the Enigma security conference on Wednesday, a Google security engineer described some of the behind-the-scenes events that occurred shortly after Krebs asked the service for help, and in the months since, they said yes. While there was never significant hesitancy to bring him in, the engineers did what engineers always do—weighed the risks against the benefits.

“What happens if this botnet actually takes down google.com and we lose all of our revenue?” Google Security Reliability Engineer Damian Menscher recalls people asking. “But we considered [that] if the botnet can take us down, we’re probably already at risk anyway. There’s nothing stopping them from attacking us at any time. So we really had nothing to lose here.”

It took only about an hour for Menscher’s team to arrive at the decision to help Krebs. A much more lengthy process involved actually admitting KrebsOnSecurity into Project Shield, a free service with the mission of protecting news-, journalist-, human rights-, and elections-monitoring sites from DDoS attacks that might otherwise prevent them from publishing. A key requirement for admittance is that the person requesting service proves they have control over the site. Because KrebsOnSecurity was down at that moment, Krebs was unable to satisfy this requirement. Making matters worse, the domain-name system settings KrebsOnSecurity used had been locked to thwart the attempted domain hijacking attacks that regularly targeted the site. That prevented Krebs from showing he had control of the site’s DNS settings.

Once Project Shield ultimately got KrebsOnSecurity back online, it took just 14 minutes for the attacks to resume. The first one came in the form of a flood of 130 million syn packets per second, a volume that’s big enough to bring down plenty of sites, but a tiny drop when measured against the resources Google has. About a minute later, the attack shifted to a slightly more powerful flood of about 250,000 HTTP queries per second. It came from about 145,000 different IP addresses, making it clear that Mirai, an open-source botnet app that enslaves cameras and other Internet-of-things devices, was responsible. The attackers followed it with yet more variations, including a 140 gigabit-per-second attack made possible through a technique known as DNS amplification and a 4 million packet per-second syn-ack flood.

An image accompanying Menscher’s talk.

Credit: Google

At the four-hour mark, KrebsOnSecurity experienced one of the bigger attacks seen by Project Shield engineers. It delivered more than 450,000 queries per second from about 175,000 different IP addresses. Like the attacks that preceded it, it posed no immediate threat to KrebsOnSecurity or the Google resources that were protecting it.

The attacks were the most powerful in the first two weeks, but as they continued, they incorporated a variety of new techniques. One, dubbed a WordPress pingback attack, abused a feature in the widely used blogging platform that automates the process of two sites linking to each other. It caused a large number of servers to simultaneously fetch KrebsOnSecurity content in an attempt to overwhelm site resources. Google was able to block it, because each querying machine broadcast a user agent that contained the words “WordPress pingback,” which Google engineers promptly blocked. Another technique dubbed “cache-busting attacks” was also stopped.

The DDoS attacks on KrebsOnSecurity remain a regular occurrence even today, and while some have resulted in brief interruptions so far none have caused sustained outages. Menscher shared the following lessons with the audience, which was made up largely of security-related engineers, technologists, and researchers: