{
	"id": "4c143c0f-f610-4e05-bd9e-e7a93c516ffb",
	"created_at": "2026-04-06T00:13:08.727209Z",
	"updated_at": "2026-04-10T13:11:48.131261Z",
	"deleted_at": null,
	"sha1_hash": "91d5f3f765bdea74ba82123833d22dbd60ccf52a",
	"title": "KrebsOnSecurity Hit With Record DDoS",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 224358,
	"plain_text": "KrebsOnSecurity Hit With Record DDoS\r\nPublished: 2016-10-01 · Archived: 2026-04-05 17:12:10 UTC\r\nOn Tuesday evening, KrebsOnSecurity.com was the target of an extremely large and unusual distributed denial-of-service (DDoS) attack designed to knock the site offline. The attack did not succeed thanks to the hard work of the engineers at Akamai, the company that protects my site from such digital sieges. But according to Akamai, it was nearly double the size of the largest attack they’d seen previously, and was among the biggest assaults the Internet has ever witnessed.\r\nThe attack began around 8 p.m. ET on Sept. 20, and initial reports put it at approximately 665 Gigabits of traffic per second. Additional analysis on the attack traffic suggests the assault was closer to 620 Gbps in size, but in any case this is many orders of magnitude more traffic than is typically needed to knock most sites offline.\r\nMartin McKeay, Akamai’s senior security advocate, said the largest attack the company had seen previously clocked in earlier this year at 363 Gbps. But he said there was a major difference between last night’s DDoS and the previous record holder: The 363 Gbps attack is thought to have been generated by a botnet of compromised systems using well-known techniques allowing them to “amplify” a relatively small attack into a much larger one. In contrast, the huge assault this week on my site appears to have been launched almost exclusively by a very large botnet of hacked devices.\r\nThe largest DDoS attacks on record tend to be the result of a tried-and-true method known as a DNS reflection attack. In such assaults, the perpetrators are able to leverage unmanaged DNS servers on the Web to create huge traffic floods.\r\nIdeally, DNS servers only provide services to machines within a trusted domain. But DNS reflection attacks rely on consumer and business routers and other devices equipped with DNS servers that are (mis)configured to accept queries from anywhere on the Web. Attackers can send spoofed DNS queries to these so-called “open recursive” DNS servers, forging the request so that it appears to come from the target’s network. That way, when the DNS servers respond, they reply to the spoofed (target) address.\r\nThe bad guys also can amplify a reflective attack by crafting DNS queries so that the responses are much bigger than the requests. They do this by taking advantage of an extension to the DNS protocol that enables large DNS messages. For example, an attacker could compose a DNS request of less than 100 bytes, prompting a response that is 60-70 times as large. This “amplification” effect is especially pronounced if the perpetrators query dozens of DNS servers with these spoofed requests simultaneously.\r\nBut according to Akamai, none of the attack methods employed in Tuesday night’s assault on KrebsOnSecurity relied on amplification or reflection. Rather, many were garbage Web attack methods that require a legitimate connection between the attacking host and the target, including SYN, GET and POST floods.\r\nThat is, with the exception of one attack method: Preliminary analysis of the attack traffic suggests that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets, a communication protocol used to establish a direct, point-to-point connection between network nodes. GRE lets two peers share data they wouldn’t be able to share over the public network itself.\r\n“Seeing that much attack coming from GRE is really unusual,” Akamai’s McKeay said. “We’ve only started seeing that recently, but seeing it at this volume is very new.”\r\nMcKeay explained that the source of GRE traffic can’t be spoofed or faked the same way DDoS attackers can spoof DNS traffic. Nor can junk Web-based DDoS attacks like those mentioned above. That suggests the attackers behind this record assault launched it from quite a large collection of hacked systems — possibly hundreds of thousands of systems.\r\n“Someone has a botnet with capabilities we haven’t seen before,” McKeay said. “We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks — they were everywhere.”\r\nThere are some indications that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things” (IoT) devices — routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords.\r\nAs noted in a recent report from Flashpoint and Level 3 Threat Research Labs, the threat from IoT-based botnets is powered by malware that goes by many names, including “Lizkebab,” “BASHLITE,” “Torlus” and “gafgyt.” According to that report, the source code for this malware was leaked in early 2015 and has been spun off into more than a dozen variants.\r\n“Each botnet spreads to new hosts by scanning for vulnerable devices in order to install the malware,” the report notes. “Two primary models for scanning exist. The first instructs bots to port scan for telnet servers and attempts to brute force the username and password to gain access to the device.”\r\nTheir analysis continues:\r\n“The other model, which is becoming increasingly common, uses external scanners to find and harvest new bots, in some cases scanning from the [botnet control] servers themselves. The latter model adds a wide variety of infection methods, including brute forcing login credentials on SSH servers and exploiting known security weaknesses in other services.”\r\nI’ll address some of the challenges of minimizing the threat from large-scale DDoS attacks in a future post. But for now it seems likely that we can expect such monster attacks to soon become the new norm.\r\nMany readers have been asking whether this attack was in retaliation for my recent series on the takedown of the DDoS-for-hire service vDOS, which coincided with the arrests of two young men named in my original report as founders of the service.\r\nI can’t say for sure, but it seems likely related: Some of the POST request attacks that came in last night as part of this 620 Gbps attack included the string “freeapplej4ck,” a reference to the nickname used by one of the vDOS co-owners.\r\nUpdate Sept. 22, 8:33 a.m. ET: Corrected the maximum previous DDoS seen by Akamai. It was 363, not 336 as stated earlier.\r\nSource: https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/"
	],
	"report_names": [
		"krebsonsecurity-hit-with-record-ddos"
	],
	"threat_actors": [],
	"ts_created_at": 1775434388,
	"ts_updated_at": 1775826708,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/91d5f3f765bdea74ba82123833d22dbd60ccf52a.pdf",
		"text": "https://archive.orkl.eu/91d5f3f765bdea74ba82123833d22dbd60ccf52a.txt",
		"img": "https://archive.orkl.eu/91d5f3f765bdea74ba82123833d22dbd60ccf52a.jpg"
	}
}