The huge distributed denial of service (DDoS) attack which wiped security journalist Brian Krebs' website from the internet came from a million-device-strong Internet of Things botnet.
"Attack appears to include numerous IoT devices, including security cameras. Still itemizing them," an Akamai spokesman told El Reg by email.
The attack "included substantial shaped traffic (traffic directly controlled by that botnet operator), rather than merely reflected, amplified unshaped traffic," he added.
Krebs' website was taken down at his request after it had been receiving up to 620Gbps of malicious traffic. He thinks he was targeted because he is currently researching DDoS gangs.
Two people were recently arrested in connection with recent DDoS attacks, which may have been one outcome of Krebs' sleuthing, as he notes here.
DDoS mitigation firm Akamai, which had Krebs as a pro bono customer, struggled to cope with the volume of incoming requests and gave him two hours' notice of being kicked off their system.
The journalist – who said "I don't fault them [Akamai] at all" – asked his hosting provider to redirect his website to 127.0.0.1 to sinkhole all the malicious traffic, a move which KO'd his website, too.
Google later stepped in to provide DDoS mitigation through its Project Shield service, meaning Krebs' website is back up again.
Krebs said, on his blog, that the sort of DDoS mitigation protection Akamai gave him (until deciding not to) would cost between $150,000 and $200,000 per annum.
“Preliminary analysis of the attack traffic suggests that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets, a communication protocol used to establish a direct, point-to-point connection between network nodes,” he added.
A story by Network World quoted Dave Lewis, Akamai's “global security advocate” as saying: “It’s possible they are faking it or it’s possible it’s a camera that was doing these attacks.” ®