KrebsOnSecurity site under attack after DDoS-for-hire service was exposed and alleged owners arrested
Itay Huri and Yarden Bidani were arrested on 8 September by Israeli authorities in connection with an FBI investigation into the DDoS-for-hire service iStock

Security researcher Brian Krebs' website KrebsOnSecurity came under "heavy and sustainable" attack after two 18 year-old Israeli hackers were arrested over their connection with a DDoS-for-hire service called vDOS. The arrests coincided with an article, which exposed the two hackers as the alleged "masterminds" behind vDOS and highlighted how the attack-for-hire service had raked in over $600,000 over the past couple of years.

Krebs said: "For most of Friday, KrebsOnSecurity came under a heavy and sustained denial-of-service attack, which spiked at almost 140 Gbps. A single message was buried in each attack packet: 'godiefaggot'."

Itay Huri and Yarden Bidani were arrested on 8 September by Israeli authorities in connection with an FBI investigation into the DDoS-for-hire service. The two were reportedly released on bail after questioning and put under house arrest for 10 days. The Israeli authorities also seized the pair's passports and banned them from using the internet or any electronic communications for 30 days.

Krebs' original report on vDOS was also published on the same day, detailing the exploits of the site. Krebs said vDOS had been "massively hacked, spilling secrets about tens of thousands of paying customers and their targets". Krebs added: "In just four months between April and July 2016, vDOS was responsible for launching more than 277 million seconds of attack time, or approximately 8.81 years worth of attack traffic."

vDOS pwned?

According to Krebs, the vDOS, which was connected to a minimum of four servers hosted in Bulgaria, went offline "sometime on Friday", which was caused by a BGP hijack. The attack was launched by DDoS mitigation and protection offering security firm BackConnect Security.

BGP hijacking involves one ISP fraudulently broadcasting to all other ISPs across the globe that it owns and/or operates a string of internet addresses, when in reality, it has no control rights to them. "It is a hack most often associated with spamming activity," Krebs said.

BackConnect Security CEO and founder Bryant Townsend confirmed to Krebs that the firm had indeed hijacked vDOS' internet address space, "in an effort to get out from under a massive attack launched on the company's network Thursday, and that the company received an email directly from vDOS claiming credit for the attack."

Townsend said: "For about six hours, we were seeing attacks of more than 200 Gbps hitting us. What we were doing was for defensive purposes. We were simply trying to get them to stop and to gather as much information as possible about the botnet they were using and report that to the proper authorities."

vDOS OpSec lax

vDOS, which has been active since 2012, is known to have conducted over 150,000 DDoS attacks. However, despite the service's impressive exploits, it appears that its OpSec (Operational Security) may have been fairly lax.

In August, the teenage hacker duo Huri and Bidani published a white paper on DDoS attack methodologies, in which Huri used his real name and mentioned that he was slated to be drafted into the Israel Defence Forces. Additionally, the email address used by Bidani was later connected by Krebs to vDOS's administrator.

Moreover, the duo had extensive discussions about DDoS attacks on social media. Krebs pointed out: "Huri and Bidani were fairly open about their activities, or at least not terribly careful to cover their tracks. Yarden's now abandoned Facebook page contains several messages from friends who refer to him by his hacker nickname 'AppleJ4ck' and discuss DDoS activities. vDOS's customer support system was configured to send a text message to Huri's phone number in Israel — the same phone number that was listed in the Web site registration records for the domain v-email[dot]org, a domain the proprietors used to help manage the site."

DDoS protection service CloudFlare, which vDOS was initially hiding behind, released the service's attack log files from April to July 2016. The files include the usernames of vDOS clients, the internet addresses of the targets, date and time of the execution of attacks and more.

Krebs claimed that he "writing more about the victims of vDOS" in the coming days.