The majority of the estimated 145,000 devices were security cameras and DVRs used in home or office settings. Many of these were using either default passwords or easily-guessed ones ("1234," "password," "admin"). Around half of the traffic came from the Europe, Middle East and Africa (EMEA) region, indicating where the compromised devices were located. The volume of traffic was uniquely large, nearly double what Akamai had previously seen in a 363 Gbps attack back in June.
Finally, a large portion of the traffic connected directly from the botnet to the target, rather than being reflected or amplified as is typical for DDoS strikes. As Softpedia notes, researchers had thought such a direct flood was hardly possible, as it would require the attacker to directly control a large number of bots.
Krebs' site was likely targeted after he'd busted a two-person DDoS-for-hire outfit in early September that had been responsible for a "majority" of the denial-of-service cyberattacks in recent years. Days after Akamai reluctantly stopped protecting the site, he finally got KrebsOnSecurity back online after getting help from Alphabet's Project Shield, a free service that protects journalists from denial-of-service assaults.
A DDoS expert noted that an Akamai-level defense would cost Krebs $150,000 annually, far beyond the budgets of most independent writers and newsrooms. While this report confirms much of what was already suspected, it also cements how easily a voice can be silenced, especially since the Mirai malware's author open-sourced its code for anyone to use.