
As a testament to his effectiveness at digging out the various online scammers, Akamai "had to" boot Krebs off of their service - the criminal gangs wanted him and his website out of the picture, and directed enough DDoS volume to overwhelm Akamai's ability to handle the load.

IIRC Google intervened and offered to put him behind their shield system. Which I think tells more about Akamai than anything else. (Krebs's website address resolves to a Google network space.)

In a fit of irony, even sometime after that event, Krebs's website still sported Akamai's DDoS protection service ads.



Unless you have direct 1p knowledge I'm very skeptical of framing that as a capability or capacity problem ("had to", "overwhelm", etc). I'm very confident it was purely an effort vs benefit discussion. Which isn't too hard when the benefit is an intangible good will.

I've worked for a very large CDN, and I've both unilaterally removed a customer's access and been involved in even more awkward "inviting them to use another provider more suited to their use case" discussions with account managers, PMs, legal, etc. There are a multitude of unsurprising reasons those things happen, even for credible and legitimate paying customers. It was _never_ because we were "overwhelmed." However, attracting a high operational burden or cost burden would certainly play into the _business decision_.

As a trivial example, a transparently online gambling site with nominal jurisdiction somewhere difficult in Asia may generate very legitimate traffic and even pay their $20 or $200 bill. But that revenue isn't worth the cost of scaling up our network edge all across the AP for unmetered junk bits directed at their distribution, burning goodwill with peers when _their_ network gets blown up, or driving more operational and security load as their gambling site competitors employ more novel and bigger attacks. Simply put, not all business is worth it, and you don't have to accept all customers. Part on reasonable terms when possible and abide by relevant laws. That's the actual obligation.


While I don't have immediate first-person knowledge, the event and decisions were widely reported at the time.

https://www.zdnet.com/article/krebs-on-security-booted-off-a... -- note the quote, in particular

https://www.theregister.com/2016/09/26/google_shields_krebs/ -- "could no longer shield the site without impacting paying customers"

Krebs's own post from the time does not reference the business decisions, only the technical aspects: https://web.archive.org/web/20160922124922/http://krebsonsec...


"without impacting paying customers"


Every company I've worked for has certain clients/customers that the company would (for various reasons) be better off financially to no longer have as clients/customers. At some point, those internal conversations become much less awkward as everyone realizes the reality of the situation. Those companies that had to undergo bidding processes usually fixed the glitch at that time by making very noncompetitive bids.


Even worse in health insurance.


This all makes sense. But then since Google is not a benevolent entity either, why did Krebs make sense as a customer for Google and not for Akamai?


Very good PR that will get shared in the groups like this one, where some of us are in decision making tables for purchasing such products?


To be fair to Akamai, they were providing their services to Krebs free of charge.


Sure, as a business decision it must have made perfect sense at the time - Akamai had bigger (paying) customers to protect. But that doesn't make the optics around it any less terrible.

The message they were telegraphing with their combined actions was effectively: "We protect some of the largest corporations on the planet... but do not have the resources to keep an individual journalist and blogger online. Your business could be next."

Whoever made the decision to pull service to Krebs should have also thrown their weight around to get those ads off of Krebs's website, because the compound outlook must have been hideous. (How do you get your ads off of a website without causing any more animosity? You quickly renegotiate an exclusivity deal and then choose not to run any ads at all on it.)


Heavy is the head that wears the crown (or offers mitigation services advertised on a cybersecurity website)

If Akamai can't (or won't) serve Krebs, I'm not sure I would want my business to pay them.


Can't edit now, but a point to this I'd like to add: 'serve' could absolutely mean best-effort (ie: filtered, moved, null routed, whatever). I don't intend for compulsory weathering-of-the-storm (for the sake of PR), but rather... recognition that this is part and parcel with The Business.

Maybe they/partners couldn't weather the storm. Report on it; Engineering blogs are all the rage. Being a CDN involves more than serving well-traveled bytes, getting paid, or touting how big of a reseller you are. Cat must chase mouse! Krebs is arguably the best customer for this; not e-commerce (can endure the worst outcome - no service) and has domain expertise.

If I enter a protection scheme with someone who - after all - isn't all that tough... why would I/anyone continue? The internet is a big place.

