Posted on Tuesday, November 30th, 2010

Round 2: DDoS Versus Wikileaks

by Craig Labovitz

In the second round of what may possibly be a protracted Internet skirmish, a denial of service attack briefly blocked access to the cablegate.wikileaks.org web site this morning around 8:00 am EST. On Twitter, Wikileaks pegged the DDoS as exceeding 10 Gbps (significantly larger than my 2-4 Gbps estimate for the first round of attacks on Sunday).



As compared with this Sunday’s initial attack (blog analysis available here), ATLAS data from 110 providers around the world suggest today’s DDoS was both larger and more sophisticated. Specifically, today’s attack involved several different components, including a low-bandwidth application-level DDoS and a 2-3 Gbps SYN attack against the primary “cablegate” IP addresses (the hosted web site is load balanced across data center locations in Europe and the US West Coast).

An example of one of the anonymous alerts ATLAS collected yesterday is shown below. This alert is for a modest TCP SYN attack against cablegate.wikileaks.org targeting high-numbered ports. The source address blocks are anonymized, with XX replacing the high-order bits.


<attack start="2010-11-30 18:10:01 GMT" stop="2010-11-30 18:56:27 GMT">
    <rate bps="70312432" pps="220847"/>
    <protocols>TCP</protocols>
    <tcpflags>Syn</tcpflags>
    <source>
        <ips>xx.xx.25.0/27</ips>
        <ports>1024-2047</ports>
    </source>
    <dst>
        <ips>204.236.131.131/32</ips>
        <ports>16384-32767,32768-65535</ports>
    </dst>
</attack>
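To show what an analyst can pull out of an alert like this, here is an added Python example (not code from the post or from Arbor) that parses the quoted alert, derives the attack duration and the average packet size from the bps/pps pair, and checks that the numbers match the SYN-flood classification: 70,312,432 bps over 220,847 pps works out to roughly 40 bytes per packet, exactly the size of a bare IPv4 TCP SYN. The alert text is the one quoted above; the 64-byte cutoff is an assumed heuristic, not an ATLAS setting.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample: the anonymized ATLAS alert quoted in the post, reproduced
# verbatim so the summary below can be checked against the post's own numbers.
SAMPLE_ALERT = """<attack start="2010-11-30 18:10:01 GMT" stop="2010-11-30 18:56:27 GMT">
    <rate bps="70312432" pps="220847"/>
    <protocols>TCP</protocols>
    <tcpflags>Syn</tcpflags>
    <source>
        <ips>xx.xx.25.0/27</ips>
        <ports>1024-2047</ports>
    </source>
    <dst>
        <ips>204.236.131.131/32</ips>
        <ports>16384-32767,32768-65535</ports>
    </dst>
</attack>"""

TS_FMT = "%Y-%m-%d %H:%M:%S GMT"

# A bare IPv4 TCP SYN is 40 bytes (20-byte IP header + 20-byte TCP header);
# real SYNs add a few option bytes. An average packet size under this cutoff
# (an assumed threshold for this example, not an ATLAS value) is the
# packet-size signature of a SYN flood rather than a flood of data packets.
SYN_FLOOD_MAX_AVG_BYTES = 64


def parse_ports(spec):
    """Expand a port spec such as '16384-32767,32768-65535' into (low, high) pairs."""
    ranges = []
    if not spec.strip():
        return ranges
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        lo = int(low)
        hi = int(high) if high else lo
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("bad port range: %r" % part)
        ranges.append((lo, hi))
    return ranges


def port_count(ranges):
    """Number of distinct ports covered by a list of (low, high) pairs."""
    return sum(hi - lo + 1 for lo, hi in ranges)


def summarize_alert(xml_text):
    """Reduce one <attack> alert to the figures an analyst wants at a glance."""
    # The alert comes from our own collector; for XML received from an
    # untrusted party, parse with defusedxml instead of the stdlib parser.
    root = ET.fromstring(xml_text)
    if root.tag != "attack":
        raise ValueError("expected an <attack> element, got <%s>" % root.tag)
    start = datetime.strptime(root.get("start"), TS_FMT)
    stop = datetime.strptime(root.get("stop"), TS_FMT)
    duration_s = int((stop - start).total_seconds())
    rate = root.find("rate")
    bps = int(rate.get("bps"))
    pps = int(rate.get("pps"))
    protocol = root.findtext("protocols", "")
    flags = root.findtext("tcpflags", "")
    src_ports = parse_ports(root.findtext("source/ports", ""))
    dst_ports = parse_ports(root.findtext("dst/ports", ""))
    avg_packet_bytes = bps / 8 / pps  # bits -> bytes, then per packet
    return {
        "duration_s": duration_s,
        "mbps": bps / 1e6,
        "pps": pps,
        "avg_packet_bytes": avg_packet_bytes,
        "total_packets_est": pps * duration_s,
        "src_ports": port_count(src_ports),
        "dst_ports": port_count(dst_ports),
        "dst": root.findtext("dst/ips", ""),
        "is_syn_flood": (protocol == "TCP" and flags == "Syn"
                         and avg_packet_bytes < SYN_FLOOD_MAX_AVG_BYTES),
    }


if __name__ == "__main__":
    for key, value in summarize_alert(SAMPLE_ALERT).items():
        print("%-18s %s" % (key, value))
```

The average-packet-size check is the cheap sanity test to run on any alert labelled as a SYN flood: if the average came out at several hundred bytes, the "Syn" flag would be telling only part of the story and the flood would be worth a second look as an application-level or reflection attack instead.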

In the chart below, I graph traffic from 110 ATLAS carriers around the world to address blocks (BGP prefixes) used by Wikileaks. Note these address blocks may also include traffic to other customers using the same hosting provider. The attack began around 7 am EST, though a smaller traffic spike occurs around 2 am. All times are EST. At the time of this blog posting, the DDoS is still ongoing, though not significantly impacting Wikileaks access.
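The prefix-level view described above is the same aggregation a defender runs on their own flow data: attribute each flow to a watched BGP prefix, sum bytes per hour, and flag hours that stand well above a baseline. The following Python is an added example (not Arbor's ATLAS code); the flow records are constructed to mimic the chart's shape (a flat baseline, a small bump at 2 am, the attack from 7 am), and treating 204.236.131.0/24 as "a Wikileaks prefix" is an assumption, since the post only quotes the single /32 above.

```python
import ipaddress
from collections import defaultdict
from statistics import median

# Hypothetical watch list: the post quotes only 204.236.131.131/32, so using
# the enclosing /24 as the monitored prefix is an assumption for this example.
WATCHED_PREFIXES = [ipaddress.ip_network("204.236.131.0/24")]


def _constructed_flows():
    """Constructed flow samples as (hour_of_day_EST, dst_ip, bytes).

    Hours 0-11: ~50 MB/h baseline to the site, a 200 MB bump at 02:00 and
    900 MB/h from 07:00 on. 198.51.100.7 (TEST-NET-2) stands in for an
    unrelated customer outside the watched prefix and must be ignored.
    """
    flows = []
    for hour in range(12):
        if hour == 2:
            nbytes = 200_000_000
        elif hour >= 7:
            nbytes = 900_000_000
        else:
            nbytes = 50_000_000
        flows.append((hour, "204.236.131.131", nbytes))
        flows.append((hour, "204.236.131.40", 5_000_000))   # same prefix, another host
        flows.append((hour, "198.51.100.7", 400_000_000))    # not watched
    return flows


SAMPLE_FLOWS = _constructed_flows()


def watched_prefix(ip):
    """Return the watched network containing ip, or None if it is not monitored."""
    addr = ipaddress.ip_address(ip)
    for net in WATCHED_PREFIXES:
        if addr in net:
            return net
    return None


def bucket_by_prefix(flows):
    """Sum bytes per (prefix, hour), dropping flows outside the watch list."""
    series = defaultdict(lambda: defaultdict(int))
    for hour, dst, nbytes in flows:
        net = watched_prefix(dst)
        if net is not None:
            series[net][hour] += nbytes
    return series


def flag_spikes(hourly, factor=5.0):
    """Hours whose volume exceeds factor x the median hour.

    The median is used as the baseline so that a multi-hour attack does not
    drag the baseline up and hide itself, as a mean would.
    """
    baseline = median(hourly.values())
    return sorted(h for h, b in hourly.items() if b > factor * baseline)


if __name__ == "__main__":
    for net, hourly in bucket_by_prefix(SAMPLE_FLOWS).items():
        print(net, "spike hours:", flag_spikes(hourly))
```

With the default factor only the attack hours from 7 am onward are flagged; lowering the factor to 1.5 also surfaces the small 2 am bump, which is the trade-off between catching low-rate probes and paging on ordinary traffic variation.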



Based on Netcraft and other reports, the outage was brief though cablegate web site performance was moderately impacted throughout the day.

Interestingly, the attack appears to originate from a relatively small number of source IPs, including machines in Russia, eastern Europe and Thailand.

- Craig

25 Responses



Comment Post by: Nicky — November 30th, 2010 @ 10:58 pm EST

Interesting. Is there any way the countries are off and they are all really coming from the US? Is there a way they can hide where they are actually coming from?

Comment Post by: manny — November 30th, 2010 @ 11:24 pm EST

Nicky: you bet they do.

The military calls it Cyberwarfare for a reason.

Comment Post by: KristoferA — December 1st, 2010 @ 3:53 am EST

Russia, Eastern Europe, Thailand… what do these countries have in common? Lots of people using pirated versions of Windows etc that are readily available to purchase on DVDs/CDs. The pirate discs are often contaminated with all kinds of junk/spyware/crapware so those countries are self-made botnets. The real origin of the traffic is most likely elsewhere…

Comment Post by: Vico — December 1st, 2010 @ 10:58 am EST

Actually, Wikileaks is just becoming a target that many different botnet masters are targeting for fun. Because WikiLeaks is in the news it’s “cool” to attack them and see how strong your army is.

Comment Post by: Anthony M. Freed — December 2nd, 2010 @ 6:55 pm EST

Did WikiLeaks Hacker The Jester Pull Police Raid Hoax?

“The Jester was angry enough with militants recruiting for jihad and about the WikiLeaks disclosures to launch a DoS attacks on their sites, so why was he not very peeved about an impostor using his name to scam money? The logical conclusion might be that The Jester himself is the hoaxer…”

https://www.infosecisland.com/blogview/9970-Did-WikiLeaks-Hacker-The-Jester-Pull-Police-Raid-Hoax.html

Comment Post by: From the Listening Post… 12/04/2010 (a.m.) « Sean Lawson, Ph.D. — December 3rd, 2010 @ 8:37 pm EST

[...] Round 2: DDoS Versus Wikileaks [...]

Comment Post by: How to Find Wikileaks and Follow Cablegate « ZERO ANTHROPOLOGY — December 3rd, 2010 @ 8:39 pm EST

[...] has been massive and orchestrated attack on the hosting of Wikileaks files, from a distributed denial of service, to Amazon dumping [...]

Comment Post by: How to Find Wikileaks and Follow Cablegate | The News blog — December 3rd, 2010 @ 11:52 pm EST

[...] has been massive and orchestrated attack on the hosting of Wikileaks files, from a distributed denial of service, to Amazon dumping [...]

Comment Post by: Wikileaks on the Run « Machimon — December 4th, 2010 @ 2:11 am EST

[...] has been massive and orchestrated attack on the hosting of Wikileaks files, from a distributed denial of service, to Amazon dumping [...]

Comment Post by: TheJesterFesters — December 4th, 2010 @ 1:45 pm EST

Craig – if you watch the videos of thejester’s xerxes DOS – one known source of the DOS attacks – you might notice that the news gadget on the sidebar of his Ubuntu desktop is showing news in Cyrillic script – Russian I believe. Rookie mistake on his part.

Comment Post by: The Weakest Link: What Wikileaks Has Taught Us About the Open Internet | an/archivista — December 5th, 2010 @ 1:02 pm EST

[...] of documents to major global newspapers, the site has been besieged by DDOS attacks (upwards of 10 Gbps at one point), forcing the site offline and hampering its ability to deliver data. After moving to [...]

Comment Post by: Wikileaks derailed by just a hundred computers | Pitts Report — December 7th, 2010 @ 12:07 am EST

[...] eastern Europe and Thailand, says Craig Labovitz of Arbor Networks in Ann Arbor, Michigan, who has been tracking the attacks. It is likely that the machines sending the traffic are being secretly controlled by a hacker [...]

Comment Post by: The Weakest Link: What Wikileaks Has Taught Us About the Open Internet | TECHNOLOGY NEWS — December 7th, 2010 @ 4:00 am EST

[...] of documents to major global newspapers, the site has been besieged by DDOS attacks (upwards of 10 Gbps at one point), forcing the site offline and hampering its ability to deliver [...]

Comment Post by: Edward Vielmetti — December 8th, 2010 @ 2:31 pm EST

Here’s a report of a DDOS attack on Mastercard

http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2010/12/05/international/i083539S60.DTL

said to be in response to their actions to cut off Wikileaks payment processing.

Comment Post by: DDoS Attacks 101 - White Wall Web Wisdom — December 10th, 2010 @ 10:13 am EST

[...] has been focused specifically on the cables between the US and Iraq. Shortly before and then again after WikiLeaks went live with Cablegate, it experienced a DDoS attack and went down for some [...]

Comment Post by: ThousandEyes | Network Visibility | Service Assurance | Web Performance — December 10th, 2010 @ 11:54 am EST

[...] began monitoring the wikileaks.org domain after we learned about two rounds of DDoS attacks that managed to take the site offline on November 28 and November [...]

Comment Post by: DoS Atacks — December 12th, 2010 @ 4:20 am EST

Craig: Do you have any figures on the DDoS attacks traffic figures for those done by Anonymous Group against postbank, paypal, visa/mastercard?

Comment Post by: Julian Assange: The Man Who Kicked The Hornets' Nest | Webscopia — December 12th, 2010 @ 5:33 am EST

[...] government sponsored attack on Wikileaks was done by Arbor Networks and it can be read here. Wikileaks Blog Post by Arbor Networks. Despite the attacks, the Wikileaks mirror sites are springing up everywhere. The official website [...]

Comment Post by: Julian Assange: The Man Who Kicked The Hornets’ Nest | DoS Attacks — December 12th, 2010 @ 5:38 am EST

[...] government sponsored attack on Wikileaks was done by Arbor Networks and it can be read here. Wikileaks Blog Post by Arbor Networks. Despite the attacks, the Wikileaks mirror sites are springing up everywhere. The official website [...]

Comment Post by: DDoS Attacks Make Headlines, But How Common Are They? : Febryadi.com — December 14th, 2010 @ 4:15 am EST

[...] Now to put this in some perspective with recent events, Arbor Networks estimates that the DDoS attacks that took WikiLeaks down on the day the cables were released were around 2-4 Gbps, just slightly above the average DDoS attack. But two days later, another attack on the site clocked in around 10 Gbps. [...]

Comment Post by: …My heart’s in Accra » New Berkman Paper on DDoS – silencing speech is easy, protecting it is hard — December 22nd, 2010 @ 12:58 pm EST

[...] then Wikileaks came under sustained DDoS attack, and the topic of DDoS as a form of censorship started receiving international media attention. As [...]

Comment Post by: Cara Mencegah DDOS attack dengan mod_evassive Centos/WHM | Code Zero — January 21st, 2011 @ 5:24 pm EST

[...] Round 2: DDoS Versus Wikileaks | Security to the Core | Arbor … [...]

Comment Post by: DDoS Attacks 101 — March 9th, 2011 @ 5:57 am EST

[...] has been focused specifically on the cables between the US and Iraq. Shortly before and then again after WikiLeaks went live with Cablegate, it experienced a DDoS attack and went down for some [...]

Comment Post by: DDoS Attacks: Size doesn’t matter — February 6th, 2012 @ 11:16 pm EST

[...] were made with less than 1 Gigabit per second (Gbps). Sure, some attacks, like the one that got WikiLeaks in 2010 used 10Gbps level attacks, but, really, you don’t need to that much traffic to knock the stuffings out of a Web [...]
