Posted on Monday, November 29th, 2010

Wikileaks Cablegate Attack

by Craig Labovitz

Yesterday morning, a DDoS attack temporarily disrupted traffic to Wikileaks hours ahead of the “Cablegate” release of leaked US documents. Wikileaks announced the outage in a Facebook update and a Twitter post around 11:00am EST, while simultaneously derogating the attack and insisting “El Pais, Le Monde, Speigel, Guardian & NYT will publish many US embassy cables tonight, even if WikiLeaks goes down”.



In the graph below, I show traffic to one of Wikileaks’ primary hosting providers on November 28, as seen through 100 ATLAS providers around the world. At approximately 10:05am EST, traffic abruptly jumps by 2-4 Gbps as the attack begins.

Shortly after the attack started, Wikileaks redirected DNS from its AS8473 Swedish hosting provider to use mirror sites hosted by a large cloud provider in Ireland (and later the US as well). While the DDoS attack generated an outpouring of blog posts, news articles and tweets, it appears to have had little impact on the Wikileaks “Cablegate” distribution of documents.

Overall, at 2-4 Gbps the Wikileaks DDoS attack was modest in the relative scheme of recent attacks against large web sites. Though, TCP and application level attacks generally require far lower bps and pps rates to be effective (more discussion of recent DDoS trends is available here). Engineering mailing list discussion also suggests the hosting provider and upstreams decided to blackhole all Wikileaks traffic rather than transit the DDoS.

At the time of this writing, all Wikileaks domains are reachable from servers in the US, Europe and Asia. The New York Times and most other major media outlets also have since published extensive synopses of the leaked documents.

While the source of the attack is unknown, blogs and social networking sites have alternately blamed governments and vigilante hacker groups. At least one Twitter account with a history of past attacks (“the Jester”) has claimed responsibility. In earlier tweets, the Jester boasted of using low bandwidth application layer attacks instead of relying on large botnets (all of which is consistent with the data ATLAS observed for this Wikileaks attack).

Wikileaks also came under fire in 2008 with a 500 Mbps DDoS attack shortly before the release of leaked Swiss bank documents.

Update: A follow-on blog post analyzing the second day of Wikileaks DDoS attacks is now available here.

 
- Craig
 

27 Responses



Comment Post by: Andreas — November 29th, 2010 @ 8:25 pm EST

Thanks for sharing the data. It’s quite stunning that we can now observe disruptive traffic in the range of several Gbps. Back in 2007, some 80 Mbps applied in several distinct attacks were sufficient to cause disruptive effects for the Estonian internet infrastructure.

Comment Post by: Left to chance » Cyberattack Against WikiLeaks Was Weak — November 29th, 2010 @ 9:00 pm EST

[...] Arbor Networks, which analyzes malicious network traffic crossing the internet’s backbones, reports that the DDoS generated between 2 and 4 Gbps of disruptive traffic, slightly above the average for all DDoS attacks, but [...]

Comment Post by: Hacker tried to stop Wikileaks with DDoS | bSecure — November 29th, 2010 @ 9:38 pm EST

[...] according to information published by Craig Labovitz, head of the science department at the security firm Arbor Networks, the Wikileaks.org site [...]

Comment Post by: WikiLeaks Hit With DoS Attack Before Documents Leaked | alte-programme.de — November 30th, 2010 @ 1:02 am EST

[...] DDoS attack was modest in the relative scheme of recent attacks against large web sites,” blogged Craig Labovitz, chief scientist for Arbor Networks. “Though, TCP and application level attacks generally require [...]

Comment Post by: Anthony M. Freed — November 30th, 2010 @ 3:15 am EST

Anti-Jihadi Hacker The Jester Hits WikiLeaks Site With XerXeS DoS Attack

For my interviews with The Jester beginning in February of this year, including two exclusive videos of the XerXeS DoS attack in action, please see the following articles:

https://www.infosecisland.com/blogtag/427/Jester.html

Comment Post by: DoS Attack Hit WikiLeaks Before Document Disclosure | eWEEK Europe UK — November 30th, 2010 @ 4:47 am EST

[...] DDoS attack was modest in the relative scheme of recent attacks against large web sites,” blogged Craig Labovitz, chief scientist for Arbor Networks. “Though, TCP and application level attacks generally [...]

Comment Post by: Cyberattack Against WikiLeaks Was Weak — November 30th, 2010 @ 5:21 am EST

[...] [...]

Comment Post by: WikiLeaks Using Amazon Servers After Attack | pendefend — November 30th, 2010 @ 11:22 am EST

[...] Arbor Networks, a security-engineering firm, reported that after the attack started, WikiLeaks redirected traffic to its “Cablegate” site from a Swedish hosting provider to the “mirror” sites in France and the U.S., which provide exact copies. [...]

Comment Post by: They tried to stop the Wikileaks leak with a DDoS attack | www.Netmedia.info — November 30th, 2010 @ 12:26 pm EST

[...] according to information published by Craig Labovitz, head of the Science Department at the security firm Arbor Networks, the Wikileaks.org site [...]

Comment Post by: Marshall Eubanks — November 30th, 2010 @ 12:32 pm EST

There is apparently another, stronger, attack on Wikileaks this morning (Tuesday)

From @wikileaks on twitter

wikileaks WikiLeaks
DDOS attack now exceeding 10 Gigabits a second.
1 hour ago

wikileaks WikiLeaks
We are currently under another DDOS attack.

Comment Post by: DDoS attack on WikiLeaks exceeds 10 Gbps | Hallways Solutions — November 30th, 2010 @ 11:07 pm EST

[...] The first assault on wikileaks.org on Sunday, reportedly launched by a “hacktivist” that goes by the name of “th3j35t3r” (The Jester), was a “modest” 2-4 Gbps in size, according to security firm Arbor Networks analyst Craig Labovitz. [...]

Comment Post by: Craig Labovitz — November 30th, 2010 @ 11:39 pm EST

Marshall,

Thanks for the pointer. I just published analysis of the second, stronger attack in a blog post at http://asert.arbornetworks.com/2010/11/round2-ddos-versus-wikileaks.

- Craig

Comment Post by: Tech and Legal Intersecting: Game Console Modding, Wikileaks as DDoS Victim, Level 3 and Comcast Toll — December 1st, 2010 @ 1:52 am EST

[...] quite a bit of maintenance in the background, including moving the site back to Amazon EC2 hosting. The Arbor Networks Security Blog showed the above picture in a blog post yesterday to demonstrate the traffic to WikiLeaks yesterday [...]

Comment Post by: Anthony M. Freed — December 1st, 2010 @ 4:37 am EST

Hacker “The Jester” Reports Raid By Law Enforcement

Infamous anti-jihadi hacker The Jester (th3j35t3r), who earlier this week claimed responsibility for a denial of service attack that temporarily disabled the WikiLeaks website, reported that he was the subject of a search and equipment seizure by law enforcement…

https://www.infosecisland.com/blogview/9916-Hacker-The-Jester-Reports-Raid-By-Law-Enforcement.html

Comment Post by: DDoS attack on Wikileaks has grown to 10 Gbps, Amazon is coping so far | tundrik.ru — December 1st, 2010 @ 9:50 am EST

[...] is still ongoing. Experts from Arbor Networks noted that when the Swedish servers stopped coping with [...]

Comment Post by: Wikileaks battered by second DDoS attack - Security | News | ZDNet.de — December 1st, 2010 @ 10:05 am EST

[...] [...]

Comment Post by: Interpol puts Assange (WikiLeaks founder) on most-wanted list — December 1st, 2010 @ 7:39 pm EST

[...] Mass., which monitors and protects companies against DDoS attacks, analyzed Sunday's attack here.) Another way to think of it is that someone, somewhere is demanding that the WikiLeaks cablegate [...]

Comment Post by: Amazon drops Wikileaks hosting…..Assange is still among the missing….Wikileaks is under attack itself… - Politicaldog101.Com — December 1st, 2010 @ 11:56 pm EST

[...] What’s notable about today’s attack is the scale. WikiLeaks tweeted this morning that the attack was “exceeding 10 Gigabits a second” — two to five times as large as the initial attack on Sunday. (Arbor Networks of Chelmsford, Mass., which monitors and protects companies against DDoS attacks, analyzed Sunday’s attack here.) [...]

Comment Post by: DDoS attack on Wikileaks has grown to 10 Gbps, Amazon is coping so far : HRUSHETSKYY VITALIY — December 2nd, 2010 @ 10:09 am EST

[...] which is still ongoing. Experts from Arbor Networks noted that when the Swedish servers stopped coping with [...]

Comment Post by: From the Listening Post… 12/04/2010 (a.m.) « Sean Lawson, Ph.D. — December 4th, 2010 @ 3:40 am EST

[...] Wikileaks Cablegate Attack [...]

Comment Post by: yudinindi — December 5th, 2010 @ 10:35 am EST

It’s stunning to me; the average of the attack reached 10 GBPS or maybe higher in advance… that’s why the site was temporarily disabled.

Comment Post by: Eric Karstens – WikiLeaks, the Cloud, and Internet pluralism: A roundup of emerging lessons learned — December 8th, 2010 @ 11:46 am EST

[...] attacks, as network specialist Craig Labovitz with the Internet security firm Arbor Networks has reported. DDoS attacks bring down a website basically by automatically calling it up from multiple places [...]

Comment Post by: Amazon’s WikiLeaks takedown-Berkman « FACT – Freedom Against Censorship Thailand — December 13th, 2010 @ 1:54 am EST

[...] about 10Gbps, which is big enough to take down all but a couple dozen or less ISPs in the world; arbor claims about 2-4 Gbps, which is still big enough to cause the vast majority of ISPs in the world major [...]

Comment Post by: DDoS Attacks 101 - White Wall Web Wisdom — December 13th, 2010 @ 2:58 am EST

[...] lot of media attention has been focused specifically on the cables between the US and Iraq. Shortly before and then again after WikiLeaks went live with Cablegate, it experienced a DDoS attack and went down [...]

Comment Post by: The Internet Goes to War | Data Protection and Recovery Center — December 23rd, 2010 @ 11:04 am EST

[...] Also see earlier blog posts (link available here) for more analysis of the Wikileaks [...]

Comment Post by: DDoS Attacks 101 — March 9th, 2011 @ 5:55 am EST

[...] lot of media attention has been focused specifically on the cables between the US and Iraq. Shortly before and then again after WikiLeaks went live with Cablegate, it experienced a DDoS attack and went down [...]

Comment Post by: DDoS attack on Wikileaks gathers strength | KosovaByte - Science and Technology in Albanian — September 1st, 2011 @ 7:19 am EST

[...] What is notable about yesterday’s attacks is the large scale. Wikileaks tweeted yesterday morning that the attack was exceeding 10 Gigabits per second – two to five times more than the attack that began on Sunday. (Arbor Networks of Chelmsford, Mass., which monitors and protects companies from DDoS attacks, analyzed Sunday’s attack here.) [...]
