Posted on Wednesday, February 20th, 2008

DDoS Events of Note: Wordpress, Gambling Sites

by Jose Nazario

The popular blogging site Wordpress suffered a DDoS attack a few days ago. Sites like this are often hit, sometimes for inexplicable reasons. Someone gets mad, someone holds a grudge, someone wants retaliation, someone wants to try to hurt the target. I don’t know why Wordpress was hit; there could be any number of reasons. However, our ATLAS network has some visibility into the attacks. What I found in looking at the attacks against Wordpress in the past week was that this wasn’t isolated to just one day. Here’s a brief summary of the attacks I observed:

Number of attacks: 268 in the past 7 days against Wordpress

Attacks by day: 22 on Feb 14, 246 on Feb 19, 2008. No attacks detected against Wordpress on the other days.

Number of reporting ISPs: 1, suggesting this isn’t a broadly sourced, globally scoped attack.

Packets per second over all 268 attacks: over 24,000 packets per second during the peak attack, with an average of 11,200 packets per second per attack across all observed attacks.

Bytes per second over all 268 attacks: a peak bandwidth utilization of 264 Mbps during one attack, with an average of 125 Mbps per attack across the other attacks.

Attack duration: The longest attack was about 40 minutes long, with the average attack lasting about 6 or 7 minutes.

The Wordpress attacks are big enough to cause problems, reportedly about 15 minutes worth of downtime, but they are average-sized attacks these days.

In other related news, a number of online gambling sites were also hit with DDoS attacks. Again, it’s hard to gauge motivations, but there are reports that it was related to cyber-extortion during Super Bowl betting. The targets of this attack as noted above included EuropeCasino, Party Poker and Full Tilt Poker.

The attack against EuropeCasino was sizable, with four ISPs reporting the attacks globally. This suggests a broadly scoped attack, as well. A combination of attacks were used, mainly HTTP GET floods, but also some ICMP attacks. By date, the attacks peaked on Feb 15 with 149 attacks measured by our ATLAS network, and reached a peak size of 177 Mbps, and lasted about 15 minutes on average. Other casinos hit suffered smaller attacks by bandwidth, but were hit with a similar pattern. For example, Online Casinos, based in Russia, was hit with 170 attacks on Feb 18, and nearly 300 attacks overall, and again it was broadly reported across many ISPs.
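To make the per-target summary above (attack counts by day, reporting ISPs, peak and average packet and bit rates, durations, and the "one reporting ISP means not broadly sourced" read) reproducible, here is an added example that is not part of the original post or of ATLAS. It assumes a hypothetical flat alert format (target, reporting ISP, start, end, peak packets/s, peak bits/s, attack vector) with constructed values.

```python
from collections import Counter
from datetime import datetime

# Constructed sample alerts; the numbers are made up for illustration and
# are not ATLAS data. Fields: target, reporting ISP, start, end,
# peak packets/s, peak bits/s, attack vector.
ALERTS = [
    ("wordpress", "isp-a", "2008-02-14 10:00", "2008-02-14 10:05", 9000, 90e6, "syn"),
    ("wordpress", "isp-a", "2008-02-19 08:00", "2008-02-19 08:40", 24000, 264e6, "syn"),
    ("wordpress", "isp-a", "2008-02-19 09:00", "2008-02-19 09:07", 11000, 120e6, "syn"),
    ("europecasino", "isp-a", "2008-02-15 01:00", "2008-02-15 01:15", 15000, 177e6, "http-get"),
    ("europecasino", "isp-b", "2008-02-15 01:00", "2008-02-15 01:15", 14000, 150e6, "http-get"),
    ("europecasino", "isp-c", "2008-02-15 02:00", "2008-02-15 02:10", 5000, 40e6, "icmp"),
    ("europecasino", "isp-d", "2008-02-16 02:00", "2008-02-16 02:20", 6000, 50e6, "http-get"),
]

FMT = "%Y-%m-%d %H:%M"


def summarize(alerts, target):
    """Aggregate alerts for one target into the metrics used in the post."""
    rows = [a for a in alerts if a[0] == target]
    if not rows:
        return None
    # Attack duration in minutes from the start/end timestamps.
    durations = [
        (datetime.strptime(end, FMT) - datetime.strptime(start, FMT)).total_seconds() / 60
        for _, _, start, end, _, _, _ in rows
    ]
    isps = {a[1] for a in rows}
    return {
        "attacks": len(rows),
        "by_day": dict(Counter(a[2][:10] for a in rows)),
        "reporting_isps": len(isps),
        # A single reporting ISP suggests a narrowly sourced attack.
        "broadly_sourced": len(isps) > 1,
        "peak_pps": max(a[4] for a in rows),
        "avg_pps": sum(a[4] for a in rows) / len(rows),
        "peak_mbps": max(a[5] for a in rows) / 1e6,
        "avg_mbps": sum(a[5] for a in rows) / 1e6 / len(rows),
        "longest_min": max(durations),
        "avg_min": sum(durations) / len(durations),
        "vectors": dict(Counter(a[6] for a in rows)),
    }


if __name__ == "__main__":
    for target in ("wordpress", "europecasino"):
        print(target, summarize(ALERTS, target))
```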

Some of us in the botnet tracking community saw the commands issued to the botnets and know what servers are involved, as the team at ShadowServer noted. The C&C has been active in the DDoS scene before.

All of this suggests that these types of attacks aren’t going to go away any time soon. There are more tools, more people, and more money at stake. With those factors coming together, DDoS is here to stay for the foreseeable future.
