DDoS Events of Note: WordPress, Gambling Sites

The popular blogging site WordPress suffered a DDoS attack a few days ago. Sites like this are often hit, sometimes for inexplicable reasons. Someone gets mad, someone holds a grudge, someone wants retaliation, someone wants to try and hurt the target. I don’t know why WordPress was hit; there could be any number of reasons. However, our ATLAS network has some visibility into the attacks. What I found in looking at the attacks against WordPress in the past week was that this wasn’t isolated to just one day. Here’s a brief summary of the attacks I observed:

Number of attacks: 268 in the past 7 days against WordPress

Attacks by day: 22 on Feb 14, 246 on Feb 19, 2008. No attacks detected against WordPress on the other days.

Number of reporting ISPs: 1, suggesting this isn’t a broadly sourced, globally scoped attack.

Packets per second over all 268 attacks: over 24,000 packets per second during the peak attack, and an average of 11,200 packets per second per attack across all observed attacks.

Bytes per second over all 268 attacks: A peak bandwidth utilization of 264 Mbps during one attack, with an average of 125 Mbps per attack during all other attacks.

Attack duration: The longest attack was about 40 minutes long, with the average attack lasting about 6 or 7 minutes.

The WordPress attacks are big enough to cause problems, reportedly about 15 minutes’ worth of downtime, but are average-sized attacks these days.

In other related news, a number of online gambling sites were also hit with DDoS attacks. Again, it’s hard to gauge motivations, but there are reports that it was related to Cyber-Extortion during SuperBowl Betting. The targets of this attack, as noted above, included EuropeCasino, Party Poker and Full Tilt Poker.

The attack against EuropeCasino was sizable, with four ISPs reporting the attacks globally. This suggests a broadly scoped attack, as well. A combination of attacks was used, mainly HTTP GET floods, but also some ICMP attacks. By date, the attacks peaked on Feb 15 with 149 attacks measured by our ATLAS network, reached a peak size of 177 Mbps, and lasted about 15 minutes on average. Other casinos hit suffered smaller attacks by bandwidth, but were hit with a similar pattern. For example, Online Casinos, based in Russia, was hit with 170 attacks on Feb 18, and nearly 300 attacks overall, and again it was broadly reported across many ISPs.

Some of us in the botnet tracking community saw the commands issued to the botnets and know what servers are involved, as the team at ShadowServer noted. The C&C has been active in the DDoS scene before.

All of this suggests that these types of attacks aren’t going to go away any time soon. There are more tools, more people, and more money at stake. With those factors coming together, DDoS is here to stay for the foreseeable future.

6 Responses to “DDoS Events of Note: WordPress, Gambling Sites”

August 11, 2008 at 12:34 pm, Freelance Web Design said:

Many people don’t realize how vulnerable most servers are to these types of attacks. It’s a long standing joke that if you make someone mad in IRC some script kiddie will get his buddies to pwn your box. Sadly, it’s all too true. Make love not war on the interwebs! lol.

September 03, 2009 at 7:18 am, Keith - Racing Systems said:

I would imagine gambling sites are pretty near the top of the list for attacks of this nature, as they deal with real money, and in many cases big money, from users, the majority of which lose. So it is easy to see how some folk will get piddled off and take action in the form of a DOS attack.

September 11, 2009 at 7:02 am, Pokies said:

I didn’t realize how open WordPress and websites were to attack. I wonder what we can do to fully prepare websites and prevent them from being attacked? It must be a constant uphill battle and costly exercise to best prepare for these forms of attacks.

March 05, 2011 at 4:05 am, Wordpress recovers from huge DDoS attack | Primary Multisite Template said:

[…] comparison, a 2008 analysis by Arbor Networks of DDoS on the company noted that it had been hit by 268 DDoS events in a seven day period in February of that year, which […]

March 06, 2011 at 12:14 am, Wordpress Recovers From Huge DDoS Attack said:

[…] a certain size – but the sheer size will be seen as worrying. For comparison, a 2008 analysis by Arbor Networks of DDoS on the company noted that it had been hit by 268 DDoS events in a seven day period in February of that year, which […]
