Wikileaks Cablegate Attack

Yesterday morning, a DDoS attack temporarily disrupted traffic to Wikileaks hours ahead of the “Cablegate” release of leaked US documents. Wikileaks announced the outage in a Facebook update and a Twitter post around 11:00am EST, while simultaneously dismissing the attack and insisting “El Pais, Le Monde, Speigel, Guardian & NYT will publish many US embassy cables tonight, even if WikiLeaks goes down”.



In the graph below, I show traffic to one of Wikileaks’ primary hosting providers on November 28 through 100 ATLAS providers around the world. At approximately 10:05am EST, traffic abruptly jumps by 2-4 Gbps as the attack begins.
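As an added illustration (not code from the original post or from ATLAS), the sketch below shows one way a defender could locate the onset of such a step change in per-destination traffic: a rolling median baseline with a MAD-based threshold, plus a persistence check so a single noisy bin is ignored. The 5-minute samples, the thresholds and all names are constructed assumptions, chosen to mirror a 2-4 Gbps jump at 10:05.

```python
from datetime import datetime, timedelta
from statistics import median


def find_attack_onset(samples, window=6, k=5.0, min_excess_gbps=1.0):
    """Return (onset_time, baseline_gbps, peak_excess_gbps) or None.

    samples: time-ordered list of (datetime, gbps) toward one destination.
    A bin is the onset when it AND the next bin exceed the rolling median
    of the previous `window` bins by max(k * scaled MAD, min_excess_gbps).
    """
    for i in range(window, len(samples) - 1):
        history = [v for _, v in samples[i - window:i]]
        baseline = median(history)
        # Median absolute deviation: robust to an outlier inside the window.
        mad = median(abs(v - baseline) for v in history)
        threshold = max(k * 1.4826 * mad, min_excess_gbps)
        now_high = samples[i][1] - baseline > threshold
        next_high = samples[i + 1][1] - baseline > threshold
        if now_high and next_high:
            peak = max(v for _, v in samples[i:])
            return samples[i][0], baseline, peak - baseline
    return None


# Constructed sample data (not ATLAS measurements): Gbps in 5-minute bins
# starting 09:00 EST. Bin 7 (09:35) is a one-off spike; the sustained
# increase starts at bin 13 (10:05).
START = datetime(2010, 11, 28, 9, 0)
GBPS = [0.40, 0.42, 0.38, 0.41, 0.39, 0.43, 0.40, 1.80, 0.41, 0.39,
        0.42, 0.40, 0.41, 2.6, 3.9, 4.3, 3.4, 2.9, 3.7]
SAMPLES = [(START + timedelta(minutes=5 * n), g) for n, g in enumerate(GBPS)]

if __name__ == "__main__":
    onset, baseline, excess = find_attack_onset(SAMPLES)
    print(f"onset {onset:%H:%M} EST, baseline {baseline:.2f} Gbps, "
          f"peak excess {excess:.2f} Gbps")
```

A volume threshold like this only catches bandwidth-visible events; low-rate TCP or application-layer attacks need request-level or connection-state signals instead.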

Shortly after the attack started, Wikileaks redirected DNS from its AS8473 Swedish hosting provider to use mirror sites hosted by a large cloud provider in Ireland (and later the US as well). While the DDoS attack generated an outpouring of blog posts, news articles and tweets, it appears to have had little impact on the Wikileaks “Cablegate” release of documents.

Overall, at 2-4 Gbps, the Wikileaks DDoS attack was modest relative to recent attacks against large web sites. However, TCP and application-level attacks generally require far lower bps and pps rates to be effective (more discussion of recent DDoS trends is available here). Engineering mailing list discussion also suggests the hosting provider and upstreams decided to blackhole all Wikileaks traffic rather than transit the DDoS.

At the time of this writing, all Wikileaks domains are reachable from servers in the US, Europe and Asia. The New York Times and most other major media outlets also have since published extensive synopses of the leaked documents.

While the source of the attack is unknown, blogs and social networking sites have alternately blamed governments and vigilante hacker groups. At least one Twitter account with a history of past attacks (“the Jester”) has claimed responsibility. In earlier tweets, the Jester boasted of using low-bandwidth application-layer attacks instead of relying on large botnets (all of which is consistent with the data ATLAS observed for this Wikileaks attack).

Wikileaks also came under fire in 2008 with a 500 Mbps DDoS attack shortly before the release of leaked Swiss bank documents.

Update: A follow-on blog post analyzing the second day of Wikileaks DDoS attacks is now available here.

 
– Craig
 

26 Responses to “Wikileaks Cablegate Attack”

November 29, 2010 at 9:00 pm, Left to chance » Cyberattack Against WikiLeaks Was Weak said:

[…] Arbor Networks, which analyzes malicious network traffic crossing the internet’s backbones, reports that the DDoS generated between 2 and 4 Gbps of disruptive traffic, slightly above the average for all DDoS attacks, but […]

November 29, 2010 at 8:25 pm, Andreas said:

Thanks for sharing the data. It’s quite stunning that we can now observe disruptive traffic in the range of several Gbps. Back in 2007, some 80 Mbps applied in several distinct attacks were sufficient to cause disruptive effects for the Estonian internet infrastructure.

November 30, 2010 at 1:02 am, WikiLeaks Hit With DoS Attack Before Documents Leaked | alte-programme.de said:

[…] DDoS attack was modest in the relative scheme of recent attacks against large web sites,” blogged Craig Labovitz, chief scientist for Arbor Networks. “Though, TCP and application level attacks generally require […]

November 29, 2010 at 9:38 pm, Hacker tried to stop Wikileaks with DDoS | bSecure said:

[…] according to information published by Craig Labovitz, head of the science department at the security firm Arbor Networks, the site Wikileaks.org […]

November 30, 2010 at 3:15 am, Anthony M. Freed said:

Anti-Jihadi Hacker The Jester Hits WikiLeaks Site With XerXeS DoS Attack

For my interviews with The Jester beginning in February of this year, including two exclusive videos of the XerXeS DoS attack in action, please see the following articles:

https://www.infosecisland.com/blogtag/427/Jester.html

November 30, 2010 at 4:47 am, DoS Attack Hit WikiLeaks Before Document Disclosure | eWEEK Europe UK said:

[…] DDoS attack was modest in the relative scheme of recent attacks against large web sites,” blogged Craig Labovitz, chief scientist for Arbor Networks. “Though, TCP and application level attacks generally […]

November 30, 2010 at 5:21 am, Cyberattack Against WikiLeaks Was Weak said:

[…] […]

November 30, 2010 at 11:22 am, WikiLeaks Using Amazon Servers After Attack | pendefend said:

[…] Arbor Networks, a security-engineering firm, reported that after the attack started, WikiLeaks redirected traffic to its “Cablegate” site from a Swedish hosting provider to the “mirror” sites in France and the U.S., which provide exact copies. […]

November 30, 2010 at 12:32 pm, Marshall Eubanks said:

There is apparently another, stronger, attack on Wikileaks this morning (Tuesday)

From @wikileaks on twitter

wikileaks WikiLeaks
DDOS attack now exceeding 10 Gigabits a second.
1 hour ago

wikileaks WikiLeaks
We are currently under another DDOS attack.

November 30, 2010 at 11:39 pm, Craig Labovitz said:

Marshall,

Thanks for the pointer. I just published analysis of the second, stronger attack in a blog post at /blog/asert/2010/11/round2-ddos-versus-wikileaks.

– Craig

November 30, 2010 at 12:26 pm, They tried to stop the Wikileaks leak with a DDoS attack | www.Netmedia.info said:

[…] according to information published by Craig Labovitz, head of the Science Department at the security firm Arbor Networks, the site Wikileaks.org […]

November 30, 2010 at 11:07 pm, DDoS attack on WikiLeaks exceeds 10 Gbps | Hallways Solutions said:

[…] The first assault on wikileaks.org on Sunday, reportedly launched by a “hacktivist” that goes by the name of “th3j35t3r” (The Jester), was a “modest” 2-4 Gbps in size, according to security firm Arbor Networks analyst Craig Labovitz. […]

December 01, 2010 at 1:52 am, Tech and Legal Intersecting: Game Console Modding, Wikileaks as DDoS Victim, Level 3 and Comcast Toll said:

[…] quite a bit of maintenance in the background, including moving the site back to Amazon EC2 hosting. The Arbor Networks Security Blog showed the above picture in a blog post yesterday to demonstrate the traffic to WikiLeaks yesterday […]

December 01, 2010 at 4:37 am, Anthony M. Freed said:

Hacker “The Jester” Reports Raid By Law Enforcement

Infamous anti-jihadi hacker The Jester (th3j35t3r), who earlier this week claimed responsibility for a denial of service attack that temporarily disabled the WikiLeaks website, reported that he was the subject of a search and equipment seizure by law enforcement…

https://www.infosecisland.com/blogview/9916-Hacker-The-Jester-Reports-Raid-By-Law-Enforcement.html

December 01, 2010 at 9:50 am, DDoS attack on Wikileaks grew to 10 Gbps, Amazon is coping so far | tundrik.ru said:

[…] is still ongoing. Experts from Arbor Networks noted that when the Swedish servers stopped coping with […]

December 01, 2010 at 10:05 am, Wikileaks battered by second DDoS attack - Security | News | ZDNet.de said:

[…] […]

December 01, 2010 at 7:39 pm, Interpol puts Assange (WikiLeaks founder) on most-wanted list said:

[…] Mass., which monitors and protects companies against DDoS attacks, analyzed Sunday's attack here.) Another way to think of it is that someone, somewhere is demanding that the WikiLeaks cablegate […]

December 01, 2010 at 11:56 pm, Amazon drops Wikileaks hosting…..Assange is still among the missing….Wikileaks is under attack itself… - Politicaldog101.Com said:

[…] What’s notable about today’s attack is the scale. WikiLeaks tweeted this morning that the attack was “exceeding 10 Gigabits a second” — two to five times as large as the initial attack on Sunday. (Arbor Networks of Chelmsford, Mass., which monitors and protects companies against DDoS attacks, analyzed Sunday’s attack here.) […]

December 02, 2010 at 10:09 am, DDoS attack on Wikileaks grew to 10 Gbps, Amazon is coping so far : HRUSHETSKYY VITALIY said:

[…] which is still ongoing. Experts from Arbor Networks noted that when the Swedish servers stopped coping with […]

December 04, 2010 at 3:40 am, From the Listening Post… 12/04/2010 (a.m.) « Sean Lawson, Ph.D. said:

[…] Wikileaks Cablegate Attack […]

December 05, 2010 at 10:35 am, yudinindi said:

It’s stunning me, the average of the attack reaches 10 GBPS or maybe higher in advance… that’s why the site is temporarily disabled

December 08, 2010 at 11:46 am, Eric Karstens – WikiLeaks, the Cloud, and Internet pluralism: A roundup of emerging lessons learned said:

[…] attacks, as network specialist Craig Labovitz with the Internet security firm Arbor Networks has reported. DDoS attacks bring down a website basically by automatically calling it up from multiple places […]

December 13, 2010 at 1:54 am, Amazon’s WikiLeaks takedown-Berkman « FACT – Freedom Against Censorship Thailand said:

[…] about 10Gbps, which is big enough to take down all but a couple dozen or less ISPs in the world; arbor claims about 2-4 Gbps, which is still big enough to cause the vast majority of ISPs in the world major […]

December 23, 2010 at 11:04 am, The Internet Goes to War | Data Protection and Recovery Center said:

[…] Also see earlier blog posts (link available here) for more analysis of the Wikileaks […]

March 09, 2011 at 5:55 am, DDoS Attacks 101 said:

[…] lot of media attention has been focused specifically on the cables between the US and Iraq. Shortly before and then again after WikiLeaks went live with Cablegate, it experienced a DDoS attack and went down […]

September 01, 2011 at 7:19 am, DDoS attack on Wikileaks gathers strength | KosovaByte - Shkenca dhe Teknologjia në Shqip said:

[…] What is notable about yesterday’s attacks is the large scale. Wikileaks tweeted yesterday morning that the attack was exceeding 10 Gigabits per second – two to five times more than the attack that began on Sunday. (Arbor Networks of Chelmsford, Mass., which monitors and protects companies against DDoS attacks, analyzed Sunday’s attack here.) […]

Comments are closed.