DoS Attack Hit WikiLeaks Before Document Disclosure

WikiLeaks was hit with a denial-of-service attack as it prepared to publicise a trove of diplomatic documents.

The attack occurred on 28 November, striking the controversial site before it posted a collection of more than 250,000 US embassy cables online. The main WikiLeaks.org site appeared to bear the brunt of the attack, according to Paul Mutton of Netcraft, who added that the site suffered from “patchy or slow availability for several hours”.

Modest attack

“Twitter user th3j35t3r claimed to be carrying out the denial of service attack against www.wikileaks.org, although in a tweet that has since been deleted, th3j35t3r stated that it was not a distributed attack,” Mutton blogged. “If WikiLeaks believed the attack to be distributed, it could suggest that other parties had also been carrying out separate attacks at the same time. … th3j35t3r’s Twitter feed lists dozens of other sites that have also been taken down, mainly communicated through ‘TANGO DOWN’ messages posted via the XerCeS Attack Platform.”

According to an analysis by Arbor Networks, the attack began around 10:05 a.m. EST on 28 November. Shortly after the attack started, WikiLeaks redirected DNS from its AS8473 Swedish hosting provider to use mirror sites hosted by a large cloud provider in Ireland (and later the United States as well), Arbor found.

“Overall, at 2-4 Gbps the Wikileaks DDoS attack was modest in the relative scheme of recent attacks against large web sites,” blogged Craig Labovitz, chief scientist for Arbor Networks. “Though, TCP and application level attacks generally require far lower bps and pps rates to be effective. Engineering mailing list discussion also suggests the hosting provider and upstreams decided to blackhole all Wikileaks traffic rather than transit the DDoS.”

WikiLeaks was blasted during the past 24 hours by US officials, with Secretary of State Hillary Clinton stating the US government “strongly condemns the illegal disclosure of classified information”.

“This administration,” she said today, “is advancing a robust foreign policy that is focused on advancing America’s national interests and leading the world in solving the most complex challenges of our time. … In every country and in every region of the world, we are working with partners to pursue these aims. So let’s be clear: This disclosure is not just an attack on America’s foreign policy interests. It is an attack on the international community – the alliances and partnerships, the conversations and negotiations that safeguard global security and advance economic prosperity.”

Among the documents is a cable linking the Chinese government to the Aurora attack that impacted Google, Adobe Systems and dozens of other corporations. The attack was first reported by Google in January, and speculation immediately pointed to China as the culprit.

No significant downtime

While the controversy swirls, cablegate.wikileaks.org has so far escaped any significant downtime, Mutton blogged.

“This site has used 3 IP addresses since its launch, probably in anticipation of being attacked or deluged with legitimate traffic,” he wrote. “Two of these IP addresses are at Octopuce in France, which also hosts the single IP address now used by warlogs.wikileaks.org. Ironically, the third IP address being used to distribute secret US embassy cables is an Amazon EC2 instance hosted in – you guessed it – the US.”