Massive DDoS Attack Puts Squeeze On WordPress

WordPress.com, a popular blogging platform, was hit by a large Distributed Denial of Service (DDoS) attack that affected connectivity to a number of its hosted blogs.

The attack is the largest WordPress has ever seen, its parent company Automattic told TechCrunch, whose blog site is hosted on WordPress, along with a number of large customers, including BBC, CNN, Red Hat and Flickr.

Tens Of Millions Of Packets Per Second

The attack appeared to have begun just before 11:00am Eastern Time (16:00 GMT) on March 3 and lasted for about two hours, according to a status page on Automattic’s site.

WordPress had some issues with performance around 6:00am Eastern Time, which it managed to resolve, according to the site’s Twitter feed. Automattic has not commented on whether the performance issues were related to the DDoS attack which occurred about six hours later.

As for its extreme size, the DDoS attack was “multiple gigabits per second and tens of millions of packets per second,” according to a blog post for WordPress’s VIP customers, reposted on Twitter.

The company is now working with its upstream provider on measures to prevent such “non-trivial” attacks from affecting connectivity, according to the WordPressVIP blog post.

It remains unclear where the attack originated, or if any specific blog was being targeted. A recent Harvard University study found that 280 independent media and human-rights Web sites were hit during 140 attacks between September 2009 and August 2010, and researchers asserted that these numbers are probably only a small portion of actual attacks.

WordPress founder Matt Mullenweg told Tech Crunch the sustained attack “may have been politically motivated” against a non-English blog, but declined to provide any other information. “We’re still investigating and have no definitive evidence yet,” he said.

The attack is unlikely to be the work of hacktivists from the Anonymous Operation, best known for their WikiLeaks revenge attacks. Although the group has recently used DDoS attacks to disrupt services, it probably lacks the manpower or bandwidth to launch a truly massive attack such as this. Many of its participants use the Low Orbit Ion Cannon (LOIC ) tool to launch attacks from general consumer ISPs through DSL or cable modem services.

The WordPress attack required a botnet with “high hundred-thousands to millions” of computers for such a sustained attack, Jason Hoffman, co-founder and chief scientist at cloud provider Joyent, told eWEEK. For example, a large botnet, dubbed Vecebot, knocked blogs belonging to Vietnamese dissidents offline last autumn.

WordPress is currently reporting normal service on its site but said it will be monitoring the situation closely. There appears to be some sporadic performance issues but not enough to disrupt services.

For internet-service-providers, DDoS mitigation includes throttling down bandwidth and filtering out packets from users and IP addresses, Hoffman explained. Along with available quality of service tools, ISPs can write firewall and load balancer rules that can filter out and kill suspicious packets, he said.

The DDoS attack impacted all three Automattic data centres in Chicago, San Antonio and Dallas, he said. It also affected Automattic’s other services, IntenseDebate, BBQ Pit and Akismet API.