Wikileaks Cablegate Attack

By: Craig Labovitz

Yesterday morning, a DDoS attack temporarily disrupted traffic to Wikileaks hours ahead of the “Cablegate” release of leaked US diplomatic cables. Wikileaks announced the outage in a Facebook update and a Twitter post around 11:00am EST, while at the same time downplaying the attack and insisting “El Pais, Le Monde, Spiegel, Guardian & NYT will publish many US embassy cables tonight, even if WikiLeaks goes down”.

The graph below shows traffic to one of Wikileaks’ primary hosting providers on November 28, as observed through 100 ATLAS-participating providers around the world. At approximately 10:05am EST, traffic abruptly jumps by 2-4 Gbps as the attack begins.

Shortly after the attack started, Wikileaks repointed its DNS away from its Swedish hosting provider (AS8473) to mirror sites hosted by a large cloud provider in Ireland (and later in the US as well). Moving a target behind DNS only takes effect as cached records expire, and only helps if the new hosting can absorb the traffic, but here it worked: while the DDoS attack generated an outpouring of blog posts, news articles and tweets, it appears to have had little impact on the Wikileaks “Cablegate” release of the documents.

Overall, at 2-4 Gbps the Wikileaks DDoS attack was modest compared with recent attacks against large web sites. However, TCP state-exhaustion and application-level attacks generally require far lower bit and packet rates to be effective, so raw bandwidth alone is a poor measure of how damaging an attack is (more discussion of recent DDoS trends is available here). Engineering mailing list discussion also suggests the hosting provider and its upstreams chose to blackhole all Wikileaks traffic rather than transit the DDoS. A blackhole route drops legitimate traffic to the target along with the attack traffic: it protects the provider’s links, but from the target’s point of view it completes the denial of service.
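To make the two measurements contrasted above concrete, here is an added example (not code from the original post, and not part of Arbor’s ATLAS system) that computes bps and pps from per-minute traffic counters toward a target prefix, flags a step change against a quiet baseline the way the abrupt jump in the graph would be flagged, and separately watches the count of open TCP connections so that a low-bandwidth application-layer attack is caught even though a bps-only threshold misses it. The one-minute buckets, the 4x ratio thresholds, the `open_conns` field and the traffic profiles are assumptions for illustration; all sample data is constructed, not measured.

```python
# Added illustration (not from the original post or from Arbor/ATLAS): a
# step-change detector over per-minute traffic counters toward a target prefix.
# It computes bps and pps, and separately watches open TCP connections so that
# a low-bandwidth application-layer attack is flagged even though a bps-only
# threshold would miss it. All sample data below is constructed, not measured.
from dataclasses import dataclass
from statistics import median
from typing import List, Tuple


@dataclass(frozen=True)
class Sample:
    minute: int       # minutes since the start of the observation window
    nbytes: int       # bytes toward the target prefix during this minute
    packets: int      # packets toward the target prefix during this minute
    open_conns: int   # TCP connections held open to the target at minute end


def bps(s: Sample) -> float:
    """Average bits per second over the one-minute bucket."""
    return s.nbytes * 8 / 60.0


def pps(s: Sample) -> float:
    """Average packets per second over the one-minute bucket."""
    return s.packets / 60.0


def bps_only_alerts(samples: List[Sample], warmup: int = 10,
                    ratio: float = 4.0) -> List[int]:
    """Naive volumetric detector: flag minutes whose bps is >= ratio x baseline.

    The baseline is the median bps of the first `warmup` minutes (assumed quiet).
    """
    base = median(bps(s) for s in samples[:warmup])
    return [s.minute for s in samples[warmup:] if bps(s) >= ratio * base]


def classify_alerts(samples: List[Sample], warmup: int = 10,
                    bw_ratio: float = 4.0,
                    conn_ratio: float = 4.0) -> List[Tuple[int, str]]:
    """Flag minutes that deviate from baseline and label the kind of deviation.

    'volumetric'        -> bps jumped (the multi-Gbps step seen in the graph)
    'application-layer' -> bps is ordinary but open connections jumped, the
                           signature of a low-bandwidth TCP/HTTP attack
    """
    bps_base = median(bps(s) for s in samples[:warmup])
    conn_base = median(s.open_conns for s in samples[:warmup])
    alerts: List[Tuple[int, str]] = []
    for s in samples[warmup:]:
        if bps(s) >= bw_ratio * bps_base:
            alerts.append((s.minute, "volumetric"))
        elif s.open_conns >= conn_ratio * conn_base:
            alerts.append((s.minute, "application-layer"))
    return alerts


def step_size_gbps(samples: List[Sample], warmup: int = 10) -> float:
    """Size of the largest bps rise above the quiet baseline, in Gbps."""
    base = median(bps(s) for s in samples[:warmup])
    return (max(bps(s) for s in samples) - base) / 1e9


def constructed_samples() -> List[Sample]:
    """Twenty constructed minutes: 10 quiet, 5 volumetric flood, 5 app-layer."""
    quiet = dict(nbytes=3_750_000_000, packets=3_000_000, open_conns=2_000)    # 500 Mbps, 50 kpps
    flood = dict(nbytes=22_500_000_000, packets=22_500_000, open_conns=2_000)  # 3 Gbps, 375 kpps
    slow = dict(nbytes=3_750_000_000, packets=3_000_000, open_conns=20_000)    # 500 Mbps, 10x conns
    out = []
    for m in range(20):
        profile = quiet if m < 10 else flood if m < 15 else slow
        out.append(Sample(minute=m, **profile))
    return out


if __name__ == "__main__":
    data = constructed_samples()
    print("bps-only detector flags minutes:", bps_only_alerts(data))
    print("classified alerts:", classify_alerts(data))
    print("largest step above baseline: %.1f Gbps" % step_size_gbps(data))
```

Run stand-alone, the bps-only detector reports only minutes 10-14 (the 3 Gbps flood, a 2.5 Gbps step above the 500 Mbps baseline) and is silent for minutes 15-19, where bandwidth is unchanged but ten times as many connections are held open; the classifier labels the second phase "application-layer". Real deployments would use a rolling baseline rather than a fixed warm-up window and would add per-source breakdowns, but the point stands: bps and pps alone do not tell you whether a target is being taken down.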

At the time of this writing, all Wikileaks domains are reachable from servers in the US, Europe and Asia. The New York Times and most other major media outlets also have since published extensive synopses of the leaked documents.

While the source of the attack is unknown, blogs and social networking sites have variously blamed governments and vigilante hacker groups. At least one Twitter account with a history of past attacks (“the Jester”) has claimed responsibility. In earlier tweets, the Jester boasted of using low-bandwidth application-layer attacks rather than relying on large botnets (all of which is consistent with the data ATLAS observed for this Wikileaks attack).

Wikileaks also came under a 500 Mbps DDoS attack in 2008, shortly before the release of leaked Swiss bank documents.

Update: A follow-on blog post analyzing the second day of Wikileaks DDoS attacks is now available here.

- Craig

Comments

  1. Thanks for sharing the data. It’s quite stunning that we can now observe disruptive traffic in the range of several Gbps. Back in 2007, some 80 Mbps applied in several distinct attacks were sufficient to cause disruptive effects for the Estonian internet infrastructure.

  2. Anti-Jihadi Hacker The Jester Hits WikiLeaks Site With XerXeS DoS Attack

    For my interviews with The Jester beginning in February of this year, including two exclusive videos of the XerXeS DoS attack in action, please see the following articles:

    https://www.infosecisland.com/blogtag/427/Jester.html

  3. Marshall Eubanks 11/30/2010, 12:32 pm

    There is apparently another, stronger, attack on Wikileaks this morning (Tuesday)

    From @wikileaks on twitter

    wikileaks WikiLeaks
    DDOS attack now exceeding 10 Gigabits a second.
    1 hour ago

    wikileaks WikiLeaks
    We are currently under another DDOS attack.

    1. Craig Labovitz 11/30/2010, 11:39 pm

      Marshall,

      Thanks for the pointer. I just published analysis of the second, stronger attack in a blog post at /asert/2010/11/round2-ddos-versus-wikileaks.

      - Craig

  4. Hacker “The Jester” Reports Raid By Law Enforcement

    Infamous anti-jihadi hacker The Jester (th3j35t3r), who earlier this week claimed responsibility for a denial of service attack that temporarily disabled the WikiLeaks website, reported that he was the subject of a search and equipment seizure by law enforcement…

    https://www.infosecisland.com/blogview/9916-Hacker-The-Jester-Reports-Raid-By-Law-Enforcement.html

  5. It’s stunning to me that the average of the attack reached 10 Gbps or maybe higher in advance... that’s why the site was temporarily disabled.