Tag Archives : cablegate November 2010

Round 2: DDoS Versus Wikileaks

By: Craig Labovitz -

In the second round of what may possibly be a protracted Internet skirmish, a denial of service attack briefly blocked access to the cablegate.wikileaks.org web site this morning around 8:00 am EST. On twitter, Wikileaks pegged the DDoS as exceeding 10 Gbps (significantly larger than my 2-4 Gbps estimate for the first round of attacks on Sunday).


As compared with this Sunday’s initial attack (blog analysis available here), ATLAS data from 110 providers around the world suggest today’s DDoS was both larger and more sophisticated. Specifically, today’s attack involved several different components, including a low bandwidth application level DDoS and a 2-3 Gbps Syn attack against the primary “cablegate” IP addresses (the hosted web site is load balanced across data center locations in Europe and the US West Coast).

An example of one of the anonymous alerts ATLAS collected yesterday is shown below. This alert is for a modest TCP Syn attack against cablegate.wikileaks.org targeting high number ports. The source address blocks are anonymized with XX replacing the high number bits.


<attack start="2010-11-30 18:10:01 GMT" stop="2010-11-30 18:56:27 GMT">
<rate bps="70312432" pps="220847"/>
<protocols>TCP</protocols>
<tcpflags>Syn</tcpflags>
<source>
<ips>xx.xx.25.0/27</ips>
<ports>1024-2047</ports>
</source>
<dst>
<ips>204.236.131.131/32</ips>
<ports>16384-32767,32768-65535</ports>
</dst>
</attack>

In the below chart, I graph traffic from 110 ATLAS carriers around the world to address blocks (BGP prefixes) used by Wikileaks. Note these address blocks may also include traffic to other customer using the same hosting provider. The attack began around 7am EST though a smaller traffic spike occurs around 2am. All times are EST. At the time of this blog posting, the DDoS is still ongoing though not significantly impacting Wikileaks access.


Based on Netcraft and other reports, the outage was brief though cablegate web site performance was moderately impacted throughout the day.

Interestingly, the attack appears to originate from a relatively small number of source IPs, including machines in Russia, eastern Europe and Thailand.

– Craig