Hackers are after WikiLeaks. The controversial site was hit by a sustained distributed denial of service (DDoS) attack on Tuesday morning. The attack, which briefly made WikiLeaks inaccessible, was directed at cablegate.wikileaks.org—the recently released cache of secret diplomatic cables the organization has been leaking. WikiLeaks was also hit by another denial of service (DoS) attack on Sunday, when the cables were released.
A politically motivated hacker or group of hackers named “th3j35t3r”—“The Jester” in leet—took credit for the Sunday attack. According to a tweet, the site was targeted for “attempting to endanger the lives of our troops, 'other assets' & foreign relations.” The Jester's Twitter feed contains a log of attacks on other sites, most of which are homepages for either jihadist or political Islamist organizations.
According to WikiLeaks, today's DDoS attack exceeded 10 gigabits per second as of 9 a.m. New York time. This was much more intense than Sunday's attack, which was a comparatively mild 2-4 gigabits per second. Internet security firm Netcraft also investigated today's DDoS attack. Netcraft's analysis notes that cablegate.wikileaks.org is configured to use three different IP addresses for load balancing, which still failed to prevent today's DDoS attack from knocking the site offline.
WikiLeaks has put multiple safeguards in place to distribute their leaked diplomatic cables. Apart from working with media organizations such as the New York Times and Der Spiegel, WikiLeaks has embraced every nerd's favorite: Torrents. The organization has placed a torrent of all their diplomatic cable leaks on the Web.
In order to cope with the DDoS attack on Sunday, WikiLeaks improvised with its DNS configuration. The site's DNS records were redirected from its Swedish host to cloud hosting operated by Amazon.com in Ireland and the United States.
Interestingly, detailed analyses and walkthroughs of past DDoS attacks on WikiLeaks have been posted to the web. Anthony Freed of Infosec Island interviewed the Jester in February, who described a script he used called XerXes for a past attack:
“Okay it started with a little script I wrote a while back to harden-test servers […] I modified this script, and it was just a nasty script, very cumbersome. When I realized the extent of the jihad online recruiting and co-ordination involvement (much later), I realized I could turn this script into a weapon. […] XerXes requires no zombie network or botnet to be effective. Once a single attacking machine running XerXeS has smacked down a box, it's down, there is no need for thousands of machines. But, XerXeS does not hurt intermediary nodes along its path to the target. So the answer is that such institutions’ systems would still be intact, as it causes no collateral damage, just not functional.”
It is important to remember two key things, however:
1. Today's DDoS attack was highly complex. Although the timing did not significantly affect access to WikiLeaks from North America, it was timed to make the site inaccessible to Europe for much of the business day.
2. DDoS attacks on WikiLeaks are great for agitprop and publicity, but do nothing to inhibit the site's operations. The organization's bread and butter for information dissemination is the traditional media, bloggers and day-to-day communication between individuals in person and online—not its website. Furthermore, torrents make a nifty backup plan.
Meanwhile, China is fighting WikiLeaks the traditional way: through the Great Firewall. China formally announced today that it is blocking access to WikiLeaks, with Foreign Ministry spokesperson Hong Lei noting that “China takes note of the government reports. We hope the U.S. side will handle the relevant issues. […] As for the content of the documents, we will not comment on that.”