

WikiLeaks attack escalates - fun2have
http://news.netcraft.com/archives/2010/11/30/wikileaks-attack-escalates.html

======
trotsky
I'm surprised a flood that regularly takes an AWS load balancer offline isn't
showing more link congestion...

get /:

      tsl@crabapple:~> time curl http://wikileaks.org/ > /dev/null
        % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                       Dload  Upload   Total   Spent    Left  Speed
      100  5837  100  5837    0     0  20684      0 --:--:-- --:--:-- --:--:-- 30087

      real    0m0.298s
      user    0m0.003s
      sys     0m0.005s

where:

      tsl@crabapple:~> dig wikileaks.org A | grep -A 1 "; ANS"
      ;; ANSWER SECTION:
      wikileaks.org.          2517    IN      A       184.72.37.90
      tsl@crabapple:~> dig -x 184.72.37.90 PTR | grep -A 1 "; ANS"
      ;; ANSWER SECTION:
      90.37.72.184.in-addr.arpa. 300  IN      PTR     ec2-184-72-37-90.us-west-1.compute.amazonaws.com.

palo alto:

      3  rtr-border1-p2p-core1.slac.stanford.edu (134.79.252.133)  0.796 ms  0.433 ms  0.400 ms
      4  slac-mr2-p2p-rtr-border1.slac.stanford.edu (192.68.191.245)  0.371 ms  0.415 ms  0.400 ms
      5  sunnsdn2-ip-slacmr2.es.net (134.55.217.2)  0.668 ms  0.709 ms  0.676 ms
      6  sunncr1-sunnsdn2.es.net (134.55.209.98)  0.808 ms  0.842 ms  0.823 ms
      7  eqxsjrt1-te-sunncr1.es.net (134.55.38.146)  1.231 ms  1.268 ms  1.247 ms
      8  equinix01-sfo5.amazon.com (206.223.116.177)  1.930 ms  1.780 ms  1.516 ms
      9  * * *

nyc:

      3 te2-7.ccr01.jfk07.atlas.cogentco.com (154.54.1.134) 0.564 ms 0.575 ms
      4 ntt.jfk07.atlas.cogentco.com (154.54.12.66) 0.664 ms 0.659 ms
      5 ae-2.r22.nycmny01.us.bb.gin.ntt.net (129.250.4.174) 0.760 ms 0.731 ms
      6 ae-1.r20.asbnva02.us.bb.gin.ntt.net (129.250.2.9) 31.672 ms 7.974 ms
      7 ae-0.r20.sttlwa01.us.bb.gin.ntt.net (129.250.2.53) 90.576 ms 98.458 ms
      8 ae-4.r20.snjsca04.us.bb.gin.ntt.net (129.250.4.103) 93.544 ms 85.011 ms
      9 ae-1.r21.plalca01.us.bb.gin.ntt.net (129.250.5.32) 90.292 ms 108.205 ms
      10 po-2.r03.plalca01.us.bb.gin.ntt.net (129.250.5.142) 78.070 ms 82.080 ms
      11 xe-3-3.r03.plalca01.us.ce.gin.ntt.net (140.174.28.118) 91.133 ms 91.491 ms
      12 * *

dallas:

      3 vb1300.rar3.dallas-tx.us.xo.net (216.156.0.81) 4 msec 0 msec 4 msec
      4 ae0d1.cir1.dallas2-tx.us.xo.net (207.88.13.125) 12 msec 0 msec 4 msec
      5 dap-brdr-04.inet.qwest.net (63.146.26.169) 0 msec 0 msec 0 msec
      6 snj-core-01.inet.qwest.net (67.14.34.14) 44 msec 44 msec 44 msec
      7 snj-edge-01.inet.qwest.net (205.171.233.38) 48 msec 44 msec
         snj-edge-01.inet.qwest.net (205.171.233.34) 44 msec
      8 67.128.102.202 48 msec 44 msec 44 msec
      9   * * *

~~~
spinlocked
The wikileaks tweet was 12 hrs ago. Difficult to sustain a DDOS for long
periods.

~~~
trotsky
If you look at netcraft's realtime global status link it sure seems like they
are saying it's ongoing. They show mostly failure from all sites over the past
8 hours, and all locations minus romania failed the last test ~15m ago.

<http://uptime.netcraft.com/perf/graph?site=www.wikileaks.org>

They have enviable RTT stability as well, even for a site not being DDOS'd:

      tsl@crabapple:~> for i in {1..10}; do curl -s -w "%{time_total}\n" -o /dev/null http://wikileaks.org/4oh4$i; done
      0.176
      0.180
      0.177
      0.174
      0.176
      0.174
      0.174
      0.177
      0.174
      0.176
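
The curl timing one-liners above (the `time curl` fetch and the `%{time_total}` loop) turned into a small availability probe, as an added example that is not code from the thread or from Netcraft: it records HTTP status and time_total per request and summarizes mean, standard deviation, maximum and failure count, so a latency shift or partial outage under a flood shows up as a few numbers. It assumes curl and awk are installed, the URL ends with a slash, and the sample lines in `sample_lines` are constructed, not real measurements.

```shell
# Added example, not code from the thread: extends the curl timing loop above
# into a small availability/latency probe. Assumes curl and awk are installed.

# probe_url URL N -> one "<http_code> <time_total>" line per request.
# A distinct path suffix per request (the thread's 4oh4$i trick) defeats
# caching; -m 5 bounds how long a flooded origin can hold each probe.
# On a transport failure curl still emits its -w line with http_code 000.
probe_url() {
  url="$1"; n="${2:-10}"; i=1
  while [ "$i" -le "$n" ]; do
    curl -s -m 5 -o /dev/null -w '%{http_code} %{time_total}\n' "${url}4oh4$i" || true
    i=$((i + 1))
  done
}

# summarize <- "<http_code> <seconds>" lines on stdin.
# 000 (no response) and 5xx count as failures and are excluded from the
# timing statistics; a 404 is a served page and counts as healthy.
# Output: ok=<n> fail=<n> mean=<s> stddev=<s> max=<s>
summarize() {
  awk '
    $1 == "000" || $1 + 0 >= 500 { fail++; next }
    { ok++; sum += $2; sumsq += $2 * $2; if ($2 > max) max = $2 }
    END {
      mean = ok ? sum / ok : 0
      var  = ok ? sumsq / ok - mean * mean : 0
      if (var < 0) var = 0                      # guard against rounding
      printf "ok=%d fail=%d mean=%.3f stddev=%.3f max=%.3f\n",
             ok, fail, mean, sqrt(var), max
    }'
}

# Constructed sample, not real measurements: three normal 404s, one dropped
# connection and one 503 from an overloaded origin.
sample_lines() {
  printf '404 0.176\n404 0.180\n000 0.000\n404 0.174\n503 0.900\n'
}

# Usage: sh probe.sh http://host/ 10   (live probe against a site you operate)
#        sh probe.sh                    (offline run on the constructed sample)
if [ $# -gt 0 ]; then
  probe_url "$1" "${2:-10}" | summarize
else
  sample_lines | summarize
fi
```

Run periodically, a jump in stddev or max with ok still high is the first sign of congestion, while a rising fail count means the origin or its load balancer has stopped answering.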

------
spinlocked
I'm pretty sure 50% of the people on this forum have run nmap against
wikileaks, just to see. Anyhow: ssh and ftp are open but they terminate the
connection after a delay when you try to connect, probably source ip
restrictions. Same for ssh. They are hosted on EC2. I am assuming they are
using the Amazon AMI, which doesn't take ssh root logins, and the user name
will be ec2-user@[host].

The connection is open for the period of the delay. This might be a viable attack
vector for a DDOS? (If you cannot connect to FTP or ssh, you cannot upload
files).

Note: Wikileaks is hosted on Amazon AWS Ireland. You're telling me the US
government doesn't have the ability to pull an AWS server in Ireland with a
phone call? Oh please. Wikileaks is a poor attempt by the US government to
unleash an attack on a group that funds its political opponents - this will occur
in the near future.

~~~
sorbus
Wikileaks only moved to amazon really recently, to avoid the DDoS attacks
against it (or at least to lessen their impact on the site's availability), I
think. Your conspiracy theory doesn't really have much weight behind it,
unless you have other supporting evidence.

~~~
spinlocked
When conspiracy theories have supporting evidence they cease to be conspiracy
theories.

Your Myers Briggs personality type is probably enfj.

~~~
sorbus
intj, actually.

Wikileaks has now left amazon[1], after amazon was extremely unreliable. So,
it was on amazon for a few days, and then went back to Sweden - according to
your theory, pressured to be removed by the US government, which I'm not going
to dispute, as that part makes sense. If it were a part of a conspiracy by the
US government, it likely would have stayed there (seriously, changing
providers a lot only makes people more suspicious and makes it seem less
reliable). More evidence against your theory.

Furthermore, wikipedia describes conspiracy theories as "used almost
exclusively to refer to any fringe theory which explains a historical or
current event as the result of a secret plot by conspirators of almost
superhuman power and cunning." Your conspiracy theory is a fringe theory,
requires the US government to be extremely competent and cunning (releasing
documents which damage the people releasing them to build credibility before
releasing documents to give an excuse for an attack on another group is rather
convoluted), and involves a secret plot. Note the complete lack of any
requirement for evidence. A conspiracy theory can be correct or incorrect and
still be a conspiracy theory, as long as it is not widely accepted.

[1] <http://news.ycombinator.com/item?id=1958939>

~~~
spinlocked
> intj, actually.

close ;)

------
zzleeper
Is there a way to track those attacks? Do they come from random zombie boxes,
or maybe the IPs are from somewhere in Virginia?

~~~
gasull
It's probably a mix. Some people might be using Low Orbit Ion Cannon or a
similar tool, some other people might be DoSing with their botnets, etc.

I'd bet there are some Governments involved as well as individuals who dislike
Wikileaks.

Since the DoS attack comes from so many places, it's very difficult to trace.

~~~
smallblacksun
Governments would not be likely to use tactics like DoS attacks. If they were
attacking wikileaks, the most likely methods would be using political pressure
to get the hosting revoked. If they wanted (or needed) to use technical
solutions, they would probably either attempt more direct attacks, or attack
the dns and routing systems.

~~~
gasull
The Chinese Government has been using hackers/crackers against Google and many
other organizations. I don't see why the Chinese Government --or any other
Government pissed off at the present moment-- wouldn't do the same with
WikiLeaks.

~~~
eli
Sure, they might... but the point is that a DoS attack is a pretty naive and
ineffective way to attack the site.

~~~
DanI-S
Government handling of technology is often naive and ineffective...

~~~
trotsky
You really believe the intelligence directorates of various top nation states
are walking around jabbing glass ttys with sticks and saying "durrr"? Stuxnet,
Titan Rain, Elliptic Curve Cryptography, Keyhole?

It doesn't take a genius to know DDOS'ing isn't going to accomplish anything
of significance, basically you just have to be paying a fraction of attention.

------
etherael
This seems to be counter to the goals of the attackers, no?

Problem: Site is disseminating information that you view as confidential at a
slow rate.

Solution: DDoS / otherwise stop the site.

Catch: The entire archive of unfiltered content is already widely disseminated
via a non-DDoSable channel and in the event that you ever actually manage to
succeed at your stated goal there is almost certainly a dead man's switch to
trigger distribution of the cryptographic key to unlock said information.

It seems to me that by pushing this option you just bring the "enemy" closer
to the nuclear option of simultaneous, mass, unfiltered release. Unless you
think they're bluffing with the insurance file, I suppose? Doesn't sound like
a good risk to take.

~~~
exit
I doubt the attackers care what wikileaks disseminates, except insofar as it
makes them a high profile target.

~~~
eli
Buncha bored kids, no doubt.

