Last Friday, 7 September, Wikipedia suffered what appears to be the most disruptive Distributed Denial of Service (DDoS) attack in recent memory.
It’s not that Wikipedia isn’t attacked regularly – it is. It’s just that the DDoS that hit it around 17:40 p.m. (UTC) on that day was far larger than normal and carried on its attack for almost three days.
The site quickly became unavailable in Europe, Africa, and the Middle East, before later slowing or stopping for users in other parts of the world such as the US and Asia.
The size of the attack has not been made public, although from details offered by mitigation company ThousandEyes it’s clear that it was an old-style volumetric flood designed to overwhelm the company’s web servers with bogus HTTP traffic.
Given the protection sites employ these days, this suggests that it was well into the terabits-per-second range used to measure the largest DDoS events on the internet.
In fact, most of that flood would never have reached Wikipedia’s servers, instead of being thrown away by upstream ISPs as a protective measure when it became obvious that a DDoS was underway.
DDoS takedowns
An attack this big is sometimes called a ‘takedown’ (not be confused with legitimate takedowns connected to content), a relatively rare event intended to bring a well-known site’s operation to a halt for as long as possible.
Why Wikipedia? Most likely, because someone out there doesn’t like Wikipedia. As the site’s owners, Wikimedia, put it in a brief statement:
We condemn these sorts of attacks. They’re not just about taking Wikipedia offline. Takedown attacks threaten everyone’s fundamental rights to freely access and share information.
Less likely, a DDoS-for-hire outfit decided to use a famous site like Wikipedia as a look-what-we-can-do advert for their services at the considerable expense of revealing much of the botnet designed to host such attacks.
Given that the attack persisted into the weekend, it’s not surprising that Wikimedia called for help from Cloudflare, the zero-cost mitigation provider for sites that can claim to have a public purpose.
By Sunday, ThousandEyes noticed, Wikipedia’s servers were being ‘fronted’ entirely by Cloudflare, which deploys anti-DDoS technology to identify bad traffic and throw it away.
Interestingly, big DDoS takedowns have become somewhat less frequent these days, presumably because all sites that consider themselves targets employ mitigation companies to defend themselves.
But, at the very least, the Wikipedia attack is a warning that the people who carry out these attacks have not given up on trying.