Last Friday, 7 September, Wikipedia suffered what appears to be the most disruptive Distributed Denial of Service (DDoS) attack in recent memory.
It’s not that Wikipedia isn’t attacked regularly – it is. It’s just that the DDoS that hit it at around 17:40 UTC that day was far larger than normal and carried on for almost three days.
The site quickly became unavailable in Europe, Africa, and the Middle East, before later slowing or stopping for users in other parts of the world such as the US and Asia.
The size of the attack has not been made public, although from details offered by network monitoring company ThousandEyes it’s clear that it was an old-style volumetric flood designed to overwhelm Wikipedia’s web servers with bogus HTTP traffic.
Given the protection large sites employ these days, an attack that succeeded for that long suggests traffic well into the terabits-per-second range used to describe the largest DDoS events on the internet.
In fact, most of that flood would never have reached Wikipedia’s servers, instead being dropped by upstream ISPs as a protective measure once it became obvious that a DDoS was underway.
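Seen from the origin, a flood like the one described above shows up in the web-server access logs long before anyone upstream starts dropping it. The following is an added example, not Wikimedia’s or ThousandEyes’ tooling: it parses nginx/Apache ‘combined’ log lines and flags both a single loud source and the harder case a distributed flood produces, where no one address stands out but the aggregate request rate exceeds what the origin can serve. The log lines, IP addresses (from the RFC 5737 documentation ranges) and thresholds are constructed for illustration.

```python
"""Rate-based HTTP flood triage over web-server access logs (added example).

Buckets requests per source IP and per second, then reports
(a) individual sources above a per-IP rate and
(b) seconds in which the aggregate rate exceeds a site-wide ceiling even
    though no single IP trips the per-IP limit, which is what a distributed
    volumetric flood looks like from the origin.
Thresholds, addresses and log lines are constructed for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# nginx/Apache "combined" format: ip ident user [ts] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, second_bucket, request_line), or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts.replace(microsecond=0), m.group("req")


def flood_report(lines, per_ip_limit, aggregate_limit):
    """Flag noisy IPs and saturated seconds.

    per_ip_limit:    max requests per second tolerated from one address
    aggregate_limit: max requests per second the origin can serve at all
    Returns (noisy_ips, saturated_seconds) as sorted lists; saturated
    seconds are ISO 8601 strings so callers can match them against other logs.
    """
    per_ip_sec = defaultdict(Counter)   # ip -> {second: count}
    per_sec = Counter()                 # second -> count across all sources
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                    # skip garbage rather than crash mid-incident
        ip, sec, _ = parsed
        per_ip_sec[ip][sec] += 1
        per_sec[sec] += 1
    noisy = sorted(ip for ip, c in per_ip_sec.items() if max(c.values()) > per_ip_limit)
    saturated = sorted(s.isoformat() for s, n in per_sec.items() if n > aggregate_limit)
    return noisy, saturated


def _line(ip, second, path="/wiki/Main_Page"):
    """Build one constructed log line in the combined format."""
    ts = f"07/Sep/2019:17:40:{second:02d} +0000"
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample log (hypothetical, not real Wikipedia traffic):
SAMPLE_LOG = (
    # one ordinary reader, two requests three seconds apart
    [_line("192.0.2.10", 0), _line("192.0.2.10", 3)]
    # one loud source: 8 requests inside second 1
    + [_line("198.51.100.7", 1) for _ in range(8)]
    # twenty distinct sources each sending 2 requests in second 2:
    # nobody trips a per-IP limit of 5, but the origin sees 40 req/s
    + [_line(f"203.0.113.{i}", 2) for i in range(20) for _ in range(2)]
    # a corrupted line, to show it is skipped rather than fatal
    + ["this line is not a log entry"]
)

if __name__ == "__main__":
    noisy, saturated = flood_report(SAMPLE_LOG, per_ip_limit=5, aggregate_limit=20)
    print("per-IP offenders:", noisy)          # ['198.51.100.7']
    print("saturated seconds:", saturated)     # ['2019-09-07T17:40:02+00:00']
```

The point of the second check is the one the article makes: against a botnet spread across thousands of addresses, per-IP rate limiting at the origin finds nothing to block, which is why the traffic has to be absorbed or discarded upstream rather than at the web servers.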
DDoS takedowns
An attack this big is sometimes called a ‘takedown’ (not to be confused with legitimate takedowns connected to content), a relatively rare event intended to bring a well-known site’s operation to a halt for as long as possible.
Why Wikipedia? Most likely, because someone out there doesn’t like Wikipedia. As the site’s owners, Wikimedia, put it in a brief statement:
We condemn these sorts of attacks. They’re not just about taking Wikipedia offline. Takedown attacks threaten everyone’s fundamental rights to freely access and share information.
Less likely, a DDoS-for-hire outfit decided to use a famous site like Wikipedia as a look-what-we-can-do advert for its services, at the considerable expense of revealing much of the botnet used to carry out such attacks.
Given that the attack persisted into the weekend, it’s not surprising that Wikimedia called for help from Cloudflare, which offers free DDoS mitigation to qualifying public-interest sites through its Project Galileo programme.
By Sunday, ThousandEyes noticed, Wikipedia’s servers were being ‘fronted’ entirely by Cloudflare, which deploys anti-DDoS technology to identify bad traffic and throw it away.
Interestingly, big DDoS takedowns have become somewhat less frequent these days, presumably because any site that considers itself a target now employs a mitigation company to defend itself.
But, at the very least, the Wikipedia attack is a warning that the people who carry out these attacks have not given up on trying.
thedrogsofwar
The guy/group who did the attack was bragging about it on Twitter. The Wikipedia attack was a sort of proof of concept or test. The next day they went after streamers on Twitch and then went after Blizzard, knocking Overwatch and World of Warcraft servers offline.
John E Dunn
They did, although given that these are fairly common, it’s not clear why that would require a PoC attack against such a large entity as Wikipedia – what would they be trying to prove?
Paul Ducklin
“Because it’s there.”
(With apologies to George Mallory, who died climbing Mount Everest in 1924. Whether he and Sandy Irvine died on the way down from a successful summiting or on the way up – well, we may never know, but they got close.)
Mahhn
So who hates freedom of information and could pull this off?
My first thought is China. Other thoughts?
Mark Stockley
Sadly, the war on intelligence isn’t confined to a country.
Rob Matthews
The Wikipedia attack was a dry run before the attackers hit World of Warcraft game servers over the weekend. The group responsible posted their plan, and screenshots during the attack on their twitter account UKDrillas.
Mahhn
It’s almost funny: something on the scale of nation-state attacks is just sore-loser gamers seeking attention, like a crying baby with a big megaphone. Kids like to brag, and that will get them caught. I wonder if Krebs already knows who they are.
Mark Sitkowski
Does anyone know if it was an IoT attack? If so, what devices?
Laurence Marks
Based on the relations among the first three posts, it seems that there must be an excessive moderation delay. The followers would be better served with less delay.
For that matter, is moderation really necessary? Why not simply let the users flag inappropriate posts?
Mahhn
As someone who has had posts moderated myself, I can understand. I’ve had a bad day, read a story that made me angry and written something that didn’t belong here (more than once over the years, but I’ve learned to behave, mostly); it never showed and I understand. Then there are the bots and work-at-home ads that… I see your point, but they aren’t wrong to moderate either. Plus the writers and Sophos people respond often while moderating, so that’s a big bonus.
irrelevant
I know who done this. :)
Laurence Marks
FLAG!!
Ian
You have to be a real jerk to attack a free source of information like Wikipedia. Hope these trolls see some jail time.
Mark Sitkowski
@irrelevant
If you really know who ‘done’ this, tell me what they used
Stephen T Mason
The timing (9/11) may be a coincidence, but it is worth factoring it into the profiling of such attacks.