From September 6 through early in the day on September 9, the online encyclopedia Wikipedia suffered a Distributed Denial of Service (DDoS) attack. The intermittent outages affected parts of Europe, the Middle East, the UK, and the United States. As a result, millions of users around the world were unable to access various Wikipedia sites. Three days of compromised service is highly problematic, especially for a non-profit educational site that is one of the most popular online resources in the world. Ironically, we were writing about hacktivist DDoS attacks just last week, in response to reports of hacktivism being on the wane. Of course, a decrease doesn’t mean stopping altogether, as these latest attacks clearly demonstrate.
The “bad actors” could be anyone who has a grudge against Wikipedia and, let’s face it, you’d be hard pressed to find a resource with a broader set of topics covered in one place. For example, perhaps the bad actors were hired by a government that censors Wikipedia in direct opposition to Wikipedia’s mission to spread knowledge freely. Or the cybercriminal might be a lone actor: some wayward hacker who operates for the sake of sheer maliciousness, to create mayhem. (For an example of such a rogue, see Kenneth Currin Schuchman, the 21-year-old who pleaded guilty last week to operating the Satori botnet.)
According to ThreatPost, it was the work of a hacking group that calls itself UkDrillas. That group used its Twitter account to claim responsibility for the Wikipedia attack, as well as an almost simultaneous attack on World of Warcraft, over the same weekend. Hopefully Wikipedia will be able to determine the source of the attack using cyber forensics, but that is often very difficult to achieve. Law enforcement is also at a disadvantage against hackers, because DDoS attacks leave little or no trace of evidence. But UkDrillas’ bragging on Twitter is one way to give law enforcement and cybersecurity researchers some clues about the true perpetrator(s) of the attack.
Adding Up the Costs of the Attack
DDoS attacks typically incur secondary as well as direct costs, including: loss of customer trust, damaged brand reputation, reduced productivity, IT personnel costs and costly downtime. For a non-profit organization like Wikipedia, a DDoS attack has a lesser impact on revenue; however, since Wikipedia does take donations online, the website being down almost certainly had a negative effect on its ability to receive those donations.
How to Strengthen DDoS Protection
As a large organization that has suffered from some censorship, the Wikipedia team surely has dealt with frequent, if not daily, DDoS attacks in the past, and will surely be targeted again and again in the future. Their Site Reliability Team worked hard to protect the Wikipedia network, but the cybercriminals obviously still managed to find some weakness. We don’t know what kind of DDoS protection Wikipedia has, but it appears that what it did have in place was not sufficient. Besides identifying the hackers and seeking prosecution and justice, this could be a signal for Wikipedia to strengthen its DDoS defenses with the latest generation of always-on, real-time protection. And, with a post-attack donation from the founder of Craigslist, according to Infosecurity Magazine, it may now have the funds to do so.
Judging by the duration of the attack, it was volumetric in nature, i.e., consuming a high proportion of available network bandwidth or exhausting the resources of stateful security devices, such as firewalls and IPSs. Problems like this can arise if an organization is relying on legacy DDoS mitigation solutions, such as an out-of-band scrubbing center, where suspected attack traffic is re-routed for mitigation and only what is deemed to be good/legitimate traffic is then forwarded to the intended destination. One of the biggest challenges is that there’s often a lengthy delay between the start of an attack and its detection, re-routing and subsequent remediation. The target can be subjected to the full force of the attack for a significant period of time before protection actually engages. These legacy approaches are often resource-intensive, making it expensive to deliver effective round-the-clock protection.
In contrast, an always-on, automated DDoS protection solution can consistently achieve complex attack detection and mitigation, within seconds – not the minutes or hours taken by legacy solutions. An automated system can immediately detect malicious packet flows, formulate mitigation filtering rules, and apply these, on the fly, without any intervention from security analysts or network operators.
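To make the two preceding paragraphs concrete, here is an added illustration of the always-on, rate-based detection loop described above. It is example code written for this article, not Corero’s SmartWall code or anything Wikipedia runs. It aggregates constructed flow records per second, flags a destination/protocol/port once its volume exceeds an assumed multiple of an assumed baseline for two consecutive seconds, and emits a generic drop rule in a made-up syntax. The address ranges are RFC 5737 documentation addresses, and the baseline, multiplier and confirmation window are all assumptions.

```python
"""Minimal always-on volumetric DDoS detector with automatic rule generation.

Illustrative example only: the flow data is constructed, the thresholds are
assumed, and the rule syntax is a generic placeholder, not any vendor's format.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch second in which the traffic was observed
    src: str     # source IP
    dst: str     # destination IP (the protected service)
    proto: str   # "udp" or "tcp"
    dport: int   # destination port
    nbytes: int  # bytes seen from this source in that second


PROTECTED = "203.0.113.10"   # RFC 5737 documentation address (constructed)
BASELINE_BPS = 5_000_000     # assumed normal load for this service: 5 MB/s


def _normal(ts):
    """Constructed sample: ordinary HTTPS traffic from five clients (4 MB/s total)."""
    return [Flow(ts, f"198.51.100.{i}", PROTECTED, "tcp", 443, 800_000) for i in range(1, 6)]


def _flood(ts):
    """Constructed sample: 40 sources each sending 2 MB/s of UDP to an unused port."""
    return [Flow(ts, f"192.0.2.{i}", PROTECTED, "udp", 11211, 2_000_000) for i in range(1, 41)]


SAMPLE_FLOWS = []
for _t in range(1000, 1005):            # five quiet seconds
    SAMPLE_FLOWS += _normal(_t)
for _t in range(1005, 1010):            # five seconds of flood on top of normal load
    SAMPLE_FLOWS += _normal(_t) + _flood(_t)


def per_second_rates(flows):
    """Aggregate bytes per second, keyed by (dst, proto, dport)."""
    rates = defaultdict(lambda: defaultdict(int))
    for f in flows:
        rates[(f.dst, f.proto, f.dport)][f.ts] += f.nbytes
    return rates


def detect_volumetric(flows, baseline_bps=BASELINE_BPS, multiplier=4, confirm_secs=2):
    """Flag a (dst, proto, dport) whose per-second volume exceeds
    multiplier x baseline for confirm_secs consecutive seconds.

    Returns {key: (first_second_over_threshold, second_the_rule_was_confirmed)}.
    The confirmation window is the only 'delay' in this design: seconds, not the
    minutes of a re-route to an out-of-band scrubbing center.
    """
    detections = {}
    threshold = baseline_bps * multiplier
    for key, by_ts in per_second_rates(flows).items():
        streak, first_over, prev_ts = 0, None, None
        for ts in sorted(by_ts):
            if prev_ts is not None and ts != prev_ts + 1:
                streak, first_over = 0, None       # gap in the series resets the streak
            prev_ts = ts
            if by_ts[ts] > threshold:
                if streak == 0:
                    first_over = ts
                streak += 1
                if streak == confirm_secs:
                    detections[key] = (first_over, ts)
                    break
            else:
                streak, first_over = 0, None
    return detections


def build_filter_rules(detections):
    """Turn each detection into a generic drop rule (illustrative syntax).

    Rules key on destination, protocol and port rather than source, because a
    volumetric flood typically arrives from many, often spoofed, sources.
    """
    return [f"drop {proto} any -> {dst} port {dport}"
            for (dst, proto, dport) in sorted(detections)]


if __name__ == "__main__":
    found = detect_volumetric(SAMPLE_FLOWS)
    for key, (start, confirmed) in found.items():
        print(f"{key}: flood began at t={start}, rule applied at t={confirmed}")
    for rule in build_filter_rules(found):
        print(rule)
```

With the constructed data the TCP/443 traffic stays at 4 MB/s, below the 20 MB/s threshold, and is never touched, while the UDP/11211 flood crosses the threshold at t=1005 and has a drop rule generated at t=1006. A production system would derive the baseline from observed history rather than a constant and would age rules out once the flow subsides, but the shape of the loop is the same.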
Currently, many Internet Service Providers are deploying these enabling technologies as part of their existing Internet routing infrastructure; in the future, many more will need to do so, to successfully defend against more powerful, frequent and sophisticated DDoS attacks.
For over a decade, Corero has been providing state-of-the-art, highly-effective, automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. If you’d like to learn more, please contact us.