Statement: on the recent DDoS attack on #WikiLeaks Press.

For over a week, wikileaks.org and various supporter websites such as 
cabledrum.net, wlcentral.org, justice4assange.org, and our own news 
aggregation website (wikileaks-press.org) have come under attack. In 
this post, we will elaborate on the attacks on our own 
infrastructure, as it seems that these attacks are part of a 
coordinated effort.

Wikileaks.org and cabledrum.net in particular have been subject to an 
ongoing distributed denial of service (DDoS) attack over the past six 
days, and as a result wikileaks.org and cabledrum.net cannot be 
reached by most visitors.

A recently registered Twitter account, antileaks[1], has claimed 
responsibility, citing WikiLeaks' publication and collection of 
donations as acts of "terrorism," but we have seen no credible 
evidence from them proving their involvement.

WikiLeaks Press is a WikiLeaks-endorsed volunteer-organized news 
aggregation website dedicated to tracking news coverage of material 
released by WikiLeaks. On our site, we publish digests of news and 
scholarly articles which make use of leaked material published by 
WikiLeaks, as well as our own analytical pieces and retrospective 
studies. In addition, we aggregate news relating to WikiLeaks, press 
freedom, censorship, freedom of information, and whistle-blower 
issues. We have hosted a mirror of WikiLeaks' website for over a 
year without incident until the recent DDoS assault.

The initial DDoS attacks on wikileaks-press.org were not strong 
enough to take down our site, but we are now receiving a massive 
amount of traffic. We asked our provider to help mitigate the 
problem, and they have partially blocked access to our server for 
the next 9 hours. We have lost the ability to reliably monitor traffic.

We have provided below some statistics from over the previous week; 
the blue/purple colour spikes are incoming traffic spikes from the 
DDoS attack:
http://oi45.tinypic.com/19o93o.jpg (hourly overview)
http://oi46.tinypic.com/mijvhg.jpg (weekly overview)
Cabledrum has provided us with the following statistics of the DDoS 
experienced by cabledrum.net infrastructure: http://is.gd/5tySP2 .

We believe that the attack method is a so-called "DNS amplification 
attack" (see, for example, [3] for a description). Broadly speaking, 
attackers send a small request to open DNS servers; these fast DNS 
servers then amplify the request, which has now increased somewhat in 
size and is sent to the server of wikileaks-press.org. If an attacker 
then exploits hundreds of thousands of open DNS resolvers and sends 
millions of requests to each of them, the attack becomes quite 
powerful. We only have a small uplink to our server; the size of all 
these requests was 100,000 times the size of our uplink.

Last week, computer security and cybercrime journalist Brian Krebs 
experienced a similar attack[4] on his own website using DNS 
amplification.  We tested some of the IPs which attacked us, and we 
have found that most of these IPs have open DNS recursors.  It seems 
likely that public infrastructure is being used to attack WikiLeaks 
supporter sites; the strength of these attacks has been strong enough 
to bring down Tier 1 datacenters with several hundred gigabits of 
connectivity.
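
A defender-side view of the pattern described above, as an added example that is not part of the original statement: it picks out DNS responses (UDP source port 53) that the server never asked for and totals them per reflecting resolver. The flow-record layout, the addresses (documentation ranges) and the uplink figure are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records (not from the incident):
# (timestamp_s, src_ip, src_port, dst_ip, dst_port, proto, bytes)
OUR_IP = "203.0.113.10"          # documentation address standing in for the server
FLOWS = [
    (0.0, OUR_IP, 40001, "198.51.100.53", 53, "udp", 64),      # our own query
    (0.1, "198.51.100.53", 53, OUR_IP, 40001, "udp", 180),     # its answer
    (1.0, "192.0.2.1", 53, OUR_IP, 31337, "udp", 3900),        # never asked for
    (1.1, "192.0.2.1", 53, OUR_IP, 31337, "udp", 4000),
    (1.2, "192.0.2.2", 53, OUR_IP, 1024, "udp", 3950),
    (1.3, "192.0.2.3", 53, OUR_IP, 1025, "udp", 4100),
    (1.4, "192.0.2.9", 443, OUR_IP, 52000, "tcp", 1500),       # unrelated web traffic
]


def unsolicited_dns(flows, our_ip):
    """Return {source_ip: [packets, bytes]} for DNS responses we never requested."""
    asked = set()                      # (resolver_ip, our_source_port) of real queries
    hits = defaultdict(lambda: [0, 0])
    for ts, src, sport, dst, dport, proto, size in sorted(flows):
        if proto != "udp":
            continue
        if src == our_ip and dport == 53:
            asked.add((dst, sport))    # remember what we legitimately asked
        elif dst == our_ip and sport == 53 and (src, dport) not in asked:
            hits[src][0] += 1          # a response with no matching query
            hits[src][1] += size
    return dict(hits)


def uplink_load(hits, window_s, uplink_bps):
    """Unsolicited DNS traffic as a multiple of the uplink capacity."""
    total_bits = 8 * sum(size for _, size in hits.values())
    return total_bits / window_s / uplink_bps


if __name__ == "__main__":
    hits = unsolicited_dns(FLOWS, OUR_IP)
    for ip, (pkts, size) in sorted(hits.items(), key=lambda kv: -kv[1][1]):
        print(f"{ip:15} packets={pkts} bytes={size}")
    # Assumed 1-second window and 100 kbit/s uplink, chosen only for the sample.
    print("load vs uplink: %.2fx" % uplink_load(hits, 1.0, 100_000))
```

The per-source totals give the list of reflecting resolvers to pass to an upstream provider for filtering or to report to the resolvers' operators.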

//Our response//

Attacks on wikileaks-press.org escalated after WikiLeaks retweeted links 
to our mirrors of leaked files from WikiLeaks 
(https://twitter.com/wlpress/status/233852253067411457 ) on a newly 
discovered mass surveillance program known as TrapWire.  So far, the 
supporter sites which have been hit hardest are those which hosted mirrors 
of WikiLeaks material. At times in the past, WikiLeaks mirrors had been 
hosted by hundreds of others, including human rights and press freedom 
groups. The right to republish WikiLeaks material has been upheld in a 
court of law in our jurisdiction of operation (http://is.gd/b7H6zg ). 
Human rights groups including Reporters Without Borders, Amnesty 
International, Article 19, and others, have issued statements 
in defense of WikiLeaks' right to operate and publish.

With that in mind, these attacks appear at first glance to be part of 
an intimidation campaign; in the absence of any statements by the 
attackers, we are left only with speculation.

In spite of these attacks, there are still various methods available 
for accessing WikiLeaks' archive. For example, the site can still be 
reached over the Tor network [2] at the addresses listed below [5].

In the meantime, our second mirror is still online. Please use 
http://mirror2.wikileaks-press.org/downloads/ and 
http://mirror2.wikileaks-press.org/gifiles/ for the latest files which 
we mirror from WikiLeaks. Please make sure to download and seed the 
torrents to ensure people can still download the information released 
by WikiLeaks.

-- WikiLeaks Press team

References:
[1] https://twitter.com/antileaks
[2] https://torproject.org/
[3] http://technet.microsoft.com/en-us/security/hh972393.aspx
[4] http://krebsonsecurity.com/2012/08/triple-ddos-vs-krebsonsecurity/
[5] http://isax7s5yooqgelbr.onion/ http://isax7s5yooqgelbr.onion/gifiles/

WikiLeaks Donation methods:

Bank Transfer - Option 1: via Sunshine Press Productions ehf:
Skulagötu 19, 101 Reykjavik, Iceland
Landsbanki Islands Account number 0111-26-611010
BANK/SWIFT:NBIIISRE
ACCOUNT/IBAN:IS97 0111 2661 1010 6110 1002 80

Bank Transfer - Option 2: via the not-for-profit Wau Holland Stiftung Foundation:
This support is tax deductible in Germany!
Bank Account: 2772812-04
IBAN: DE46 5204 0021 0277 2812 04
BIC Code: COBADEFF520
Bank: Commerzbank Kassel
German BLZ: 52040021
Subject: WIKILEAKS / WHS Projekt 04

Bitcoin - 1HB5XMLmzFVj8ALj6mfBsbifRoD4miY36v

You can also post a donation via good old-fashioned postal mail to:

WikiLeaks (or any suitable name likely to avoid interception in your country)
BOX 4080
Australia Post Office - University of Melbourne Branch
Victoria 3052
Australia