DDoS Report, in the Wake of Wikileaks, Cablegate, and Anonymous

The Wikileaks/Cablegate story has long-term implications for global society on very many levels.  (See JZ’s excellent FAQ on Wikileaks, co-developed with Molly Sauter.)  One is our shared understanding of the Distributed Denial of Service (DDoS) attack phenomenon.  The incidence of DDoS has been growing in recent years.  It links up with important threads that have emerged from our OpenNet Initiative work in studying the ways in which states and others exert measures of control on the open Internet.  (Consider, for instance, the reports from ONI on Belarus and Kyrgyz election monitoring, which broke new ground on DDoS a few years ago, led primarily by our ONI partners Rafal Rohozinski, Ron Deibert, and their respective teams.)

We are issuing a new report on DDoS today, which we hope will help to put some of these issues into perspective.  For an excellent blog entry on it, please see my co-author Ethan Zuckerman’s post.

After initial publication of State Department cables, Wikileaks reported that their web site became subject to a series of DDoS attacks that threatened to bring it down.  These attacks are simple in concept: many computers from around the world send requests to the target website in sufficient volume to exhaust its bandwidth, its connection capacity, or its servers, so that legitimate visitors can no longer reach it (the site appears to “crash”).  It turns out to be hard for most systems administrators to defend against such an attack, because the traffic arrives from thousands of sources at once and each individual request looks much like an ordinary visit, so blocking any one source does little.  And it turns out to be relatively easy to launch such an attack.  Computers that have been compromised through the spread of malware are gathered into “botnets” and are available for “rent” in order to launch such attacks.  In a study that we are releasing this morning, we found instances where the “rent” of these machines is suggested by the round numbers of attacking machines and the precise durations of the attacks.
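The point that distribution is what makes these attacks hard to filter can be seen in a few lines of code.  The following is an added example, not code from this post or from the report: it runs a conventional per-source rate limit and an aggregate load check over a constructed set of web-server log lines (the IP addresses, timestamps, and the thresholds of 20 requests per second per source and 100 requests per second of server capacity are all assumptions chosen for illustration).  Fifty attacking hosts each send only three requests in one second, so none of them trips the per-source limit, yet together they exceed what the server can serve.

```python
"""
Added example (not from the original post or the Berkman report):
per-source versus aggregate request-rate checks over constructed log lines,
showing why a distributed flood slips past ordinary per-IP rate limits.
"""
import re
from collections import Counter, defaultdict

# Apache/nginx combined-log style line; only the fields we use are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def make_sample_log():
    """Constructed traffic, not a real capture: 50 attack sources (10.0.0.1-50,
    hypothetical addresses) each send 3 requests in the same second, alongside
    one ordinary client (192.0.2.7) that also made a request the second before."""
    ts = "07/Dec/2010:14:00:00 +0000"
    lines = ['192.0.2.7 - - [07/Dec/2010:13:59:59 +0000] "GET / HTTP/1.1" 200 5120']
    for host in range(1, 51):
        for _ in range(3):
            lines.append(f'10.0.0.{host} - - [{ts}] "GET / HTTP/1.1" 200 5120')
    lines.append(f'192.0.2.7 - - [{ts}] "GET /index.html HTTP/1.1" 200 5120')
    lines.append(f'192.0.2.7 - - [{ts}] "GET /style.css HTTP/1.1" 200 812')
    return lines


SAMPLE_LOG = make_sample_log()


def parse(line):
    """Return (source_ip, timestamp_text) or None for a malformed line.
    The log timestamp already has one-second resolution, so it serves as the bucket key."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts")


def requests_per_second(lines):
    """Map each log second to a Counter of requests per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse(line)
        if parsed:
            ip, ts = parsed
            buckets[ts][ip] += 1
    return buckets


def sources_over_limit(lines, per_ip_limit):
    """Classic per-IP rate limit: the set of sources that exceeded
    per_ip_limit requests in any single second."""
    hot = set()
    for counts in requests_per_second(lines).values():
        hot.update(ip for ip, n in counts.items() if n > per_ip_limit)
    return hot


def flood_seconds(lines, capacity):
    """Aggregate view: (second, total_requests, distinct_sources) for every
    second in which total load exceeded the assumed server capacity."""
    out = []
    for ts, counts in sorted(requests_per_second(lines).items()):
        total = sum(counts.values())
        if total > capacity:
            out.append((ts, total, len(counts)))
    return out


if __name__ == "__main__":
    print("per-IP limit (20 req/s) flags:", sources_over_limit(SAMPLE_LOG, 20) or "nothing")
    for ts, total, distinct in flood_seconds(SAMPLE_LOG, 100):
        print(f"{ts}: {total} req/s from {distinct} sources exceeds capacity 100")
```

The per-source check returns an empty set while the aggregate check reports one overloaded second with 152 requests from 51 distinct addresses.  Lowering the per-IP threshold until three requests per second trips it would also block the ordinary client, which is exactly the bind the post describes: the defender cannot tell the attack apart from a busy day by looking at any single source.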

In the face of these attacks, Wikileaks decided to move its web site to safer ground.  Large-scale web hosts, particularly “cloud computing” service providers, can generally absorb DDoS attacks because they have far more bandwidth and server capacity than a single site’s hosting could offer.  Wikileaks did what one might reasonably suggest to, say, a small human rights organization in an authoritarian regime, where they fear attack from the state or others.  Wikileaks moved to the Amazon.com cloud.  Shortly thereafter, apparently in the face of pressure, Amazon decided to stop serving Wikileaks’ web site, and cut them off.  Wikileaks found a “James Bond-style” bunker in Sweden which agreed to host them — presumably despite pressure to take the site down.

The DDoS story took another major turn in the Wikileaks narrative when Anonymous launched a series of attacks on sites perceived to have been unhelpful to Wikileaks in the post-Cablegate aftermath.  These DDoS attacks raised the specter of cyberwarfare, much discussed in policy circles but all of a sudden on the front page of major newspapers.  Depending on political viewpoint and other factors, people I’ve talked to seemed to see these retribution DDoS attacks as different in their implications from the initial DDoS attacks on Wikileaks itself.

There have been relatively few studies of DDoS as an empirical or a policy matter.  We are releasing a report today (which I’ve co-authored with Hal Roberts, Ethan Zuckerman, Jillian York, and Ryan McGrady) that describes DDoS and makes a series of recommendations in light of what we’ve found.  It’s funded by a generous grant from OSI.  Regardless of whether you consider DDoS to be criminal behavior, the next wave in cyberwarfare, an acceptable form of protest, or all of the above, we hope you’ll read and give feedback on the report.