[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[infowar.de] Al-Jazeera hobbled by DDOS attack - News site targeted for second day
Ein paar weitere Steine zum Al-Dschasira-Webpuzzle:
Zusammenfassung: massive Angriffe auf Web- und Nameserver,
offenbar auesserst versierte und "engagierte" Angreifer.
Anmerkung: Die offenbare DNS-Loeschung/Wechsel der Eintraege
und die Blockierung der Ziel-Ips per Routing durch Provider
und Uplinks sind durchaus uebliche Abwehrmaßnahmen gegen der-
artige Angriffe, fuer die Erreichbarkeit des (Web-)Angebots
allerdings nicht sonderlich foerderlich - Was durchaus auch
Teil eines Angriffszenarios sein kann.
Al-Jazeera hobbled by DDOS attack
News site targeted for second day
By Paul Roberts
March 26, 2003
The Arab satellite television network Al-Jazeera suffered a second day
of sustained distributed denial of service (DDOS) attacks against its
English and Arabic language Web sites on Wednesday.
The attacks have pushed the network, which is based in Doha, Qatar ,
off the Web for the time being and forced Al-Jazeera to increase
bandwidth for the sites and step up security in a desperate effort to
get back online.
"All of our Web sites are down. The U.S. [Web site] is out of order
and the Europe [Web site] is under attack. We come up for five or ten
minutes and then the attacks bring us down again," said Salah
AlSeddiqi, IT manager at Al- Jazeera.
AlSeddiqi and others describe a powerful and coordinated attack on
Al-Jazeera's Web sites that began on March 25, shortly after the
network published photos of U.S. soldiers who had been taken prisoner
by Iraqi forces inside Iraq .
Beginning on Tuesday, Al-Jazeera was hit with traffic in excess of 200
Mbps and up to 300 Mbps, he said.
The network's Web sites typically receive traffic in the range of 50
or 60 Mbps. With the commencement of hostilities, however, traffic to
Al-Jazeera's sites had spiked to more than 150 Mbps, AlSeddiqi said.
The attacks were described as a DNS (Domain Name System) flood attack
by Joanne Tucker, managing editor of Al-Jazeera's English language Web
site, whose address is http://english.aljazeera.net.
DNS flood attacks send a high volume of Internet traffic to the name
servers that are responsible for a particular Web domain, rendering
those servers unresponsive.
In response to the attacks, Al-Jazeera attempted to increase its
bandwidth allocation, but the attackers scaled their efforts to meet
the increase, according to AlSeddiqi.
As a result of the sustained attacks, the Qatar company that managed
the site told Al-Jazeera on Wednesday that its U.S.-based hosting
company said it could no longer continue to host the sites because of
the effect of the attacks on other customer Web sites, AlSeddiqi said.
That company, DataPipe, a service of Hoboken Web Services, in Hoboken,
New Jersey , said in a statement that it provided hosting services to
the Qatar company that managed the Al-Jazeera site, but had ended its
relationship with that company.
DataPipe did not have a contract or a relationship with Al-Jazeera
itself, the company said.
Al-Jazeera was told that its site would continue to be hosted only
until the end of March, AlSeddiqi said.
The recent attacks and the decision by one of its Web hosting
companies has IT staff at Al-Jazeera suspicious of larger forces that
may be at work.
"We feel it's an organization with knowhow and money. They have very
powerful machines to do [the attack] and someone to pay for the
bandwidth," AlSeddiqi said.
Tucker expressed concerns that the attacks may be part of a
coordinated effort to silence the network for coverage that has been
critical of the U.S.-led war in Iraq .
"It's a strategy to block access to the site to legitimate visitors.
The problem is that any content or information that doesn't boost U.S.
morale or unify public opinion might be perceived as a threat to the
war effort," Tucker said.
A security expert familiar with Al-Jazeera's troubles said the news
network appeared to be suffering both from an IRC (Internet Relay
Chat) "bot" attack and from increased demand due to the outbreak of
hostilities in Iraq and the launch of its English language site.
IRC bot attacks use IRC chat channels to send coordinated attack
instructions to networks of compromised machines worldwide, according
to Johannes Ullrich, chief technology officer for the Internet Storm
Center at the SANS Institute.
While the volume of traffic to Al-Jazeera's Web sites was high, a
network of between 1,000 and 5,000 compromised machines could easily
generate that level of traffic, Ullrich said.
Such networks are not uncommon. Some IRC bot networks contain over
10,000 zombie machines, he said.
Casting doubt on the suggestion that the attacks had to originate from
a large, well-funded source, Ullrich said that the IRC bots could
easily be coordinated by a single user with knowledge of the network
and the right commands to issue.
"There are probably plenty of people who can do something like [the
Al-Jazeera DDOS attack] just for the fun of it. I just got DDOS'd last
night," Ullrich said.
Others familiar with such attacks say they are common and have many
"We have a number of customers who come to us with concerns like
[Al-Jazeera's]. Effectively they're experiencing a virtual sit in,"
said Andy Ellis, chief security architect at Akamai Technologies, an
e-business infrastructure provider in Cambridge, Mass.
While 200 Mbps is high volume for a single Web site to suffer, Ellis
said that he knew of larger attacks.
In addition, it is common for such DDOS attacks to be targeted at
routers or DNS servers that service a number of different Web sites,
according to Ullrich.
Hosting companies will frequently decide to stop hosting the site that
is attracting the unwanted attention in order to maintain service to
its other customers, he said.
"The sad thing is that there's very little they can do. If you have
10,000 or 20,000 machines attacking you and they're constantly
changing, the only thing you can do is get more bandwidth --
essentially buy your way out of the attack," Ullrich said.
Other companies, including many prominent U.S. news Web sites, opt to
use private networks such as Akamai's which blunt the force of DDOS
attacks by spreading the hosted Web site content out to thousands of
host servers, then routing each request to a server close to the
Akamai's network also uses load balancing to direct traffic away from
servers that are experiencing high demand, as in a DDOS attack, Ellis
An Akamai spokesman declined to comment on whether the company had
been contacted by Al-Jazeera or whether it would be willing to host
Al-Jazeera's Web sites.
While it works to crawl out from under the DDOS attack, Al-Jazeera is
continuing to update content on its English language site. The network
is also moving forward with the development of a fully-featured
English language Web site that will include more than just war
coverage, according to Tucker.
The company hopes to be back online soon and said that the launch of
its full English language site is on schedule for mid-April, Tucker
Paul Roberts is a Boston-based correspondent for the IDG News Service,
an InfoWorld affiliate.
Mail an infowar -
- infopeace -
de mit "unsubscribe" im Text.