What SMBs can learn from WikiLeaks’ resilient network

The recent cyber attacks on WikiLeaks and the site’s resiliency are a case study in Web survivability that many businesses would do well to take note of, according to Canadian security experts.

In the weeks since the online whistleblower site began releasing classified cables from the U.S. Department of State, WikiLeaks.org has been hit by a series of massive distributed denial-of-service (DDoS) attacks. Subsequently, the organization’s domain name service provider, EveryDNS.net, terminated the WikiLeaks.org domain name because it feared the attacks threatened the stability of the 500,000 other sites it served.

WikiLeaks was also dropped by its host Amazon.com as well as by PayPal, MasterCard and Visa Europe which handled donation transactions to the site. All this was capped by the recent arrest in London of WikiLeaks founder Julian Assange on charges of sexual assault.

Yet, the controversial site continues to operate and its most recent expose floods the Internet.

“There’s just no stopping the leak,” according to Claudiu Popa, principal of Toronto-based tech security firm Informatica and ITBusiness.ca blogger. “That’s because the leaked documents have gone beyond WikiLeaks.”

The documents originally leaked by the organization are now being shared and propagated by tens of thousands of computer users and even media outlets, he said.

Contrast WikiLeaks with Tumblr or Comcast–both of which experienced severe, prolonged outages in the past week. Or, compare WikiLeaks’ virtual invulnerability with the frequent and frustrating overloads and outages experienced by Twitter. Although the underlying motivation might be different, all Web sites and Web-based services can learn a thing or two from WikiLeaks.

In a word (or four), it’s called “single point of failure”. You don’t want any. In fact, if you’re WikiLeaks, you want to build redundancy on your redundancy and be able to survive not just a single point of failure, but a virtual meltdown of cascading failures.

A DDoS is an attack where the hacker attempts to make the resources of a computer or location on a network unavailable to other users, disrupting service, according to Dean Turner, director, global intelligence network, Symantec Security Response.

Typically, distributed denial of service attacks use a network of distributed computers, often in the form of a botnet, to carry out the attacks, he said.

Turner said Symantec believes WikiLeaks’ attackers are using some kind of a LOIC (Low Orbit Ion Cannon). A LOIC is a free attack toolkit.

“Specifically, it is a network stress testing application and attempts a denial of service (DOS) attack on the target site by flooding the server with TCP packets, UDP packets, or HTTP requests with the intention of disrupting the service of a particular host,” Turner said.

Popa of Informatica said WikiLeaks used geo-diversification to foil the DDoS attacks.

“WikiLeaks laid down (although almost nearly too late) an interwoven network of domains, hosts, servers and alternate DNS services to make sure the site continued to operate even if it lost a provider or suffered a domain shut down due to a DoS attack.”

This diversification saved the day for WikiLeaks, according to James Quin, lead research analyst for Info-Tech Research Group in London, Ont.

“WikiLeaks has a bit of an ‘eggs in one basket’ approach – their servers were hosted in a limited number of locations and their DNS was managed by a single provider,” he said.

However, by diversifying just before releasing the classified U.S. State Department documents, WikiLeaks was able to build resiliency into its network, Quin said.


Before the big leak, WikiLeaks’ content was hosted by two Swedish ISPs and its name server by a French ISP, according to James Cowie, chief technology officer of Renesys, an Internet monitoring company in Manchester, NH. He said WikiLeaks added Amazon’s cloud server into the mix just after it began releasing the documents.

After Amazon cut its service, WikiLeaks began hosting WikiLeaks.org with one of the Swedish ISPs.

When EveryDNS terminated its service, WikiLeaks worked with several new country-level domains such as WikiLeaks.ch in Switzerland, Wikileaks.at in Austria and Wikileaks.cc in the Cocos Islands, said Cowie in his blog.

WikiLeaks also signed up with separate DNS service providers in eight other countries including Canada, Switzerland and Malaysia, he said.

In all, there were 14 different name servers spread over 11 different networks involved. More than 1,000 mirror sites have also been serving up WikiLeaks content in the last few days, said Cowie.

“Taking away WikiLeaks’ hosting, their DNS service, even their primary domain name, has had the net effect of increasing WikiLeaks’ effective use of Internet diversity to stay connected. And it just keeps going,” wrote Cowie. “As long as you can still reach any one copy of WikiLeaks, you can read their mirror page, which lists over 1,000 additional volunteer sites (including several dozen on the alternative IPv6 Internet),” he said.

What can SMBs learn from this?

Spreading out servers was a lifesaver for WikiLeaks, but this type of DNS protection is “likely unnecessary” for many small businesses, according to Quin of Info-Tech.

“Remember, WikiLeaks adopted this strategy to make sure no single domain registrar could knock them down,” said Quin. “A fully above board commercial enterprise would never have to worry about this.”


He said DDoS attacks are the most nefarious and difficult attacks to defend against and are something that businesses are not likely to address by themselves. “Typically it’s the ISP’s responsibility to keep the business online.”

However, Turner of Symantec, Info-Tech’s Quin and Popa of Informatica have the following recommendations for SMBs that want to protect themselves against DDoS attacks:

Plan early – If you feel your company is a potential DDoS target, anticipate the attack. Popa says the best time to lay out your defenses is before the attack happens “not when the attackers are at the gates.”

Use multiple service providers – Consider signing up with more than one ISP and DNS provider. According to Popa, there are providers that allow businesses to go on an “as needed contract” where the business doesn’t have to pay unless the service is used.

Employ alternate payment services – If your business relies on online financial transactions, make sure your site enables users to transact through more than one provider.

Sufficient bandwidth – Make sure your business has enough bandwidth to handle spikes in traffic associated with a DDoS attack. This won’t be enough to prevent the attack, but it will allow you more time to begin to deal with it, said Info-Tech’s Quin.

Quin also recommends implementing a load-balanced perimeter protection strategy to ensure that failure of a single component won’t leave the business offline.

Restrict access – Turner of Symantec suggests restricting in-office and remote access to admin and management to only trusted and authorized personnel.

Monitor constantly – Have a comprehensive monitoring, reporting and alert program to ensure that you are aware of what is happening with your network at all times. Turner suggests deploying network and host-based intrusion detection systems to monitor traffic for suspicious activities.

Finally, both Quin and Popa recommend that you cultivate strong and positive relationships with your ISPs and other providers so that you get prompt response from them when problems arise.
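The "no single point of failure" and "use multiple service providers" advice above can be checked against a name server inventory. This is an added example, not code from the article or from anyone quoted in it; the host names, provider names and AS numbers are constructed placeholders. It finds the fewest provider or network failures that would leave a domain with no working name server.

```python
from itertools import combinations

# Constructed inventories: hypothetical hosts and providers, documentation ASNs.
def ns(host, provider, network):
    return {"ns": host, "provider": provider, "network": network}

# Two name servers on different networks, but one DNS provider runs both.
ONE_PROVIDER = [ns("ns1.dns-a.example", "dns-a", "AS64500"),
                ns("ns2.dns-a.example", "dns-a", "AS64501")]
# Three providers that all happen to sit inside the same network.
SHARED_NETWORK = [ns("ns1.dns-a.example", "dns-a", "AS64500"),
                  ns("ns1.dns-b.example", "dns-b", "AS64500"),
                  ns("ns1.dns-c.example", "dns-c", "AS64500")]
# Providers and networks both spread out.
DIVERSE = [ns("ns1.dns-a.example", "dns-a", "AS64500"),
           ns("ns2.dns-a.example", "dns-a", "AS64501"),
           ns("ns1.dns-b.example", "dns-b", "AS64501"),
           ns("ns1.dns-c.example", "dns-c", "AS64502")]

def failure_domains(inventory, kinds=("provider", "network")):
    """Map each (kind, value) failure domain to the name servers that depend on it."""
    domains = {}
    for server in inventory:
        for kind in kinds:
            domains.setdefault((kind, server[kind]), set()).add(server["ns"])
    return domains

def smallest_outage(inventory):
    """Smallest set of failure domains whose simultaneous loss leaves no name server.

    Brute-force set cover; fine for the handful of name servers a zone has.
    """
    domains = failure_domains(inventory)
    all_ns = {server["ns"] for server in inventory}
    names = sorted(domains)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            if set().union(*(domains[d] for d in combo)) >= all_ns:
                return list(combo)
    return []  # empty inventory: nothing to lose

if __name__ == "__main__":
    for label, inv in (("one provider", ONE_PROVIDER),
                       ("shared network", SHARED_NETWORK),
                       ("diverse", DIVERSE)):
        print(f"{label}: outage needs {smallest_outage(inv)}")
```

A result of length 1 is a single point of failure; the shared-network case shows that counting providers alone can hide one.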

Nestor Arellano is a Senior Writer at ITBusiness.ca.

(With notes from Tony Bradley -PC World US)
