Wikipedia Investigates DDoS Attack
Sites in Europe, Middle East Affected Over the Weekend
The Wikimedia Foundation, which oversees the popular online encyclopedia, is investigating a distributed denial-of-service attack that temporarily blocked access to several of its regional sites over the weekend in parts of Europe as well as the Middle East.
In a statement, the foundation said that by Monday, access to all of the Wikipedia sites affected by the DDoS attack had been restored, and the not-for-profit organization was continuing to restore its infrastructure as well as investigate the cause of the attack.
The attack, which started sometime on Friday, affected several Wikipedia sites in Europe - including Poland, France, Germany and Italy - as well as parts of the Middle East, including Israel, according to downdetector.com. Wikipedia remains one of the world's most popular websites, ranking in the Top 10, according to an analysis by Amazon Alexa.
"As one of the world's most popular sites, Wikipedia sometimes attracts 'bad faith' actors," the Wikimedia Foundation says in its statement. "We condemn these sorts of attacks. They're not just about taking Wikipedia offline. Takedown attacks threaten everyone's fundamental rights to freely access and share information. We in the Wikimedia movement and foundation are committed to protecting these rights for everyone."
On Friday night, the official Twitter account for Wikipedia in Germany tweeted about the attack, noting the online encyclopedia's servers had been hit by a "massive and very broad DDoS attack."
of a 'Distributed-Denial-of-Service attack'. Since the requests in a DDoS attack originate from a large number of sources, it is not possible to block the attacker without shutting down communication with the network entirely." 3/3— WikimediaDeutschland (@WikimediaDE) September 6, 2019
Netblocks, an internet access watchdog group, also took notice of the attack, noting on Twitter that it appeared to have been amplified through the use of unsecured internet of things devices.
Alert: #Wikipedia is now down across the #US and much of the world, following hours of intermittent disruption caused by a major #DDoS attack; incident ongoing #WikipediaDown— NetBlocks.org (@netblocks) September 7, 2019
It's not clear where the attack against Wikipedia sites started, although at least one person claimed responsibility.
A Twitter user who goes by the handle "UkDrillas" claimed responsibility for the attack, according to a report in the Israeli publication Haaretz. In a series of tweets, the user laid out a timeline of his attacks. In a later tweet, he claimed he was only "testing some new IoT devices." After that, however, the user's Twitter account was blocked on Saturday night, according to Haaretz.com.
The attack was claimed by a hacker called UkDrillas who vowed it would continue and said it was only a "test" for an IoT-driven DDoS botnet attack #wikipediadown https://t.co/Z0EneQKGke pic.twitter.com/sKL9YNcZ8I— Omer Benjakob (@omerbenj) September 7, 2019
In its statement, the Wikimedia Foundation did not specify who may have been behind the attack, and a spokesperson declined to discuss the issue further on Monday.
Terry Ray, a senior vice president and CTO at security firm Imperva, tells Information Security Media Group that since the motives behind these various DDoS attacks vary, security leaders need to ask themselves what the cost of preventing an attack is versus the long-term damage to a company's image or brand that could result if the issue is not resolved quickly enough.
"The reason DDoS attacks are successful are simply because DDoS isn't always perceived as a cybersecurity issue," Ray says. "Consider that DDoS doesn't actually steal anything itself, beyond slowing or stopping businesses in some cases. DDoS is more of an uptime and reliability factor for businesses. Companies have to ask themselves what the cost is for downtime and media attention for these types of attacks - is the cost of mitigation worth the cost of downtime and brand? It's a simple equation and one most businesses have already done. Wikipedia likely determined the cost of protection was more than the cost of DDoS business impact."
DDoS Attacks Increasing
While individual Wikipedia pages have previously been defaced and some countries have blocked access to the sites, this weekend's incidents may be the first time that the online encyclopedia has sustained a large-scale DDoS attack, Haaretz reports.
Those who wage DDoS attacks against websites and internet service providers sometimes attempt to use these incidents to make a profit. For example, earlier this year, a British man pleaded guilty and was sentenced to prison following an attack in the West African country of Liberia. He claims he was paid $100,000 by a rival internet service provider to conduct the attack (see: UK Sentences Man for Mirai DDoS Attacks Against Liberia).
Meanwhile, a defendant who prosecutors say helped co-create the notorious Satori botnet pleaded guilty earlier this month to computer crime charges. Kenneth Currin Schuchman admitted that he and others attempted to rent out various botnets for DDoS attacks that others could use (see: Satori Botnet Co-Creator Pleads Guilty).
After a decrease in DDoS attacks in 2018, the numbers have increased during the first part of this year, according to a Kaspersky report. The total number of attacks climbed by 84 percent in the first quarter of 2019 compared to the fourth quarter of 2018, Kaspersky says. In addition, the number of attacks that lasted more than 60 minutes doubled quarter-over-quarter.
Kaspersky researchers attributed the fall in DDoS attack numbers at the end of 2018 to a market vacuum in botnet distribution. The researchers say the supply deficit was linked to the clamping down on DDoS attacks, the closure of sites selling related services and the arrest of some major players over the past year.
"Now it seems the vacuum is being filled: Such explosive growth in the indicators is almost certainly due to the appearance of new suppliers and clients of DDoS services," the Kaspersky report states.