[ISN] Technical aspects of the DDoS attacks upon the Church of Scientology

From: InfoSec News (alerts@private)
Date: Mon Jan 28 2008 - 00:15:50 PST


http://www.news.com/8301-10789_3-9858552-57.html

By Robert Vamos
Defense in Depth
January 25, 2008 

Dr. Jose Nazario of Arbor Networks has been looking at the technical 
side of the distributed denial of service (DDoS) attacks upon a domain 
registered to the Church of Scientology International. In general he 
finds that while there have been a lot of DDoS attacks, the early ones 
were mild. They were, however, stronger than the DDoS attacks upon 
various Estonian sites last spring. As a protective measure, the Church 
of Scientology has since moved its domain to a more protected space.

Prior to the move, Nazario found that on January 19, there were 488 DDoS 
events, all of which appear to come from one IP address, "indicating," 
said Nazario, "that this is not a huge, broadly sourced attack (i.e. it 
may not have registered on other ISPs' systems)." He also notes that the 
types of attacks he saw on Saturday were "common, garden-variety DDoS 
attacks."

Nazario's other findings include:

    Maximum PPS rates seen: nearly 20,000 pps (packets per second), with 
    an average attack size of 15,000 pps.

    Maximum bandwidth seen per attack: 220 Mbps, with an average attack 
    size of 168 Mbps. This is on the high side of an attack, but 
    significantly smaller than the largest ones we commonly see 
    nowadays.

    Maximum duration of a single attack: 1.8 hours, which is on the long 
    end of common, but the average attack lasted just under half an 
    hour.

On January 21, the Church of Scientology moved its domain to Prolexic 
Technologies, a company that protects Web sites from DDoS attacks. 
Attacks against the site have increased, with a major assault on 
Thursday night at 6 p.m. EST.

Nazario says "I went looking and was unable to detect attacks against 
the Scientology Web site in particular. The new IP address of the CoS 
Web site is located within the Prolexic DDoS service network. It's 
difficult for (Arbor Networks) to detect these attacks in particular 
from the milieu of DDoS attacks" inside the Prolexic service.

This archive was generated by hypermail 2.1.3 : Mon Jan 28 2008 - 00:26:40 PST