IDG News Service - The Arab satellite television network Al-Jazeera suffered a second day of sustained distributed denial-of-service (DDOS) attacks against its English- and Arabic-language Web sites today.
The attacks have pushed the network, which is based in Doha, Qatar, off the Web for the time being and have forced Al-Jazeera to increase bandwidth for the sites and step up security in a desperate effort to get back online.
"All of our Web sites are down. The U.S. [Web site] is out of order, and the Europe [Web site] is under attack. We come up for five or 10 minutes, and then the attacks bring us down again," said Salah AlSeddiqi, IT manager at Al-Jazeera.
AlSeddiqi and others describe a powerful and coordinated attack on Al-Jazeera's Web sites that began on Tuesday, shortly after the network published photos of U.S. soldiers who had been taken prisoner by Iraqi forces inside Iraq. Al-Jazeera was hit with traffic in excess of 200M bit/sec. -- and up to 300M bit/sec., he said.
The network's Web sites typically receive traffic in the range of 50M bit/sec. or 60M bit/sec. With the commencement of hostilities, however, traffic to Al-Jazeera's sites had spiked to more than 150M bit/sec., AlSeddiqi said.
Joanne Tucker, managing editor of Al-Jazeera's English language Web site (which was inaccessible at midafternoon today), described the attacks as Domain Name System (DNS) flood attacks. DNS flood attacks send a high volume of Internet traffic to the name servers that are responsible for a particular Web domain, rendering those servers unresponsive.
In response to the attacks, Al-Jazeera attempted to increase its bandwidth allocation, but the attackers scaled their efforts to meet the increase, according to AlSeddiqi.
As a result of the sustained attacks, the Qatar company that managed the site told Al-Jazeera today that its U.S.-based hosting company said it could no longer continue to host the sites because of the effect of the attacks on other customer Web sites, AlSeddiqi said.
That company, DataPipe, a service of Hoboken Web Services LLC in Hoboken, N.J., said in a statement that it provided hosting services to the Qatar company that managed the Al-Jazeera site but had ended its relationship with that company. DataPipe didn't have a contract or a relationship with Al-Jazeera itself, the company said.
Al-Jazeera was told that its site would continue to be hosted only until the end of March, AlSeddiqi said.
The recent attacks and that decision by one of its Web hosting companies has IT staff at Al-Jazeera suspicious of larger forces that may be at work. "We feel it's an organization with know-how and money. They have very powerful machines to do [the attack] and someone to pay for the bandwidth," AlSeddiqi said.
Tucker expressed concerns that the attacks may be part of a coordinated effort to silence the network for coverage that has been critical of the U.S.-led war in Iraq. "It's a strategy to block access to the site to legitimate visitors. The problem is that any content or information that doesn't boost U.S. morale or unify public opinion might be perceived as a threat to the war effort," Tucker said.
A security expert familiar with Al-Jazeera's troubles said the news network appeared to be suffering both from an Internet Relay Chat (IRC) "bot" attack and from increased demand resulting from the outbreak of hostilities in Iraq and the launch of its English language site.
IRC bot attacks use IRC chat channels to send coordinated attack instructions to networks of compromised machines worldwide, according to Johannes Ullrich, chief technology officer at the Internet Storm Center at the SANS Institute in Bethesda, Md.
While the volume of traffic to Al-Jazeera's Web sites was high, a network of between 1,000 and 5,000 compromised machines could easily generate that level of traffic, Ullrich said. Such networks aren't uncommon. Some IRC bot networks contain more than 10,000 zombie machines, he said.
Casting doubt on the suggestion that the attacks had to originate from a large, well-funded source, Ullrich said the IRC bots could easily be coordinated by a single user with knowledge of the network and the right commands to issue. "There are probably plenty of people who can do something like [the Al-Jazeera DDOS attack] just for the fun of it. I just got DDOSed last night," Ullrich said.
Others familiar with such attacks say they are common and have many origins.
"We have a number of customers who come to us with concerns like [Al-Jazeera's]. Effectively, they're experiencing a virtual sit-in," said Andy Ellis, chief security architect at Akamai Technologies Inc., an e-business infrastructure provider in Cambridge, Mass.
While 200M bit/sec. is high volume for a single Web site to suffer, Ellis said that he knew of larger attacks.
In addition, it's common for DDOS attacks to be targeted at routers or DNS servers that service a number of different Web sites, according to Ullrich. Hosting companies will frequently decide to stop hosting the site that's attracting the unwanted attention in order to maintain service to its other customers, he said.
"The sad thing is that there's very little they can do. If you have 10,000 or 20,000 machines attacking you and they're constantly changing, the only thing you can do is get more bandwidth -- essentially buy your way out of the attack," Ullrich said.
Other companies, including many prominent U.S. news Web sites, opt to use private networks, such as Akamai's, which blunt the force of DDOS attacks by spreading the hosted Web site content out to thousands of host servers and then routing each request to a server close to the request source.
Akamai's network also uses load balancing to direct traffic away from servers that are experiencing high demand, as in a DDOS attack, Ellis said.
An Akamai spokesman declined to comment on whether the company had been contacted by Al-Jazeera or whether it would be willing to host Al-Jazeera's Web sites.
While it works to crawl out from under the DDOS attack, Al-Jazeera is continuing to update content on its English-language site. The network is also moving forward with the development of a fully-featured English language Web site that will include more than just war coverage, according to Tucker.
The company hopes to be back online soon, and the launch of its full English-language site is on schedule for mid-April, Tucker said.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
