Random thoughts and ideas…
Archive for November, 2010
WikiLeaks DDoS: Don’t jump to conclusions
Nov 28th
So, the WikiLeaks Twitter account is claiming that their website is suffering “a mass distributed denial of service attack”. Given the sensitivity of the documents they are apparently planning to release, many will believe that this is action by the US Government to prevent the documents’ release.
That assumption is not unreasonable, but several things need to be considered first:
- The only party claiming that the website is under attack is WikiLeaks itself. There has not (as of the time of writing, 5pm GMT on Sunday) been any independent verification from other parties such as network or hosting providers. Remember, /etc/init.d/apache stop is the ultimate way to deny service to your own website… and, from the outside, a stopped daemon looks quite different from a saturated link: the former answers with "connection refused", the latter simply times out. Anyone with a shell on a second network can tell the two apart in seconds.
- There may have been a legal takedown. WikiLeaks have been shuffling IP hosting quite a bit recently. If the jurisdiction your infrastructure is in believes there is a legal reason for you not to be able to serve your content, then all bets are off. Undue censorship? Possibly — but that’s not a discussion for this blog.
- There might actually be a DDoS, but not initiated by whom you would expect. It would certainly serve certain constituencies Very Nicely, Thank You for USGov to be "framed" for this; note that those constituencies would include WikiLeaks themselves. Given the recent comprehensive analysis of the Stuxnet malware by Symantec (you should also read the full report, which is an incredibly well-prepared piece of work), we may well be into the days of state-sponsored cyber-warfare, although this is currently very much at the "targeted" end of the spectrum rather than the indiscriminate one.
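The first two points above are checkable, and the check is cheap. Below is a small triage script, added here as an example and not code from the original post, that records how a site is unreachable rather than merely that it is: a name that no longer resolves (consistent with a registrar or zone change), a TCP reset (nothing listening, which is what a stopped daemon produces), a timeout (the only symptom that even looks like saturation), or a working server that is refusing to serve. The label names, verdict strings and the "control" probe against a closed local port are this example's own inventions. Run probe() from several networks, feed the labels into assess(), and notice that a single observation never gets you past "consistent with".

```python
"""Outage triage from one or more vantage points.

Added example, not code from the original post. Labels, function names and
verdict strings are this example's own. The point: "the site is down" is a
symptom; the *way* it is down is evidence, and a stopped daemon, a DNS change
and a saturated link look different from outside.
"""
import socket
import sys
from http.client import HTTPConnection, HTTPSConnection, HTTPException

# Per-vantage-point labels (names chosen for this example).
UP = "up"
DNS_FAILURE = "dns-failure"        # name does not resolve: zone/registrar change or takedown?
REFUSED = "connection-refused"     # RST from the host: nothing listening, e.g. apache stopped
TIMEOUT = "timeout"                # no answer at all: saturation, filtering or routing
UNREACHABLE = "unreachable"        # our side has no route: says nothing about the target
HTTP_ERROR = "http-error"          # TCP and HTTP work but the server refuses to serve


def classify(exc):
    """Map the exception a probe raised (or None on success) to a label."""
    if exc is None:
        return UP
    if isinstance(exc, socket.gaierror):
        return DNS_FAILURE
    if isinstance(exc, (ConnectionRefusedError, ConnectionResetError)):
        return REFUSED
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return TIMEOUT
    if isinstance(exc, OSError):              # ENETUNREACH, EHOSTUNREACH, ...
        return UNREACHABLE
    return "unknown:" + type(exc).__name__


def probe(host, port=80, path="/", timeout=5.0, use_tls=False):
    """One vantage point's evidence: resolve, connect, HEAD. Returns (label, detail)."""
    conn_cls = HTTPSConnection if use_tls else HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"User-Agent": "outage-triage-example/0.1"})
        status = conn.getresponse().status
    except HTTPException as exc:              # connected, but the peer is not talking HTTP
        return HTTP_ERROR, f"{type(exc).__name__}: {exc}"
    except OSError as exc:                    # gaierror, refused, timeout, no route
        return classify(exc), f"{type(exc).__name__}: {exc}"
    finally:
        conn.close()
    if status < 400:
        return UP, f"HTTP {status}"
    return HTTP_ERROR, f"HTTP {status}"       # 403/503 etc.: app-level or deliberate


def assess(observations):
    """Combine labels from several vantage points into a cautious verdict code.

    observations: {vantage_name: label}. "unreachable" is discarded: it is
    evidence about the observer's network, not about the target.
    """
    labels = {lbl for lbl in observations.values() if lbl != UNREACHABLE}
    if not labels:
        return "no-evidence"
    if labels == {UP}:
        return "reachable"
    if UP in labels:
        return "partial"             # down for some, up for others: local or selective
    if labels == {REFUSED}:
        return "service-stopped"     # consistent with the daemon simply being stopped
    if labels == {DNS_FAILURE}:
        return "dns-takedown"        # look at the zone and the registrar, not the packets
    if labels == {TIMEOUT}:
        return "possible-ddos"       # plausible, still unproven without provider data
    return "inconclusive"


def demo_stopped_service():
    """Control case for the '/etc/init.d/apache stop' remark: probe a port on
    127.0.0.1 with nothing listening. A stopped daemon yields 'connection-refused',
    not a timeout (unless a host firewall DROPs, which is one more reason a
    single observation proves little)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()                                 # nothing listens there any more
    return probe("127.0.0.1", port=port, timeout=2.0)[0]


if __name__ == "__main__":
    for target in sys.argv[1:] or ["example.com"]:     # example.com is a placeholder
        print(target, *probe(target))
    print("control, closed local port:", demo_stopped_service())
    # Constructed observations, not real measurements: two networks time out,
    # a third reaches the site. That is "partial", not a global outage.
    print("verdict:", assess({"home": TIMEOUT, "vps-eu": TIMEOUT, "office": UP}))
```

The verdicts deliberately stop at "consistent with": provider-side flow data or the host's own logs are what turn "possible-ddos" into an attack, and the script cannot see either.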
One of the things that Ed Skoudis taught me about monitoring systems and security on my SANS Incident Handling course several years ago, and which I’ve never forgotten, is: “Never assume that everything is ok!” I would venture to add to that: “Never assume that the most obvious cause is the actual cause.”
Evidence, evidence, evidence! Make sure you can prove your theories before betting the ranch (or your job!) on them!
In all likelihood, we will never actually know what has gone on with WikiLeaks today — mainly because it serves WikiLeaks not to tell anyone. But, this is definitely a case, as I watch Twitter jumping to conclusions as it is wont to do, where, I suspect, the most obvious cause is not in fact what is going on here.