The Arab satellite television network Al-Jazeera suffered a second day of sustained distributed denial of service (DDOS) attacks against its English and Arabic language Web sites on Wednesday.
The attacks have pushed the network, which is based in Doha, Qatar, off the Web for the time being and forced Al-Jazeera to increase bandwidth for the sites and step up security in a desperate effort to get back online.
“All of our Web sites are down. The U.S. (Web site) is out of order and the Europe (Web site) is under attack. We come up for five or 10 minutes and then the attacks bring us down again,” said Salah AlSeddiqi, IT manager at Al-Jazeera.
Seddiqi and others describe a powerful and co-ordinated attack on Al-Jazeera’s Web sites that began on Mar. 25, shortly after the network published photos of U.S. soldiers who had been taken prisoner by Iraqi forces inside Iraq.
Beginning on Tuesday, Al-Jazeera was hit with traffic in excess of 200Mbps second and up to 300Mbps, he said.
The network’s Web sites typically receive traffic in the range of 50 or 60Mbps. With the commencement of hostilities, however, traffic to Al-Jazeera’s sites had spiked to more than 150Mbps, AlSeddiqi said.
The attacks were described as a Domain Name System (DNS) flood attack by Joanne Tucker, managing editor of Al-Jazeera’s English language Web site, whose address is http://english.aljazeera.net.
DNS flood attacks send a high volume of Internet traffic to the name servers that are responsible for a particular Web domain, rendering those servers unresponsive.
In response to the attacks, Al-Jazeera attempted to increase its bandwidth allocation, but the attackers scaled their efforts to meet the increase, according to AlSeddiqi.
As a result of the sustained attacks, the Qatar company that managed the site told Al-Jazeera on Wednesday that its U.S.-based hosting company said it could no longer continue to host the sites because of the effect of the attacks on other customer Web sites, AlSeddiqi said.
That company, DataPipe, a service of Hoboken Web Services LLC in Hoboken, New Jersey, said in a statement that it provided hosting services to the Qatar company that managed the Al-Jazeera site, but had ended its relationship with that company.
DataPipe did not have a contract or a relationship with Al-Jazeera itself, the company said.
Al-Jazeera was told that its site would continue to be hosted only until the end of March, AlSeddiqi said.
The recent attacks and the decision by one of its Web hosting companies has IT staff at Al-Jazeera suspicious of larger forces that may be at work.
“We feel it’s an organization with know-how and money. They have very powerful machines to do (the attack) and someone to pay for the bandwidth,” AlSeddiqi said.
Tucker expressed concerns that the attacks may be part of a co-ordinated effort to silence the network for coverage that has been critical of the U.S.-led war in Iraq.
“It’s a strategy to block access to the site to legitimate visitors. The problem is that any content or information that doesn’t boost U.S. morale or unify public opinion might be perceived as a threat to the war effort,” Tucker said.
A security expert familiar with Al-Jazeera’s troubles said the news network appeared to be suffering both from an Internet Relay Chat (IRC) “bot” attack and from increased demand due to the outbreak of hostilities in Iraq and the launch of its English language site.
IRC bot attacks use IRC chat channels to send co-ordinated attack instructions to networks of compromised machines worldwide, according to Johannes Ullrich, chief technology officer for the Internet Storm Center at the SANS Institute.
While the volume of traffic to Al-Jazeera’s Web sites was high, a network of between 1,000 and 5,000 compromised machines could easily generate that level of traffic, Ullrich said.
Such networks are not uncommon. Some IRC bot networks contain over 10,000 zombie machines, he said.
Casting doubt on the suggestion that the attacks had to originate from a large, well-funded source, Ullrich said that the IRC bots could easily be co-ordinated by a single user with knowledge of the network and the right commands to issue.
“There are probably plenty of people who can do something like (the Al-Jazeera DDOS attack) just for the fun of it. I just got DDOS’d last night,” Ullrich said.
Others familiar with such attacks say they are common and have many origins.
“We have a number of customers who come to us with concerns like (Al-Jazeera’s). Effectively they’re experiencing a virtual sit in,” said Andy Ellis, chief security architect at Akamai Technologies Inc., an e-business infrastructure provider in Cambridge, Mass.
While 200Mpbs is high volume for a single Web site to suffer, Ellis said that he knew of larger attacks.
In addition, it is common for such DDOS attacks to be targeted at routers or DNS servers that service a number of different Web sites, according to Ullrich.
Hosting companies will frequently decide to stop hosting the site that is attracting the unwanted attention in order to maintain service to its other customers, he said.
“The sad thing is that there’s very little they can do. If you have 10,000 or 20,000 machines attacking you and they’re constantly changing, the only thing you can do is get more bandwidth — essentially buy your way out of the attack,” Ullrich said.
Other companies, including many prominent U.S. news Web sites, opt to use private networks such as Akamai’s which blunt the force of DDOS attacks by spreading the hosted Web site content out to thousands of host servers, then routing each request to a server close to the request source.
Akamai’s network also uses load balancing to direct traffic away from servers that are experiencing high demand, as in a DDOS attack, Ellis said.
An Akamai spokesman declined to comment on whether the company had been contacted by Al-Jazeera or whether it would be willing to host Al-Jazeera’s Web sites.
While it works to crawl out from under the DDOS attack, Al-Jazeera is continuing to update content on its English language site. The network is also moving forward with the development of a fully-featured English language Web site that will include more than just war coverage, according to Tucker.
The company hopes to be back online soon and said that the launch of its full English language site is on schedule for mid-April, Tucker said.
