, , , , ,

By Rady Ananda

For two days this month, WordPress.com, which hosts a tenth of the world’s websites drawing nearly 300 million unique visitors a month, suffered the largest distributed denial-of-service attack in its six-year history. Six separate attacks on March 3 and 4, mostly originating from China, targeted a single Chinese-language site hosted by WP.

On March 3rd, WordPress founder Matt Mullenweg told TechCrunch (also hosted by WP), “There’s an ongoing DDoS attack that was large enough to impact all three of our datacenters in Chicago, San Antonio, and Dallas.”

In its VIP blog post, WP advised, “The size of the attack was multiple gigabits per second and tens of millions of packets per second,” reported TC.

WP tech-defender, Automattic, said the attack was in the 4-6 Gbit range, but is dwarfed by a 2008 attack of 8 gigabits per second. However, the March 2011 attack lasted much longer and involved different tactics.

The DDoS attacks began at 2:10AM PST on March 3rd, but the largest one, eight hours later, overwhelmed “the network links and network routers, switches, and servers with ‘junk packets’ in what is called a TCP flood.” Then, at 3AM PST on March 4th:

“[T]he attackers switched tactics. Rather than a TCP flood, they switched to a HTTP resource consumption attack. Enlisting a bot-net consisting of thousands of compromised PCs, they made many thousands of simultaneous HTTP requests in an attempt to overwhelm our servers. The source IPs were completely different than the previous attacks, but mostly still from China.”

The graph above shows the size of the attack in packets per second. (Larger image here.) The below graph shows the size of the attack in bits per second, affecting bandwidth:

Initially, WP’s founder believed the attack was politically motivated, according to Mullenweg’s email to TechCrunch:

“This is the largest and most sustained attack we’ve seen in our 6 year history. We suspect it may have been politically motivated against one of our non-English blogs but we’re still investigating and have no definitive evidence yet.”

Automattic denies this in its March 7th post, without offering any reason for its change in perception.

Digital Trends reports:

“The country has increasingly found itself accused of issuing these types of attacks or attempting to infiltrate confidential online information. Earlier this year, the WikiLeak’s release of diplomatic cables revealed that the Chinese government was responsible for hacking Google, and security firm McAfee recently issued a report indicating that Chinese hackers were guilty of launching cyberattacks against US fuel companies for years.”

The New York Times reports that cell phone users in China who use the word “protest” find themselves disconnected, adding:

“A host of evidence over the past several weeks shows that Chinese authorities are more determined than ever to police cellphone calls, electronic messages, e-mail and access to the Internet in order to smother any hint of antigovernment sentiment. In the cat-and-mouse game that characterizes electronic communications here, analysts suggest that the cat is getting bigger, especially since revolts began to ricochet through the Middle East and North Africa, and homegrown efforts to organize protests in China began to circulate on the Internet about a month ago.”

For about two hours on March 22nd, WP members were denied access to the admin pages, unable to post content. One WP administrator claimed this was due to “an unrelated network maintenance issue.” Sites were not equally affected, however. On my Food Freedom blog, we lost an entire column of content, while at COTO Report, all content remained visible. WP notes on its Health Status page for that day:

20:34 GMT WordPress.com started experiencing performance issues. Within 15 minutes the condition had become severe, primarily affecting publishing and administration.

21:24 GMT WordPress.com performance problems with the front end resolved, but publishing and adminstration were still unavailable.

22:50 GMT WordPress.com publishing was made read-only to prevent customers being disconnected while authoring content.

00:56 GMT WordPress.com systems fully recovered.

WordPress hosts over 18 million sites, including some ultra mainstream ones like CNN, the Los Angeles Times, TED, Time Magazine, CBS and the National Football League. Though two-thirds of all blogs are in English, over 120 languages are represented. Users post a half million blogs each day.

Partnership with sites like YouTube, Google Video, Flickr and PhotoBucket, which enable easily embedded content, no doubt contributes to WP popularity. Simplified platforms also allow users to easily share WP content with social media sites like Facebook and Twitter.

Elance’s 2010 year-end report for online employment trends noted: “WordPress experts rose an impressive 15% quarter-over-quarter, moving up three highly coveted spots to #2, trailing only behind PHP programmers. This marks the first time that any content management system has moved into the top three skills in demand by businesses.”

Indeed. WordPress administrators noted, “We weather DDoS attacks every day on WP.com and 99.9% of them have no user impact.”