Technical aspects of the DDoS attacks upon the Church of Scientology
One day saw 488 DDoS attacks, but Dr. Jose Nazario of Arbor Networks says they were mostly of the common, garden variety.
Dr. Jose Nazario of Arbor Networks has been looking at the technical side of the distributed denial of service (DDoS) attacks upon the domain registered to the Church of Scientology International. In general he finds that while there have been a lot of DDoS attacks, the early ones were mild. They were, however, stronger than the DDoS attacks upon various Estonian sites last spring. As a protective measure, the Church of Scientology has since moved its domain to a more protected space.
Prior to the move, Nazario found that on January 19, there were 488 DDoS events, all of which appear to come from one IP address, "indicating," said Nazario, "that this is not a huge, broadly sourced attack (i.e. it may not have registered on other ISPs' systems)." He also notes that the types of attacks he saw on Saturday were "common, garden-variety DDoS attacks."
Nazario's other findings include:
Maximum PPS rates seen: nearly 20,000 pps (packets per second), with an average attack size of 15,000 pps.
Maximum bandwidth seen per attack: 220 Mbps, with an average attack size of 168 Mbps. This is on the high side of an attack, but significantly smaller than the largest ones we commonly see nowadays.
Maximum duration of a single attack: 1.8 hours, which is on the long end of common, but the average attack lasted just under half an hour.
On January 21, the Church of Scientology moved its domain to Prolexic Technologies, a company that protects Web sites from DDoS attacks. Attacks against the site have increased, with a major assault on Thursday night at 6 p.m. EST.
Nazario says, "I went looking and was unable to detect attacks against the Scientology Web site in particular. The new IP address of the CoS Web site is located within the Prolexic DDoS service network. It's difficult for (Arbor Networks) to detect these attacks in particular from the milieu of DDoS attacks" inside the Prolexic service.