WikiLeaks armors itself to survive cyberattacks

As its operations have come under increasing financial and political pressure, WikiLeaks has quietly bolstered its electronic defenses in an attempt to become more difficult to censor.

In the last few days, the portion of WikiLeaks' infrastructure that relied on a company in Reno, Nev., has been shifted outside the United States to a provider in Toronto. Instead of employing only one company to direct traffic to Wikileaks.ch, currently the organization's primary Web site, 14 providers are now being used to provide redundancy in case of legal or extralegal attack.

The reconfiguration comes as WikiLeaks founder Julian Assange was arrested today on sexual assault-related charges in London--charges that he strenuously denies and says are politically motivated--and was denied bail. An extradition hearing has been scheduled for December 14.

Since WikiLeaks began releasing confidential U.S. State Department cables last month, at a pace that seems guaranteed to maximize the embarrassment for Washington officialdom, an increasing number of service providers have distanced themselves. The list includes Amazon.com, PayPal, Visa, EveryDNS, and, as CNET was the first to report yesterday, MasterCard. It's also been the target of a flood of denial-of-service attacks designed to overwhelm its infrastructure so other visitors can't get through.

Some politicians have called on companies to sever their connections with WikiLeaks, making it more risky for WikiLeaks to rely on U.S.-based infrastructure. Sen. Joseph Lieberman of Connecticut, who heads the Homeland Security Committee, said last week that: "No responsible company--whether American or foreign--should assist WikiLeaks in its efforts to disseminate these stolen materials." And one congressman wants WikiLeaks to be designated a "terrorist" organization, which would make it a crime for any company or individual to provide it with material support.

As part of its technological countermeasures undertaken since Friday, WikiLeaks has turned to servers operated by the Swedish Pirate Party, which previously signaled support for the document-sharing effort in August. And the number of mirror sites continues to grow at the pace of one every few minutes, topping 1,000 this afternoon.

The countermeasures are designed to keep WikiLeaks' constellation of Web sites--including Wikikeaks.is, Wikileaks.fr, Wikileaks.de, Wikileaks.nl, and Wikileaks.no--online in case of a denial-of-service attack or other, less direct, pressure.

Like nearly every Web site, WikiLeaks relies on two different infrastructure pieces to function: a link with the Internet's Domain Name System, or DNS, and a hosting provider. Because both components have recently come under pressure, WikiLeaks has been armoring both. (DNS providers translate between the human-readable address CNET.com and the numeric address 216.239.113.101.)

As of last Friday, Wikileaks.ch was using only one DNS provider, swebflex.ch, which left it vulnerable to legal attacks and denial of service attacks. As of this afternoon, it's using 14 of them for redundancy:

Wikileaks.ch. ns1.twisted4life.com.
Wikileaks.ch. elrido.no-ip.org.
Wikileaks.ch. dns2.easydns.net.
Wikileaks.ch. s2.s3cr3t.de.
Wikileaks.ch. dns1.syshack.org.
Wikileaks.ch. ns2.easydns.com.
Wikileaks.ch. lou.porcus.ch.
Wikileaks.ch. marmotta.brabbel.ch.
Wikileaks.ch. ns1.buzzernet.net.
Wikileaks.ch. dns.wikileaks.ch.
Wikileaks.ch. v217241437.yourvserver.net.
Wikileaks.ch. dns2.syshack.org.
Wikileaks.ch. ns1.pcdog.ch.
Wikileaks.ch. arjeplog.scnr.ch.

Similarly, WikiLeaks.nl used Nevada-based rollernet.us for DNS service last week and was hosted in Sweden at only one IP address. Now it's using Toronto-based EasyDNS for DNS service and, for Web hosting, no fewer than five different IP addresses in the Netherlands.

Mark Jeftovic, president of EasyDNS, wrote in a blog post yesterday that he's cautiously optimistic about surviving distributed denial-of-service (DDoS) attacks aimed at his company's servers.

"When it became apparent that one or more WikiLeaks domains were headed here, we alerted Prolexic to the situation and they're on alert," he wrote. "So far, we haven't seen any attack traffic across our name servers and it would be nice if it stayed that way." (Prolexic provides protection against DDoS attacks.)

Successful DDoS attacks can irk customers, especially at smaller DNS providers, once they realize their site is unreachable after a server becomes overloaded.

So it was not much of a surprise that EveryDNS, part of Dyn.com of Manchester, N.H., pulled the plug after an especially serious attack last week. "Wikileaks.org has become the target of multiple distributed denial of service attacks," EveryDNS said. "These attacks have, and future attacks would, threaten the stability of the EveryDNS.net infrastructure, which enables access to almost 500,000 other Web sites."

Meanwhile, in what appears to be a symbolic gesture, Wikileaks.org remains offline--the group hasn't chosen to redirect it away from EveryDNS to, say, a European provider. Another consideration, of course, is that the master server, called registry, for the .org, .com, and .net domains are run by U.S.-based companies. That makes it safer for the group to rely on Wikileaks.ch.

Thuy Ledinh, a representative for the Public Interest Registry of Reston, Va., which operates the .org registry, told CNET today that the organization has not been pressured by the feds to make Wikileaks.org permanently disappear from the Internet.

We "have not been contacted by any governmental authorities regarding the domain," Ledinh said.