
September 2019 DoS attacks [Public]
Open, HighPublic

Description

From 2019-09-06 17:50 UTC to 02:40 UTC the next day, Wikimedia websites were affected by a denial-of-service attack.

The attack targeted different datacenters at different times. The Amsterdam datacenter was the most heavily affected, so users in Europe were the most likely to experience problems.

The attack saturated some network links, and thus caused some users to see timeouts or slow service across all hosted wikis.

Throughout the attack, the SRE team were working hard to restore service. Reports from individual affected users are not required -- monitoring systems recorded the effects of the attack at all times.

Blog post: https://wikimediafoundation.org/news/2019/09/07/malicious-attack-on-wikipedia-what-we-know-and-what-were-doing/


How to: Report a connectivity issue

Event Timeline

Xqt added a subscriber: Xqt.Fri, Sep 6, 11:49 PM

I've contacted the UK National Cyber Security Centre about this and had a response. Is there an official contact I should use?

It looks like the perpetrator https://twitter.com/UKDrillas has moved on from Wikipedia to targeting Twitch streams.

MJL added a subscriber: MJL.Sat, Sep 7, 4:58 AM
MJL added a comment.Sat, Sep 7, 5:01 AM
This comment was removed by MJL.
tstarling renamed this task from ERR_CONNECTION_TIMED_OUT on multiple WikiMedia sites to September 2019 DoS attack.Sat, Sep 7, 5:27 AM
tstarling updated the task description. (Show Details)
tstarling lowered the priority of this task from Unbreak Now! to High.Sat, Sep 7, 5:29 AM
This comment was removed by Incnis_Mrsi.

Probably early days, but do we have any statistics on how large the attack was, etc.?
Maps of where the traffic came from?

Looks like attackers have stopped for now, but may be back tomorrow.

I've had a good response from NCSC; they have also contacted the Dutch equivalent.

As to what we know: the attackers are pretty open about what they are doing.

> Nope, reflection sucks. Anyone who goes down to amplification attacks is pretty much asking for it. It's also pretty much useless now since a lot of upstreams employ good ACL and firewall rules. IoT is where it's at right now.

> Not a 0day. Just some new devices we loaded off of an old PoC, but like you mentioned, it's a meme how all EU traffic is directed to a 20G AMS-IX link. Like 20G in 2019. Pretty funny.

> I've contacted the UK National Cyber Security Centre about this and had a response. Is there an official contact I should use?
> It looks like the perpetrator https://twitter.com/UKDrillas has moved on from Wikipedia to targeting Twitch streams.

Please forward to legal@wikimedia.org if you haven't already.

geraki added a subscriber: geraki.Sat, Sep 7, 9:13 AM

Feel free to delete the comment if my trouble has nothing to do with the incident, but an hour ago I found myself unable to hear any TCP reply from text-lb.eqiad.wikimedia.org[208.80.154.224] querying it from exactly one IP.

Replied by email.

@Habitator_terrae: Please file a separate task and be more specific in that new task what "doesn't work" means. See https://www.mediawiki.org/wiki/How_to_report_a_bug - thanks a lot! :)

@Aklapper: If I (German IP) want, for example, to see the pageviews for the German Wikipedia (for example the pageviews linked from the German main page https://de.wikipedia.org/wiki/Wikipedia:Hauptseite#footer-info-copyright-stats, i.e. https://tools.wmflabs.org/pageviews?pages=Wikipedia:Hauptseite&project=de.wikipedia.org ), I only see a "Page not found" error. It seems to be the same problem as this, because it is also a Wikimedia website which isn't available.

Dzahn added a subscriber: Dzahn.Sat, Sep 7, 12:08 PM
Lofhi added a subscriber: Lofhi.Sat, Sep 7, 12:52 PM

How certain is it that the attack—if it was noticeable at all—was the root cause of the esams outage? My analysis of Grafana plots and personal experience led me to the following conclusions:

  1. About 17:44 some network hardware in Amsterdam failed, presumably a router. Varnish and backends stayed idle.
  2. About 18:04 a change in dyna.wikimedia.org resolution threw Old-World users to eqiad, and the event is reflected in a strong activity surge recorded in Ashburn.
  3. About 18:24 European admins restarted the crashed device and the Foundation switched dyna.wikimedia.org back.
  4. The problematic device suffered more failures, but dyna.wikimedia.org remained at text-lb.esams.wikimedia.org.
BBlack added a subscriber: BBlack.Sat, Sep 7, 1:08 PM

It was definitely the attack, not a device failure. We won't generally release fine-grained details about an attack publicly, at least not this early and while threats and mitigations continue to be an ongoing concern. While attempting to investigate and mitigate various phases and variants of the attack during various windows of time yesterday, we did take various network engineering steps which shifted global traffic around between our edges, some of which can lead to the confusing analysis results above.

> How certain is it that the attack—if it was noticeable at all—was the root cause of the esams outage? My analysis of Grafana plots and personal experience led me to the following conclusions:
>
>   1. About 17:44 some network hardware in Amsterdam failed, presumably a router. Varnish and backends stayed idle.
>   2. About 18:04 a change in dyna.wikimedia.org resolution threw Old-World users to eqiad, and the event is reflected in a strong activity surge recorded in Ashburn.
>   3. About 18:24 European admins restarted the crashed device and the Foundation switched dyna.wikimedia.org back.
>   4. The problematic device suffered more failures, but dyna.wikimedia.org remained at text-lb.esams.wikimedia.org.

From the attackers' Twitter:

> We've stopped hitting Wikipedia's AMS-IX link to prove authenticity.
> We'll resume hitting at 22:45 BST+0
> Stay tuned =)

A couple of other times they stopped and restarted. You can see spikes in server logs which correspond to their announced activity.
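The correlation the comment above describes (spikes in request logs lining up with the attacker's announced start and stop times) can be checked mechanically rather than by eye. The following is an added example, not code from this task or from Wikimedia's infrastructure: it parses constructed combined-log-format lines (fake IPs, paths and timestamps embedded inline), counts requests per minute, flags minutes whose rate exceeds a multiple of the median, and maps the flagged minutes onto announced windows. The 21:45 UTC burst in the sample data and the window boundaries are assumptions for illustration, not measurements from the incident.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone
from statistics import median

UTC = timezone.utc
# Matches the "[07/Sep/2019:21:45:00 +0000]" field of a combined-log line.
LOG_RE = re.compile(r"\[(\d{2}/\w{3}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4})\]")


def _line(ts, ip, path):
    """Build one constructed combined-log-format line (fake data, not a real log)."""
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512 "-" "curl/7.64"'


def build_sample_log():
    """Constructed sample: ~4 req/min baseline, a 40 req/min burst at 21:45 and 21:46 (assumed)."""
    lines = []
    start = datetime(2019, 9, 7, 21, 40, tzinfo=UTC)
    for m in range(12):  # minutes 21:40 .. 21:51
        minute = start + timedelta(minutes=m)
        per_min = 40 if m in (5, 6) else 4
        for i in range(per_min):
            ts = minute + timedelta(seconds=(60 * i) // per_min)
            lines.append(_line(ts, f"198.51.100.{i % 50}", f"/wiki/Page{i}"))
    return lines


SAMPLE_LOG = build_sample_log()


def bucket_timestamp(line):
    """Return the UTC minute bucket of a log line, or None if the line has no timestamp."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%d/%b/%Y:%H:%M:%S %z").astimezone(UTC)
    return ts.replace(second=0, microsecond=0)


def requests_per_minute(lines):
    """Count parseable log lines per UTC minute, sorted by time."""
    counts = Counter()
    for line in lines:
        bucket = bucket_timestamp(line)
        if bucket is not None:
            counts[bucket] += 1
    return dict(sorted(counts.items()))


def detect_spikes(lines, factor=5.0, min_requests=10):
    """Flag minutes whose count is > factor x median rate and >= min_requests.

    The median (not the mean) is the baseline so that the burst itself does
    not inflate the threshold; min_requests suppresses noise on quiet logs.
    """
    counts = requests_per_minute(lines)
    if not counts:
        return []
    base = median(counts.values())
    return [t for t, c in counts.items() if c >= min_requests and c > factor * base]


def announced_window(start_iso, end_iso):
    """Turn two ISO-8601 UTC strings (e.g. from a tweet) into a (start, end) window."""
    return tuple(datetime.fromisoformat(s).replace(tzinfo=UTC) for s in (start_iso, end_iso))


def correlate(spikes, windows):
    """Map each announced (start, end) window to the flagged minutes that fall inside it."""
    return {(s, e): [t for t in spikes if s <= t < e] for s, e in windows}


if __name__ == "__main__":
    spikes = detect_spikes(SAMPLE_LOG)
    windows = [announced_window("2019-09-07T21:45", "2019-09-07T21:50")]
    for (s, e), hits in correlate(spikes, windows).items():
        print(f"{s:%H:%M}-{e:%H:%M} UTC: {len(hits)} spiking minute(s): "
              + ", ".join(t.strftime("%H:%M") for t in hits))
```

Two caveats when running this over real edge logs: convert the announced times to UTC first (the tweet above says "BST+0", which is ambiguous on its own), and remember that on a link saturated by volumetric traffic the log signal may be a trough in completed requests rather than a spike, so the same per-minute counts are worth checking for sudden drops as well.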

Vort added a subscriber: Vort.Sat, Sep 7, 1:48 PM

When attack started, I was able to access Wikipedia from time to time.
But now only possibility for me to access it is using Tor (my actual location is Ukraine).
If you banned my addresses as security measure, please unban them.

@Vort You probably need to send more information, but on which wiki? What's the exact error?

Vort added a comment.Sat, Sep 7, 2:13 PM

@Aklapper here it is: T232254. Please hide it since it contains private data.

Marostegui added a subtask: Restricted Task.Sat, Sep 7, 2:18 PM
Dalba added a subscriber: Dalba.Sat, Sep 7, 2:27 PM
Krinkle updated the task description. (Show Details)Sat, Sep 7, 2:39 PM
Paladox added a subscriber: Paladox.Sat, Sep 7, 3:05 PM
CDanis closed subtask Restricted Task as Resolved.Sat, Sep 7, 3:06 PM
RhinosF1 closed subtask Restricted Task as Resolved.Sat, Sep 7, 3:34 PM
Aschmidt removed a subscriber: Aschmidt.Sat, Sep 7, 7:05 PM
Aschmidt added a subscriber: Aschmidt.

Is there any idea on when the Wikimedia websites will act normally again? Oddly enough I only had this issue with Microsoft Edge and not with the Ecosia browser while using them at the same time, could this have a technical reason?

> Is there any idea on when the Wikimedia websites will act normally again? Oddly enough I only had this issue with Microsoft Edge and not with the Ecosia browser while using them at the same time, could this have a technical reason?

Most people have had no issues for a while now.

> Is there any idea on when the Wikimedia websites will act normally again? Oddly enough I only had this issue with Microsoft Edge and not with the Ecosia browser while using them at the same time, could this have a technical reason?

Can you provide more information about the issues you are experiencing by following: https://wikitech.wikimedia.org/wiki/Reporting_a_connectivity_issue
Thank you!

Aschmidt removed a subscriber: Aschmidt.Sat, Sep 7, 7:33 PM
Aschmidt added a subscriber: Aschmidt.
Aschmidt removed a subscriber: Aschmidt.
Izno added a subscriber: Izno.Sat, Sep 7, 9:33 PM

Message received from UK National Cyber Security Centre. Is there any info we could send to them?

> Hi Richard,
> Are you aware of any further incidents against Wikipedia or degradation of service since the original reported incident?
> Also do you know if there are any logs available regarding the incident or any IoCs that can be sent to us?
> Kind regards,
> Nick U
> NCSC Incident Management Team

Reedy added a subscriber: Reedy.Sun, Sep 8, 7:30 PM

> Message received from UK National Cyber Security Centre. Is there any info we could send to them?
>
> > Hi Richard,
> > Are you aware of any further incidents against Wikipedia or degradation of service since the original reported incident?
> > Also do you know if there are any logs available regarding the incident or any IoCs that can be sent to us?
> > Kind regards,
> > Nick U
> > NCSC Incident Management Team

WMF-Legal are in communication with them. You don't need to respond on their behalf. Thanks

Just forwarded some information to legal/ca@ regarding UKDrillas' next host (now the twitter fun has ended)

RhinosF1 raised the priority of this task from High to Unbreak Now!.Sun, Sep 8, 11:37 PM

Attacker has confirmed on Twitter he's back; ops are reporting connectivity issues and there are multiple reports of issues on Twitter.

bd808 lowered the priority of this task from Unbreak Now! to High.Sun, Sep 8, 11:38 PM
bd808 added a subscriber: bd808.

Downgrading from UBN! to High. The actions that we can take are being taken.

Note we don't actually use phabricator for the actual incident response on something like this. There's no need to mess with priorities or send notifications here :)

Krinkle renamed this task from September 2019 DoS attack to September 2019 DoS attack [Public].Sun, Sep 8, 11:56 PM
Krinkle added a subtask: Restricted Task.
CDanis closed subtask Restricted Task as Resolved.Mon, Sep 9, 2:02 PM
Patriccck renamed this task from September 2019 DoS attack [Public] to September 2019 DoS attacks [Public].Thu, Sep 12, 12:34 PM