WordPress.com Hit by Extremely Large Denial-of-Service Attack

Everyone wants to know which blog was the target of the largest denial-of-service attack in the six-year history of the popular blogging platform WordPress.com. The attack affected a number of A-list sites like CNN, BBC and TED.

WordPress.com, a popular blogging platform, was hit by a large DDoS (distributed denial-of-service) attack that affected connectivity to a number of its blogs.

The attack appeared to have begun just before 11 a.m. EST on March 3 and lasted for about two hours, according to a status page on parent company Automattic's site. WordPress.com is a hosted blog platform with a number of large customers, including TED, CNN, BBC, Red Hat and Flickr.

Wordpress.com is currently reporting "normal" service on its site and on its Twitter feed, but that it will be monitoring the situation closely. The attack is the "largest" WordPress.com has ever seen, Automattic told TechCrunch, whose site is hosted on WordPress.com.

"You have no idea how hard it was to get this post up," wrote TechCrunch's Alexia Tsotsis.

The "non-trivial" attack appears to have subsided, but the company is working with the upstream provider on measures to prevent such attacks from affecting connectivity, according to a blog post for WordPress.com's VIP customers, reposted on Twitter.

For ISPs (Internet service providers), DDoS mitigation includes throttling down bandwidth and filtering out packets from users and IP addresses, Jason Hoffman, co-founder and chief scientist at cloud provider Joyent, told eWEEK. Along with available quality of service tools, ISPs can write firewall and load balancer rules that can filter out and kill suspicious packets, he said.

As for its "extreme size," the DDoS attack was "multiple Gigabits per second and tens of millions of packets per second," according to the VIP blog post.

"It could flare up again later, which we're taking proactive steps to implement," WordPress founder Matt Mullenweg told TechCrunch. The DDoS attack impacted all three Automattic data centers in Chicago, San Antonio and Dallas, he said. It also affected Automattic's other services: IntenseDebate, BBQ Pit and Akismet API.

Mullenweg said the sustained attack "may have been politically motivated" against a non-English blog, but declined to provide any other information. "We're still investigating and have no definitive evidence yet," he said.

It remains unclear where the attack originated, since there are a number of groups other than hacktivist Anonymous that use DDoS attacks to disrupt services. In fact, groups like Anonymous don't have the manpower or bandwidth to launch a truly massive DDoS attack because many of its participants are using the LOIC (Low Orbit Ion Cannon) tool to launch DDoS attacks from general consumer ISPs through DSL or cable modem services, said Hoffman. A botnet with "high hundred-thousands to millions" of computers would be required for sustained attacks, he said. For example, a large botnet dubbed Vecebot knocked blogs belonging to Vietnamese dissidents offline last fall.

A recent Harvard University study found that 280 independent media and human-rights Websites were hit with 140 attacks between September 2009 and August 2010, and researchers asserted that these numbers are probably only a small portion of actual attacks.

There appears to be some sporadic performance issues still occurring on WordPress.com, but the site for the most part appears to be normal. WordPress.com had some issues with performance around 6 a.m. EST, which it managed to resolve, according to the site's Twitter feed. Automattic did not comment on whether the performance issues were related to the DDoS attack, which occurred about six hours later.