If you’ve been following the news lately, you’ve probably heard that WikiLeaks has been feeling the heat after publishing confidential cables between the U.S. State Department and its overseas missions. But many of the technical details behind these current events might be confusing.
For example, almost everyone knows by now that WikiLeaks had been using Amazon’s Web Services to host its Website. It chose to use Amazon apparently because its prior Web hosts became subject to a denial-of-service (DOS) attack. But what exactly does that mean?
Such attacks have many variations. The archetypal example involves the use of as many as several million individual computers spread throughout the Internet. At some point, the people operating those computers inadvertently downloaded and installed software that allowed their computers to be manipulated surreptitiously from elsewhere. These computers then became part of a “botnet,” which some distant master could then activate at a later time for malicious purposes.
The compromised computers could, for example, send a connection request to the servers of the targeted Website. The Website’s file servers are, of course, configured to establish such connections. But the attacker purposefully arranges things so the connections are requested but never completed. If the servers are inundated with too many such requests, they will not be able to service the legitimate requests for connections from people who genuinely want to visit the site.
The assault on WikiLeaks.org differed from this scenario, though. It was a denial-of-service attack, but not a distributed one. It appears that an online vigilante who calls himself “The Jester," using a single computer running software tool of his own making, targeted WikiLeaks.org and succeeded in temporarily silencing it.
When this happened to WikiLeaks, it decided to use Amazon Web Services. Amazon soon booted it off its servers, though, ostensibly because WikiLeaks violated Amazon’s terms of service, although the impetus may have been questioning Amazon received from the staff of Senator Joe Lieberman (I-Conn.), chairman of the senate’s Homeland Security and Governmental Affairs Committee.
WikiLeaks’ troubles keeping its Website online didn’t end there. Next up was the notice it got from EveryDNS.net that it was to be terminated. EveryDNS.net provides domain name system (DNS) lookups. WikiLeaks had been using this company’s name servers to translate the human-readable “WikiLeaks.org” into the numerical code—the Internet Protocol or IP address—needed to find the Website’s servers on the Internet.
Actually, if you had tried to surf over to WikiLeaks.org before this happened, it’s unlikely that your computer would have queried EveryDNS.net’s name servers to get such a translation. Your Internet Service Provider (ISP) probably had WikiLeak.org’s IP address already stored on its own name servers. That’s the usual way things work. But the information on your ISP’s name servers gets periodically refreshed from the authoritative sources that each Website owner specifies. So at some point, your ISP’s computers would need to consult EveryDNS.net to find out how to route its customers to WikiLeaks.org’s servers. EveryDNS.net itself became subject to a DDOS attack, at which point it decided that it couldn’t responsibly keep trying to service WikiLeaks, which would have threatened its ability to provide similar service to other Websites.
How did WikiLeaks fare after all that? Its response to Amazon ousting it was simply to shift Website hosting to OVH in France and Bahnhof in Sweden (which it had used previously). It found alternative name servers, too, 13 of them at this writing. And it began using the WikiLeaks.ch domain name instead of WikiLeaks.org, for reasons that are not entirely clear.
One possibility is that WikiLeaks felt jittery about further name-server disruptions. To understand why that might be the case, you should know that in 2008, a U.S. District Court handling a civil suit against WikiLeaks issued a order to Dynadot, the US company that registered the WikiLeaks.org domain name. A domain-name registrar acts as an intermediary between the person or organization that sets up the domain name and the company that maintains and operates the relevant top-level domain’s name servers—here the .org name servers.
The idea was to force WikiLeaks offline by coercing its domain-name registrar to delete all records of it existing. That court order was quickly reversed and the suit dropped, but the threat of such actions was probably still weighing on WikiLeaks. So you can understand why at this point it might not want to depend on any company in the United States for hosting, maintaining its domain-name servers, or even for registering its domain name. But why switch from WikiLeaks.org to WikiLeaks.ch?
That’s still a bit of a mystery, but I can speculate. First I have to confess that my earlier description of what happens when your ISP needs to update its name server didn’t tell the whole story. In fact, the ISP’s name server starts by sending a query to a name server that handles the relevant top-level domain, .org in the case of WikiLeaks.org. The .org name server then provides an IP address for the name server that knows the IP address of WikiLeaks.org.
The name servers for the .org top-level domain are run by a U.S. company called the Public Interest Registry. In theory, the Public Interest Registry could configure the .org name servers not to point to the name servers for WikiLeaks.org. That seems a remote possibility, but you can certainly understand why WikiLeaks might want to avoid any such vulnerability. Switching to WikiLeaks.ch means that the name servers that begin the process of translating its domain name into an IP address are controlled from Switzerland rather than the United States. That better insulates WikiLeaks from the influence of U.S. courts or government agents.
What’s more, a Google search of “WikiLeaks” now turns up a numerical IP address for WikiLeaks.ch, perhaps because so many others have linked directly to this IP address. So it’s difficult to see how any attack on or suppression of name servers could at this point cut off the site.
And even if WikiLeaks itself were to go offline, the information it has put out would hardly be suppressed. Unlike most other publishers, which guard their offerings, WikiLeaks has urged others to copy its content, giving detailed instructions for doing so on its Website. This creates what are called “mirrors”—multiple sites with different names in different places that all look and work like WikiLeaks.ch. As of 10 December, WikiLeaks.ch shows that there are 1559 mirror sites scattered around the globe, a number that grows day by day.
It just goes to show, I suppose, what we’ve all known for a long time: For good or bad, once someone pours a bunch of juicy information into cyberspace, there’s no putting it back in the bottle.
David Schneider is a senior editor at IEEE Spectrum. His beat focuses on computing, and he contributes frequently to Spectrum's Hands On column. He holds a bachelor's degree in geology from Yale, a master's in engineering from UC Berkeley, and a doctorate in geology from Columbia.