In the first test of WikiLeaks’ resiliency since a staff rebellion earlier this year, the organization recovered within hours from a distributed denial-of-service attack during its rollout of leaked State Department cables Sunday. But experts who monitored the disruptive traffic say the attack was relatively modest in size.

WikiLeaks’ main web address and its “cablegate” site were unreachable as the organization’s media partners published their first analyses from a massive trove of a quarter-million U.S. diplomatic cables Sunday afternoon. Hours earlier, WikiLeaks wrote on Twitter: “We are currently under a mass distributed denial-of-service attack.”

But Arbor Networks, which analyzes malicious network traffic crossing the internet’s backbones, reports that the DDoS generated between 2 and 4 Gbps of disruptive traffic, slightly above the average for all DDoS attacks, but well below the peak 60 to 100 Gbps consumed by truly massive attacks against other websites over the last year.

“The traffic that we’re looking at going to the network where WikiLeaks was hosted at the time the attack started is 12 to 15 gigs per second, so 2 to 4 gigs on top of that is not much,” says Jose Nazario, a senior security researcher at Arbor.

The DDoS tested WikiLeaks’ mettle in the wake of a staff rebellion earlier this year that cost the organization a key technical volunteer responsible for its complex bulletproof backend. The volunteer had set up a censorship-resistant system that decoupled WikiLeaks’ document archives from its public internet IP addresses, allowing the site to jump back to life within an hour of losing its hosting.

When that volunteer resigned in September, along with spokesman Daniel Domscheit-Berg and other staffers, WikiLeaks’ founder Julian Assange was given two weeks to “prepare an alternative setup,” the volunteer said in an interview last month. After that, “we pulled off all the technology developed for WikiLeaks and handed the remaining people the machines. We only took with us that which was developed by us.”

More WikiLeaks Cablegate Coverage

[RSSImport display=”5″ feedurl=”http://www.wired.com/dangerroom/tag/wikileaks/feed/” before_desc=”

” displaydescriptions=”FALSE” after_desc=” ” html=”TRUE” truncatedescchar=”50″ truncatedescstring=” … ” truncatetitlechar=” ” truncatetitlestring=” … ” before_date=” ” date=”TRUE” after_date=” ” date_format=”F j, g:i A” before_creator=” ” creator=”false” after_creator=” ” start_items=” ” end_items=” ” start_item=” ” end_item=” ” target=”” rel=”” charsetscan=”TRUE” debug=”FALSE” before_noitems=” ” noitems=”No items, feed is empty.” after_noitems=” ” before_error=” ” error=”Error: Feed has a error or is not valid” after_error=” ” paging=”FALSE” prev_paging_link=”« Previous” next_paging_link=”Next »” prev_paging_title=”more items” next_paging_title=”more items” use_simplepie=”FALSE” ] [RSSImport display=”5″ feedurl=”http://www.wired.com/threatlevel/tag/wikileaks/feed/” before_desc=”

” displaydescriptions=”FALSE” after_desc=” ” html=”TRUE” truncatedescchar=”50″ truncatedescstring=” … ” truncatetitlechar=” ” truncatetitlestring=” … ” before_date=” ” date=”TRUE” after_date=” ” date_format=”F j, g:i A” before_creator=” ” creator=”false” after_creator=” ” start_items=” ” end_items=” ” start_item=” ” end_item=” ” target=”” rel=”” charsetscan=”TRUE” debug=”FALSE” before_noitems=” ” noitems=”No items, feed is empty.” after_noitems=” ” before_error=” ” error=”Error: Feed has a error or is not valid” after_error=” ” paging=”FALSE” prev_paging_link=”« Previous” next_paging_link=”Next »” prev_paging_title=”more items” next_paging_title=”more items” use_simplepie=”FALSE” ]

The volunteer’s account was confirmed by other former WikiLeaks staffers. “No machines that had been donated to WikiLeaks were removed,” says former staffer Herbert Snorrason, an Icelandic university student. Instead, “the software systems and web systems” were taken out of service.

WikiLeaks’ original website with its archive of leaked documents from around the world has remained offline ever since, while WikiLeaks has focused on the high-profile U.S. leaks linked, with varying degrees of certainty, to Bradley Manning, the 22-year-old former intelligence analyst charged with accessing and disclosing diplomatic cables and other classified files. WikiLeaks launched the Iraq war logs and the State Department cable leaks from dedicated web pages with itinerant hosting.

Despite the issues, WikiLeaks was able to recover from Sunday’s DDoS attack relatively swiftly.

The traffic, directed at WikiLeaks’ Swedish hosting provider Bahnhof, began at approximately 10:05 a.m. EST and originated from “a handful of sources,” says Arbor’s Nazario. Though modest in size, the attack was effective because it opened TCP connections to WikiLeaks’ servers and kept them open, like jamming a switchboard.

WikiLeaks responded by redirecting its web addresses to cloud servers in France and Ireland. The organization announced a functional “cablegate” site shortly after 4 p.m. EST, six hours after the attack began. The site launched with 219 diplomatic cables, and WikiLeaks says it plans to release the entire cache “in stages” over the coming months.

A self-described “hacktivist” called Jester has taken credit for the DDoS. Jester has a history of launching similar attacks against websites said to be linked to radical Islam. He wrote on Twitter that he targeted WikiLeaks “for threatening the lives of our troops and ‘other assets.'”

See Also: