By Robert Vamos
Defense in Depth
January 25, 2008
Dr. Jose Nazario of Arbor Networks has been looking at the technical
side of the distributed denial of service (DDoS) attacks upon domain
registered to the Church of Scientology International. In general he
finds that while there have been a lot of DDoS attacks, the early ones
were mild. They were, however, stronger than the DDoS attacks upon
various Estonian sites last spring. As a protective measure, the Church
of Scientology has since moved its domain to a more protected space.
Prior to the move, Nazario found that on January 19, there were 488 DDoS
events, all of which appear to come from one IP address, "indicating,"
said Nazario, "that this is not a huge, broadly sourced attack (i.e. it
may not have registered on other ISPs systems)." He also notes that the
types of attacks he saw on Saturday were "common, garden-variety DDoS
Nazario's other findings include:
Maximum PPS rates seen: nearly 20,000 pps (packets per second), with
an average attack size of 15,000 pps.
Maximum bandwidth seen per attack: 220 Mbps, with an average attack
size of 168 Mbps. This is on the high side of an attack, but
significantly smaller than the largest ones we commonly see
Maximum duration of a single attack: 1.8 hours, which is on the long
end of common, but the average attack lasted just under half an
On January 21, the Church of Scientology moved its domain to Prolexic
Technologies, a company that protects Web sites from DDoS attacks.
Attacks against the site have increased, with a major assault on
Thursday night at 6 p.m. EST.
Nazario says "I went looking and was unable to detect attacks against
the Scientology Web site in particular. The new IP address of the CoS
Web site is located within the Prolexic DDoS service network. It's
difficult for (Arbor Networks) to detect these attacks in particular
from the milleiu of DDoS attacks" inside the Prolexic service.
Subscribe to InfoSec News