Amazon.co.uk, Amazon.de, Amazon.fr, Amazon.it and Amazon.at suffered approximately half an hour of downtime at around 21:15 GMT. The cause is not yet apparent, although all of these sites share one thing in common: they are all hosted at Amazon's data centre in Ireland.
Amazon's service health dashboard reported elevated error rates and latencies for the EC2 APIs in the EU-WEST-1 region, so many other sites may have been affected (Amazon accounts for more than a third of all web-facing computers in Ireland).
The Anonymous group behind Operation Payback had intended to carry out another attack against Amazon after last week's attempt failed to have any impact on Amazon.com. However, the websites and IRC servers operated by Anonymous suggest that the current target is still mastercard.com.
Real-time performance graphs for these Amazon sites can be viewed at http://uptime.netcraft.com/perf/reports/performance/wikileaks
MasterCard.com has been taken down after a second distributed denial of service attack by Anonymous. The first attack occurred 3 days ago, after which Visa and PayPal were also successfully attacked.
MasterCard's payment processing systems were affected during the first DDoS attack on Wednesday, with many consumers reporting that they were unable to pay for goods online. Businesses reported a corresponding drop in trade during that first attack.
Anonymous struck out against MasterCard after the credit card giant announced a move to ensure that WikiLeaks would not be able to accept payments using MasterCard-branded products. Anonymous also tried to attack Amazon.com in retaliation for terminating WikiLeaks' EC2 web hosting services, but the first attempt did not succeed.
This second attack against MasterCard was announced in IRC channels, on Twitter and on http://anonops.eu. The group's previous website was suspended on Wednesday. The new site is hosted at OVH in France, where wikileaks.ch is also hosted.
IRC remains an important component in the group's command and control structure. Thousands of volunteers have installed the LOIC attack software, which receives its next attack instructions from the group's IRC network.
The total number of computers involved in these attacks is unclear, as some volunteers have been experiencing difficulties connecting to the IRC network and so have been running the software manually. Additional volunteers have also been using a browser-based version of the attack tool, which can be run without having to install any software. Some of the previous attacks have involved at least 2,000 computers.
The group's IRC network has continued to grow and is now spread across 18 servers. Not only does this allow more users to connect, but it also makes the IRC network more resilient to attacks and other outages.
This latest attack against MasterCard was initially directed towards www.mastercard.com. A few hours later, the target was changed to mastercard.com, which was served from a different IP address. When www.mastercard.com became accessible again, the homepage contained the following statement ...
"MasterCard has made significant progress in restoring full-service to its corporate website. Our core processing capabilities have not been compromised and cardholder account data has not been placed at risk. While we have seen limited interruption in some web-based services, cardholders can continue to use their cards for secure transactions globally."
... however, its corporate website at mastercard.com then became innaccessible due to the DDoS attack.
Real-time performance graphs for www.mastercard.com, mastercard.com and several other sites involved in the WikiLeaks attacks can be monitored at http://uptime.netcraft.com/perf/reports/performance/wikileaks
Moneybookers.com is the latest site to be taken down by the ongoing WikiLeaks-related attacks.
The attack was organised to start at 09:20 GMT on Friday, but did not appear to have any immediate impact; however, the site eventually succumbed shortly after 11:00.
This latest attack was announced in advance on Operation Payback's Twitter stream. Moneybookers had previously collected WikiLeaks donations, but closed down their account after WikiLeaks was put on an official US watchlist and an Australian government blacklist.
Real-time performance graphs for www.moneybookers.com and several other sites involved in the WikiLeaks attacks can be monitored at http://uptime.netcraft.com/perf/reports/performance/wikileaks
The scheduled attack against Amazon.com has been called off after it failed to make any impact on the site's performance.
The Anonymous group decided the "hive" of computers in its botnet was not big enough to take on the might of Amazon, who are evidently quite good at providing highly scalable web hosting services, not just on their own website, but also on their EC2 service. Their European datacenter, which formerly hosted the WikiLeaks website, accounts for more than a third of all internet-facing web servers in Ireland.
Operation Payback still intend to carry out a distributed denial of service attack against Amazon.com, but appear unable do so without more volunteers taking part in their botnet. The botnet currently contains around 2000 computers, each of which can receive attack commands from the group's IRC network.
Operation Payback has announced its next attack, which will target www.amazon.com. It will be interesting to see whether Amazon can withstand the type of DDoS attacks that successfully brought down Visa.com and MasterCard.com over the past 24 hours.
PayPal was the most recent target – first paypal.com, and then api.paypal.com – in an apparent attempt to prevent retailers accepting payments via PayPal. Many websites and consumers are still reporting difficulties making payments with credit cards and PayPal funds.
The Anonymous group claims that Amazon is selling the leaked cables. Amazon.co.uk is currently selling a Kindle e-book of the first 5000 cables (ironically encrypted and with DRM), although it is not apparent whether this is genuine:
Operation Payback has acknowledged that the attack against Amazon may be more difficult than any other recent attack. However, the voluntary botnet used in the attacks has continued to grow in size, making it easier to take down larger sites.
Operation Payback has suffered a few setbacks during the attacks. Its website was suspended yesterday, and its previous Twitter account was suspended overnight. The group is currently announcing targets via IRC and its new Twitter account, @AnonOpsNet.
The group is still without a website, and so has become increasingly dependent on its Internet Relay Chat network, both as a point of contact, and as a way of controlling the botnet. The group's IRC servers were refusing connections due to too many users being connected, but this problem was later resolved and the IRC network is currently spread across 10 IP addresses.
Real-time performance graphs for www.amazon.com and several other sites involved in the WikiLeaks attacks can be monitored at http://uptime.netcraft.com/perf/reports/performance/wikileaks
The attack is due to begin at approximately 16:00 GMT today (Thursday).
Despite its economic woes, Ireland is the country with the largest growth* this year in number of public-facing web servers in Netcraft's hosting provider server count. However, this is mostly due to large growth at Amazon's Elastic Compute Cloud (EC2) service.
Amazon started offering its EC2 service in the EU in December 2008, via a datacenter in Dublin. Since then it has been the fastest-growing hosting company in Ireland. Amazon's cloud hosting now makes up more than a third of all internet-facing web servers in Ireland, with three times more web servers hosted than the next largest hosting location.(more...)