WikiLeaks ousted by Amazon, moves to Europe

Amazon has finally pulled the plug on WikiLeaks, leaving the whistle-blowing website unavailable until the traffic was redirected to Europe. WikiLeaks first directed the traffic to Sweden, and then included a second server in France. WikiLeaks announced the move on their Twitter stream:

The United States Senate Committee on Homeland Security and Government Affairs subsequently issued a press release announcing that Amazon had severed ties with WikiLeaks. The introduction to this announcement clearly states that Amazon.com decided to terminate its relationship with WikiLeaks, although the government may have spurred this decision by reportedly asking, "Are there plans to take the site down?"

The committee contacted Amazon on Tuesday after reading press reports that the WikiLeaks site was being hosted by Amazon. The site was taken down by Amazon the following morning. This could suggest that the government was able to exert some influence on the decision – WikiLeaks had been using Amazon's EC2 hosting service since October, when the Iraq War Logs were published. The cablegate site also used EC2 from the moment it was launched on Sunday.

Incidentally, two sentences in Committee Chairman Joe Lieberman's statement may have been added as an afterthought, or added by someone else, as it appears in a slightly different colour to the rest of the text in the statement:

The chairman encouraged foreign companies to make the same decision as Amazon, although whether this will happen remains to be seen.

WikiLeaks is now served from two IP addresses in Europe: one is hosted by Bahnhof Internet in Sweden, and the other is at OVH in France. Both www.wikileaks.org and cablegate.wikileaks.org are being served from these IP addresses, and have been showing good response times since the move.

Real-time performance graphs for both sites are available here:

HTML5 reaches 1% of the web

Despite still being developed, HTML5 is already in use on more than 1% of the world's websites.

Netcraft's December Web Server Survey found the HTML5 DOCTYPE on 1.06% of homepages. An additional 0.05% of sites made use of new HTML5 features without explicitly declaring the correct DOCTYPE.

HTML5 is the next major revision of the HTML standard, and looks set to supersede HTML 4.01 and XHTML 1.1 with its support for video and audio playback. Microsoft has recently shifted its strategy on Silverlight as a cross-platform solution and now wants to implement standards-based HTML5 really, really, really well in Internet Explorer 9.

Earlier this year, Google also announced that it was shifting effort towards bringing their now-deprecated Gears API capabilities into HTML5 standards. Google's Chrome browser uses the same WebKit rendering engine as Apple browsers, with Apple boasting support for HTML5 on each of its new mobile devices and Macs.

Desktop browser support for the full set of new features in HTML5 is still rather patchy, although it should be noted that the HTML5 specification is still a working draft and subject to change. Many web designers will be reluctant to use the newest features just yet, as a significant fraction of their visitors will be unable to enjoy the content as it was intended. This is clearly demonstrated by the rarity of HTML5 elements such as canvas (appearing directly on only 0.012% of homepages), video (0.011%) and audio (0.003%).

December 2010 Web Server Survey

In the December 2010 survey we received responses from 255,287,546 sites.

This month's largest change in market share was seen by nginx, which gained 0.59 percentage points and now serves 6.62 percent of the hostnames in the web server survey. The increase of 1.85M hostnames is mainly due to 656k Savvis hostnames moving from lighttpd to nginx, and 452k new hostnames on BurstNet.

The biggest losses in market share this month were seen by Microsoft, which lost 0.48 percentage points (but gained 85,564 hostnames), and lighttpd, which lost 0.32 percentage points. Many of the 761K hostnames lost by lighttpd can be explained by the large number of Savvis hostnames moving to nginx. The other major web server vendors all gained hostnames whilst losing small amounts of market share.

Open source HTTP accelerator Varnish gained 545k hostnames. A recent blog post on the varnish site identifies WikiLeaks as one particularly prominent user of the software, with both cablegate.wikileaks.org (performance graph) and warlogs.wikileaks.org (performance graph) served by Apache via Varnish.

Other highly popular sites such as Facebook, Twitter and eBay are also on record as being users of Varnish, although this is not evident from their server banners.

Total Sites Across All Domains
August 1995 - December 2010

Total Sites Across All Domains, August 1995 - December 2010


Market Share for Top Servers Across All Domains
August 1995 - December 2010

Graph of market share for top servers across all domains, August 1995 - December 2010


Developer November 2010 Percent December 2010 Percent Change
Apache 148,085,963 59.36% 151,516,152 59.35% -0.01
Microsoft 56,637,980 22.70% 56,723,544 22.22% -0.48
nginx 15,058,114 6.04% 16,910,205 6.62% 0.59
Google 14,827,157 5.94% 14,933,865 5.85% -0.09
lighttpd 2,070,300 0.83% 1,308,935 0.51% -0.32
Continue reading

WikiLeaks attack escalates

A few hours ago, we reported that cablegate.wikileaks.org was under attack. This attack has shifted its focus onto www.wikileaks.org, which is now being deluged with more than 10 gigabits of traffic per second, causing the site to become unavailable to visitors.

Since our earlier report, cablegate.wikileaks.org has been reconfigured to use a single IP address and is working normally – at least for now. The attackers may have diverted their efforts towards attacking www.wikileaks.org, as this is likely to be the first port of call for many of the site's visitors.

Real-time performance graphs for both sites are available here:

Cablegate under DDoS attack

WikiLeaks is currently under another distributed denial of service (DDoS) attack. This time the target appears to be cablegate.wikileaks.org – the website which hosts the leaked US embassy cables.

When the cablegate site was launched on Sunday, WikiLeaks' main website at www.wikileaks.org was subjected to a similar attack, causing it to go offline for several hours. The cablegate site itself was not affected by those attacks.

Today's attack is still ongoing, and has caused noticeable downtime over the past couple of hours:

The cablegate hostname is still configured to use three different IP addresses on a round-robin basis, essentially acting as a load balancer, although this does not appear to have prevented the current attack from succeeding. The performance graph shows the site may have been attacked over shorter periods earlier in the week, even though it has only made available a small fraction of the 250,000 cable messages. The attacks are likely to be symbolic more than anything else, as several large media groups have already been supplied with the full set of leaked messages.

A real-time performance graph for cablegate.wikileaks.org can be viewed here.

WikiLeaks attacked during launch of cablegate

WikiLeaks experienced some website downtime last night, coinciding with its release of the US embassy cables at cablegate.wikileaks.org.

Just before the latest leak was released to the world via their new "cablegate" site last night, WikiLeaks tweeted that they were under a mass distributed denial of service attack, but defiantly stated that "El Pais, Le Monde, Speigel, Guardian & NYT will publish many US embassy cables tonight, even if WikiLeaks goes down".

Twitter user th3j35t3r claimed to be carrying out the denial of service attack against www.wikileaks.org, although in a tweet that has since been deleted, th3j35t3r stated that it was not a distributed attack. If WikiLeaks believed the attack to be distributed, it could suggest that other parties had also been carrying out separate attacks at the same time.

th3j35t3r's Twitter profile lists his location as "Everywhere" and he describes himself as a "Hacktivist for good. Obstructing the lines of communication for terrorists, sympathizers, fixers, facilitators, oppressive regimes and other general bad guys.".

th3j35t3r's Twitter feed lists dozens of other sites that have also been taken down, mainly communicated through "TANGO DOWN" messages posted via the XerCeS Attack Platform. The "tango down" phrase is used by special forces and is often heard in FPS games such as Rainbow 6 and Call of Duty, where it is used to describe a terrorist being eliminated.

Referring to the success of the attack, th3j35t3r also tweeted, “If I was a wikileaks 'source' right now I'd be getting a little twitchy, if they cant protect their own site, how can they protect a src? "

The main www.wikileaks.org site appeared to bear the brunt of the attack, suffering patchy or slow availability for several hours. Last night, the site was hosted from a single IP address, but has since been configured to distribute its traffic between two Amazon EC2 IP addresses on a round-robin basis. One of these instances is hosted in the US, while the other is in Ireland.

Meanwhile, cablegate.wikileaks.org has so far escaped any significant downtime. This site has used 3 IP addresses since its launch, probably in anticipation of being attacked or deluged with legitimate traffic. Two of these IP addresses are at Octopuce in France, which also hosts the single IP address now used by warlogs.wikileaks.org. Ironically, the third IP address being used to distribute secret US embassy cables is an Amazon EC2 instance hosted in – you guessed it – the US.

Performance graphs are available here: