pwshub.com

Internet Archive wobbles back online

The Internet Archive has come back online, in slightly degraded mode, after repelling an October 9 DDoS attack and then succumbing to a raid on users' data.

For several days after the attack, the Archive loaded into the basic page depicted below.

Image: Archive.org's distress homepage

At the time of writing (0400 Wednesday UTC, 2100 Tuesday PT), The Register has seen the site sometimes load that page, but sometimes load another that's closer to the Archive's usual busy home page – but omits many items.

It's unclear why the site is switching between the two (and yes, we cleared caches and used multiple browsers).

On October 13 the org's digital librarian, Brewster Kahle, advised that the Archive's services were "coming back up when they can, safely. e.g. Email working."

A day later, on the afternoon of October 14, Pacific Time, Kahle proclaimed the Wayback Machine – the service that preserves snapshots of web pages – was "running strong."

But he added: "Still working to bring archive items & other services online safely."

Network visibility outfit Netscout has shared its view of the incident, suggesting the DDoS ran for around three hours and twenty minutes and saw around five gigabits per second of traffic directed towards the site.

Image: Netscout analysis of Internet Archive DDoS

Netscout's analysts watched that traffic target three IP addresses used by the Archive, and wrote "The DDoS attacks were mostly composed of two attack vectors: TCP RST floods and HTTPS application layer attacks."

Netscout also "discovered characteristics and shared open ports indicative of Mirai variants." Readers may recall that Mirai is nasty malware that subverts Linux-based devices and turns them into a botnet. Netscout asserted, with moderate confidence, that the attack came from "a modern Mirai variant … which incorporates packet-spoofing features."

For what it's worth, Akamai also recently spotted new Mirai variants.

Netscout also reckons much of the DDoS traffic involved "a well-known home entertainment and IoT product."

Most of the hosts spewing traffic at the Archive were devices "in Korea and China, followed by Brazil."

No actor has been named as driving the DDoS.

Kahle and the Archive have not yet detailed the incident, or any steps taken to harden the site against future heists. Fair enough – they've been busy getting back online. But the 31 million users whose data leaked – and the millions more users of the Archive – will likely be keen to know more before too much time passes. ®

Source: theregister.com
