Internet Performance Delivered right to your inbox

WikiLeaks: Moving Target


This has been an exciting month for those of us who study the Internet’s infrastructure and think about ways to keep it running (and growing). Did I say exciting? Maybe “exhausting” would be more accurate. From China, to Iran, to the US Congress, everyone seems to be wondering how best to control the Internet and bring it in line with local law.

And then came the latest iteration of the WikiLeaks drama.

Love them or hate them, you have to admit that these folks are effective at creating and sustaining an audience for their content. Their glacially slow release of secret information, a few tastes each day, is calculated to feed a media storm that could easily last for months.

If nothing else, the massive amounts of traffic they are attracting, and the efforts of actors unknown to shut them down, have created a unique laboratory for studying Internet resilience.wikileaks_logo.png

Consider their primary website: They lost their Web hosting, their payment services, and ultimately the use of the domain name itself, all while coming under withering DDoS attacks and intermittent nation-level blacklisting. And yet, WikiLeaks stays up, taunting their adversaries with their jaunty hourglass and hourly tweets of coming attractions.

How are they staying on the Internet? Why haven’t their adversaries shut them down already?

I guess the short answer is that the harder you hit them, the bigger they get.

For the long answer, you need to examine their DNS and BGP configurations: the mapping from domain names (like to IP addresses (like, and from IP addresses to the providers who host them. These are the protocols that make the Internet survivable, and after a somewhat shaky start, it’s clear that WikiLeaks is exploiting them very effectively to stay alive.

Termination of Service

In recent months,’s content had lived happily in just a few IP address blocks, hosted by Bahnhof and PRQ (two Swedish ISPs with … let’s say … liberal policies for the content they host), and French provider Cursys. Then, when the cables were first released at the end of November, WikiLeaks added additional hosting in Amazon’s EC2 cloud (presumably to cope with the tremendous volumes of traffic being generated in the first days of the release).


It was not to last — Amazon evicted them on December 1st for terms of service violations. In response, they diversified by hosting the domain in two different IP blocks: one in France, hosted by OVH, and another in Sweden, hosted by Bahnhof.

A couple days later, on December 3rd, EveryDNS (their DNS provider) shut them off, refusing to supply a valid IP address to queries for Today, if you ask the .org root for the authoritative DNS servers for, you still get back the same four EveryDNS servers … but they won’t answer.

Why didn’t WikiLeaks just change DNS providers for the .org site? That’s a bit of a mystery — we’d note only that the sponsoring registrar is a California company, Dynadot, who apparently doesn’t know what to do with the hot potato.

Thus endeth the first phase of WikiLeaks’ “rustication.”

Respawning Globally

Remember, when EveryDNS made their call to turn off DNS for the domain on December 3rd, the WikiLeaks IP address space was still routed and their servers were still alive (though intermittently unavailable due to tremendous inbound DDoS attacks). When the domain stopped resolving, WikiLeaks simply diversified into alternative ccTLDs (country code top level domains) and pointed those names towards existing IP addresses, or added new hosting.


The country-level domain for Germany ( has Swedish hosting from PRQ in Sweden and 1&1 in Germany; the European Union (, Finland (, the Netherlands (, Poland (, Sweden (, and Tonga ( have been pointed at the existing block, hosted by Bahnhof in Sweden. But just to make good and sure, additional country-level domains for Austria (, the Cocos Islands (, and Switzerland (, held by the Swiss Pirate Party) came up on Bahnhof’s block over the weekend. Norwegian has hosting from French OVH and Swedish Bahnhof, and Luxembourg ( marches to its own drum, getting hosting from local provider Root SA. (There are probably some I’m missing, and the set continues to mutate daily, adding additional hosting in different countries to continuously reduce vulnerability to takedown.)

To prevent a repeat performance of the EveryDNS experience, the Swiss site seems to have been selected for heavy reinforcement through DNS diversification. If you ask for the authoritative servers for today, you’ll find no fewer than 14 different authoritative nameservers, spread across eleven different autonomous systems, in eight different countries, from Switzerland to Canada to Malaysia. And if you ask any of those 14 servers where to find, they’ll point you to one of three differently routed IP blocks, containing web server IP addresses with diverse geolocation: (originated by Serverius, in the Netherlands), (originated by Bahnhof, in Sweden), and (originated by OVH in France).

Are you getting the picture yet?


748 volunteer mirrors of can be found all over the US and Europe, with a few dozen elsewhere.

Taking away WikiLeaks’ hosting, their DNS service, even their primary domain name, has had the net effect of increasing WikiLeaks’ effective use of Internet diversity to stay connected. And it just keeps going. As long as you can still reach any one copy of WikiLeaks, you can read their mirror page, which lists over 1,000 additional volunteer sites (including several dozen on the alternative IPv6 Internet). None of those is going to be as hardened as against DNS takedown or local court order — but they don’t need to be.

Within a couple days’ time, the WikiLeaks web content has been spread across enough independent parts of the Internet’s DNS and routing space that they are, for all intents and purposes, now immune to takedown by any single legal authority. If pressure were applied, one imagines that the geographic diversity would simply double, and double again.

And we’re only considering the website itself, not the torrented data files, which ensure that cryptographically signed copies of the website and its backing data are dispersed beyond all attempts to recall or suppress the information they contain. That’s an Internet infrastructure subject for another day.

Diversification: Not Without Its Problems

If you think for a moment, you’ll realize that this rapid growth does create some potential problems with trust — when you click through to one of the myriad wikileak-look-alike sites out there, which ones are “real?” They all look pretty familiar, and share the same content at first glance. But there’s no mechanism in place to allow you to know that you’re looking at an unaltered, reasonably real-time mirroring of the official website (which is, of course, no longer available for comparison). Is that incredible cable about the existence of alien bodies in New Mexico real, or is it a joke?

The torrents don’t suffer from this problem, because they are signed, and the WikiLeaks public key was distributed long ago. But when I visit, to pick a random example from the WikiLeaks mirror page,, am I really reading the Real Deal? For that matter, which of the dozens of official WikiLeaks sites are the Real Deal?

We can already see that enterprising souls who care more about ad revenue than Internet freedom have ‘parked’ other WikiLeaks ccTLD domains. I’m looking at you, Belgium, Chile, Colombia, India, Spain, Japan, Russia, Slovakia, and Niue (.nu).
The Wikia Inc folks are hanging onto,, and

My favorite example here would be, which looks like this:



This is a volatile conflict, with people who feel strongly about freedom on both sides, and who aren’t hesitant to talk about this as a cyberwar. I’m not going to go there. From a more dispassionate infrastructure standpoint, though, we can make a few observations.


First, even without considering the possibility of alternatives to the current DNS infrastructure, it’s evident that the country-level distribution of authority inherent in the ccTLD system has provided enough political cover to keep an extremely controversial site running. Everyone has laws that make certain kinds of content illegal, but there is no global agreement across jurisdictions about the definition of illegal content.

Second, it’s apparent that search and social infrastructure (Google and Twitter) now play a key role in re-spawning content that gets blocked in any one place, and drawing even more attention to the surviving copies. If suppressed content automatically goes viral, the Internet’s construction basically guarantees that that content will have a home for the rest of time. If you attack DNS support, people will tweet raw IP addresses. If you take down the BGP routes to web content, people will put up more mirrors, or switch to overlay networks to distribute the data. You can’t burn down the Library of Alexandria any more— it will respawn in someone’s basement in Stockholm, or Denver, or Beijing.

Finally, we can predict that in the future, enforcement of local laws will take place almost exclusively at the consumer edge of the Internet. Providers of content can change jurisdictions, but consumers generally cannot — and this asymmetry drives the creation of national domain blacklists and monitoring of access to illegal content within access networks. The day isn’t far off, if it isn’t here already, when your ISP will be set to work making lists of the naughty and nice. Get your proxies ready!

An earlier version of this blog incorrectly identified the owners of the,, and domains. We regret the error.

Share Now

Whois: Jim Cowie

Jim Cowie was the Chief Scientist at Dyn. Previously, Jim was the founder and CTO of Renesys, the Internet Intelligence Authority, which Dyn acquired in 2014.