Janus’ Musings


Inside a DoS attack


Over the Memorial Day weekend in the US, Revision3 was hit by a DoS attack which shut down their website, RSS feeds, and corporate email. They decided to investigate what/who caused the attack, and their investigation reads like a mystery thriller. What’s really disturbing is how the originator’s (MediaDefender) system decided to inundate a system with “pings” when Revision3 removed some back-door entries into the system. The real question is this: while IP rights are important and should be enforced, how do you justify taking down a legit business through a DoS attack because they removed certain back-doors (which were probably illegal in the first place) from their system?

First, they willingly admitted to abusing Revision3’s network, over a
period of months, by injecting a broad array of torrents into our
tracking server. They were able to do this because we configured the
server to track hashes only – to improve performance and stability.
That, in turn, opened up a back door which allowed their networking
experts to exploit its capabilities for their own personal profit.

Second, and here’s where the chain of events comes into focus, although
not the motive. We’d noticed some unauthorized use of our tracking
server, and took steps to de-authorize torrents pointing to
non-Revision3 files. That, as it turns out, was exactly the wrong thing
to do. MediaDefender’s servers, at that point, initiated a flood of SYN
packets attempting to reconnect to the files stored on our server. And
that torrential cascade of “Hi”s brought down our network.

Grodsky admits that his computers sent those SYN packets to Revision3,
but claims that their servers were each only trying to contact us every
three hours. Our own logs show upwards of 8,000 packets a second.


Written by janusmusings

May 30, 2008 at 1:05 am

Posted in Technology
