Thursday, May 29, 2008

Inside a DoS attack

Over the Memorial Day weekend in the US, Revision3's website was shut down by a DoS attack that also took out their RSS feeds and corporate email. They decided to investigate what (and who) caused the attack, and their investigation reads like a mystery thriller. What's really disturbing is how the originator's (MediaDefender's) systems decided to inundate Revision3's servers with "pings" when Revision3 removed some back-door entries from their system. The real question is this: while IP rights are important and should be enforced, how do you justify taking down a legitimate business through a DoS attack because they removed certain back-doors (which were probably illegal in the first place) from their system?


First, they willingly admitted to abusing Revision3’s network, over a period of months, by injecting a broad array of torrents into our tracking server. They were able to do this because we configured the server to track hashes only – to improve performance and stability. That, in turn, opened up a back door which allowed their networking experts to exploit its capabilities for their own personal profit.

Second, and here’s where the chain of events comes into focus, although not the motive. We’d noticed some unauthorized use of our tracking server, and took steps to de-authorize torrents pointing to non-Revision3 files. That, as it turns out, was exactly the wrong thing to do. MediaDefender’s servers, at that point, initiated a flood of SYN packets attempting to reconnect to the files stored on our server. And that torrential cascade of “Hi”s brought down our network.

Grodsky admits that his computers sent those SYN packets to Revision3, but claims that their servers were each only trying to contact us every three hours. Our own logs show upwards of 8,000 packets a second.

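The last quoted paragraph comes down to a number pulled from logs: 8,000 packets a second against a claimed one attempt every three hours. The script below is an added example, not Revision3's or the page's own tooling, of how a defender gets that number out of a firewall log. It parses iptables-style kernel LOG lines, bins TCP SYN packets per source address per syslog second, and reports every source whose peak rate reaches an assumed threshold of 100 SYN/s. The log lines, the addresses (RFC 5737 documentation ranges) and the threshold are all constructed; one constructed source sends a burst of 8,000 SYNs in one second, another sends one SYN every three hours, and a third is an ordinary client.

```python
import re
from collections import defaultdict

# Matches constructed iptables-style LOG lines carrying the SYN flag and
# captures the syslog timestamp (second resolution) and source address.
SYN_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: "
    r".*?SRC=(?P<src>\S+) .*?PROTO=TCP\b.* SYN\b"
)


def parse_syn_events(log_text):
    """Return (timestamp, src) for every TCP SYN line; other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SYN_LINE.match(line)
        if m:
            events.append((m.group("ts"), m.group("src")))
    return events


def peak_rates(log_text):
    """Peak SYN packets per second from each source address.

    Binning is by the syslog second, so a peak of N means N SYNs carried the
    same HH:MM:SS stamp from that source."""
    per_second = defaultdict(int)  # (src, ts) -> count
    for ts, src in parse_syn_events(log_text):
        per_second[(src, ts)] += 1
    peaks = defaultdict(int)
    for (src, _ts), count in per_second.items():
        peaks[src] = max(peaks[src], count)
    return dict(peaks)


def flag_floods(log_text, threshold=100):
    """Sources whose peak SYN rate reaches the (assumed) threshold."""
    return {src: peak for src, peak in peak_rates(log_text).items()
            if peak >= threshold}


def make_sample_log():
    """Constructed log: a flood source, a three-hourly source, a normal client."""
    lines = []

    def add(ts, src, count):
        for i in range(count):
            lines.append(
                f"{ts} gw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.5 "
                f"PROTO=TCP SPT={1024 + i % 60000} DPT=6969 SYN URGP=0")

    add("May 24 14:00:00", "203.0.113.10", 8000)   # burst: 8,000 SYN in one second
    add("May 24 14:00:01", "203.0.113.10", 7500)
    add("May 24 14:00:00", "203.0.113.11", 1)      # one attempt every three hours
    add("May 24 17:00:00", "203.0.113.11", 1)
    for sec in range(3):                            # ordinary client, 1 SYN/s
        add(f"May 24 14:00:0{sec}", "198.51.100.7", 1)
    # A UDP line that must be ignored by the SYN matcher.
    lines.append("May 24 14:00:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 "
                 "DST=192.0.2.5 PROTO=UDP SPT=5000 DPT=6969 LEN=80")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    log = make_sample_log()
    for src, peak in sorted(peak_rates(log).items()):
        print(f"{src:15} peak {peak:5d} SYN/s")
    print("flagged:", flag_floods(log))
```

Per-second binning on the syslog timestamp is deliberately coarse: it is what the logs on the page can support, and it is enough to separate a source that reconnects every three hours (peak of 1) from one sending thousands of SYNs in a single second, whatever the sender claims its schedule was.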
