MediaDefender attacks Revision3



  • MediaDefender.  Remember them? They're the guys that had gigabytes of internal emails leaked, some of it leading to the conclusion that they'd set up Miivi.com to entrap torrenters.

    Well, now they're back, and they've hit a new low.  They DDOS'd Revision3's perfectly legal BitTorrent servers. 

    First, they willingly admitted to abusing Revision3’s network, over a period of months, by injecting a broad array of torrents into our tracking server. They were able to do this because we configured the server to track hashes only – to improve performance and stability. That, in turn, opened up a back door which allowed their networking experts to exploit its capabilities for their own personal profit.

    Second, and here’s where the chain of events come into focus, although not the motive. We’d noticed some unauthorized use of our tracking server, and took steps to de-authorize torrents pointing to non-Revision3 files. That, as it turns out, was exactly the wrong thing to do. MediaDefender’s servers, at that point, initiated a flood of SYN packets attempting to reconnect to the files stored on our server. And that torrential cascade of “Hi”s brought down our network.

    Grodsky admits that his computers sent those SYN packets to Revision3, but claims that their servers were each only trying to contact us every three hours. Our own logs show upwards of 8,000 packets a second.

    “Media Defender did not do anything specific, targeted at Revision3″, claims Grodsky. “We didn’t do anything to increase the traffic” – beyond what they’d normally be sending us due to the fact that Revision3 was hosting thousands of MediaDefender torrents improperly injected into our corporate server. His claim: that once we turned off MediaDefender’s back-door access to the server, “traffic piled up (to Revision3 from MediaDefender servers because) it didn’t get any acknowledgment back.”

    It’s as if McGruff the Crime Dog snuck into our basement, enlisted an army of cellar rats to eat up all of our cheese, and then burned the house down when we finally locked him out – instead of just knocking on the front door to tell us the window was open.

     Read more here.
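Added example, not code from Revision3, MediaDefender or the original post: a small tracker-side check that models the two points in the quoted text, rejecting announces whose info_hash is not on an allowlist (the "hash-only" tracker accepting foreign torrents) and flagging sources whose per-second announce rate looks like a retry storm once they have been de-authorized. The log format, IPs, hashes and the per-second threshold are all constructed assumptions; the real incident was measured in SYN packets, which this application-level log approximates.

```python
import re
from collections import Counter

# Info-hashes this tracker is authorised to serve (constructed placeholders).
ALLOWED_HASHES = {"0" * 40, "1" * 40}

# Constructed log line format: "<epoch-second> <src-ip> announce <info_hash>"
LINE_RE = re.compile(r"^(\d+) (\S+) announce ([0-9a-f]{40})$")

# Constructed sample: 203.0.113.9 hammers a foreign hash after it is refused.
SAMPLE_LOG = "\n".join(
    ["1210000000 198.51.100.7 announce " + "0" * 40,
     "1210000001 198.51.100.7 announce " + "1" * 40]
    + ["1210000005 203.0.113.9 announce " + "f" * 40] * 6
    + ["1210000006 203.0.113.9 announce " + "f" * 40] * 2
)


def parse(log_text):
    """Yield (second, src, info_hash) for each well-formed line; skip others."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2), m.group(3)


def analyse(log_text, allowed=ALLOWED_HASHES, per_second_limit=5):
    """Return (rejected, flooders).

    rejected: Counter of (src, info_hash) announces refused because the hash
              is not on the allowlist (the 'de-authorize' step in the post).
    flooders: dict src -> peak announces in any single second, listed only
              for sources above per_second_limit (retry-storm signature).
    """
    rejected = Counter()
    per_sec = Counter()
    for sec, src, h in parse(log_text):
        if h not in allowed:
            rejected[(src, h)] += 1
        per_sec[(src, sec)] += 1
    peak = {}
    for (src, _), n in per_sec.items():
        peak[src] = max(peak.get(src, 0), n)
    flooders = {src: n for src, n in peak.items() if n > per_second_limit}
    return rejected, flooders


if __name__ == "__main__":
    rej, fl = analyse(SAMPLE_LOG)
    print("rejected:", dict(rej))
    print("flooders:", fl)
```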



  • I like the part where they say the FBI is already involved. It would be great if this turned into a CRIMINAL matter. If not, Revision3 should slap their ass with a civil lawsuit.

    And technically, isn't it a Denial of Service attack and not a Distributed Denial of Service attack if only one source network is involved? Mr. Louderback, the author of the blog post, never says DDOS.



  • @redct said:

    It’s as if McGruff the Crime Dog snuck into our basement, enlisted an army of cellar rats to eat up all of our cheese, and then burned the house down when we finally locked him out – instead of just knocking on the front door to tell us the window was open.

    It might just be because it's past midnight, but while the story itself is pretty disturbing, the McGruff analogy is absolutely hilarious. The mental cartoon it conjures up is fantastic - particularly the part with an outraged McGruff flinging a molotov cocktail through the second story window.



  • @redct said:

    Our own logs show upwards of 8,000 packets a second.

    *snip*

    “Media Defender did not do anything specific, targeted at Revision3″, claims Grodsky. “We didn’t do anything to increase the traffic”

    I love those "I didn't do anything" "here are the logs you liar" moments.

    It's like when a user locked out the Admin account (that they don't have access permission to use) here a week ago. I knew who it was, and asked him nicely - and privately - what he thought he was doing, he emailed my boss claiming I was unfairly accusing him of evil, death and murder*, and my boss asked what was going on and I provided him with the logs. And Mr "Well, I just needed to fix one price and I thought it would be best for everyone if I just guessed the Admin passwords and did it myself" gets a little chat with HR about (a) Trying to edit prices without permission, (b) Trying to "hack" the pricing console and (c) telling lies to cover his behind and trying to get someone else in trouble to save himself.

    I couldn't help but enjoy an evil laugh at that point.

    Of course the chances of justice prevailing here are probably not quite as high, but we can hope.

    *well you'd think that was what I'd accused him of from the tone of his email



  • @PeriSoft said:

    It might just be because it's past midnight, but while the story itself is pretty disturbing, the McGruff analogy is absolutely hilarious. The mental cartoon it conjures up is fantastic - particularly the part with an outraged McGruff flinging a molotov cocktail through the second story window.

    Nah. It's 8:35am now, and I also find it hilarious.



  •  IMO, it's not inconceivable for this to have been caused by incompetence.  It's pretty easy to accidentally create a flood of traffic if you screw up your retry code, and run it on a large number of clients.

    Regardless, malicious or not, MediaDefender still had no business touching Revision3's servers in the first place.



  • @AbbydonKrafts said:

    @PeriSoft said:
    It might just be because it's past midnight, but while the story itself is pretty disturbing, the McGruff analogy is absolutely hilarious. The mental cartoon it conjures up is fantastic - particularly the part with an outraged McGruff flinging a molotov cocktail through the second story window.

    Nah. It's 8:35am now, and I also find it hilarious.


    Yeah, I just checked the thread at 10am my time, and it's still pretty funny.



  • If this were some random kid, he'd probably get years of prison time. Something tells me that MediaDefender will just get this case to "go away."



  • it could not have been incompetence because prior to the flood they had broken into R3's tracker and posted illegitimate torrents.... R3 removing these unauthorized torrents triggered the attack 



  • @Kazan said:

    they had broken into R3's tracker and posted illegitimate torrents.

    Problem is, they didn't "break in". R3's tracker was wide open and anyone could post stuff on it. Go figure that someone like MediaDefender would be all over it to flood the torrentspace with bad ones, especially if they seem to be seeded by a legitimate company that can't be linked to MediaDefender. 



  • @Brendan Kidwell said:

     Mr. Louderback, the author of the blog post, never says DDOS.

     Actually, if you click on the image of the network switches, you can see written clearly on the LCDs it says "Blocking DoS attack".  So it IS mentioned in the article, hehe.



  • @Soviut said:

    you can see written clearly on the LCDs it says "Blocking DoS attack".  So it IS mentioned in the article, hehe.

    No, it's not. DDoS != DoS. It wasn't distributed, such as in a botnet attack.

