Revision3 Blog


Inside the Attack that Crippled Revision3

on May 29th, 2008 at 07:49 am by Jim Louderback in Polemics

As many of you know, Revision3’s servers were brought down over the Memorial Day weekend by a denial of service attack. It’s an all too common occurrence these days. But this one wasn’t your normal cybercrime – there’s a chilling twist at the end. Here’s what happened, and why we’re even more concerned today, after it’s over, than we were on Saturday when it started.

It all started with just a simple “hi”. Now “hi” can be the sweetest word in the world, breathlessly whispered into your ear by a long-lost lover, or squealed out by your bouncy toddler at the end of the day. But taken to excess – like by a cranky 3-year old–it gets downright annoying. Now imagine a room full of hyperactive toddlers, hot off of a three hour Juicy-Juice bender, incessantly shrieking “hi” over and over again, and you begin to understand what our poor servers went through this past weekend.

On the internet, computers say hi with a special type of packet, called “SYN”. A conversation between devices typically requires just one short SYN packet exchange, before moving on to larger messages containing real data. And most of the traffic cops on the internet – routers, firewalls and load balancers – are designed to mostly handle those larger messages. So a flood of SYN packets, just like a room full of hyperactive screaming toddlers, can cause all sorts of problems.

For adults, it’s typically an inability to cope, followed either by quickly fleeing the room, or orchestrating a massive Teletubbies intervention. Since they lack both legs and a ready supply of plushies, internet devices usually just shut down.

[Photo: revision3_f5_dos.jpg]
That’s what happened to us. Another device on the internet flooded one of our servers with an overdose of SYN packets, and it shut down – bringing the rest of Revision3 with it. In webspeak it’s called a Denial of Service attack – aka DoS – and it happens when one machine overwhelms another with too many packets, or messages, too quickly. The receiving machine attempts to deal with all that traffic, but in the end just gives up.
(Note the photo of our server equipment responding to the DoS Attack)

In its coverage Tuesday CNet asked the question, “Now who would want to attack Revision3?” Who indeed? So we set out to find out.

Internet attacks leave lots of evidence. In this case it was pretty easy to see exactly what our shadowy attacker was so upset about. It turns out that those zillions of SYN packets were addressed to one particular port, or doorway, on one of our web servers: 20000. Interestingly enough, that’s the port we use for our Bittorrent tracking server. It seems that someone was trying to destroy our bittorrent distribution network.

Let me take a step back and describe how Revision3 uses Bittorrent, aka BT. The BT protocol is a peer to peer scheme for sharing large files like music, programs and video. By harnessing the peer power of many computers, we can easily and cheaply distribute our huge HD-quality video shows for a lot less money. To get started, the person sharing that large file first creates a small file called a “torrent”, which contains metadata, along with which server will act as the conductor, coordinating the sharing. That server is called the tracking server, or “tracker”. You can read much more about Bittorrent at Wikipedia, if you really want to understand how it works.

Revision3 runs a tracker expressly designed to coordinate the sharing and downloading of our shows. It’s a completely legitimate business practice, similar to how ESPN puts out a guide that tells viewers how to tune into its network on DirecTV, Dish, Comcast and Time Warner, or a mall might publish a map of its stores.

But someone, or some company, apparently took offense to Revision3 using Bittorrent to distribute its own slate of shows. Who could that be?

Along with where it’s bound, every internet packet has a return address. Often, particularly in cases like this, it’s forged – or spoofed. But interestingly enough, whoever was sending these SYN packets wasn’t shy. Far from it: it’s as if they wanted us to know who they were.

A bit of address translation, and we’d discovered our nemesis. But instead of some shadowy underground criminal syndicate, the packets were coming from right in our home state of California. In fact, we traced the vast majority of those packets to a public company called Artistdirect (ARTD.OB). Once we were able to get their internet provider on the line, they verified that yes, indeed, that internet address belonged to a subsidiary of Artist Direct, called MediaDefender.

Now why would MediaDefender be trying to put Revision3 out of business? Heck, we’re one of the biggest defenders of media around. So I stopped by their website and found that MediaDefender provides “anti-piracy solutions in the emerging Internet-Piracy-Prevention industry.” The company aims to “stop the spread of illegally traded copyrighted material over the internet and peer-to-peer networks.” Hmm. We use the internet and peer-to-peer networks to accelerate the spread of legally traded materials that we own. That’s sort of directly opposite to what Media Defender is supposed to be doing.

Who pays MediaDefender to disrupt peer to peer networks? I don’t know who’s ponying up today, but in the past their clients have included Sony, Universal Music, and the central industry groups for both music and movies – the RIAA and MPAA. According to an article by Ars Technica, the company uses “its array of 2,000 servers and a 9GBps dedicated connection to propagate fake files and launch denial of service attacks against distributors.” Another Ars Technica story claims that MediaDefender used a similar denial of service attack to bring down a group critical of its actions.

Hmm. Now this could have been just a huge misunderstanding. Someone could have incorrectly configured a server on Friday, and left it to flood us mercilessly with SYN packets over the long Memorial Day weekend. If so, luckily it was pointed at us, and not, say, at the intensive care unit at Northwest Hospital and Medical Center. But Occam’s razor leads to an entirely different conclusion.

So I picked up the phone and tried to get in touch with ArtistDirect interim CEO Dimitri Villard. I eventually had a fascinating phone call with both Dimitri Villard and Ben Grodsky, Vice President of Operations at Media Defender.

First, they willingly admitted to abusing Revision3’s network, over a period of months, by injecting a broad array of torrents into our tracking server. They were able to do this because we configured the server to track hashes only – to improve performance and stability. That, in turn, opened up a back door which allowed their networking experts to exploit its capabilities for their own personal profit.

Second, and here’s where the chain of events comes into focus, although not the motive. We’d noticed some unauthorized use of our tracking server, and took steps to de-authorize torrents pointing to non-Revision3 files. That, as it turns out, was exactly the wrong thing to do. MediaDefender’s servers, at that point, initiated a flood of SYN packets attempting to reconnect to the files stored on our server. And that torrential cascade of “Hi”s brought down our network.
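The difference between a tracker that will track any hash and one restricted to its owner’s torrents, as an added sketch that is not part of the original post and not Revision3’s tracker software. The `Tracker` class, `announce_query` helper, info hashes, client addresses and the 1800-second interval are all hypothetical or constructed; only the `info_hash`/`port` announce parameters and the bencoded `failure reason` reply follow the standard BitTorrent tracker protocol, and the peer entries are simplified.

```python
import hashlib
from urllib.parse import parse_qs, quote_from_bytes

# Constructed 20-byte info hashes (assumption: not real torrents).
OWN_SHOW = hashlib.sha1(b"constructed: the site's own show").digest()
INJECTED = hashlib.sha1(b"constructed: third-party torrent").digest()


def bencode(value):
    """Minimal bencoder covering the types a tracker reply needs."""
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, str):
        value = value.encode()
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(bencode(v) for v in value) + b"e"
    if isinstance(value, dict):
        items = sorted((k.encode(), v) for k, v in value.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %r" % type(value))


def announce_query(info_hash, port):
    """Build the query string a client would send (hypothetical helper)."""
    return "info_hash=%s&port=%d" % (quote_from_bytes(info_hash), port)


class Tracker:
    """Hypothetical tracker: allowed=None tracks any hash, a set restricts it."""

    def __init__(self, allowed=None):
        self.allowed = allowed
        self.swarms = {}  # info_hash -> set of (ip, port)

    def announce(self, query_string, client_ip):
        # latin-1 round-trips the raw bytes of the percent-decoded info_hash.
        params = parse_qs(query_string, encoding="latin-1")
        try:
            info_hash = params["info_hash"][0].encode("latin-1")
            port = int(params["port"][0])
        except (KeyError, ValueError):
            return bencode({"failure reason": "malformed announce"})
        if len(info_hash) != 20 or not 0 < port < 65536:
            return bencode({"failure reason": "malformed announce"})
        # The authorization step: refuse before any swarm state is created.
        if self.allowed is not None and info_hash not in self.allowed:
            return bencode({"failure reason": "torrent not authorized on this tracker"})
        swarm = self.swarms.setdefault(info_hash, set())
        others = sorted(p for p in swarm if p != (client_ip, port))
        swarm.add((client_ip, port))
        return bencode({
            "interval": 1800,  # constructed re-announce interval, in seconds
            "peers": [{"ip": ip, "port": prt} for ip, prt in others],
        })


if __name__ == "__main__":
    open_tracker = Tracker()
    own_only = Tracker(allowed={OWN_SHOW})
    for name, tracker in (("open", open_tracker), ("allowlisted", own_only)):
        reply = tracker.announce(announce_query(INJECTED, 6881), "203.0.113.9")
        print(name, reply, "swarms held:", len(tracker.swarms))
```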

Grodsky admits that his computers sent those SYN packets to Revision3, but claims that their servers were each only trying to contact us every three hours. Our own logs show upwards of 8,000 packets a second.

“Media Defender did not do anything specific, targeted at Revision3”, claims Grodsky. “We didn’t do anything to increase the traffic” – beyond what they’d normally be sending us due to the fact that Revision3 was hosting thousands of MediaDefender torrents improperly injected into our corporate server. His claim: that once we turned off MediaDefender’s back-door access to the server, “traffic piled up (to Revision3 from MediaDefender servers because) it didn’t get any acknowledgment back.”

Putting aside the company’s outrageous use of our servers for their own profit, and the large difference between one connection every three hours and 8,000 packets a second, I’m still left to wonder why they didn’t just tell us our basement window was unlocked. A quick call or email and we’d have locked it up tighter than a drum.

It’s as if McGruff the Crime Dog snuck into our basement, enlisted an army of cellar rats to eat up all of our cheese, and then burned the house down when we finally locked him out – instead of just knocking on the front door to tell us the window was open.

In the end, here’s what I know:

  • A torrential flood of SYN packets rained down on Revision3’s network over Memorial Day weekend.
  • Those packets – up to 8,000 a second – came primarily from computers controlled by MediaDefender, who is in the business of shutting down illegal torrent sites.
  • Revision3 suffered measurable harm to its business due to that flood of packets, as the attacks on our legitimate and legal Torrent Tracking server spilled over into our entire internet infrastructure. Thus we were unable to serve videos and advertising through much of the weekend, and into Tuesday – and even our internal email servers were brought down.
  • Denial of service attacks are illegal in the US under 12 different statutes, including the Economic Espionage Act and the Computer Fraud and Abuse Act.

Although I can only guess, here’s what I think really happened. Media Defender was abusing one of Revision3’s servers for their own purposes – quite without our approval. When we closed off their backdoor access, MediaDefender’s servers freaked out, and went into attack mode – much like how a petulant toddler will throw an epic tantrum if you take away an ill-gotten Oreo.

That tantrum threw upwards of 8,000 SYN packets a second at our servers. And that was enough to bring down both our public facing site, our RSS server, and even our internal corporate email – basically the entire Revision3 business. Smashing the cookie jar, as it were, so that no one else could have any Oreos either.

Was it malicious? Intentional? Negligent? Spoofed? I can’t say. But what I do know is that the FBI is looking into the matter – and it’s far more serious than toddlers squabbling over broken toys and lost cookies.

MediaDefender claims that they have taken steps to ensure this won’t happen again. “We’ve added a policy that will investigate open public trackers to see if they are associated with other companies”, promised Grodsky, “and first will make a communication that says, hey are you aware of this.”

In the end, I don’t think Media Defender deliberately targeted Revision3 specifically. However, the company has a history of using their servers to, as Ars Technica said, “launch denial of service attacks against distributors.” They saw us as a “distributor” – even though we were using Bittorrent for legitimate reasons. Once we shut them out, their vast network of servers were automatically programmed to implement a scorched earth policy, and shut us down in turn. The long Memorial Day weekend holiday made it impossible for us to contact either Media Defender or their ISP, which only exacerbated the problem.

All I want, for Revision3, is to get our weekend back – both the countless hours spent by our heroic tech staff attempting to unravel the mess, and the revenue, traffic and entertainment that we didn’t deliver.

If it can happen to Revision3, it could happen to your business too. We’re simply in the business of delivering entertainment and information – that’s not life or death stuff. But what if MediaDefender discovers a tracker inside a hospital, fire department or 911 center? If it happened to us, it could happen to them too. In my opinion, Media Defender practices risky business, and needs to overhaul how it operates. Because in this country, as far as I know, we’re still innocent until proven guilty – not drawn, quartered and executed simply because someone thinks you’re an outlaw.

- Jim Louderback
CEO - Revision3

UPDATE
We’ve received several requests for some technical data to illustrate the specifics of the attack. So we’ve provided a text file with some more “under the hood” data.

This file represents every packet we identified as being part of the DoS for a period of time less than .02 *seconds* on Monday morning. If you count, there’s a total of 96 packets. (We removed 12 legitimate packets from the trace). We used a combination of tcpdump and wireshark to gather this information. (this particular trace is from tcpdump)

View the text file: rev3packettrace.txt
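The measurement described above (counting SYN packets aimed at the tracker port over a short window and seeing where they come from) can be reproduced from a tcpdump text capture. The following is an added example, not Revision3’s tooling and not part of the original post: the sample lines are constructed, use documentation address ranges, and assume the modern `tcpdump -nn` line layout rather than the format of rev3packettrace.txt.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample capture (assumption: modern `tcpdump -nn` text layout).
# 198.51.100.5 stands in for the server; port 20000 is the tracker port.
SAMPLE_TRACE = """\
07:12:01.000100 IP 192.0.2.10.40001 > 198.51.100.5.20000: Flags [S], seq 100, win 5840, length 0
07:12:01.000225 IP 192.0.2.10.40002 > 198.51.100.5.20000: Flags [S], seq 101, win 5840, length 0
07:12:01.000350 IP 192.0.2.11.51000 > 198.51.100.5.20000: Flags [S], seq 102, win 5840, length 0
07:12:01.000400 IP 203.0.113.7.33000 > 198.51.100.5.80: Flags [S], seq 900, win 65535, length 0
07:12:01.000475 IP 192.0.2.10.40003 > 198.51.100.5.20000: Flags [S], seq 103, win 5840, length 0
07:12:01.000500 IP 198.51.100.5.80 > 203.0.113.7.33000: Flags [S.], seq 500, ack 901, win 65535, length 0
07:12:01.000600 IP 192.0.2.12.42000 > 198.51.100.5.20000: Flags [S], seq 104, win 5840, length 0
07:12:01.000725 IP 192.0.2.10.40004 > 198.51.100.5.20000: Flags [S], seq 105, win 5840, length 0
07:12:01.000850 IP 192.0.2.11.51001 > 198.51.100.5.20000: Flags [S], seq 106, win 5840, length 0
07:12:01.000900 IP 203.0.113.7.33000 > 198.51.100.5.80: Flags [.], ack 501, win 65535, length 0
07:12:01.001100 IP 192.0.2.10.40005 > 198.51.100.5.20000: Flags [S], seq 107, win 5840, length 0
"""

LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): "
    r"Flags \[([^\]]*)\]"
)


def parse_tcpdump(trace):
    """Yield (time_in_microseconds, src_ip, dst_port, flags) per TCP line."""
    for line in trace.splitlines():
        m = LINE.match(line.strip())
        if m is None:
            continue  # not an IPv4 TCP line in the expected layout
        hh, mm, ss, usec, src, _sport, _dst, dport, flags = m.groups()
        # Integer microseconds avoid float rounding; midnight wrap is ignored.
        ts_us = (int(hh) * 3600 + int(mm) * 60 + int(ss)) * 1_000_000 + int(usec)
        yield ts_us, src, int(dport), flags


def syn_report(trace, port, threshold_pps):
    """Summarise bare SYNs (flags exactly "S") aimed at one destination port."""
    events = [(ts, src) for ts, src, dport, flags in parse_tcpdump(trace)
              if dport == port and flags == "S"]  # "S." (SYN-ACK) is excluded
    by_source = Counter(src for _, src in events)
    # Group by /24 so many hosts on one network show up as one origin.
    by_prefix = Counter(
        str(ipaddress.ip_network(src + "/24", strict=False)) for _, src in events
    )
    times = [ts for ts, _ in events]
    window_us = max(times) - min(times) if len(times) > 1 else 0
    pps = len(events) * 1_000_000 / window_us if window_us else 0.0
    return {
        "syns": len(events),
        "window_us": window_us,
        "pps": pps,
        "by_source": dict(by_source),
        "by_prefix": dict(by_prefix),
        "flood": pps >= threshold_pps,
    }


if __name__ == "__main__":
    report = syn_report(SAMPLE_TRACE, port=20000, threshold_pps=1000)
    for key, value in report.items():
        print(key, value)
```

The threshold is a constructed value; in practice it would be set from the port’s normal connection rate.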


207 Responses to “Inside the Attack that Crippled Revision3”

  1. 01

    samureye Says:

    I really hope you guys are suing them.

  2. 02

    herkamer Says:

    Thanks for the detailed report, Jim. I’m glad you guys are back. I do hope you are taking legal action. If there is anything the community can do, let us know.

  3. 03

    kadesoto Says:

    Wow, Jim, I never knew you were such a fantastic writer. Your update was both a joy and a shame to read.

  4. 04

    careyd Says:

    Jim, thanks for the great post. This is just unbelievable. I can see you’re choosing your words very carefully above, but I’m sure you’re very angry about this (justifiably so). I certainly hope you cooperate with the FBI and get action on their front, but certainly also start preparing a private suit as well. You certainly appear to have actionable data for a strong case against Media Defender.

    Media Defender exists because of a reasonable idea (content protection) gone horribly awry on the implementation and execution side of things. Unfortunately, I think they were founded on the wrong premise, therefore they may need to cease to exist so something more pragmatic and reasonable could replace them.

  5. 05

    davedonohue Says:

    What a sh*tty way to spend a holiday weekend, Jim. BitTorrent is used for so many legal purposes - yours, live music distribution, Linux distribution, etc. - that I’m amazed that any organization assumes public trackers to be used for illegal purposes.

    Good luck. People will definitely take an interest in this. Coincidentally, some hackers just defaced Comcast’s home page, allegedly retaliating against BitTorrent throttling.

  6. 06

    esophagus Says:

    I guess I didn’t hear the phone conversation you guys had, but I have a hard time believing this wasn’t intentional.

    Hope the FBI does something, and you guys take legal action (against MediaDefender) if they don’t.

  7. 07

    colligan Says:

    Wow, Jim, wow …

    For those who think “old media” is sitting around letting “new media” take over …

    Wow.

    Paul

  8. 08

    kmonson Says:

    Unbelievable. Sounds like, at best, Revision3 was collateral damage in a broader cyber-terrorism scheme. Once you’re done suing these guys out of business, I hope they get locked up.

  9. 09

    A Cautionary Tale From Revision3 | Paul Colligan’s Profitable Podcasting Says:

    [...] A Cautionary Tale From Revision3Posted on 7:33 am by Paul Colligan Before you go any further, read this post from Jim Louderback from Revision3 on how he spent his weekend. [...]

  10. 10

    tokenuser Says:

    This needs to go out as a press release so that it will be picked up by mainstream media. It’s a clear example of vigilante justice, and one that I hope that the FBI slams MediaDefender over.

    Just how hard will that house of cards fall? RIAA? MPAA? Individual companies?

  11. 11

    Kichigai Mentat Says:

    Jim, I hope you sue them. What they did was reckless and irresponsible, and someone needs to send MediaDefender a lesson that performing illegal acts to fight other illegal acts is NOT right (two wrongs don’t make a right). BitTorrent has plenty of legitimate uses, and Revision3 is one of my favorite examples (along with Blizzard and various Linux distributors). What MediaDefender is straight up FUD, and it is causing harm to users/distributors of Torrents who use them for legitimate purposes. I’m sorry that any of this had to happen to you, but I hope some good comes out of the harm that was done not only to your company, but also to those who patronize your company.

  12. 12

    usmarinesjz Says:

    Well I guess this pokes holes at MediaDefender’s “legitimate business practices.” Shame on MD for these actions. Hopefully Revision3 shows them the error of their way (Legally of course).

  13. 13

    laxmanang Says:

    Thanks for the post, I seriously hope that Rev3 sues the hell out of them.

  14. 14

    crobarian Says:

    I’m with everyone else. Sue! Sue! Sue! This can’t be accidental. You can sue for loss of revenue due to the illegal actions of Media Defender.

  15. 15

    rocinante2000 Says:

    I am at a loss for words. You hear the horror stories, but these actions are totally and utterly insane. MD are acting like a mall security guard that uses deadly force because you’re driving through the parking lot to pick up your significant other from work and they think red cards are illegal. Please don’t let this slide under the rug Jim/Rev3.

  16. 16

    dalesd Says:

    I hope you guys sue the pants off these bullies. Get the EFF involved. I bet those guys would love to sink their teeth into MediaDefender.

    Also, this would make a good topic for Systm.
    “How to run your own Torrent Tracker.”
    and/or
    “How to defend yourself against a DoS attack”

  17. 17

    robbpf Says:

    Jim,

    Nicely put and it is very much appreciated that you took the time to write up and outline exactly what happened…not necessarily for Rev3 but for the tech community as a whole. I hope Rev3 and the FBI come down hard on MediaDefender, this type of behavior shouldn’t be tolerated.

  18. 18

    themadmonkeyman Says:

    Seriously Jim, please don’t let them away with this.

    They committed a serious crime, period. When hackers inside the US DoS large sites and get caught, they go to prison. What makes Media Defender any different?

    Because they have the backing of the RIAA? Absolute nonsense.

    They are criminals, sue.

  19. 19

    FiddlinLady Says:

    Wow Jim - very classy response to a horrid situation.
    Nice job & best of luck in whatever path you take for resolution.

  20. 20

    Media Defender launches illegal DoS attack on Revision 3 | Technology Viewer Says:

    [...] Inside the Attack that Crippled Revision3 [...]

  21. 21

    TPNDrew Says:

    While this appears to be an “accident” I would hope that MediaDefender would be held responsible for the money and time spent trying to cope with this issue. In all honesty, I have no doubt that this was an intentional act by a company who is overstepping its bounds.

  22. 22

    CrunchGear » Archive » Revision 3 says RIAA/MPAA anti-piracy company responsible for recent outage Says:

    [...] You guys watch Revision 3, right? Diggnation, Tekzilla (my personal favorite), Totally Rad, etc. The company was DoS’d last week, and you’ll never guess who was responsible. [...]

  23. 23

    t12121 Says:

    In my opinion, they should sue the company accident or not. I mean they lost countless hours “fixing” the problem. They lost revenue from not being able to broadcast their shows on a holiday weekend. Saying “oops we’re sorry” isn’t an excuse not a reason, Revision3 should demand a public apology, bandwidth costs, and lost revenue.
    Well that is just my 2 cents worth.

  24. 24

    smes Says:

    Media Defender has a reputation for taking such reckless, callous, and slightly ignorant action. The only way they would really learn is through an assbeating in court. Calculate the lost revenue for the weekend (it’s bound to be big considering it’s a long weekend in the US) and sue the bastards.

  25. 25

    Jude Says:

    Jim, The only response to put these type of businesses in line is to sue them out of existence. It’s a sad reality. We didn’t make the rules but we need to play by them.

  26. 26

    Endnu et fejltrin fra pladeindustrien « Når nørder keder sig Says:

    [...] Yet another misstep from the record industry. Posted in Miscellaneous by tn8or on May 29th, 2008. Just stumbled across http://revision3.com/?p=153 [...]

  27. 27

    triumph Says:

    Hit them in the only place they understand - the pocketbook. Whether criminal or simply grossly negligent, you have sustained measurable financial losses and they should be held responsible for their actions. Sue all of their John Does. Please.

  28. 28

    ZenOfJazz Says:

    Looking at what you’ve said, I’d say that MediaDefender has been using your server, to try to serve media files, either in an attempt to induce copyright infringement in others, and capture addresses of those who download them, or to seed falsified copies of media files, in an attempt to poison the bittorrent networks. The DoS reprisal sounds like a typical response they would issue, if they had been discovered, and banned from a torrent server. Seems like a brilliant move: In an attempt to destroy illegal media sharing, steal computer resources, cause denial of service attacks, and otherwise defraud legitimate businesses with legitimate uses of P2P.

    Sue them HARD. Pursue any and ALL legal charges against them. Show them that if they’re going to take such a high handed course (being police, judge and jury all in one) that it will have an unacceptably HIGH price, when they’re wrong.

    Sorry they ruined your Memorial Day weekend.

  29. 29

    ctbmp Says:

    I should hope that you referred this matter to the appropriate authorities. I’m hardly an expert, but it seems like at least some part of the activities mentioned might be illegal in the U.S.

  30. 30

    rowlodge Says:

    That’s not good.

  31. 31

    albybum Says:

    As has been previously stated (and quite obvious), this behavior is reckless, underhanded and malicious.

    The hardest/most effective way to hit them is in the pocket. For your own sake, and the rest of us doing legitimate distribution, I hope you take legal action against them.

  32. 32

    bsbnyc Says:

    To the extent you are looking for it, Kudos for your work to approach this in a sane, even-handed, and transparent way.

    It’s hard to see companies like MediaDefender as the white hats in these matters. They typically assume that mantle only because they are backed by rights-holders, “defending” copyright. But whose rights, and what organizations, deserve to be the collateral damage to protecting copyright?

    -Ben

  33. 33

    antii Says:

    Wow, thank you so much for this awesome research. If it is ok I want to add this as an example in my senior project on file-sharing. I will e-mail you for permission.

  34. 34

    phospholipid Says:

    i don’t understand how mediadefender can even sell those services? i mean, if dos attacks are illegal, how can that be part of what they sell? forget the lying. i mean, 8000/sec is not an accident. it’s clearly part of their scheme. so, ultimately, does that make their customers complicit in illegal activity as well?

    as you mentioned, that sh1t is *dangerous*. i work in medical computing, and more and more research institutions are using bt to move large data sets - proteins, DNA, databases…

    please, please sue them. i’ll come to court naked and pretend i’m on their board. oh, please sue them.

  35. 35

    gregf Says:

    I really hope you guys seek legal action as well. They should not be doing this and getting away with it. Even if you were to be distributing illegal torrent files, what they are doing is wrong as well.

  36. 36

    noblearc Says:

    Yeah, it’s all my fault. I pointed out that Rev3’s tracker was being used to announce pirated files (like a copy of the movie Rambo, before it was released on DVD) on the forums, and someone at Rev3 turned off that part of the tracker, and then MediaDefender’s servers went crazy. See the discussion that happened before hand at http://revision3.com/forum/showthread.php?p=369753

    (Sorry!)

  37. 37

    zeusgodman Says:

    MediaDefender’s bank account needs to be DoS attacked!

  38. 38

    boogermynoogie Says:

    Lol those people at mediadefender must be retarded like the SCO group. Dumb tossers, both of it is dead basically but they keep messing with other people. I gonna setup a new torrent site soon on SIPRNET servers and send the link to them to DDoS it :)

  39. 39

    Anything + Everything » Revision3 Servers Brought Down By MediaDefender DoS Attack Says:

    [...] Get the full story direct from Revision3’s CEO Jim Louderback here. [...]

  40. 40

    Nullset Says:

    The Dangers of Blunt Force

    If you are interested in the complex issues of ownership, IP rights and enforcement mechanisms, this detailed saga about the recent DDoS attack at Rev3 is a gripping read.

  41. 41

    Glugory Says:

    Jim, I really hope you and/or Patrick Norton go TWiT this week and talk more about this. I always knew that MediaDefender was a shady company. Apart from the FBI involvement, are you guys pursuing legal action against them?

  42. 42

    Spectrum Says:

    MediaDefender. Right.

    They’re acting like Co$ with this DoS/BS.

  43. 43

    Dr. Jarod S Says:

    I think that MediaDefender should be shut down

  44. 44

    mydickhertz Says:

    I do hope you are suing them. I believe, any financially responsible management would have to sue them for costs associated with the attack (at a minimum).

  45. 45

    zabbawack Says:

    Burn them at the stake!!!!!

  46. 46

    orbital303 Says:

    Wow this is crazy. I hope you prosecute them and sue them out of existence as they and their clients all deserve. We all know who their clients are, at least some of the major ones. No one deserves this and this will continue to happen. They’ve already admitted to committing crimes.

    Please do this not only for you and your company but for everyone else out there, for the public good.

  47. 47

    coolguy Says:

    As far as exploiting vulnerability in your tracker, that’s illegal. They should be fined.

    As far as the DoS attack goes they are responsible either way. It was either deliberate or due to negligence. You can sue them for either.

  48. 48

    nextgenxbox Says:

    It’s nobody’s fault noblearc… don’t worry about it.

    I sure hope Rev3 sues them!!!

  49. 49

    Brandon Paddock's Blog - Desktop Search and more » Blog Archive » Two wrongs make a… start-up? Says:

    [...] just read this post on the Revision3 blog from their CEO, describing a massive Denial of Service attack perpetrated against them over the [...]

  50. 50

    thatblokerob Says:

    Thanks Jim, great explanation and detail. They sound like cowboys.

  51. 51

    Quintushalls Says:

    SUE THEM!!! Media defender is evil and you have a great case! Please sue!! :)

  52. 52

    phoenixp3k Says:

    Impressive read. The actions of Media Defender are downright devious…

    Media Defender… *puke*

  53. 53

    Inside the Attack that Crippled Revision3 Says:

    [...] Inside the Attack that Crippled Revision3 [...]

  54. 54

    OwlBoyDotCom Says:

    You guys need to attack them back legally.

  55. 55

    MediaDefender = Spawn of Satan | Way Too Much Information About Randy Peterman Says:

    [...] took down Revision3’s servers over the long weekend because of various problems - but read this article and judge for yourself - a company that violates laws to do business is just asking for a take down [...]

  56. 56

    EricSusch Says:

    Sounds like MediaDefender owes you guys some money. If you sue them you’ll be able to depose them. I bet they’ve done this to other companies before.

  57. 57

    that canadian girl Says:

    MediaDefender DoS attack on Revision3: Stop screwing with new media

    Earlier today, I saw Jim Louderback, CEO at Revision3, tweeting that there had been an outage at Rev3 this weekend and he could now shed light on the issue. Honestly, I hadn’t noticed the downtime. I’ve got Diggnation, The Totally Rad Show …

  58. 58

    wilfink Says:

    Yaay Cogent for giving bandwidth to these shitheads. I guess I should be surprised that the same ISP who’ll sell bandwidth to spammers also sells it to companies that have the explicit purpose of DoS’ing other web sites.

    Methinks the respectable ISPs on the internet should re-evaluate their peering relationships with Cogent.

  59. 59

    artfuldodga Says:

    I do hope you plan on suing the hell out of MediaDefender and any company directly associated with it (ie) Financing MediaDefender.

    What they have done and been doing is inexcusable.

  60. 60

    phogan Says:

    Please do the internet a favor and use this as excuse to take them out.
    Anti-piracy is one thing, mafia tactics is quite another matter. They are a nuisance to everyone, as you’ve found out.

    I noticed the downtime I was frequently unable to connect to the Revision3 website much less get to the content.

  61. 61

    FVB > Revision3, MediaDefender and the Robot Wars Says:

    FVB > Revision3, MediaDefender and the Robot Wars

    Over the last couple years I’ve diligenced a few network security products that are the internet equivalent of automated unmanned air vehicles (UAVs). They offer the ability to scan the [network] horizon for enemy behavior and take aggressive, automa…

  62. 62

    funkyjunk3 Says:

    HARMFUL GROSS NEGLIGENCE

    Even if the humans at MediaDefender had no idea their fat pipe and server army had declared open season on Revision3, this is gross negligence. If some dude’s guard dog jumped fence and killed a woman and her child, you can bet the woman’s family would sue and get the dude’s ass served to him by the judge.

    You should do the same. MediaDefender neglected to not only keep their meddling crap torrents out of your tracker (which is illegal), they grossly neglected to keep their servers from steamrolling your server. You have a very strong case against them, and I would go after them to fullest extent allowable by Law.

  63. 63

    georgia_tech_swagger Says:

    Clearly only one thing is appropriate here: Death to MediaDefender.

  64. 64

    kyledylanconner Says:

    As well as most people here, I hope you sue the hell outta’ them as well.

    Sorry that happened.

  65. 65

    Web 2.0 Announcer Says:

    Inside the Attack that Crippled Revision3

    [...]As many of you know, Revision3’s servers were brought down over the Memorial Day weekend by a denial of service attack. It’s an all too common occurrence these days. But this one wasn’t your normal cybercrime – there’s a chilling twist at the end….

  66. 66

    davewhittle Says:

    Hey, Jim - my respect for you, which was already way high, just skyrocketed into the stratosphere. You’re handling this perfectly.

    Wish I could say the same thing about how I handled the way Microsoft executed that character assassination campaign when I was at IBM…Many suggested I sue, but I didn’t want the headache of taking on the deep pockets at Microsoft.

    Anyway, I hope we’ll see justice served in this case.

    Good luck!
    Dave Whittle

  67. 67

    markum Says:

    For me, the fact that your site can be taken down for an entire weekend really taints the site. I won’t want to get all involved in some show and then suddenly find out that, during the time I’ve set aside to watch, the site is unavailable. I think this attack has damaged much more than just your revenues for the one weekend. Your site reputation has suffered. Down site = lame site = me no visit.

  68. 68

    zebtron Says:

    The govt really needs to both understand and keep tabs on companies like MediaDefender, who seems to cause more trouble than they are preventing.

    I really hope you explore a civil lawsuit in addition to any criminal finding the FBI discover.

  69. 69

    morouxshi Says:

    MediaDefender needs to be removed from the internet. Rev3 do the right thing, take them down!

  70. 70

    SansPantalons Says:

    I truly hope it results in far more than just a lawsuit. We’ve known for some time that Mediadefender was working outside the borders of legality on behalf of the entertainment industry.

    Nothing would please me more than to see Mediadefender’s corporate heads dropping the soap in a Federal prison.

  71. 71

    mooking Says:

    Sue their balls off.

  72. 72

    crobarian Says:

    Well, sent emails to all major news agencies. Let’s see how long it will take them to report on this, if they ever do.

  73. 73

    sporb Says:

    sue’em!

    and good job Jim, now I can see why you’re the CEO.

  74. 74

    AlaskaLoneWolf Says:

    I wonder if Mediadefender had considered the long-term backlash from their actions. And, I hate to sound cliche’, but if you mess with a Tiger, you end up getting the teeth. I imagine Rev3 crushin’ them like a little blood-sucking mosquito. (Splat!)

  75. 75

    wcg66 Says:

    Jim,

    Great post. I think having a local CA company doing this is far more ominous than some Russian gangsters’ hackers. The fact that this is even conceivably acceptable to investors in MediaDefender or its customers is completely asinine. I think it’s just the tip of the iceberg in terms of what the RIAA/MPAA is doing or are willing to do. It’s not about copyrights or protecting content it’s about good old power and money.

    Attacking even a pure piracy tracker in this way is illegal. Using illegal means to fight illegal operations is still wrong. Anyway, enough ranting.

    Love the shows - favourites are Tekzilla, TRS and Diggnation. Keep ‘em coming.

  76. 76

    cameroncook Says:

    Jim,
    Way to rally the team in a time of crisis.

    MD’s business model is lame, the corporations that employ them are lame.
    That type of thinking is incorrect and it is unfortunate that it is in industries bloated with so much money.

    It appears that society has no use for Media Defender, they definitely offer nothing to society.
    I hope the good will of many catches up with them.

    Cheers!

  77. 77

    crobarian Says:

    Well, looks like CNET News has picked up the story: http://news.cnet.com/8301-10784_3-9954863-7.html?tag=nefd.lede

    No response for them from Media Defender.

  78. 78

    zedza Says:

    If you just Google the tracker’s address, you can see that it was tracking a lot more pirated content than just Rambo: http://tinyurl.com/424ab5

    If they’d kept on top of what their servers were doing (or if they didn’t turn a blind eye to it) then this wouldn’t have happened.

  79. 79

    crobarian Says:

    @zedza Don’t you think those are the illegal torrents that Media Defender put on there?

  80. 80

    ekivemark Says:

    It makes you wonder that if Media Defender is injecting tainted copyright material in to the BT network for what amounts to the purpose of entrapment then Revision3 might find itself at the center of a class action suit.

    Other members of the BT network should consider this. I am sure there are lawyers that would jump at this, especially if the media companies are funding these activities. At the very least this would keep the spotlight turned on so that dubious behavior is curtailed.

    So why not sue them for the resources they have consumed across the network for the entire time they have been conducting these shameful and likely illegal business practices. It is not just your lost weekend and lost revenue but they have been unlawfully consuming Revision3 and others resources through these practices.

    Jim - very well written and thanks for bringing this to light.

  81. 81

    zedza Says:

    @crobarian - I don’t know. It looks like there were pirated torrents tracked on there as way back as 2005.

    http://tinyurl.com/43r3fg

    (Just click the “Trackers & scrape stats” link to see it.)

  82. 82

    For my more nerdly readers . . . by JakeStapleton.com Says:

  83. 83

    siliziumleben Says:

    09:37:34.000149 IP 38.107.161.75.30342 > 209.237.233.169.20000: S 1273125819:1273125819(0) win 64240

    the initial window size of 64240 and mss of 1460 indicate Windows XP or 2000 pro as source.

    64240:128:1460:1:-1:1:1:48:Windows XP Pro, Windows 2000 Pro
    (from http://www.stearns.org/p0f/devel/p0f.fp)
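The passive fingerprinting described in the comment above can be reproduced offline against a capture. This is an added example, not part of the original thread or of p0f itself: it assumes the p0f 1.x field order (window:ttl:mss:DF:wscale:sackOK:nop:size:label) for the quoted signature, and the sample capture lines, their addresses and their TCP options are constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Signature quoted in the comment. Assumed p0f 1.x layout:
# window:ttl:mss:DF:wscale:sackOK:nop:size:label  (-1 = absent / any)
XP_SIG = "64240:128:1460:1:-1:1:1:48:Windows XP Pro, Windows 2000 Pro"

# Constructed capture in the same tcpdump style as the line in the comment.
# Addresses are documentation ranges; the TCP options are assumed.
SAMPLE = """\
09:37:34.000149 IP 192.0.2.10.30342 > 198.51.100.5.20000: S 1273125819:1273125819(0) win 64240 <mss 1460,nop,nop,sackOK>
09:37:34.000271 IP 192.0.2.10.30343 > 198.51.100.5.20000: S 1273125900:1273125900(0) win 64240 <mss 1460,nop,nop,sackOK>
09:37:34.000398 IP 192.0.2.11.41200 > 198.51.100.5.20000: S 55512:55512(0) win 5840 <mss 1460,sackOK,timestamp 1 0,nop,wscale 2>
09:37:34.000502 IP 198.51.100.5.20000 > 192.0.2.10.30342: R 0:0(0) ack 1273125820 win 0
"""

# Matches a bare SYN only: a SYN-ACK prints "ack N" before "win" and is skipped.
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"S \d+:\d+\(0\) win (?P<win>\d+)(?: <(?P<opts>[^>]*)>)?"
)


@dataclass
class Syn:
    ts: str
    src: str
    dport: int
    window: int
    mss: Optional[int]      # None when the option is not printed
    wscale: Optional[int]   # None when the option is absent
    sack_ok: bool
    nop: bool


def parse_syn(line: str) -> Optional[Syn]:
    """Return the SYN described by one tcpdump line, or None for other packets."""
    m = SYN_RE.match(line)
    if m is None:
        return None
    opts = [o.strip() for o in (m["opts"] or "").split(",") if o.strip()]
    mss = wscale = None
    for opt in opts:
        if opt.startswith("mss "):
            mss = int(opt.split()[1])
        elif opt.startswith("wscale "):
            wscale = int(opt.split()[1])
    return Syn(m["ts"], m["src"], int(m["dport"]), int(m["win"]),
               mss, wscale, "sackOK" in opts, "nop" in opts)


def parse_signature(text: str) -> dict:
    """Split one signature line into named integer fields plus its label."""
    fields = text.strip().split(":", 8)
    if len(fields) != 9:
        raise ValueError("expected 8 numeric fields and a label")
    names = ("window", "ttl", "mss", "df", "wscale", "sack_ok", "nop", "size")
    sig = dict(zip(names, map(int, fields[:8])))
    sig["label"] = fields[8]
    return sig


def matches(sig: dict, syn: Syn) -> bool:
    """Compare the fields this tcpdump format shows. TTL, DF and total length
    need verbose output, so they are not checked and the match is weaker."""
    sig_wscale = None if sig["wscale"] == -1 else sig["wscale"]
    return (syn.window == sig["window"]
            and syn.mss == sig["mss"]
            and syn.wscale == sig_wscale
            and syn.sack_ok == bool(sig["sack_ok"])
            and syn.nop == bool(sig["nop"]))


def summarize(capture: str, sig_text: str = XP_SIG) -> dict:
    """Per source address: (number of bare SYNs seen, fingerprint label or 'unknown')."""
    sig = parse_signature(sig_text)
    counts, guess = Counter(), {}
    for line in capture.splitlines():
        syn = parse_syn(line)
        if syn is None:
            continue
        counts[syn.src] += 1
        if matches(sig, syn):
            guess[syn.src] = sig["label"]
    return {src: (n, guess.get(src, "unknown")) for src, n in counts.items()}


if __name__ == "__main__":
    for src, (n, label) in summarize(SAMPLE).items():
        print(f"{src}: {n} SYN(s), fingerprint: {label}")
```

A line that prints no TCP options, like the one quoted in the comment, yields `mss=None` and therefore cannot confirm the signature on its own; the window size alone is only a hint.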

  84. 84

    briansanderson Says:

    Jim,
    Thanks for the update. I only have 2 words to say “Sue em”. It is illegal what they did so bury them.
    Brian

  87. 87

    O’DonnellWeb - This is not a homeschooling blog » Blog Archive » links for 2008-05-29 Says:

    [...] Revision3 the music industry attacks servers it doesn’t like (tags: music security) [...]

  88. 88

    thecheat Says:

    PLEASE bring them down!

    This is a perfect time to strike AGAINST a company that always picks on the little guy, except this time they screwed up and got a big one. Take em out Rev3, please, for all of us underdogs!

  89. 89

    Pixel_Pusher Says:

    At the risk of sounding cheesy… I’ve gotta say, as a civil liberties nut I’m personally offended by this. Thankfully there are legal options in this matter, and that Revision3 is one of few MediaDefender victims who have the means to pursue them. I’m hoping this sets a major legal precedent — this company and its cohorts are taking their own interpretations of copyright law into action without authority or merit. They all need to be taken down a peg or six.

  90. 90

    carlosos Says:

    This is unbelievable and I hope the person responsible for the DDOS attack will go in jail and the company sued. By the log it looks like not just one computer attacked but multiple servers from MediaDefender.

  91. 91

    gregreher Says:

    Please do everything within your power to fight this. Having been on the same end of a similar attack a number of years ago, the amount of work required just to get your business back up and running is immeasurable. I wish you luck and will continue to follow this as it further unfolds.

  92. 92

    init.sh » [HOWTO] Survive a DoS attack from MediaDefender Says:

    [...] I just don’t know how to describe what happened to Revision3 over the Memorial Day weekend.  Here, read for yourself. [...]

  93. 93

    Fonsie H Says:

    I agree with Mr.Louderback, why didn’t they just
    ask Rev.3.
    It’s not like Rev.3 is some sort of underground site that
    is putting out illegal product.
    Mediadefender sounds like one stupid company, and should
    be sued.
    Back on this site i still notice some very long load times
    for the main page and videos of the shows i watch.
    Hope everything gets back on track.

  94. 94

    sidzilla Says:

    Jim,
    I urge you to take action against Media Defender AND THEIR EMPLOYERS! Everyone is advising action against Media Defender, however they are the hired gun. Their tactics are well known to their clients due to the targets of their lawsuits using these tactics as part of their defense strategies. Media Defender acts on behalf of these companies in a criminal manner, working in the capacity of an unlicensed private investigator in many states, using outright illegal tactics. This affects not only law abiding companies like yours, but targets law abiding citizens by darkening the sky with lawyers and using a war of attrition to extort settlements from them. They need to be stopped, and they need to be held accountable for these actions. You can do this for the people who can’t mount an offensive against these animals. Thanks!

  95. 95

    CyVaquero Says:

    MediaDefender is a gun-for-hire vigilante company. I was extremely disappointed in the fact that Federal charges weren’t brought with their self-incriminating email leak, but I guess it takes more than that to get the Feds to move. Apparently, you CAN take justice in your own hands and hack and infect with impunity under the guise of fighting those doing the same. It was just a matter of time before these guys stepped on their own d****, I am counting at least three major federal statutes that carry serious sentences/fines involved in this attack.

    Any lawyers out there care to chime in on what all federal/state laws were broken based on the facts presented here?

    If my boss was killed would I be legitimately allowed to exact punishment on the perpetrators/much less with collateral damage without legal retribution?

    And no I don’t P2P or condone pirated material.

  96. 96

    CyVaquero Says:

    Oh, to answer Fonsie - they didn’t just call Rev3 because they were using Rev3’s systems without Rev3’s knowledge or permission to do their work - that is illegal in and by itself.

    California Penal Code SECTION 502

    That’s just the state’s statute, Federal hacking statutes are legendary, I don’t know if FCC would get involved as both companies are in California and state lines may not have been crossed in the illegal access and subsequent DoS.

  98. 98

    mdnk2 Says:

    it’s hard to ignore points made by zedza and noblearc… initially i was shocked at the alleged audacity of what MD (apparently) did.

    but to run a bt tracker with what appears to be copyrighted materials for upwards of three years seems to be tantamount to serious negligence on behalf of the admins. or, as another commenter pointed out, turning a blind eye.

    either case doesn’t shine favorably on rev3, and i eagerly await some verifiable evidence that this WASN’T the case from jim / rev3. why was this activity allowed to go on for years? are we to believe all of this activity was mediadefender?

  99. 99

    blanc10 Says:

    Jim, If you set up a donate button, I’m willing to donate money to help you sue these idiots. I take an attack on this company personally and I am personally insulted by all this bull.

  100. 100

    deepb Says:

    First - nice article, but I don’t care much for your “babies saying ‘hi’” analogy. It’s more along the lines of having hundreds (or thousands) of people calling the local Domino’s Pizza over and over again for a period of time, hanging up as soon as someone answers.

    Second - even if Rev3 was tracking child porn or snuff films, that doesn’t give MD the right to break the law in an attempt to stop it, or prevent it from happening again. Luckily (for everyone except MD), this is something the FBI understands quite well.

  101. 101

    pbyhistorian Says:

    kadesoto: Wow, Jim, I never knew you were such a fantastic writer.

    Jim was a professional writer in the computer industry for many years. I used to wonder if he sometimes wrote Spencer F. Katt at PC Week.

    I worked for Jim back then but I really gained respect for him later; he always seems to be doing something good in the news. I was surprised to find him involved in this story, but I won’t be at all surprised if he becomes a champion here.

    Best of luck, Jim. I’m not familiar with Revision3 but I do know how painful such a vicious attack is. Your network guys must have been heroic!

  102. 102

    Floris Says:

    Perhaps they finally recovered from their scam practises that became public, got new funding and are back to take revenge .. after all, digg.com was plastered with front-page articles about how they abuse their powers and all on the payroll of the horrible movie and music industry, and hiding behind plausible deniability.

    http://digg.com/tech_news/MediaDefender_defenders_post_info_results_analysis_and_laugh_out_loud?t=9253856

    http://digg.com/security/Hackers_Smack_Anti_Piracy_Firm_MediaDefender_Again_and_Again

    even kevin & alex discussed the events here on revision3’s diggnation show .. sounds like motive to me ..

    http://digg.com/television/Kevin_Rose_and_Alex_Discuss_Mediadefender_on_Diggnation

    more ..

    http://digg.com/tech_news/The_Pirate_Bay_finds_proof_of_foul_play_in_MediaDefender_leak

    http://digg.com/tech_news/MediaDefender_E_Mail_Ranks_BitTorrent_Site_Protection

    http://digg.com/odd_stuff/MediaDefender_Damage_Control_Cease_and_Desist

    http://digg.com/tech_news/MediaDefender_defenders_post_info_results_analysis_and_laugh_out_loud

    http://digg.com/tech_news/ThePirateBay_org_files_charges_against_media_companies

    etc ..

    There’s obviously history with digg/rev3 and could be payback. If they claim not .. then it just shows the poor and illegal practises.

  103. 103

    FBI Investigating MediaDefender for DoS-ing Revision3 | JustinFlood.com Says:

    [...] Inside the Attack that Crippled Revision3 [...]

  104. 104

    The Lazy Canadian » Blog Archive » It was an accident, I swear. Says:

    [...] Shortly after that, someone who worked there pulled the plug on it, and said: “while it means revision3’s tracker will be more complex and less robust, i have implemented whitelisting. let the server crashes begin again” And that’s exactly what happened. [...]

  105. 105

    gkast1 Says:

    Yes, sue them.

    And ask the Court for a Preliminary Injunction keeping them OFF the Net!

  106. 106

    geekdave Says:

    I hope that the FBI is going to do the “Right Thing” with this case.

    The RIAA must be doing some kind of half-assed shock and awe campaign these days.

    I think that the RIAA needs to see this case as a lesson learned…

    Is there a petition that can be filled out that could be transmitted to them so that someone there especially Villard and Grodsky that might help to get the point across?

    Thanks for all the great content and the attention to your customers. rev3 is one of my best and favorite sources of information, and entertainment.

  108. 108

    boogermynoogie Says:

    Sounds like it’s time for a big slice of http://www.prolexic.com

  109. 109

    SilverBlade Says:

    Give them hell, Revision 3! Take them down!

  110. 110

    segagman Says:

    Ok as you said if

    “Denial of service attacks are illegal in the US under 12 different statutes, including the Economic Espionage Act and the Computer Fraud and Abuse Act.”

    then wouldn’t

    “According to an article by Ars Technica, the company uses “its array of 2,000 servers and a 9GBps dedicated connection to propagate fake files and launch denial of service attacks against distributors.”

    By breaking the law? So they break the law to stop law breakers? Are they above the law?

    I say contact EFF at http://www.eff.org/about/contact

    and fight fire with fire because user rights are being controlled by ma$$ media

  111. 111

    segagman Says:

    o yea i bet this has the same effect as did the bust on the pirate bay
    http://tinyurl.com/46feys
    and only help but make
    http://revision3.com
    bigger and more popular BECAUSE i have seen links to revision3 in passing but i read about this on slashdot and as you can see i am now registered posting comments
    also if the mpaa or riaa is reading this please refer to this link
    http://tinyurl.com/2q9j9y

  112. 112

    WereCatf Says:

    Hi there Jim!

    I just wanted to say that I find these kinds of illegal attacks against others as a seriously infuriating and perhaps a dangerous thing. No company should be above the law, and even if they were attacking an illegal tracker they’re still breaking the law themselves. As it appears you are now in a position to send a message that P2P software can and is used for legal distribution also, not only for piracy. I seriously wish you will sue pants and shirt off of MediaDefender! Also of note is that if any regular citizen had done this DOS attack he/she would already be on the way to jail..but no company should be allowed to do it either just because they have the money.

    -Nita

  114. 114

    Web 2.0 Announcer Says:

    MediaDefender attacks Rev3, FBI is now investigating. I hope MD burns in hell.

    [...]http://revision3.com/blog/2008/05/29/inside-the-attack-that-crippled-revision3

  115. 115

    ckrieger Says:

    Go get ‘em Rev3…MediaDefender is officially my most hated commercial company.

  116. 116

    ckrieger Says:

    I hope the FBI nabs your hypocritical behinds MD.

  117. 117

    AlexAimee Says:

    I hope you have the resources to cope with the damage done to you guys and gals @ rev3. MD wasn’t acting legally and for this they should be sued.
    DDoS is like murder for humans, it’s intended to disrupt a technical infrastructure and bring the provider of the service down. Many technical components can get seriously physically damaged at such an attack, and if someone knows this and still does it, it fulfills the requirement of low motives which in turn is in human affairs a sign for murder instead of homicide. You could call it technocide if it was a living thing. those people know they will do damage, sometimes the structures are FUBAR after that, and that’s unforgivable. Because there is human life involved (other than that the owner loses a lot of money) there can be no death sentence, but the judgement should be harsh and drastic. like an enactment of a ban to ever use again a computer.
    Maybe you think i’m too harsh in my reaction, or just plain lunatic, but it’s just my 2ct…

  118. 118

    MPAA Dogs Hack Diggnation Says:

    [...] attack dogs hurt innocent people, look no further than this. Revision3 CEO Jim Louderback reports that a denial of service attack — a cybercrime — that took down his business for two [...]

  119. 119

    phuc_head Says:

    if you are hacking someone else’s server you should be held responsible if “something goes wrong” people sue other home owners if they slip on the sidewalk in front of the owners house, even if it was DURING the ice storm and get away with it. revision3 definitely has the right to recoup damages and even if it was accidental there should be some legal issues with the fact that they were hacking into a legitimate business site and in so doing caused that site to go down, and they should not have a leg to stand on in the “we only send 3 SYN an hour” excuse they were caught in the logs NOT doing that, even if it was a coding bug, it is not what you PLANNED it is what happens that you are responsible for.
    -phuc

  120. 120

    blackrabbi Says:

    “Countless hours by your heroic staff”??! Jahahahaaa!

    A semi-competent admin could have blocked those few sources of SYN packets at your edge router in minutes.

    Was the 320KB/s of traffic saturating your connection? Then you get your upstream to filter them.

    The next thing to do would have been to file complaints with the upstreams of the attackers (while under attack… a little late now but still worthwhile). Did you open an abuse ticket with Cogent?

    Next you need to investigate why multiple servers including your “internal corporate email” were taken out. This indicates lousy network architecture. You also need to investigate why ANY servers were taken out. Seems there is a weakness in your load balancing system. If port 20000 was not being used as you say, then all those packets should have been dropped on the floor, with an RST packet going back out every once in a while.

    Maybe you should write a thank-you note to Media Defender for this wake-up call… just kidding, but seriously, you think that was bad? Think about what would happen to you under proper DoS attack from a bot network? You have now advertised several weaknesses, best to address them ASAP.

    On another note, the community could use more information about what are vaguely indicated as fake torrents being put on your servers by Media Defender. TIA

  121. 121

    drowbot0181 Says:

    Could this really be an accident, as MD is claiming? Maybe retaliation for the “Digg This” incident awhile back?

  122. 122

    forrie Says:

    I’m not buying MediaDefender’s response - it’s a poor excuse for them to run attacks with (apparently) no oversight in the first place. Sue them and their hosting provider(s), send a very clear message.

    Furthermore, would be good if there were some collective reverse-investigation of these companies’ IP space (which they continue to buy up) - great for router blackholing and firewall filters ;-)

  123. 123

    s0cket Says:

    @blackrabbi

    Dude stop acting like you know your ass from a hole in the ground.

    320KB/s? Where do you get that retarded number?

    8000 syn packets a second champ. Let’s do a little math. Your average SYN packet is about 520 bytes. 520 x 8 to get bits equals 4160 bits of data. 4160 bits x 8000 equals about 33.2 Mbit/s … Which is not a trivial amount of bandwidth.

    Yes “black holing” the DoS at the edge router would have been the best idea. But that still wouldn’t have stopped the upstream from sending the data and saturating the uplink. Depending on the size of the uplink and current traffic loads it most likely was enough to throw the whole network into chaos.

    If I wasn’t worried about the bandwidth and just wanted to keep the server up until the upstream carrier could black hole their route into our network I would have just enabled SYN cookies on the server and sit back and laugh.

    The point here is Media Defender as per normal is operating outside the law. Screw the FBI. Call your LAWYER Jim and have him file a complaint in district court TODAY.

  124. 124

    TheElf Says:

    Sorry, it is the first time I visit your site, mostly because I have read about the story of this DoS / DDoS attack on a Hungarian news portal. I really, really don’t know what to say about the possibility of a such incident, to me the problem is clear.

    When a student shares a file with a fellow student, even if it is illegal in most part of world, there is no money involved. That can’t finance terrorism or organized crime, such claims from RIAA, MPAA, or other similar organizations seems pretty false.

    But what we see here is simple: Injecting fake data to a system, hacking, doing a DoS / DDoS attack is against the law, anyone who does it is a criminal. And any organization or other organized group of people specializes in such activities is a prime example of organized crime.

    Sony, RIAA, MPAA and their members, the publishers who finance them and the customers who buy their product and finance the whole activity also finance organized crime.

    Do you think the people who help one criminal refuses others? This kind of organized crime is likely to have connections to organized crime. So when you watch a movie, buy a CD or DVD there is a link between you and Mr Osama Bin Laden.

    RIAA and MPAA suggests stopping that links on your side.

    Such copyright enforcement groups target legit sites too, often break various laws, and they often ignore the laws. And also ignore the fact: In several countries people pay an empty media fee that is here to cover the losses from copying.

    To make backup copies is a right granted by law, use your music on different devices, etc. is normal. You pay the money to be able to copy if you don’t make profit on it.

    Probably I spent more on empty media tax than the value of the copyrighted music / videos, etc I have at home, and yet most of them are originals. If I like something, I want the original. And I want to finance the next CD, DVD, etc. with my purchase. And I want to make sure the good folks will get more of the empty media tax based on good sales data.

    But when Joe Student is harassed by them, and for him needing a legal defense, stopping these harassment is a problem he will stop sharing.

    But you as a customer won’t choose publishers, since they wronged you, you won’t buy bad quality products to test, you won’t go to buy originals. You will look for paysites that sell access to warez.

    The money you spend at this very moment on warez is something you could and would spend on originals, and this money also supports counterfeiting and organized crime.

    But the problem didn’t start with Joe Student, it started by publishers and their representatives often breaking the law to stop him and send you to criminals.

    I can understand that in USA there isn’t such fees on empty media (including CDs, DVDs, Memory Cards for your camera, MP3 players, storage built into your other media players, etc), I can understand that some money is lost with Joe Student downloading albums, even if he pays the empty media fee. I can understand that Internet leads to more copying than old clubs where people shared music, and recording from radios and TVs combined (yes even VHS is here).

    But, when I make my photos and pay the music industry for that.
    When I make backups on DVDs from various data and the movies industry gets good money on that.
    When the same is true for the company I work at and all companies…

    The picture can be different. If they adjust the fees a bit, or I should pay some more for the bandwidth and they get a cut I can accept that.

    If you, in the USA would pay the same, and there wouldn’t be imported CDs, DVDs without these fees, and you would have same rights I would be more than happy.

    But when MPAA, RIAA openly supports criminal organizations like MD, and they call people criminal for copying a CD when they pay a lot of money in empty media fee for licences and that fees end up at the publishers and their organizations worldwide…

    And they say when we get music / video we should make sure we don’t support organized crime.

    I have to ask: Should I buy a CD anytime soon?

    Also their numbers are flawed, skewed, forged.

    How could a student spend 10 times of their family’s total income on music? So the total value of downloaded music isn’t lost money, since if the student wouldn’t have money for it, they couldn’t and wouldn’t buy it. So their calculation of damages ignores some pretty clear facts because they want boosted numbers.

    They also ignore the facts that CDs and DVDs led to boosted sales since they were hard to copy and you didn’t want to copy them to low quality casettes, etc.

    Shouldn’t we check total number of CDs and DVDs sold to the good old times with casettes and VHS? And also check their manufacturing costs?

    How come they failed to tell their investors and their retailers that the technical problems with copying CDs and DVDs won’t last forever and they knowingly used data that ignored known facts to get support of investors and retailers and now when the problems with their numbers became evident they place blame on everyone?

    And should we see other competition, like smaller bands who can now sell a few CDs when you see their gigs?

    Should we speak about how legal Internet TV and Radio competes with DVD and CD sales. Yes, they compete for your time.

    Should we speak about how less time we spend with music and video thanks to Video Games?

    How comes they ignore all of these facts and all the researches done by neutral parties and how come that they speak about organized crime? Even in countries where Joe Student pays good money to be allowed to copy his CDs?

    They don’t care for what is right what is wrong. They don’t care for the copyright which originally protected rights of authors from publishers (and their groups) and the law granted rights for backup, etc. They don’t care for rights of customers.

    They care only about one thing: if they lie, attack, harass, destroy they can make more money, and can scam authors, investors, retailers alike.

    In organized crime like this, there aren’t mistakes, accidents. There are ONLY victims.

    Sometimes you become a victim because you are at wrong place at wrong time.

    If you swim with sharks, you should be prepared to be eaten by them.

    MPAA, RIAA, etc. are the shark in the pond of media industry, and you are swimming with them.

    This way you can understand what happened.

    And if you want to stay in this pond, time to take a harpoon with you…

  125. 125

    viewpacific Says:

    Go get’m Jim!
    These guys pe*d in the wrong soup bowl.
    Your gripping account reads like a polished script from Home Alone or Kindergarten Cop. Hey, maybe you can get Schwarzenegger to weigh in on this?
    Sorry the inspiration this time was from an attack on your livelihood.
    I’m not sure how MediaDefender can give you back your lost weekend, but maybe their creative clients - UM, Sony, RIAA, etc. - can come up with something. In any case, you’re likely to get another writing award.
    Damn the 8000/s torpedoes and full steam ahead!

  126. 126

    adderx99 Says:

    I sincerely hope that Rev3 sues MediaDefender. according to http://news.cnet.com/8301-10784_3-9954863-7.html?tag=nefd.lede this statement, MediaDefender claims they did nothing wrong. however, ignorance is not a defense. They trespassed without permission on Rev3 servers, regardless of whether the servers had an unlocked backdoor or not. You can’t walk into someone’s house and start eating food out of someone’s fridge just because the door was unlocked. Their servers, whether intentionally or not, DID cause in Jim’s words ‘measurable harm’ to Rev3, by method of a DOS. I have been a loyal fan of all of Rev3 shows, since late 2005. This attack is appalling, and in a corporate world, to effectively shut down another business’s business is unforgivable. For MediaDefender to simply say, “uh sorry, our servers did it, not us, but it’s ok, we’re sorry. see everything is ok now.” is just unacceptable. I will be disappointed with Rev3 if they decide not to pursue criminal charges.

  127. 127

    m60462a Says:

    I couldn’t agree more with the other folks suggesting a lawsuit against MediaDefender. “Oops,.. won’t happen again” just doesn’t cut it. I hope Revision3 doesn’t settle out of court. This kind of garbage needs to be exposed.

  128. 128

    adderx99 Says:

    also, i would like to note: i wonder if this is standard operating procedure for MediaDefender. (1) Find torrent indexing server (2) assume said index server has illegal content (obviously rev3’s server did not) (3) Trespass on said server, and upload spoofed media (4) If said server attempts to block media uploads, nuke said server into oblivion with an illegal attack.
    If this is the shady business model for MediaDefender, a lot of explaining is due, and the funders of MediaDefender need to be held financially responsible as well, just as the hirer of a hit-man would be held legally accountable as well.

  129. 129

    fallenerrant Says:

    @s0cket,

    Man, you already covered most of my points I had in relation to blackrabbi’s post. Only thing left that I can add towards blackrabbi is that MD has 2000 servers and a 9Gbps pipe, which can probably outperform all but the biggest botnets. It’s not like a zombie’d computer can start performing badly while someone’s using it if the botnet operator is running an attack, the user would notice something’s wrong and at least reboot if not take steps involving updates and virus scans that may remove his control of the machine, so the zombie can only use a small portion of the pipe and processor. 2000 servers all running as many VMs as they can, dedicated to attacking a site is going to cause problems. As s0cket has already mentioned towards you, even setting up an ip black hole at the router wouldn’t have necessarily kept the service up and available.

    I do have to admit I was feeling surprised and confused that even the mail server went down from this, unless you use VMs on a single physical server it’s rather perplexing how this happened. If it doesn’t require you to reveal too much about your network I’d like to hear about how the DoS took down the mail server if you can spare the words.

    Outside of the technical stuff, I have to say you’re handling this all rather well, much better than I would be were I in the same situation. Still, I’d definitely sue them regardless of how well I was taking it, and it seems a lot of people agree with me that you should sue them.

  130. 130

    Future of News - Tägliche Hard- und Softwarenews Says:

    MediaDefender takes down legal BitTorrent tracker


  131. 131

    MPAA Dogs Hack Diggnation | gadgetsnews.info Says:

    [...] attack dogs injured innocent people, look no further than this. Revision3 CEO Jim Louderback reports that a denial of service attack — a cybercrime — that took down his business for two [...]

  132. 132

    rudiredshoes Says:

    Way to go Jim, what a mess to have to deal with. Definitely take legal action, we can’t have these terrorists running about like headless vigilantes closing down anything they feel like.
    Put them out of business and their CEO in jail.
    Hopefully the FBI will show they have the balls to deal with this kind of corporate terrorism.

    All the best,
    From a European fan.

  133. 133

    josephk Says:

    I think you should take this opportunity to evaluate your protection from DoS attacks. Those BigIP 1500’s (or are they LC’s?) are limited in terms of what they can do to protect your servers from attack (unless you like writing iRules and if you have LC’s you have almost no options for that). It seems like you hit the memory constraints of the lower box during the attack which means you may want to lower your SynCheck values to protect your servers at a lower number of connections (default I think is 16384).

    You could specify rate limits for SYN’s in your on-site router (assuming you have one :D) either generically outbound per interface if you have a capable edge device, or even specifically inbound on the uplink from your BIP’s.

    If I had my way I would put one or more netscreen SSG’s in transparent mode on the perimeter to immediately have granular control over different kinds of DoS attacks that are commonly used with little or no work necessary on changing your routing.

    While 8,000 SYN’s may seem like a lot I’d love to see how many SYN’s were sent to your web server after this story was posted to slashdot :)
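The effect of lowering a SYN-cookie activation threshold, as suggested in the comment above, can be seen in a small model. This is an added example, not code from the post or from F5: it is a generic model of a half-open connection table, not BIG-IP's SynCheck implementation, and the 30-second half-open timeout and 60-second duration are assumptions; only the 8,000 SYN/s rate and the 16384 figure come from the thread.

```python
from collections import deque

TICK_MS = 100  # simulation step in milliseconds


def simulate_half_open(syn_rate, duration_s, timeout_s, cookie_threshold=None):
    """Model a listener receiving SYNs that never complete the handshake.

    Each admitted SYN occupies one half-open table entry until timeout_s
    elapses. Once the table holds cookie_threshold entries, further SYNs are
    answered statelessly (SYN cookies) and consume no table memory.
    All arguments are model inputs, not measurements.
    """
    per_tick = syn_rate * TICK_MS // 1000
    timeout_ticks = timeout_s * 1000 // TICK_MS
    live = deque()  # (expiry_tick, entry_count), oldest first
    entries = peak = stateless = 0
    reached_ms = None
    for tick in range(duration_s * 1000 // TICK_MS):
        # Drop half-open entries whose timeout has passed.
        while live and live[0][0] <= tick:
            entries -= live.popleft()[1]
        admit = per_tick
        if cookie_threshold is not None:
            admit = max(0, min(per_tick, cookie_threshold - entries))
        if admit:
            live.append((tick + timeout_ticks, admit))
            entries += admit
        stateless += per_tick - admit
        peak = max(peak, entries)
        if (reached_ms is None and cookie_threshold is not None
                and entries >= cookie_threshold):
            reached_ms = (tick + 1) * TICK_MS
    return {"peak_half_open": peak,
            "stateless_syns": stateless,
            "threshold_reached_ms": reached_ms}


if __name__ == "__main__":
    # 8,000 SYN/s is the rate reported in the post; the rest is assumed.
    for threshold in (None, 16384, 4096):
        result = simulate_half_open(8000, 60, 30, threshold)
        print(f"threshold={threshold}: {result}")
```

In this model the table grows to 240,000 entries with no threshold, while a threshold of 16384 is reached after about two seconds and caps the memory spent on half-open state from then on.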

  134. 134

    McRadge Says:

    Regardless that they claim that this was just a mistake these arschlöcher! are doing self-administered justice. This is highly illegal. Sue their ärsche for that!!!

  135. 135

    noig3 Says:

    The fact that you have publicly stated that you are not going to pursue legal action because you “do not have the resources or time” is pretty disheartening. This was wrong, and to let them get away with it at your expense is a good example of laziness taking precedence over what is right imho. Sorry to take a moralist’s view but this is ridiculous. You are essentially giving them carte blanche to do this to someone else, possibly a smaller operation that is just getting started.

    I guess you do not mind seeing this happen again. That is pretty lame of you to be so complacent as to let it ride by “sending them a bill” to which they probably will say “F*** you”.

    It is your responsibility now to take action to get these f**king bullies out of the way so other providers of legitimate, licensed content can distribute their works to the world.

    By blatantly ignoring this you are saying that corporations have the right to impede the distribution of works of art in the public domain and works of art which are not public domain but licensed legally because “they made a mistake”.

    This wasn’t a mistake. This was illegal. And now you, as the CEO of a f**king media company, have given the OK to these bullies to do this to other providers of digital works of art.

    And yes, I signed up just to say this because I think that you as a CEO should be a champion for digital distribution of art rather than a lazy and complacent person who is going to let it ride because you just can’t seem to find the time.

    You are doing a disservice to your users and a disservice to the people to support and promote the distribution of digital works over tcp/ip networks.

  136. 136

    lexein Says:

    Please release a complete list of IP addresses of all machines which attacked you. Thank you.

  137. 137

    jayp83 Says:

    Man I wish I had a botnet!
    I wonder if we couldn’t just get together and ping the be-jesus out of their servers as a Rev3 army?
    Perhaps it’s time to hold an IRC meeting and discuss such matters…

  138. 138

    sschinke Says:

    s0cket, fallenerrant,

    The minimum size of a TCP syn packet is 432 _bits_, not 520 _bytes_.

    TCP header: 20 bytes
    IP header: 20 bytes
    Ethernet frame: 14 bytes

    54 bytes * 8 bits = 432 bits.

    At 8,000 packets-per-second, that is 3,456,000 bits per second (432,000 bytes per second). While I could understand that much traffic breaking a tracker or anything else listening on a specific TCP port, that really doesn’t sound like enough traffic to damage an entire network (barring architectural issues).

    My guess is that much more than 8,000 packets-per-second were being sent; ~3Mbps sounds like something is saturated (Dual T-1s?).

    In response to blackrabbi, though, it is important to note that port 20000 was being used: it was hosting a tracker. This wasn’t just a bandwidth consumption attack (though that bandwidth consumption would be what hosed Rev3’s other services), it was a targeted SYN flood on an open port.

    Not everyone has the type of relationship with their upstream provider that will result in successful filtering of this type of attack. Particularly not on a long weekend. Many providers will be just as happy to get a better billing cycle into the mix (assuming 95/5 billing).

    Regards,
    Sam

  139. 139

    chupatumama Says:

    Will the shows be talking about these events (and the ones to come) or will there be a gag order?

    If this was some 14 year old script ki