MediaDefender, a company best known for their work for the MPAA has apparently admitted to being responsible for a massive Denial of Service (DoS) attack that occured last weekend in which a server used to host BitTorrent trackers was effectively shut down. The server, which belongs to a company called Revision3, is used for legal distribution of video files.
According to Revision3 CEO Jim Louderback, the problem started when someone at the company noticed that their server was being used by an outside party to provide unauthorized BitTorrent trackers. He later found out that the outside party in question was, in fact, MediaDefender. Once they cut off access to these trackers, and also to the back door which allowed MediaDefender to illegally use their server they were hit with the DoS attack. This effectively shut them down for a good part of the weekend, and due to the Memorial Day holiday on Monday they weren't able to recover until Tuesday.
After figuring out that the origin of the DoS attack was a MediaDefender IP address Louderback talked to Dimitri Villard, CEO of MediaDefender's parent company, and Vice President of Operations at MediaDefender, Ben Grodsky. The following is his description of the conversation:
First, they willingly admitted to abusing Revision3’s network, over a period of months, by injecting a broad array of torrents into our tracking server. They were able to do this because we configured the server to track hashes only – to improve performance and stability. That, in turn, opened up a back door which allowed their networking experts to exploit its capabilities for their own personal profit.
Second, and here’s where the chain of events come into focus, although not the motive. We’d noticed some unauthorized use of our tracking server, and took steps to de-authorize torrents pointing to non-Revision3 files. That, as it turns out, was exactly the wrong thing to do. MediaDefender’s servers, at that point, initiated a flood of SYN packets attempting to reconnect to the files stored on our server. And that torrential cascade of “Hi”s brought down our network.
Grodsky admits that his computers sent those SYN packets to Revision3, but claims that their servers were each only trying to contact us every three hours. Our own logs show upwards of 8,000 packets a second.
“Media Defender did not do anything specific, targeted at Revision3?, claims Grodsky. “We didn’t do anything to increase the traffic” – beyond what they’d normally be sending us due to the fact that Revision3 was hosting thousands of MediaDefender torrents improperly injected into our corporate server. His claim: that once we turned off MediaDefender’s back-door access to the server, “traffic piled up (to Revision3 from MediaDefender servers because) it didn’t get any acknowledgment back.”
Putting aside the company’s outrageous use of our servers for their own profit, and the large difference between one connection every three hours and 8,000 packets a second, I’m still left to wonder why they didn’t just tell us our basement window was unlocked. A quick call or email and we’d have locked it up tighter than a drum.
It’s as if McGruff the Crime Dog snuck into our basement, enlisted an army of cellar rats to eat up all of our cheese, and then burned the house down when we finally locked him out – instead of just knocking on the front door to tell us the window was open.
This isn't the first time MediaDefender has been involved in a shady operation. Just last year they were caught distributing a trojan through their own torrent tracker site. The program searched the computers of unsuspecting downloaders for pirated content and reported back to them if anything suspicious was found. Although they called it an accident at the time, internal emails later distributed via BitTorrent confirmed the company's malicious intentions and lack of concern over allegations of legal wrongdoing.
Louderback says the FBI is already looking into the matter. Unlike past allegations this one is coming from a company rather than a bunch of private individuals. Hopefully they'll finally be held accountable to the same standards as the rest of us for a change.
After figuring out that the origin of the DoS attack was a MediaDefender IP address Louderback talked to Dimitri Villard, CEO of MediaDefender's parent company, and Vice President of Operations at MediaDefender, Ben Grodsky. The following is his description of the conversation:
First, they willingly admitted to abusing Revision3’s network, over a period of months, by injecting a broad array of torrents into our tracking server. They were able to do this because we configured the server to track hashes only – to improve performance and stability. That, in turn, opened up a back door which allowed their networking experts to exploit its capabilities for their own personal profit.
Second, and here’s where the chain of events come into focus, although not the motive. We’d noticed some unauthorized use of our tracking server, and took steps to de-authorize torrents pointing to non-Revision3 files. That, as it turns out, was exactly the wrong thing to do. MediaDefender’s servers, at that point, initiated a flood of SYN packets attempting to reconnect to the files stored on our server. And that torrential cascade of “Hi”s brought down our network.
Grodsky admits that his computers sent those SYN packets to Revision3, but claims that their servers were each only trying to contact us every three hours. Our own logs show upwards of 8,000 packets a second.
“Media Defender did not do anything specific, targeted at Revision3?, claims Grodsky. “We didn’t do anything to increase the traffic” – beyond what they’d normally be sending us due to the fact that Revision3 was hosting thousands of MediaDefender torrents improperly injected into our corporate server. His claim: that once we turned off MediaDefender’s back-door access to the server, “traffic piled up (to Revision3 from MediaDefender servers because) it didn’t get any acknowledgment back.”
Putting aside the company’s outrageous use of our servers for their own profit, and the large difference between one connection every three hours and 8,000 packets a second, I’m still left to wonder why they didn’t just tell us our basement window was unlocked. A quick call or email and we’d have locked it up tighter than a drum.
It’s as if McGruff the Crime Dog snuck into our basement, enlisted an army of cellar rats to eat up all of our cheese, and then burned the house down when we finally locked him out – instead of just knocking on the front door to tell us the window was open.
This isn't the first time MediaDefender has been involved in a shady operation. Just last year they were caught distributing a trojan through their own torrent tracker site. The program searched the computers of unsuspecting downloaders for pirated content and reported back to them if anything suspicious was found. Although they called it an accident at the time, internal emails later distributed via BitTorrent confirmed the company's malicious intentions and lack of concern over allegations of legal wrongdoing.
Louderback says the FBI is already looking into the matter. Unlike past allegations this one is coming from a company rather than a bunch of private individuals. Hopefully they'll finally be held accountable to the same standards as the rest of us for a change.
