This weekend I noticed Revision3 was not online. Turns out they were the victim of a DoS attack. Any emphasis added is mine.
In this case it was pretty easy to see exactly what our shadowy attacker was so upset about. It turns out that those zillions of SYN packets were addressed to one particular port, or doorway, on one of our web servers: 20000. Interestingly enough, that’s the port we use for our Bittorrent tracking server. It seems that someone was trying to destroy our bittorrent distribution network.
Maybe not a huge deal, right, especially since they’re not pirating anything except their own shows? Oh wait, it gets loads better.
A bit of address translation, and we’d discovered our nemesis. But instead of some shadowy underground criminal syndicate, the packets were coming from right in our home state of California. In fact, we traced the vast majority of those packets to a public company called Artistdirect (ARTD.OB). Once we were able to get their internet provider on the line, they verified that yes, indeed, that internet address belonged to a subsidiary of Artist Direct, called MediaDefender.
Putting aside the company’s outrageous use of our servers for their own profit, and the large difference between one connection every three hours and 8,000 packets a second, I’m still left to wonder why they didn’t just tell us our basement window was unlocked. A quick call or email and we’d have locked it up tighter than a drum.
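The quoted account hinges on two numbers: a legitimate tracker client opens roughly one connection every three hours, while the flood arrived at about 8,000 packets a second aimed at one port. The distinction is what a defender wants to see before drawing any conclusion about who is behind a flood. The following is an added example, not code from Revision3 or the original post: it parses constructed SYN log lines (the one-line-per-SYN format, the addresses and the 20-SYNs-per-second threshold are all assumptions for illustration), aggregates SYNs per source for a given destination port, and reports which sources exceed a per-second rate, so that a single heavy source stands out from the background of ordinary tracker clients.

```python
import re
from collections import defaultdict

# Assumed record format (constructed for this example, not a real tool's output):
#   "<epoch_seconds> <src_ip> -> <dst_ip>:<dst_port> SYN"
LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) -> ([^:\s]+):(\d+) SYN$")


def _build_sample_log():
    """Constructed sample: three ordinary tracker clients plus one flooding source."""
    lines = []
    # Ordinary clients: a single SYN each, spread ten seconds apart.
    for i, src in enumerate(["192.0.2.11", "192.0.2.12", "192.0.2.13"]):
        lines.append(f"{1210000000 + 10 * i} {src} -> 198.51.100.10:20000 SYN")
    # Flood: 50 SYNs from one source packed into a single second.
    for i in range(50):
        lines.append(f"{1210000005 + i / 50:.3f} 203.0.113.7 -> 198.51.100.10:20000 SYN")
    # Unrelated traffic to another port, which the port filter must ignore.
    lines.append("1210000006 203.0.113.7 -> 198.51.100.10:80 SYN")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_syn_log(text):
    """Return a list of (timestamp, src_ip, dst_port) for every well-formed SYN record."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not SYN records in the assumed format
        ts, src, _dst, port = m.groups()
        records.append((float(ts), src, int(port)))
    return records


def syn_rates(records, port):
    """Per source, count SYNs to `port` in total and the peak count within any one-second bucket."""
    buckets = defaultdict(lambda: defaultdict(int))  # src -> whole second -> SYN count
    for ts, src, dst_port in records:
        if dst_port != port:
            continue
        buckets[src][int(ts)] += 1
    return {
        src: {"total": sum(secs.values()), "peak_pps": max(secs.values())}
        for src, secs in buckets.items()
    }


def flag_syn_floods(records, port, threshold_pps):
    """Return (src, peak_pps, total) for sources whose peak one-second SYN count
    reaches `threshold_pps`, highest rate first."""
    rates = syn_rates(records, port)
    flagged = [
        (src, r["peak_pps"], r["total"])
        for src, r in rates.items()
        if r["peak_pps"] >= threshold_pps
    ]
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    recs = parse_syn_log(SAMPLE_LOG)
    for src, peak, total in flag_syn_floods(recs, port=20000, threshold_pps=20):
        print(f"{src}: peak {peak} SYN/s, {total} SYNs total to port 20000")
```

The per-source aggregation is the point: a rate alone says a flood is happening, but attributing it requires seeing that one address accounts for nearly all of the SYNs while every other client stays at the level a tracker normally sees. In production the same logic would read from a packet capture or firewall log rather than an embedded string, and the threshold would be tuned to the service's observed baseline.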
I really shouldn’t make conclusions from just one side of the story, but this does illustrate huge issues for companies involved in any sort of cyber security. How ethical is it to DoS unwanted systems or services, i.e. attacking the attacker (and did you verify they really are an attacker)? Why was MediaDefender injecting bad torrents into a legitimate torrent service, and how is that any different from an evil hacker doing it?
Oh, and this gets especially interesting if some of MediaDefender’s customers are Revision3 competitors.