Slashdot Mirror


MediaDefender's BitTorrent-Based DOS Takes Down Revision3

Sandman1971 writes "Over the long Memorial Day weekend, Revision3 was the target of a malicious Denial Of Service Attack which brought R3 to its knees. After investigating the matter, it was discovered that the source of the attacks came from MediaDefender, the famed company hired by the MPAA and RIAA to try and stop the spread of illegal file sharing. The kicker? Revision3 was taken down for running a bittorent tracker to distribute its own legal content."

26 of 426 comments

  1. Re:Criminal investigation? by Em Adespoton · · Score: 5, Informative

    I take it you didn't RTFA; the FBI is currently investigating the issue with R3's assistance.

  2. Re:Criminal investigation? by ozamosi · · Score: 5, Informative

    According to this, it's on the way.

  3. Re:Criminal investigation? by Bourbonium · · Score: 5, Informative

    Again, please RTFA Coward. The torrents on Revision3's servers were their own content, but one R3 member found a torrent named something like RAMBO_axxo on their tracker on May 25 and reported it to the admins. They immediately took it down and then found the backdoor that MediaDefender had been using to post fake torrent hashes on their servers. Once the backdoor was closed, MediaDefender's servers began the DOS attack as an automatic response. Louderback says that the FBI is already investigating. I expect the EFF will get involved as well as this story develops.

  4. Re:Where did they get the firepower? by mrbah · · Score: 5, Informative

    They have a 9 gigabit connection dedicated to launching illegal DoS attacks. I wish I was joking.

  5. Re:Where did they get the firepower? by Bourbonium · · Score: 5, Informative

    The story is all over the place now. You can read about it at CNET at http://news.cnet.com/coops-corner/?tag=cnetfd.blogs
    as well as Valleywag http://valleywag.com/393955/revision3-ceo-antipiracy-group-attacked-our-network

  6. Here's the blog post by eddan · · Score: 5, Informative

    I was able to grab the blog post:

    As many of you know, Revision3's servers were brought down over the Memorial Day weekend by a denial of service attack. It's an all too common occurrence these days. But this one wasn't your normal cybercrime - there's a chilling twist at the end. Here's what happened, and why we're even more concerned today, after it's over, than we were on Saturday when it started.

    It all started with just a simple "hi". Now "hi" can be the sweetest word in the world, breathlessly whispered into your ear by a long-lost lover, or squealed out by your bouncy toddler at the end of the day. But taken to excess - like by a cranky 3-year-old - it gets downright annoying. Now imagine a room full of hyperactive toddlers, hot off of a three hour Juicy-Juice bender, incessantly shrieking "hi" over and over again, and you begin to understand what our poor servers went through this past weekend.

    On the internet, computers say hi with a special type of packet, called "SYN". A conversation between devices typically requires just one short SYN packet exchange, before moving on to larger messages containing real data. And most of the traffic cops on the internet - routers, firewalls and load balancers - are designed to mostly handle those larger messages. So a flood of SYN packets, just like a room full of hyperactive screaming toddlers, can cause all sorts of problems.

    For adults, it's typically an inability to cope, followed either by quickly fleeing the room, or orchestrating a massive Teletubbies intervention. Since they lack both legs and a ready supply of plushies, internet devices usually just shut down.

    That's what happened to us. Another device on the internet flooded one of our servers with an overdose of SYN packets, and it shut down - bringing the rest of Revision3 with it. In webspeak it's called a Denial of Service attack - aka DoS - and it happens when one machine overwhelms another with too many packets, or messages, too quickly. The receiving machine attempts to deal with all that traffic, but in the end just gives up. (Note the photo of our server equipment responding to the DoS Attack)

    In its coverage Tuesday CNet asked the question, "Now who would want to attack Revision3?" Who indeed? So we set out to find out. Internet attacks leave lots of evidence. In this case it was pretty easy to see exactly what our shadowy attacker was so upset about. It turns out that those zillions of SYN packets were addressed to one particular port, or doorway, on one of our web servers: 20000. Interestingly enough, that's the port we use for our Bittorrent tracking server. It seems that someone was trying to destroy our bittorrent distribution network.

    Let me take a step back and describe how Revision3 uses Bittorrent, aka BT. The BT protocol is a peer to peer scheme for sharing large files like music, programs and video. By harnessing the peer power of many computers, we can easily and cheaply distribute our huge HD-quality video shows for a lot less money. To get started, the person sharing that large file first creates a small file called a "torrent", which contains metadata, along with which server will act as the conductor, coordinating the sharing. That server is called the tracking server, or "tracker". You can read much more about Bittorrent at Wikipedia, if you really want to understand how it works.

    Revision3 runs a tracker expressly designed to coordinate the sharing and downloading of our shows. It's a completely legitimate business practice, similar to how ESPN puts out a guide that tells viewers how to tune into its network on DirecTV, Dish, Comcast and Time Warner, or a mall might publish a map of its stores.

    But someone, or some company, apparently took offense to Revision3 using Bittorrent to distribute its own slate of shows. Who could that be?

    Along with where it's bound, every internet packet has a return address. Often, particularly in cases like this, it's forged - or spoofed. But interestingly enough, whoev

  7. R3 says they are not planning to sue by davros-too · · Score: 5, Informative

    According to CNET article http://news.cnet.com/coops-corner/?tag=cnetfd.blogs "At this point, Revision3 says it's not planning to file a lawsuit. Not because it doesn't have a case but pursuing a court remedy would likely cost a lot of money."

    --
    In theory, there's no difference between theory and practice; in practice there is.

  8. Re:Criminal investigation? by shasbot · · Score: 5, Informative

    I hate to feed the trolls, but just felt someone should point out for those who don't use Revision3 that this is incorrect; they produce original shows, such as Diggnation. (As far as I am aware, they do not have any user uploaded content or any non-original content at all.)

  9. Since /. isn't making things any easier... by akahige · · Score: 2, Informative

    ...the least we could do is provide a Coral Cache link to the blog entry.

  10. Re:Criminal investigation? by bishop32x · · Score: 3, Informative

    There isn't much of a chance this attack could have been forged.... Their VP admitted that they had been mucking around with R3's bit torrent, which R3 apparently stopped just before the DoS attack started. The only point of contention seems to be exactly how many packets MediaDefender was sending, R3 says up to 8000/sec while the VP of MediaDefender says one every three to four hours.

    Now it's possible that there was a 3rd party somewhere in there forging packet headers and inflating the number of packets sent, but that seems unlikely.

  11. Re:Criminal investigation? Yes by deck · · Score: 4, Informative

    A DoS violates Federal Criminal Law. Copyright is generally a Civil statute and is prosecuted via lawsuits.

    What MediaDefender did is therefore being investigated under criminal law.

  12. Re:Good luck suing anyone by scubamage · · Score: 2, Informative

    Unless you can find some leaked documents from the higherups authorizing it, or some people come forward and admit it. If they were using their servers without permission, that alone is illegal - and under antihacking laws, a federal crime.

  13. Re:Shouldn't have publicized it on their blog by PunkOfLinux · · Score: 2, Informative

    Here's the thing: most of the time, those small, single people who get sued have dynamic IPs. MD does not, almost guaranteed. It would be pretty stupid to give a 9gb/s link a dynamic IP address, which means that the ambiguity inherent in DHCP-assigned IP addresses is gone. Also, the RIAA and MPAA have sued people who, in one case, were dead, and in another, didn't even own a computer. They just keep pulling names out of their asses.

  14. Re:Criminal investigation? by mr_matticus · · Score: 2, Informative

    "Illegal" has nothing to do with criminality. All copyright infringement is illegal. Affirmative defenses mitigate that with a justification.

    "Mere civil infraction" is likewise misleading. Many civil penalties are far harsher than criminal ones. Both have a range of consequences. Many criminal misdemeanors aren't show-stoppers, while some civil judgments, depending on your occupation, can be.

    As for 'guilty', because Revision3 is an Internet television business, had they actually done what AC believed, it would be criminal infringement. The civil suit is an option, but not a requirement, for industry litigation. They prefer it because it allows them greater leeway with their false-attack shenanigans, makes it easier for them to prove, and because it shows some element, however small, of temperance. Willful, knowing copyright infringement is a crime, punishable with imprisonment.

    You're using 'illegal' and 'mere' carelessly, while the troll, in fact, got the 'illegal' part right, as far as terminology goes. Within the false scenario presented by AC, 'guilty' would also be correct. Leave it to Slashdot to get it wrong, though.

  15. Re:Criminal investigation? by gnuman99 · · Score: 2, Informative

    #1 - yes it is. It is covered in the copyright act.

    http://www.copyright.gov/title17/
    http://www.copyright.gov/title17/92chap5.html#506
    AKA - Criminal Infringement

    Most copyright infringement on the Internet falls under Criminal Infringement. The key word in the definition there is "public" under paragraph 506(a)(1)(C). This protects private distribution on the internet amongst friends (and you better be able to prove that all people with access are friends!), but it slaps public distribution.

    The clause was added due to the relatively cheap or free ability to infringe on others' work. See 10 years ago with Napster. Clearly, the sharing was *not* between friends!

    #2 - I agree. But in this case no crime was even committed in the first place. MediaDefender is treading on some very thin ice.

    Anyway, this is not about the copyright act. It is about a different law altogether.

  16. Re:misuse of Revision3 servers? by Max Threshold · · Score: 2, Informative

    The way I'm reading it, MediaDefender hacked Revision3's torrent tracker to track a torrent of copyrighted material, believing that this would somehow justify the DDOS attack.

  17. Re:Criminal investigation? Yes by DAldredge · · Score: 3, Informative

    http://en.wikipedia.org/wiki/NET_Act The United States No Electronic Theft Act (NET Act), a federal law passed in 1997, provides for criminal prosecution of individuals who engage in copyright infringement, even when there is no monetary profit or commercial benefit from the infringement. Maximum penalties can be five years in prison and up to $250,000 in fines. The NET Act also raised statutory damages by 50%.

  18. Re:Criminal investigation? by coolGuyZak · · Score: 2, Informative

    It's called 'civil disobedience' when you break the law you disagree with.

    That said, be prepared to accept the consequences when participating in such an act.

  19. Letters and Phone calls (The old school DOS) by Bryansix · · Score: 4, Informative

    2461 Santa Monica Blvd., D-520
    Santa Monica, CA 90404

    PHONE: (310) 956-3300
    FAX: (310) 956-3391

    Start your letter writing and phone calling campaign against Media Defender now.

  20. Here are the IPs responsible for the attack: by Anonymous Coward · · Score: 3, Informative

    For the lazy. Seems they run VMware. Maybe Slashdot would like to say 'hi' to them at port 950.

  21. Re:god save their souls by dissy · · Score: 2, Informative

    I wonder how many syn packets or christmas tree packets it takes to fill up a 9gbps pipe? Fortunately with a syn flood, one doesn't need to fill their pipe, not even close.

    It's the server's/computer's IP stack which processes SYN packets and maintains the state table of TCP connections: which are awaiting being opened (syn), which ones are open (syn,ack), which are closing (syn,rst), and which are closed (rst,ack).

    If you send a bunch of syn packets, their server will send back a syn,ack and await the last stage of handshaking, which of course you don't do, since you are busy sending out your next syn packet and don't want to keep track of all those connections yourself.

    Once their server's IP stack state table is filled with these half open connections, awaiting the final packets to set up the TCP connection (which will never happen), then until those half open connections start timing out and being dropped from the state table, no new legit connections can be established due to the state table being full.

    So, you don't need to send enough syns to fill a 9gbps pipe, only enough to fill their server's state table, and send them only faster than the IP stack times out those connections and drops them.

    Chances are a constant syn storm sent at 10mbps will be enough to make their server stop answering legit requests.

    And if their server happens to be an OS with a more advanced TCP stack, which can support syn cookies to stop syn floods, then all one needs to do is aim the attack at one of their routers and take IT down instead.
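
    The half-open-table exhaustion and the SYN-cookie defence described in this comment (and the SYN explanation in the Revision3 blog post quoted in comment 6), as an added Python model that is not code from the thread or from Revision3; the table size, rates, timeout, secret key and addresses are constructed sample values.

```python
# Added illustration (not code from the thread or from Revision3): a model of
# the half-open connection table the comment describes, and of the stateless
# SYN-cookie defence it mentions. All rates, sizes and addresses are constructed.
import hashlib
import hmac
from collections import OrderedDict


class HalfOpenTable:
    """Fixed-size table of connections that got a SYN/ACK but no final ACK."""

    def __init__(self, capacity, timeout):
        self.capacity = capacity      # slots for half-open connections
        self.timeout = timeout        # seconds before a half-open entry is dropped
        self.entries = OrderedDict()  # (src_ip, src_port) -> arrival time of the SYN

    def expire(self, now):
        # Entries are inserted in time order, so drop from the oldest end.
        while self.entries:
            _, arrived = next(iter(self.entries.items()))
            if now - arrived < self.timeout:
                break
            self.entries.popitem(last=False)

    def on_syn(self, key, now):
        """Queue a new half-open connection; False means the table is full."""
        self.expire(now)
        if len(self.entries) >= self.capacity:
            return False
        self.entries[key] = now
        return True


def simulate_flood(syn_rate, capacity, timeout, legit_at):
    """Model spoofed SYNs arriving at syn_rate per second until t=legit_at, then
    report whether a legitimate client's SYN arriving at that moment is accepted.
    The table only fills when syn_rate * timeout exceeds its capacity."""
    table = HalfOpenTable(capacity, timeout)
    for i in range(int(syn_rate * legit_at)):
        # Every flood SYN uses a fresh spoofed source, so each takes its own slot.
        table.on_syn(("203.0.113.1", 1024 + i), i / syn_rate)
    return table.on_syn(("198.51.100.7", 40000), legit_at)


# SYN cookies: the server keeps no table at all. It derives its initial
# sequence number from the connection tuple under a secret key, and only
# allocates state when an ACK comes back that proves the client saw it.
# Real stacks also fold a timestamp and MSS into the cookie; this is simplified.
SECRET = b"constructed-per-boot-secret"


def syn_cookie(key, client_isn):
    """Server ISN for a SYN from key=(src_ip, src_port) with the client's ISN."""
    msg = f"{key[0]}:{key[1]}:{client_isn}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


def validate_ack(key, client_isn, ack_number):
    """The handshake's final ACK must carry server ISN + 1; recompute and compare."""
    return (ack_number - 1) & 0xFFFFFFFF == syn_cookie(key, client_isn)
```

    With a 1024-slot table and a 60 s timeout, 100 SYN/s is enough to refuse a legitimate client at t=30 s, while 10 SYN/s, or a 5 s timeout, is not; the cookie path accepts the same client with no table at all.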

  22. Re:Criminal investigation? by MadnessASAP · · Score: 3, Informative

    Well here in Canada a lot of police officers choose not to enforce the pot smoking laws. So far this hasn't led to a massive breakdown in law & order or police abuse, just a bunch of relaxed police officers and pot smokers. Yep ignoring that law sure seems to have worked out pretty well, maybe we can try a few more in the near future.

    --
    I may agree with what you say, but I will defend to the death your right to face the consequences of saying it.

  23. Re:Criminal investigation? by Ptraci · · Score: 3, Informative

    I actually went to the site to see what they had, and I didn't see anything there that was not their own content. It looks like some pretty interesting stuff, too. Would you like to provide a cite of anything that can be found there that is not theirs? If not, just admit that you don't know what you're talking about and refrain from further comment.

  24. Re:Criminal investigation? by darthflo · · Score: 3, Informative

    Not quite. MD's two most important tools are fake torrents and DoS attacks, both to be used only against what they deem immoral^Willegal.
    Probably, Rev3's tracker somehow made the list of evil trackers, only to be "attacked" by the first, inexpensive measure: Injecting fake torrents. MD's goal being to dilute the quality of one tracker's torrents to uselessness. Since Rev3's tracker doesn't communicate tracked torrents back to a web site, nobody noticed or downloaded the fakes and everything was good with the exclusion of some wasted cpu cycles and memory on Rev3's side.
    Now after Rev3 changed the tracker's policy to no longer accept random injections, MD's system probably recognized its first measure to be failing and escalated behaviour to the next stage. A purty DDoSing of the torrent, obviously illegal under federal law.

    Since this appears to be their software's standard behaviour, blame will probably be shifted on some dumb programmer who merely executed orders from higher-up scum within MediaDefrauder. I demand the heads of all of MD as well as the RIAA and MPAA on silver platters. Also, pepper sauce. :]

  25. Re:Criminal investigation? by gnasher719 · · Score: 2, Informative

    If I knew you bought illegal drugs, despite being a crime, that doesn't mean I should hope you were really buying illegal drugs when I murder you by shooting you in the head. No matter if you were buying illegal or legal drugs, I would still be in even more trouble for murdering you. There was a case where person A bought illegal drugs, and person B stole the drugs from A. A called the police. The police investigated, and B was eventually convicted for theft. A was also convicted for possession of illegal drugs :-)

    So the fact that another person committed a crime may stop them from calling the police if you commit a crime against them, but once the police are involved, their crime won't help you at all.

  26. Re:Criminal investigation? by sumdumass · · Score: 2, Informative

    The executives aren't being sued, the company is. This sort of "Take-down" company is treading on thin ice legally, one such misfire as this and they can lose the company.

    Trick is, they are well aware and have likely structured the company to allow a simple collapse w/ minimal loss, after which MediaProtector will be reborn from the ashes, a completely different company w/ the exact same staff and an identical client list.
    Generally, in a suit involving a company, you sue the company and the persons who wronged you working at the company. They in turn rat out the executives to save their asses. If you can show that an executive issued the order to do whatever violated you and gave grounds for the suit, you go directly after them too. They will have the company pay their legal fees but they will also do everything possible to stop it from going under because now their personal wealth is at risk too.

    In a criminal prosecution, they often go after the persons who committed the crimes and the management who issued the orders too, if and when it is clear that breaking the law was the intent of the orders from the management. Sometimes criminal charges are ignored when civil charges have been brought against someone at a company when the civil complaint could cause more punishment than the criminal charges could (misdemeanors limited to $1000 fine and so on versus a couple mill lawsuit). But this concept has been used widely in the past.

    A common misconception is that a company hides or shields the execs and owners. But the reality is, if there is proof that they had anything to do with the illegal actions, they are held accountable for their part. Of course proving how far up the ladder it goes is something of a difficult nature and the criminal burden of proof is harder than the civil burden or even the trial in the court of public opinion might be. But if you're wondering when this has happened recently, W.R. Grace over asbestos at their Libby mine, Patricia Dunn from HP fame, and BP over their Alaskan spill around 2005-2006 all faced criminal charges for their illegal activities.

    Best bet is to go after the company that hired them; prove they paid this company to break the law for them. The RIAA/MPAA will have a harder time collapsing and reforming...
    If I was them, I would file a criminal complaint with the state and federal attorneys general then wait to see what happens with that. If nothing seems to be happening, I would then launch a civil suit. If criminal charges are being brought, or it looks like they might be, I would wait until they are done or almost done then file the civil suit so you don't provoke leniency on any of the convicted. And yes, I would name as many people up the ladder as possible, including RIAA/MPAA in the process. But I would also attempt to name specific people in those organizations in order to broaden the scope of communications in the discovery process. Of course us talking about something like that could trigger them to start deleting and shredding documents. Preservation laws probably wouldn't kick in until they had a reasonable belief of a pending or potential case.