Slashdot Mirror
MediaDefender's BitTorrent-Based DOS Takes Down Revision3
Sandman1971 writes "Over the long Memorial Day weekend, Revision3 was the target of a malicious Denial Of Service Attack which brought R3 to its knees. After investigating the matter, it was discovered that the source of the attacks came from MediaDefender, the famed company hired by the MPAA and RIAA to try and stop the spread of illegal file sharing. The kicker? Revision3 was taken down for running a bittorent tracker to distribute its own legal content."
Looks to me like MediaDefender is in clear violation of at least two subsections of 18 USC 1030. Where is the federal criminal investigation?
Revision3 taken down by curious Slashdotters, and the popcorn you're eating has been pissed in. Film at 11....
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
THEINTERNETS (Reuters)- Following the DOS attack which brought Revision3 to its knees, the site was once against the target of a DOS attack by the popular news site "Slashdot" as thousands of nerds flooded the site at once hoping to find fodder to use against their arch-nemeses the MPAA and the RIAA.
Careful What You Wish For....
OMGLAWYERSUESUESUE! Seriously, I hope they get even more crucified because of this. Performing a DOS is a clear violation of law in all states, and since it crosses the borders, its a clear felony.
Looks like they're also the target of a vicious Slashdotting. ;)
I look forward to the indictment, conviction, and imprisonment of the executives of their operation.
Failure to achieve these things will not reflect well on the fitness of the rulers to rule.
Yahoo! Pipes are awesome. How awesome? http://pipes.yahoo.com/jesdynf/slashdot
Revision 3 should have just sued, and sued BIG. By discussing it so glibly, and in such detail, on their blog they're jeopardizing their case. A huge financial hit would hurt the RIAA's cronies a LOT more than a little negative publicity from a blogger.
SJW: Someone who has run out of real oppression, and has to fake it.
One can hope, but I doubt it. Revision3 might see it as bad publicity, even though they're not the ones who did anything wrong, and they'd risk further massive DDoS attacks in retaliation if they did file a lawsuit. Cases take a long time to come to court, and all MediaDefender needs to do is destroy their solvency before that happens. Dead companies tell no tales.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
and then slashdot linked to them.
... you can hear is R3's lawyers leafing through the 2008 Mercedes catalog.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Can't RTFA. They're slashdotted.
Where is the federal criminal investigation?
...the rulers are vampires and therefore do not reflect at all.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
How did mediadefender get enough computing resources/bandwidth to launch a DOS? Did they launch it out of their own datacenter/domain, or do they have a network of locations?
No, I haven't read the article because the link is not coming up right now.
they'd risk further massive DDoS attacks in retaliation if they did file a lawsuit.
That would be the best thing that could happen. Judges have absolutely no sense of humor about people who pull shit like that.
Sure, R3 may disolve before it can file a civil suit, but I imagine the US goverment will hold together long enough to bring criminal charges against MediaDefender.
DOS attacks are a felony. People go to jail for committing felonies.
R3 can sue, in addition to the criminal charges brought forward by the state, in order to recoup any damages sustained by the attack, but even if they don't, MD still has to face the federal government for breaking the law.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
Not to mention any discovery in this matter can and WILL be used by states who are currently investigating mediadefender for performing investigations without proper licensing.
Hard.
"Move it's own media files" means they were probably using it for jamming operations against other trackers. Meaning they hacked the server, went to other bittorent sites, said "hey, we've got tasty files here, but only 91% of complete garbage", used revision3 as their server so everyone thought it was kosher instead of, say, Media defenders IP range, and when revision3 kicked them off their servers decided to reconnect and DDOS'd them. Because the input bandwidth was intense for the fubar'd uploads and they had just been cut off of their primary source, they used all available bandwidth to reconnect and DDOS'd.
What's going to happen here is a combination between defamation of character suites and hacking lawsuits. Those are the kinds of suites that put people out of business and in jail.
The RIAA and MPAA just shot themselves in the head on this one and their shell company is going to go tits up due to it. That's going to have a concussive effect on the other shell companies which will have a bad effect on their anti-piracy campaign.
signed,
The Rest Of The Planet
Quo usque tandem abutere, Nimbus, patientia nostra?
It wouldn't be too big of a stretch of one's imagination to believe they use the same tactic against other trackers.
Maybe if the likes of PirateBay, Mininova and others looked more closely at their traffic patterns and found some "common problems" (such as web traffic from MediaDefender), there would be grounds for civil if not criminal proceedings against MediaDefender.
What IP#'s or subnets or networks does MediaDefender use?
Or better yet...
Maybe we should all run trackers with fake movies being shared and watch for MediaDefender DOS'ing us and create an ever larger case against these twits?
I just absolutely felt compelled to send email to MediaDefender, I so much hate MPAA/RIAA using illegal tactics. So, anyway, here is the email I sent them: Hi there! I just wanted to congratulate you on your brilliant stunt of a highly illegal DOS (Denial of service) attack on Revision3. Perhaps you should have checked earlier that they were seeding their own legal products? Then again, DOS attacks are illegal even against illegal trackers so this could be a bit unfortunate for you. If FBI can link you to DOS attacks on other trackers then you could face serious legal issues. So, I just want to congratulate you once more, this was such a brilliant move by you and I hope you'll do something equally stupid again in the near future! ;)
Yours truly,
-Nita
-Nita
I was able to grab the blog post:
As many of you know, Revision3's servers were brought down over the Memorial Day weekend by a denial of service attack. It's an all too common occurrence these days. But this one wasn't your normal cybercrime - there's a chilling twist at the end. Here's what happened, and why we're even more concerned today, after it's over, than we were on Saturday when it started.
It all started with just a simple "hi". Now "hi" can be the sweetest word in the world, breathlessly whispered into your ear by a long-lost lover, or squealed out by your bouncy toddler at the end of the day. But taken to excess - like by a cranky 3-year old-it gets downright annoying. Now imagine a room full of hyperactive toddlers, hot off of a three hour Juicy-Juice bender, incessantly shrieking "hi" over and over again, and you begin to understand what our poor servers went through this past weekend.
On the internet, computers say hi with a special type of packet, called "SYN". A conversation between devices typically requires just one short SYN packet exchange, before moving on to larger messages containing real data. And most of the traffic cops on the internet - routers, firewalls and load balancers - are designed to mostly handle those larger messages. So a flood of SYN packets, just like a room full of hyperactive screaming toddlers, can cause all sorts of problems.
For adults, it's typically an inability to cope, followed either by quickly fleeing the room, or orchestrating a massive Teletubbies intervention. Since they lack both legs and a ready supply of plushies, internet devices usually just shut down.
That's what happened to us. Another device on the internet flooded one of our servers with an overdose of SYN packets, and it shut down - bringing the rest of Revision3 with it. In webspeak it's called a Denial of Service attack - aka DoS - and it happens when one machine overwhelms another with too many packets, or messages, too quickly. The receiving machine attempts to deal with all that traffic, but in the end just gives up. (Note the photo of our server equipment responding to the DoS Attack)
In its coverage Tuesday CNet asked the question, "Now who would want to attack Revision3?" Who indeed? So we set out to find out. Internet attacks leave lots of evidence. In this case it was pretty easy to see exactly what our shadowy attacker was so upset about. It turns out that those zillions of SYN packets were addressed to one particular port, or doorway, on one of our web servers: 20000. Interestingly enough, that's the port we use for our Bittorrent tracking server. It seems that someone was trying to destroy our bittorrent distribution network.
Let me take a step back and describe how Revision3 uses Bittorrent, aka BT. The BT protocol is a peer to peer scheme for sharing large files like music, programs and video. By harnessing the peer power of many computers, we can easily and cheaply distribute our huge HD-quality video shows for a lot less money. To get started, the person sharing that large file first creates a small file called a "torrent", which contains metadata, along with which server will act as the conductor, coordinating the sharing. That server is called the tracking server, or "tracker". You can read much more about Bittorrent at Wikipedia, if you really want to understand how it works.
Revision3 runs a tracker expressly designed to coordinate the sharing and downloading of our shows. It's a completely legitimate business practice, similar to how ESPN puts out a guide that tells viewers how to tune into its network on DirecTV, Dish, Comcast and Time Warner, or a mall might publish a map of its stores.
But someone, or some company, apparently took offense to Revision3 using Bittorrent to distribute its own slate of shows. Who could that be?
Along with where it's bound, every internet packet has a return address. Often, particularly in cases like this, it's forged - or spoofed. But interestingly enough, whoev
Its doubtful that anyone will hack into any of those closed systems for the most part. However, I wouldn't be surprised to see mediadefender start getting nailed VERY hard bandwidth wise. I wonder how many syn packets or christmas tree packets it takes to fill up a 9gbps pipe?
Revision3 refers to longstanding misuse of its severs by MediaDefender, before the current DOS attack. What exactly they were doing isn't clear to me. Anybody know? And is it a crime?
Browsing and posting to Slashdot?
MediaDefender seems to think it's just fine and dandy to DOS other sites because they don't approve of what that site's doing. Why don't we all go over there and take a real good look at what they have to say for themselves. Let's see how they like being Slashdotted.
Good, inexpensive web hosting
I operate a tracker to distribute my music. It's more efficient than direct HTTP downloads, so it saves on my hosting bill.
The point really needs to be rammed home to law enforcement and elected officials that there are many perfectly legitimate, and in fact socially beneficial uses for peer-to-peer file sharing.
Request your free CD of my piano music.
According to CNET article http://news.cnet.com/coops-corner/?tag=cnetfd.blogs "At this point, Revision3 says it's not planning to file a lawsuit. Not because it doesn't have a case but pursuing a court remedy would likely cost a lot of money."
In theory, there's no difference between theory and practice; in practice there is.
Sounds like MediaDefender wants to take down *any* competition to their clients, illegal or otherwise.
"(Mirrordot seems to have died and the wayback machine doesn't have it.)"
The wayback machine doesn't have it? You mean this is fresh news!?!?
I'm waiting for a "-1 somepeoplejustshouldn'tgetmodprivileges" meta-moderation.
The idea MediaDefender is nothing more than a disposable front-end, therefore, is entirely possible and would make a lot of sense.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
MediaDefender claims that they have taken steps to ensure this won't happen again. "We've added a policy that will investigate open public trackers to see if they are associated with other companies", promised Grodsky, "and first will make a communication that says, hey are you aware of this." Since when is being a "company" required to legally run a BitTorrent tracker?
Try this instead: Determine if the tracker belongs to you. No? Then you don't have the right to abuse it in this way.
Don't thank God, thank a doctor!
how about you let law enforcement work out if the allegations of a blog post are true first?
Or you want to abandon the whole concept of justice and just punish whoever gets pointed at first?
DRM-free indie games for the PC and Mac: Positech Games
I'd like to try out this new BitTorrent-based DOS. I'm still using MS-DOS 5 and it takes too long to copy files.
...the least we could do is provide a Coral Cache link to the blog entry.
A DoS violates Federal Criminal Law. Copyright is generally a Civil statute and is prosecuted via lawsuits.
What MediaDefender did is therefore being investigated under criminal law.
http://en.wikipedia.org/wiki/NET_Act The United States No Electronic Theft Act (NET Act), a federal law passed in 1997, provides for criminal prosecution of individuals who engage in copyright infringement, even when there is no monetary profit or commercial benefit from the infringement. Maximum penalties can be five years in prison and up to $250,000 in fines. The NET Act also raised statutory damages by 50%.
- Why Free Music?
I only have the scores to two of the songs so far. At the time I composed them, I couldn't read music, so I did it all by ear, and by memorization.I stopped playing for a while because I got real depressed shortly after recording my album. That lead to me partially forgetting how to play Sahara, and completely forgetting how to play As Yet Untitled.
But I'm working on transcribing the scores from my recordings. It's taking me a long time, but eventually I'll be providing Lilypond source for them as well.
Request your free CD of my piano music.
wow, only on slashdot does the suggestion of innocent till proven guilty get modded as troll.
How pathetic.
DRM-free indie games for the PC and Mac: Positech Games
you do realise that writing your software in such a way that it automatically retaliates if it's 'pissed off' is just as intentional legally as doing it manually, right?.. it doesn't make any difference if this was inititated by an employee unthinkingly switching on the doling out of 'punishment' to websites frustrating their efforts to annoy people with fake materials without first checking if the website is owned by a reputable company or just an automated response which didn't require further human interaction, the response was programmed/executed in a systematic fashion.. that doesn't add up to being negligent when it comes to checking whether they should be bullying this person or not, it adds up to intentional bullying, period.
Ironic. A Slashdot article about someone else DoS'ing a site gets it DoS'ed.
For a site about things like basic rights, Slashdot users sure do like to censor "dissent".
2461 Santa Monica Blvd., D-520
Santa Monica, CA 90404
PHONE: (310) 956-3300
FAX: (310) 956-3391
Start your letter writing and phone calling campaign against Media Defender now.
For the lazy. Seems they run vmware. Maybe slashdot would like to say 'hi' to them at port 950.
129.47.130.104
129.47.130.155
129.47.130.53
129.47.131.106
129.47.131.208
129.47.132.160
129.47.132.211
129.47.132.58
129.47.132.7
129.47.133.10
129.47.133.112
129.47.133.163
129.47.248.125
129.47.248.207
129.47.248.2
38.103.50.152
38.107.160.10
38.107.160.12
38.107.160.13
38.107.160.14
38.107.160.15
38.107.160.18
38.107.160.19
38.107.160.22
38.107.160.23
38.107.160.24
38.107.160.25
38.107.160.3
38.107.160.6
38.107.160.8
38.107.161.68
38.107.161.71
38.107.161.72
38.107.161.74
38.107.161.75
38.107.161.76
38.107.161.79
38.107.161.80
38.107.161.81
38.107.161.82
38.107.161.83
38.107.161.84
Routers and firewalls still have to take time to process all the incoming packets. It may do some good for a while, but a SYN flood will eventually overwhelm the router, especially in the proportions being talked about here.
Remember that blocking the packets doesn't make them not come to the router. It just means they don't get past the router.
Help protect civil rights from abuse by the TSA - visit TSA News Blog.
http://www.tsanewsblog.com
Even with free lawyers from the EFF, the costs and risks of civil litigation could be substantial for what looks like a fairly small company. The alternative of focusing on maximising the free publicity and then keeping 100% of your effort on providing a great service might be a better business strategy. I'm just guessing, but if I was in Revision3's shoes I'd think long and hard before starting law suits that could easily tie up scarce resources. The upside could be big I suppose but it would be a gamble and also any payoff would surely be a long way in the future.
In theory, there's no difference between theory and practice; in practice there is.
The only thing these **AA thugs understand is brutal force. Someone needs to carbomb those fuckers.
I hate to feed the trolls, but just felt someone should point out for those who don't use Revision3 that this is incorrect, they produce original shows, such as Diggnation. (as far as i am aware, they do not have any user uploaded content or any non-original content at all)
There is no "original content". All music/TV/movies/video created in the last 10 years at least must be derivative works of major media company IP. 99.99% of the US population (and nearly as high a percentage of the rest of the world) is exposed/hears/watches/reads/is told about IP owned by the major media producers. It is nearly impossible for anyone to escape it.
Subconsciously, they process it and incorporate it into anything they create. Therefor all content is owned by, or is a derivative work of, the major media producers. With even government failing to acknowledge the truth and logic of this fact, the major media producers are *forced* to take extra-legal actions.
They have every right and no choice in taking these actions to preserve their business, capitalism itself, and justice. Until government and the courts acknowledge these facts, expect more attacks on distribution of content and IP that by all rights is owned by the major media corporations either outright or as a derivative work illegally appropriated and incorporated into unauthorized works that steal food from the table of honest, hard-working media creation and distribution business workers and executives.
They have the money and political connections to avoid any deluded wrong-headed attempts to twist the law to impede their God-given right to defend what is rightfully theirs and theirs alone by whatever means they decide is most effective. Any claims that any media created these days is not rightfully theirs flies in the face of the facts and are simply the whines and whimpers of thieves trying to excuse their larceny!
It's the server/computers IP stack which processes SYN packets and maintains the state table of TCP connections, which are awaiting being opened (syn), which ones are open (syn,ack), which are closing (syn,rst), and which are closed (rst,ack)
If you send a bunch of syn packets, their server will send back a syn,ack and await the last stage of handshaking, which of course you don't do, since you are busy sending out your next syn packet and don't want to keep track of all those connections yourself.
Once their servers IP stack state table is filled with these half open connections, awaiting for the final packets to setup the TCP connection (which will never happen), then until those half open connections start timing out and being dropped from the state table, no new legit connections can be established due to the state table being full.
So, you don't need to send enough syns to fill a 9gbps pipe, only send enough to fill their servers state table, and send them only faster than the IP stack timeouts those connections and drops them.
Chances are a constant syn storm sent at 10mbps will be enough to make their server stop answering legit requests.
And if their server happens to be an OS with a more advanced TCP stack, which can support syn cookies to stop syn floods, then all one needs to do is aim the attack at one of their routers and take IT down instead.
How about a backhoe?
SYN Flooding is one of the oldest DOS attacks around. The attack must have been truely massive to bring down the server... or the admins didn't have the protection in place for such an old style DOS attack.
Either way, if they can track the attack back to MediaDefender, then they have pretty good evidence to sue them, or at least get the FBI involved.
I think MediaDefender need to be taught a valuable lesson: just because other people break the law, doesn't mean you have the right to break the law in your crusade against them.