A series of outages at mobile providers, ISPs, streaming services, games and social media platforms prompted speculation Monday that the U.S. could be under a massive coordinated DDoS attack, though security experts said that scenario seemed unlikely.
Customers at AT&T, Sprint, T-Mobile and Verizon reported cell service disruptions while the Downdetector plotted reports of outages at Google, Zoom, Instagram, Facebook, Twitter, Netflix, Chase, Hulu and other organizations.
While AT&T pinned the problems reported by its customers to an internal voice and data issue, an Anonymous twitter account fueled the fire, speculating that China might be behind a DDoS attack on the U.S.
But Cloudflare co-founder and CEO Matthew Prince tweeted that “the reality is far more boring,” attributing the problem to T-Mobile “making some changes to their network configurations” when “it went badly.” Prince said “the result has been for around the last 6 hours a series of cascading failures for their users” that impacted the company’s voice and data networks.
“From @Cloudflare’s vantage point, we can see a number of things that show there is no massive DDoS attack. First, traffic from WARP to supposedly impacted services is normal and has no increase in errors,” Prince said. “Second, there is no spike in traffic to any of the major Internet Exchanges, which you do see during actual DDoS attacks and definitely would during one allegedly this disruptive.”
Noting that “when the internet is slow, or you can’t access your favorite app, we sometimes become overly quick to speculate, skipping to cyberattack attribution by nation states and DDoS attacks," Joseph Carson, chief security scientist and advisory CISO at Thycotic, said taking a step back and considering motives and their root causes, "according to the latest Verizon Data Breach Investigations report, it is human error by misconfigurations.”
When recently asked about DDoS activity over the past three months, Alexander Gutnikov, system analyst at Kaspersky DDoS prevention service, said the number of so-called smart attacks (more technically sophisticated and requiring more ingenuity) was growing through these months. He said most likely educational, government and medical institutions will remain the main targets for would-be attackers.
"As for media outlets and large ISPs, they are likely to face DDoS attacks, but given their scale and channel width, most of these attacks are inefficient," Gutnikov said.