Forgot your password?
typodupeerror
The Internet Media Security IT

The Tiger Effect and Internet DDoS 191

Posted by timothy
from the aka-the-kenn-starr-steamroller dept.
An anonymous reader writes "Many US and Canadian ISPs thought they were under a massive denial of service attack yesterday — traffic spiked by hundreds of gigabits across North America. Turns out that the traffic was due to live streaming of the U.S. Open and Tiger Woods nail-biting victory."
This discussion has been archived. No new comments can be posted.

The Tiger Effect and Internet DDoS

Comments Filter:
  • by COMON$ (806135) * on Wednesday June 18, 2008 @03:34PM (#23843725) Journal
    tigerd

    Tigerdotted

    I Got wooded?

    ok /.ers you can do better. I need to update my ids logs to take this into consideration ;)

  • by spun (1352) <loverevolutionary@@@yahoo...com> on Wednesday June 18, 2008 @03:36PM (#23843759) Journal
    Who knew that there was a professional nail-biter's competition, let alone that Tiger Woods won it?
    • I thought this was some sort of mixed martial art competition and Tiger Woods won by repeatingly biting someone's nails. Must be some sort of new fangled submission technique.
  • by truthsearch (249536) on Wednesday June 18, 2008 @03:36PM (#23843767) Homepage Journal
    You mean it wasn't due to Firefox downloads? Guess it's not yet as mainstream as I'd like it to be. :)
  • Tiger? Euro2008? (Score:4, Interesting)

    by superphreak (785821) on Wednesday June 18, 2008 @03:38PM (#23843803) Homepage
    I thought it was due to Euro2008 coverage on Espn360.com
  • by Anonymous Coward on Wednesday June 18, 2008 @03:38PM (#23843807)
    Haven't most users updated to Leopard by now?
    • by morgan_greywolf (835522) * on Wednesday June 18, 2008 @04:20PM (#23844607) Homepage Journal

      Haven't most users updated to Leopard by now?
      Oh, FSCKING JEBUS. Why does some nitwit have to make everything about Apple?!

      Hint to Steve Jobs genuflecting tards: No, life is not all about Apple. No go outside and get some fresh air. Now.
      • by bobdotorg (598873) on Wednesday June 18, 2008 @06:38PM (#23846695)

        Haven't most users updated to Leopard by now?

        Oh, FSCKING JEBUS. Why does some nitwit have to make everything about Apple?!

        Hint to Steve Jobs genuflecting tards: No, life is not all about Apple. No go outside and get some fresh air. Now.


        Wow. Get some air. You're right. And it's a really nice day out. Head on out and get some air.

        You just gave me an excellent idea. I'll just pop out to the Apple Store and get a MacBook Air.
  • Office bandwith (Score:5, Insightful)

    by silas_moeckel (234313) <silas@nOspAM.dsminc-corp.com> on Wednesday June 18, 2008 @03:41PM (#23843875) Homepage
    I remember working at a streaming media startup and a Tiger nail bitter was our first live event. 8 Years ago that was 24gb a sec and the average bit rate was 368kbs if I remember correctly. There is a lot more bandwidth now than then. The fun part was running the logs and associating the AS and often the big company associated with it, there seemed to be a lot of people with comfy offices a lot of bandwidth and a love of golf back then.
  • We could call it the mourningwoods effect. [rimshot]
  • Oops. (Score:3, Funny)

    by WK2 (1072560) on Wednesday June 18, 2008 @03:42PM (#23843915) Homepage

    traffic spiked by hundreds of gigabits across North America.

    Oh sorry, that was me. I downloaded several seasons of Star Trek: The Next Generation. Seriously, hundreds of gigabits across North America is a problem? 500 gigabits is approximately 62 GB.

    • Re:Oops. (Score:5, Informative)

      by gbjbaanb (229885) on Wednesday June 18, 2008 @03:44PM (#23843945)

      Seriously, hundreds of gigabits across North America is a problem? 500 gigabits is approximately 62 GB.
      that'll be per second.

      • by g0at (135364)
        So why don't people say what they mean? Yeesh.
        • by Kjella (173770)

          So why don't people say what they mean? Yeesh.
          May I suggest you go out and bludgeon every producer of "10 Mbit", "100 Mbit" and "Gigabit" ethernet cards, switches and so on? I mean, speaking of network traffic without dividing it by a time unit, there should be a law against things like that.
      • How many library of congress' of porn is that per second?
  • by Anonymous Coward on Wednesday June 18, 2008 @03:45PM (#23843963)
    I find it hard to believe that there's anything that can possibly be nail-biting about watching golf.
    • by rob1980 (941751)
      Anything that says "sudden death" on it tends to be like that.
    • by swb (14022) on Wednesday June 18, 2008 @03:59PM (#23844249)
      I used to feel the same exact way -- I thought watching golf was about as exciting as watching the grass its played on grow.

      I don't know what happened, but I've gotten kind of hooked on the major tournaments. There's enough camera coverage that they actually spend most of the time with a decent golfer hitting the ball, so its not just a bunch of guys walking around, and they're almost exclusively in high definition.
      • Re: (Score:3, Funny)

        by Anonymous Coward
        Did you recently receive a raise and a comfy office?
      • Re: (Score:3, Funny)

        by mgblst (80109)
        ...and they're almost exclusively in high definition.

        I don't know about you, but if I don't like something, seeing it in HD isn't exactly going to help much.
      • by drew (2081)
        While I'm not as into as some people that I know, I do enjoy both playing and watching golf. Even so, I don't remember ever watching or playing a game of golf that I would consider "nail-biting".
    • by PitaBred (632671) <[gro.sndnyd.derbatip] [ta] [todhsals]> on Wednesday June 18, 2008 @06:05PM (#23846259) Homepage
      If you played, you'd understand the skill going into it.

      It's like the manager who can't possibly understand how hard it can be to add search functionality to the program... I mean, all you have to do is add that button that says "Search", right?
      • Re: (Score:3, Insightful)

        by geekoid (135745)
        Sure, lots of skill, but nail biting? uummm no.

        I don't think anyone doubts the level of skill involved.

      • Re: (Score:2, Insightful)

        by maglor_83 (856254)
        I can't say I like watching someone coding up search functionality in a program either.
  • by moore.dustin (942289) on Wednesday June 18, 2008 @03:46PM (#23843973) Homepage
    If these ISPs were overloaded to the point of thinking they may be being DDoS'ed over one event online, they are they wholly unprepared for any sort of attack that may actually be focused at them? Imagine the carnage a real attack would wreak on the ISPs! Is there anyone out there that knows the likelihood of ISPs going down if they came under a real attack? If a few botnets targeted these ISPs, could they be brought down completely? Imagine one of these ISPs really stepping up the game for a tiered internet service model, putting themselves out there as a lightening rod for angry nerds. Could a coordinated effort break the back of an ISPs ability to provide any service whatsoever?

    Your thoughts are most welcome and I thank you in advance for sharing your thoughts!
    • by thecheatah (977630) on Wednesday June 18, 2008 @04:03PM (#23844321)
      Umm, I knew a person who managed a very large botnet. He use to be able to take down the internet for a general area. He use to have "wars" with other botnet people and you would notice the internet gone for a few hours, in my neighborhood at least. Then he was hired to take down a website in the west side of the Pennsylvania. He actually took down the internet for the whole area. Banks there couldn't communicate and all that. Well, he was caught and spent some time in prison. Now he doesn't really fit in with society any more and spends time in and out of prison.
      • by Anonymous Coward on Wednesday June 18, 2008 @04:11PM (#23844467)
        And you sat on your ass and said nothing eh?

        Great.
      • Re: (Score:3, Funny)

        by maxume (22995)
        It isn't real clear that he started out fitting into society...
      • by timmarhy (659436)
        i've always wondered how these people end up getting caught. i'd imagine a sting or someone blabbing to the cops would be it, because on a technical level it's almost impossible to catch them. typically they have their bots log into an IRC channel and the bots listen for commands, the botnet owner can just remote in through a hacked machine and issue the commands.

        I had a machine of mine fall victim to one of those automated ssh attacks and it was very interesting to sit back and disect the guts of the botn

    • by zappepcs (820751) on Wednesday June 18, 2008 @04:43PM (#23844923) Journal
      I didn't see anyone else catch this. WTF do you mean to tell me that they 'thought' it was a DDoS? Thought? So much for that traffic shaping magic. Sure, if it had been P2P we'd know exactly what little johnny down the street has on his iPod this morning and the RIAA would be all over the news with it and how file sharers killed the Internet.

      From the looks of this, co-ordinated effort is nothing more than a couple thousand bot computers infected with a 'lets watch sports over the net' worm. Think of it. One bot net with 100,000 computers all trying to watch ESPN at the same time, and those that can, also trying to watch something from Europe at the same time.

      One word: multicast

      Uni-casting VOD over the Internet will keep doing this over and over again and ISPs will continue to blame file sharing for their lack of both foresight and bandwidth.
      • by dpilot (134227)
        > One word: multicast
        >
        > Uni-casting VOD over the Internet will keep doing this over and over again

        But multicast is not VOD, because the stream happens when the stream happens. You'd have to consult some sort of schedule, and connect to the multicast stream at the right time. I'll bet that given time, there would even be publications, either online or perhaps even dead-tree, to distribute these schedules. Whatta concept.

        We've accused the cable companies of trying to turn the Internet into TV. I
        • by zappepcs (820751)
          Here's the thing. I've given this some thought, both about how it could/might work, and how I would be able to enjoy it working.

          If there is a multicast stream of the movies available, one started every 15 or 30 minutes that I could join, I'd be totally happy with that. On demand in 30 minutes or less and no pizza guy to have to be nice to. It would work for me. I'm never in that much of a rush to see a movie that it has to start RIGHT NOW dog maddit!

          The cable company ends up with 6-10 streams for each movie
    • by ACMENEWSLLC (940904) on Wednesday June 18, 2008 @05:45PM (#23845973) Homepage
      These streams are 800Kb/s each. On top of that, they run over SSL which adds to the overhead. And each connection streams from one of hundreds of IP ranges.

      We have 500 users sharing a dual T1, all wanting to watch this. So why did business transactions begin failing? I wonder.

      Yea, we saw this.

      Since it was SSL we can't inspect it at the application layer for QoS. Since it's a huge number of IP ranges, that gets us too. We can't transparently proxy SSL so Squid can't help. It's a flash stream over https.

      So we QoSed the end users on port 443 in this case. 300b/s seems about right. :P
  • I guess since it was Monday afternoon everyone was watching it from work.
    • by Dan541 (1032000)

      I guess since it was Monday afternoon everyone was watching it from work.
      Well what else would an office worker do?

      If anything this has saved allot of staples that would otherwise have been fired at the waste paper bin.

  • omfg!ponies (Score:5, Insightful)

    by Rob Kaper (5960) on Wednesday June 18, 2008 @03:46PM (#23843983) Homepage
    Run for the hills! Internet traffic doubles/triples during a major sports event? Who could have known!

    That's about as worthy of an article as one "discovering" Euro Cup 2008 matches causes certain European streets to be abandoned for ninety minutes.

    I can understand how such a traffic increase would be reason for alarm for the average network administrator, but you'd think service providers whose main business is the infrastructure would be aware of major streaming events. This shouldn't have surprised so many people.
    • It was surprising because it was a monday playoff that wasn't on anyone's schedules. Golf tournaments normally end on the weekend, so they don't run into competing with business traffic. This went into monday, and also happened to be a see-sawing event which kept people's attention.

      Damn good golf, too.
    • Just look around. Sysadmins = slashdot people. Do you see anyone here who knows who Tiger Woods is, nonetheless when he'll play? Exactly.
    • by murdocj (543661)
      It's newsworthy because it points up the fallacy of the "TV is going away all video will be watched thru the Internet" meme.
  • until a DDoS effort successfully disrupts tiger wood's game

    DDoG?

  • better streaming? (Score:3, Insightful)

    by jschen (1249578) on Wednesday June 18, 2008 @03:48PM (#23844027)
    Maybe we need a better streaming video mechanism for popular live streams? I would imagine that if everyone's watching the same thing at the same time, it ideally shouldn't take up any more bandwidth than, say, one compressed standard definition cable channel. Signed, naive chemist.
    • Multicast. (Score:5, Interesting)

      by pavon (30274) on Wednesday June 18, 2008 @05:05PM (#23845351)
      Yep, this is exactly the sort of situation that IP Multicast was created for. It has been part of the IP RFCs [faqs.org] since forever. Maybe more incidents like this will convince more ISPs to configure their routers to support it, so we could start using it.
      • Re: (Score:3, Insightful)

        by Kjella (173770)

        Yep, this is exactly the sort of situation that IP Multicast was created for. It has been part of the IP RFCs since forever. Maybe more incidents like this will convince more ISPs to configure their routers to support it, so we could start using it.

        The more time passes, the less likely I think we'll ever use it. Multicast requires that all the people watch the same thing at the same time. Sure there are exceptions like this but what most people want the net for is surfing random stuff like YouTube, not being tied to some schedule. Plus being individual, hopefully I can pause the stream and pick it up a bit later, rewind a bit if I want to watch something again and so on. Multicast has all the convinience of TV without a DVR, unless you build the DVR

        • Re: (Score:3, Interesting)

          by pavon (30274)
          I think another good use for it would be saving server bandwidth on downloads without congesting the last mile the way P2P does. Say you offer several (number varying by demand) staggered multicast streams of a file each at some lowest-common-denominator (DSL) speed. Then you have a client that will connect to however many streams your connection can handle, and then just use P2P to pick up the few stray packets that you miss (since you don't normally resend with multicast).

          The overall bandwidth would be mu
  • firefox (Score:5, Funny)

    by mattwarden (699984) on Wednesday June 18, 2008 @03:49PM (#23844033) Homepage
    Just thought of something. Was mozilla.org hosting US Open highlight clips yesterday or something? Because that would explain a lot.
  • Match (Score:3, Interesting)

    by Tiro (19535) on Wednesday June 18, 2008 @03:50PM (#23844053) Journal
    I couldn't access the NBC stream at all.

    Fortunately Hong Kong's Star Sports was accessible through Sopcast P2P.

    Great match! I watched the back nine and the sudden death playoff hole. Unfortunately the commentators were horrible. They did not announce the length of the puts (huge annoyance) and they spoke when there was nothing to say!

    We want Jim Nantz, or perhaps the British announcers at The Open.

    • Re:Match (Score:5, Interesting)

      by corbettw (214229) <`moc.oohay' `ta' `wttebroc'> on Wednesday June 18, 2008 @04:06PM (#23844373) Journal

      I couldn't access the NBC stream at all.

      Fortunately Hong Kong's Star Sports was accessible through Sopcast P2P.
      That's awesome. Someone in the US (I assume you're in the US, since you referred to NBC and not some other network) had to watch a US sporting event by bouncing off a server in China.

      The best part? It's not really all that impressive nowadays. But the entire concept was unthinkable to most people even 10 years ago.
  • is happening to all my comments? I posted a couple yesterday. I posted about 4 today and now the 4 I posted today are gone.
  • The US Open nail-biting ended on Monday, are they sure it wasn't Firefox 3?
  • 1) Give Tiger Woods a cadillac made of gold in order to, after his surgery, play in a major and make it close so that it goes to a playoff. Ask him to keep the tie breaker going for as long as he can.
    2) Advertise how the internet can't handle the bandwidth, scream fire and brimstone, exclaim that you may not be able to see Tiger again in a playoff if this isn't fixed and sell network upgrades.
    3) Profit!
  • by jhsewell (620291) on Wednesday June 18, 2008 @04:01PM (#23844277)
    Did it occur to them to examine the contents of this supposed DDoS? You know, take a look at the source / destination IPs and perhaps a sampling of packet payloads in an attempt to figure out what was going on?

    I'm not in favor of indiscriminate snooping, but as a security professional, this would be the first thing I would expect.
  • I bet the ISP are just twiddling there thumbs right now at the idea of charging by the GB for internet.

    Scary but true.
  • by tacokill (531275) on Wednesday June 18, 2008 @04:09PM (#23844421)
    How could this possibly be confused with a DDOS attack?

    It makes me nervous that it even got to that point. How can a competent ISP confuse DDOS attacks with streaming video (most likely, the same streaming video sent to all people)? Isn't there a pattern there? Couldn't they see the connections were all coming from the same server or block of servers? Couldn't they see all of the connections were using the same protocol? Couldn't they see they were all using the same port?

    How the hell do they confuse that with a DDOS? I am just a lowly part-time IT network manager at my company and even I can see the difference between streaming video and "other bad stuff".

    Someone smarter than me please help me understand more about this. How did this get far enough to convince the ISP's they were being DDOS'd?
    • My guess would be, they assumed that not that many people out there would actually be watching Tiger Woods, but that some botnet was running a new form of DDoS - suck up all the bandwidth by requesting multiple streams of a very bandwidth intensive application. Don't bring down the servers, bring down the pipes themselves.
    • by Dan541 (1032000)
      Because if they call it a DoS attack they can justify themselfs in blocking it.
  • Where I work they thought we were having issues, and found that many people were streaming the competition. When they found that out they asked everyone to go watch it on television in our big meeting room.

    Pretty fun.
  • Isn't this one of the negative consequences of net neutrality ?
    • Re: (Score:2, Interesting)

      If this had a higher priority it might have choked everything out. If it had a lower priority it wouldn't have worked at all. As it is (neutral) a thing has priority directly proportional to its popularity (providing it doesn't "cheat," so to speak, like torrents do [by making many, many connections]).

      My opinion anyway; Feel free to rebut it.

    • by Dan541 (1032000)
      Negative?

      Please explain how this is negative?
  • by tji (74570) on Wednesday June 18, 2008 @04:30PM (#23844745)
    I guess I was part of the problem. I watched a good portion of it, at least the first nine holes until it switched to NBC coverage where my MythTV DVR could record it (the first half was on ESPN, and I don't get cable).

    I was surprised at how good the video looked. I have tried several other events in the past, and have always been disappointed, or completely unable to view it. Although, for the NCAA Final Four this year, I was finally able to actually watch a game after failing the last few years. I had to use Win2K within a VMware VM, but it did work.

    The U.S. Open video worked directly from my Mac, had decent sized video, and was completely watchable on my laptop. Nice job USGA, NBC, etc.
  • by aliens (90441) on Wednesday June 18, 2008 @04:36PM (#23844827) Homepage Journal
    All these moves to charge per usage is going to blow up in their face.

    They're worried this kind of usage will eat into their own TV viewership. What better way to prevent that from happening than by charging those who use it.

    What will end up happening is customers will get in a tizzy and without suitable alternatives lawsuits will fly.

    In the end either they'll have to abandon these plans or competition will be forced into the market.
  • IpTV, not ready yet. (Score:2, Interesting)

    by EnOne (786812)
    sarcasm - Nice to know that now we can get our shows easily and smoothly across the internet. We probably no longer need to broadcast over the air - /sarcasm
  • by zrq (794138)
    So what will happen when the 2008 Olympics [beijing2008.cn] start ?

The bomb will never go off. I speak as an expert in explosives. -- Admiral William Leahy, U.S. Atomic Bomb Project

Working...