Security experts say there is no evidence the U.S. was hit by a major DDoS cyberattack this week—despite rampant social media speculation.
Yesterday, rumors circulated on Twitter after telecom operators, games, social networks, banks and other apps suffered unexplained outages. Those affected appeared to include T-Mobile, Fortnite, Instagram, AT&T, Twitch and Facebook Messenger.
DownDetector, a platform that tracks such outages, indicated a slew of services had been experiencing sharp spikes in connectivity problems or user complaints.
Amid the mounting confusion, a social media account affiliated with the hacktivist group Anonymous said the U.S. was “under a major DDoS attack” and shared a link to a Digital Attack Map that is designed to illustrate the scope of global DDoS threats.
Broadly, DDoS, or distributed denial of service, is an attack that sends vast amounts of traffic at a platform’s servers in the hope of temporarily knocking it offline.
Despite little supporting evidence being available, the Anonymous account’s tweet was shared over 12,000 times and gained the attention of U.S. Representative Ted Lieu, who used it to make a political argument against President Donald Trump.
“Source of the DDoS attack on the United States is currently unknown,” the Anonymous profile tweeted in an update shared close to 4,000 times. “We speculate it may be China as the situation between South and North Korea is currently deteriorating.”
A second Anonymous-affiliated Twitter account with more than seven million followers also appeared to allude to the website outages, tweeting: “Take some time off Facebook and Instagram, talked to your loved ones ;).” It did not take credit for the attack.
One major problem with the DDoS claim soon emerged as cybersecurity experts probed the situation. It wasn’t accurate, and there did not appear to be a coordinated attack on the U.S. by any foreign nation. Instead, outages were traced to T-Mobile.
“There’s a lot of buzz right now about a massive DDoS attack targeting the US, complete with scary-looking graphs. While it makes for a good headline in these already dramatic times, it’s not accurate. The reality is far more boring,” tweeted Matthew Prince, founder of web security giant Cloudflare, which also specializes in DDoS protection.
According to Prince, T-Mobile was making network changes today but they “went badly,” causing a “series of cascading failures” for users’ voice and data networks.
He explained: “That caused a lot of T-Mobile users to complain on Twitter and other forums that they weren’t able to reach popular services. Then services like Down Detector scrape Twitter and report those services as being offline.
“So now people are looking around for an explanation and they stumble across sites like the Arbor Networks attack map. It looks terrifying today! Thing is, it always looks terrifying. It’s a marketing gimmick put up to sell DDoS mitigation services.”
In addition, Prince shared screenshots indicating there had been no significant spikes in internet traffic that would typically be seen in the event of such a widespread attack.
Cyber researcher Brian Krebs commented on Twitter: “I have found no indication these outages are DDoS related. Rather, there may be Sprint/T-Mobile issues related to a wonky update in the systems from the Sprint side to help merge with T-Mobile.”
T-Mobile completed its merger with telecom Sprint in April.
A Verizon spokesperson told Data Center Dynamics its networks were “performing well” and said DownDetector’s website had been “falsely reporting Verizon network issues.” At&T News tweeted that its network also appeared to be “operating normally.”
T-Mobile has apologized to customers and said its systems are now coming back online.
Ajit Pai, chairman of the Federal Communications Commission, said the issues were “unacceptable” and that his agency would be launching an investigation.
In an advisory, CEO Mike Sievert confirmed the firm experienced voice and text issues that “intermittently impacted customers in markets across the U.S.”
He wrote: “We are recovering from this… but it may still take several more hours before customer calling and texting is fully recovered. This is an IP traffic related issue that has created significant capacity issues in the network core throughout the day.
“Data services have been working throughout the day and customers have been using services like FaceTime, iMessage, Google Meet, Google Duo, Zoom, Skype and others to connect. I can assure you that we have hundreds of our engineers and vendor partner staff working to resolve this issue and our team will be working through the night as needed to get the network fully operational,” Sievert’s notice added.
Malware researcher Marcus Hutchins, who rose to prominence after temporarily stopping the WannaCry ransomware attack in 2017, was openly skeptical about the initial wave of DDoS claims—an opposition validated as more information emerged.
“T-Mobile outage means everyone using them can’t access any websites, leading to reports that Facebook, Twitter, Instagram are all down (they’re not). Customers also can’t call/be called by other providers, leading to reports other providers are down too (they’re not),” he tweeted, explaining how speculation and misinformation spread.
The attack map shared by Anonymous, Hutchins said, shows a “random sample of global DDoS traffic badly plotted on a world map” and does not indicate an actual attack.