Global DDoS Attack Dismissed as T-Mobile Misconfiguration

Claims of a global DDoS attack have been dismissed, with evidence showing it was caused by a misconfiguration.

The issue was apparently caused by a misconfiguration at T-Mobile in the USA. Mike Sievert, CEO of T-Mobile, claimed in a statement published at 845pm PT that it had “been experiencing a voice and text issue that has intermittently impacted customers in markets across the US” which started just after 12pm EDT, and continued through the day.

“This is an IP traffic-related issue that has created significant capacity issues in the network core throughout the day,” Sievert said. “Data services have been working throughout the day and customers have been using services like FaceTime, iMessage, Google Meet, Google Duo, Zoom, Skype and others to connect.

“I can assure you that we have hundreds of our engineers and vendor partner staff working to resolve this issue and our team will be working through the night as needed to get the network fully operational.”

T-Mobile claimed on Twitter that it was a “widespread routing issue affecting voice & text” and this affected customers around the country.

Despite regular updates and clarifications, claims that there was a global DDoS attack taking place were seen. Some claimed that brands including Sprint, AT&T, Verizon, Comcast, Fortnite, Instagram and Chase Bank were affected, while this map appeared to show a large flow of attack traffic coming from the US.

However, Cloudflare CEO Matthew Prince dismissed claims of a DDoS attack, saying in a Twitter thread that he saw the issue with T-Mobile “making some changes to their network configurations today” and “unfortunately, it went badly” as the result was six hours “of cascading failures for their users.”

Prince added: “This is no massive DDoS attack. First, traffic from WARP to supposedly impacted services is normal and has no increase in errors. Second, there is no spike in traffic to any of the major internet exchanges, which you do see during actual DDoS attacks and definitely would see during one allegedly this disruptive.”

What’s Hot on Infosecurity Magazine?