This article is more than 1 year old

Nude celeb pics wrongly blamed for DDOS at New Zealand's largest ISP

Actual culprit appears to be silly router configurations and Euro-nasties

New Zealand's largest ISP, Spark, has spent the weekend fighting off a DDOS incorrectly assumed to have a connection with last week's nude celebrity picture scandal.

The ISP hit trouble last Friday, when it Tweeted that some of its subscribers had become infected with malware that was flooding its DNS servers and making it hard to access the web.

Some media put one and one together to reach a total of three, by assuming that the malware was deposited by sites purporting to offer the chance to gaze upon popular entertainers wearing no clothes. The sites offered something along those lines, plus malware downloads.

But Spark has hosed down that hypothesis, writing on Facebook that it isn't ruling out malware, but has found “cyber criminals have been accessing vulnerable customer modems on our network.”

“These modems have been identified as having 'open DNS resolver' functionality, which means they can be used to carry out internet requests for anyone on the internet,” the ISP explains. “This makes it easier for cyber criminals to ‘bounce’ an internet request off them (making it appear that the NZ modem was making the request, whereas it actually originates from an overseas source).”

“Most” of the culprit modems “were not supplied by Spark and tend to be older or lower-end modems.”

Spark says the attack originated in Eastern Europe and looked like this:

“The DDoS attack was dynamic, predominantly taking the shape of an ‘amplified DNS attack’ which means an extremely high number of connection requests – in the order of thousands per second - were being sent to a number of overseas web addresses with the intention of overwhelming and crashing them. Each of these requests, as it passes through our network, queries our DNS server before it passes on – so our servers were bearing the full brunt of the attack.

While the Spark network did not crash, we did experience extremely high traffic loads hitting our DNS servers which meant many customers had either slow or at times no connectivity (as their requests were timing out). There were multiple attacks, which were dynamic in nature. They began on Friday night, subsided, and then began again early Saturday, continuing over the day. By early Sunday morning traffic levels were back to normal and have remained so since. We did see the nature of the attack evolve over the period, possibly due to the cyber criminals monitoring our response and modifying their attack to circumvent our mitigation measures – in a classic ‘whack a mole’ scenario.”

During the attack, Spark suggested its customers point their browsers at Google's DNS servers, a handy workaround even if does mean a little more latency.

And the celebrity nudes angle? It's unverified. And likely a way to get you clicking on stories. ®

More about


Send us news

Other stories you might like