So, FCC, how about that massive DDoS? Hello? Hello...? You still there?

Like trying to get blood out of a stone

Updated America's broadband watchdog, the FCC, has declined to share any more details on the cyber-assault that apparently downed its website shortly after it announced its intent to kill net neutrality.

Today, the regulator said in a formal response [PDF] to a Freedom of Information inquiry that it would not hand over more than 200 pages of internal documentation regarding the cyber-tsunami that, we're told, knocked over its online comment system. The commission claimed the attack washed away its servers in early May after telly comic John Oliver criticized the FCC's efforts to tear up net neutrality rules.

Shortly after Oliver's segment aired, the FCC's comment system went down under the weight of what the commission said was a distributed denial of service attack, but what critics claim was merely the American public firing up their web browsers and letting the regulator know what they thought of the policy.

Skeptical of the claim of an attack, Gizmodo scribes filed public record requests for the agency's internal analysis of the cyber-assault. A group of US Senators also sought out proof.

Now the FCC claims it can't provide more than 200 pages of the requested documents because they contain commercially confidential details, copyrighted information, and internal agency notes that are protected from civil discovery requests. It also said early analysis of the DDoS was not even written down.

"Records responsive to your request were withheld under FOIA Exemption 4. Exemption 4 protects matters that are 'trade secrets and commercial or financial information obtained from a person and privileged or confidential'," the FCC claimed.

"These documents consist of trade press articles and other subscription publications that are subject to copyright. We have determined that disclosure is prohibited by law under the Trade Secrets Act, 18 USC §1905, or that release would otherwise harm the commercial interests of the companies involved."

The response will only fuel claims that the broadband watchdog and its chairman Ajit Pai are trying to downplay the unpopular nature of the commission's efforts to dismantle net neutrality protection in the US by claiming that the flood of comments to the FCC site was a deliberate attack and not a massive wave of disgruntled Americans making their voices heard.

The FCC plan for net neutrality rollbacks was recently endorsed by the Trump administration. ®

Updated to add

Here's where the plot thickens. Today, tech hacks took the FCC's response to mean the regulator had no record or any proof of the alleged cyber-attack. In the FoI response, the watchdog said an internal study of the attack "did not result in written documentation."

Hours later, the FCC shot us an email arguing it does have proof in the form of web server logs – and that in the aftermath of the chaos, it did eventually write down an analysis of the alleged attack.

"Media reports claiming that the FCC lacks written documentation of its analysis of the May 7-8 non-traditional DDoS attack that took place against our electronic comment filing system are categorically false," said FCC spokesman Brian Hart.

"Given that the Commission’s IT professionals were in the midst of addressing the attack on May 8, that analysis was not reduced to writing. However, subsequent analysis, once the incident had concluded, was put in writing. Indeed, analysis was made public in response to a request from Capitol Hill.

“Moreover, the FCC has never stated that it lacks any documentation of this DDoS attack itself. And news reports claiming that the Commission has said this are without any basis and completely irresponsible. In fact, we have voluminous documentation of this attack in the form of logs collected by our commercial cloud partners.”

However, that aforementioned written analysis appears to be a letter the commission sent to US Senator Ron Wyden (D-OR) in June; the missive is a rather longwinded way of saying: "We were DDoS'd, all right."

So, yes, the FCC didn't document the attack while its servers were on fire, and thus it couldn't hand over any detailed information to journos. However, it did write Senator Wyden a long letter about it all, so essentially: back off, nerds.

Meanwhile, we're still none the wiser to what actually happened other than that the site's API – used by complaint-filing software – got two million comments in 10 days from a load of bots in "the cloud" shooting out 30,000 requests a second tops. By flooding the API service, the bots stopped normal humans from submitting comments to the website, we're told.

In short, the FCC says bots knackered its website via its form-filing API. Critics of its decisions reckon it was the stampede of angry Americans and their web browsers that brought down the site.


Biting the hand that feeds IT © 1998–2017