T-Mobile Outage Causes Unfounded Panic About a DDoS Attack That Didn’t Happen

On Monday afternoon, several people in the United States reported that they couldn’t use their smartphone for its original purpose: calling and texting people. According to aggregated data on a site that tracks outages and some complaints on Twitter that went viral, something was afoot with T-Mobile, maybe all American cellphone providers, and perhaps even other services like Twitch or Instagram.

It didn’t take long for panic and misinformation to spread. Was it a nation-wide outage of all cellphone providers? Perhaps caused by a cyberattack? A massive one that takes down the whole internet? The answer, it turns out, is no. What we saw was simply a failure of T-Mobile’s network, but network infrastructure is complicated, and widely followed Twitter accounts shared information that made the event seem more nefarious than it actually was.

For @YourAnonCentral, a Twitter account with 6.5 million followers that’s trying to become the “official” voice of the ever-fluid Anonymous hacking collective, it was definitely a “major” Distributed Denial of Service (better known as DDoS) attack on the whole United States of America.

The tweet, which went viral, shows a screenshot of Digital Attack Map, which presents data gathered by Arbor Networks, a cybersecurity company specialized in DDoS mitigation. This kind of map, ironically referred to as “pew pew” maps by infosec professionals, attempts to visualize unusual internet traffic across the internet and DDoS attacks. Unfortunately these maps are often taken as a live and accurate representation of DDoS attacks, even though they are not . The site was made by Jigsaw, a division of Google that’s supposed to create tools to protect marginalized communities on the internet.

Matthew Prince, the CEO of CloudFlare, a company that has visibility into large swaths of internet traffic and can track DDoS attacks, explained on Twitter that the reality of the outage is “far more boring” than what some were led to believe. He blamed it on “some changes to [T-Mobile’s] network configurations today.”

In other words, it looks like T-Mobile caused the problem itself. We asked T-Mobile about it, and will update the piece if and when they get back.

The National Capital Region Threat Intelligence Consortium, part of the U.S. Department of Homeland Security, warned telecom companies to be cautious, claiming this was a DDoS, according to a story by CyberScoop.

If you check the Digital Attack Map website right now without understanding what you’re looking at you might also think that the U.S. was under a “major DDoS attack.”

Digital Attack Map

A screenshot of Digital Attack Map taken at 9:31 a.m. EDT (Image: Digital Attack Map)

“While the data represented in the Digital Attack Map is sourced from one of the most complete data sets available,” as an FAQ on the site itself puts it, “it is an incomplete picture. The data may misidentify or exclude attack activity.”

Those lines, moreover, are not meant to be read as an indication of who is attacking who. They show “anonymous network traffic and attack statistics” from some of the largest internet service providers in the world, according to Digital Attack Map. The source of an attack can also be forged easily, as the site notes, and the site doesn’t show live information on the actual targets.

And yet, the @YourAnonCentral tweet led to some news coverage all over the world, including a debunking.

T-Mobile’s President of Technology wrote that this was all due to “a voice and data issue.” The company’s official statement on the outage said that it was caused by “an IP traffic related issue that has created significant capacity issues in the network core throughout the day.”

As many grapple with a new reality in which Anonymous may be relevant again, I for one understand the allure of nostalgia—of the days when young, intrepid, hackers were not only causing major trouble online. One thing Anonymous Twitter accounts almost never were, however, was a reliable source of information. That, alas, has not changed.

Subscribe to our new cybersecurity podcast, CYBER.