SANS ISC: InfoSec Handlers Diary Blog

Apple DDOS? Nope, just the update coming down!

Published: 2013-09-18
Last Updated: 2013-09-19 17:14:37 UTC
by Rob VandenBrink (Version: 2)
5 comment(s)

The amount of press that Apple's iOS 7 update has gotten today has had an unintended consequence: everyone seems to be pulling it down the instant they see that it's available.

This is triggering IPS sensors and causing real DoS conditions due to the traffic involved - an unintended "apple - zooka".

<<updated content follows>>

Our readers are reporting up to a doubling of wireless traffic, and similar increases in overall internet bandwidth usage! The chart below shows the impact on a wireless network in an education setting (thanks again to John and Eric for this!). That's more Apple-y goodness than we bargained for today!


Swa, one of our handlers, indicates that this can be easily resolved for a corporate network by enabling the Apple Caching Service and/or Software Update Server on a single OS X Server in the network, which serves as the update "broker" for all clients on the network (thanks for the screenshot, Swa). The Caching Server will serve up all Apple content (including updates), while the Update Server will only serve up updates.

I'm not sure how these services interact with the Service Discovery features in mDNS - if anyone has details on this we'd appreciate your insight in the comments field for this story!

The basics of setting up your Caching Server can be found in the "Mac Management Basics" guide, found here ==>
Generally, just enabling the Caching Server is enough, but advanced settings for the caching server can be found here ==>


Rob VandenBrink
