The unprecedented shutdown of Sony’s PlayStation Network (PSN) has reached its third day with the company’s best explanation as to the cause remaining yesterday’s mention of “external intrusion”.

“An external intrusion on our system has affected our PlayStation Network and Qriocity services,” read a blog posted on 22 April by Sony’s senior director of corporate communication, Patrick Seybold.

That appears to scotch the rumour that the anti-Sony Anonymous hacktivist group had launched a distributed denial of service (DDoS) attack, but with the passing of time that was starting to look unlikely anyway. Faced with a company of Sony’s size and resources, a DDoS might cause hours of disruption or slow-down, but not days.

“We are doing all we can to resolve this situation quickly, and we once again thank you for your patience. We will continue to update you promptly as we have additional information to share,” Seybold added.

On message boards and Twitter, the incident has started generating frustration from gaming users, ironically some aimed at the Anonymous group, which conceivably has nothing to do with it.

Three weeks ago, the group, or supporters working under its mantle, launched an intermittenltly successful DDoS attack against a number of the company’s servers in support of alleged PlayStation cracker, George Hotz (‘Geohot’). On 12 April, Sony surprised the world by announcing that it had settled the dispute with Hotz for good.

The disruption also goes well beyond the PSN, to affect the Qriocity media-streaming service, accessed through Sony TVs, Blu-ray players and PCs.

That still leaves some mystery surrounding this week’s events. “External intrusion” refers unambiguously to hackers having penetrated the company’s infrastructure. At the time of Sony’s settlement with Hotz, the group said it would continue its anti-Sony campaign but in truth there are numerous parties that might also want to hack the company to gain commercial information on its customers.

Taking the entire network offline might appear extreme but it is also a textbook form of network self-defence where a company knows that outsiders have broken in but does not what levels of access they have gained. Admins will be combing logs for signs of unauthorised access while another group will be resetting access codes for every layer of the system. This will take a lot of time.

The company will also be checking the parameters on its intrusion prevention systems (IPS), or those of its partners, to trigger alerts more quickly on some domains of the internal network. Unlike firewalls, which filter traffic for attacks coming from outside the network, the IPS layer looks at what is going on inside the network.