Second StarHub outage in two days leaves customers irate
ricky l, 16 seconds ago
Attacking the ISP's DNS server is the most effective method adopted by hackers to prevent clients from resolving a web URL to the right web server IP, and so from surfing to the webpage.
This is how Twitter, Amazon, PayPal etc. were brought down.
Instead of attacking all the ISPs at once, hackers attack the DNS server that all the ISPs rely on to direct web URLs to the right web server IPs.
Hackers can poison the DNS server with incorrect DNS entries, and thus point the URL to a wrong IP address.
Hackers can also send invalid URLs to the DNS server, asking it to resolve IP addresses that are non-existent. The server then goes through the DNS records held in its cache one by one, or requests information from other authoritative DNS servers, thus choking up DNS server resources such as CPU, memory and network bandwidth and denying legitimate DNS requests.
Hackers often use botnets of compromised clients to launch such DDoS DNS attacks.
So now the challenges are to:
(1) identify whether any authoritative DNS servers have been compromised and have been sending false DNS entries to StarHub DNS servers;
(2) identify any DNS clients that have been compromised by botnets to launch DDoS DNS resolution requests to StarHub DNS servers.
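The second challenge in the comment above, spotting resolver clients that are flooding random subdomains, as an added example that is not part of the original post and not StarHub's tooling. It reads a constructed response log in an assumed `<epoch> <client_ip> <qname> <rcode>` format (one line per answered query; the IPs, names and timestamps are made up) and flags clients whose traffic has the shape of an NXDOMAIN flood: many queries in a short window, nearly all unique names under one zone, nearly all answered NXDOMAIN. The thresholds are illustrative assumptions, not tuned values.

```python
"""Flag resolver clients that look like random-subdomain (NXDOMAIN) flood
sources.  Added example: the log format, the sample lines and the
thresholds are all assumptions, not StarHub's data or detection logic."""
import re
from collections import Counter, defaultdict

# Constructed sample log: "<epoch> <client_ip> <qname> <rcode>".
# 10.0.0.7 hammers random labels under one zone and gets NXDOMAIN back;
# 10.0.0.3 and 10.0.0.9 are ordinary users (10.0.0.9 makes one typo).
SAMPLE_LOG = """\
1477400000 10.0.0.3 www.example.com. NOERROR
1477400000 10.0.0.7 x9fq2k.target.example. NXDOMAIN
1477400000 10.0.0.7 lp0a7zt.target.example. NXDOMAIN
1477400001 10.0.0.7 q8m3vv1.target.example. NXDOMAIN
1477400001 10.0.0.9 mail.example.com. NOERROR
1477400001 10.0.0.7 zz41kd.target.example. NXDOMAIN
1477400002 10.0.0.7 b7t0pl9.target.example. NXDOMAIN
1477400002 10.0.0.3 cdn.example.net. NOERROR
1477400002 10.0.0.7 hh2s9n.target.example. NXDOMAIN
1477400003 10.0.0.7 r4w8ccq.target.example. NXDOMAIN
1477400003 10.0.0.7 www.target.example. NOERROR
1477400003 10.0.0.9 www.example.com. NOERROR
1477400004 10.0.0.7 k3e7rr0.target.example. NXDOMAIN
1477400004 10.0.0.9 typo-exmaple.com. NXDOMAIN
1477400004 10.0.0.7 m2n6dd8.target.example. NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_log(text):
    """Parse the assumed log format; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            records.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return records


def zone_of(qname, depth=2):
    """Crude 'zone under attack': the last `depth` labels (no PSL lookup)."""
    return ".".join(qname.split(".")[-depth:])


def score_clients(records, min_queries=5, nx_ratio=0.7, distinct_ratio=0.8):
    """Per-client statistics plus a flag for NXDOMAIN-flood behaviour.

    A client is flagged when it sends at least `min_queries` queries, most
    of them (>= nx_ratio) answered NXDOMAIN, with almost every name unique
    (>= distinct_ratio).  A user typing one wrong hostname also gets an
    NXDOMAIN, but never this shape of traffic.
    """
    per_client = defaultdict(list)
    for ts, client, qname, rcode in records:
        per_client[client].append((ts, qname, rcode))
    report = {}
    for client, rows in per_client.items():
        total = len(rows)
        nx = sum(1 for _, _, rc in rows if rc == "NXDOMAIN")
        distinct = len({q for _, q, _ in rows})
        zone, zone_hits = Counter(zone_of(q) for _, q, _ in rows).most_common(1)[0]
        span = max(ts for ts, _, _ in rows) - min(ts for ts, _, _ in rows) + 1
        stats = {
            "queries": total,
            "qps": total / span,            # rate over the client's own window
            "nx_ratio": nx / total,
            "distinct_ratio": distinct / total,
            "top_zone": zone,               # where a per-zone rate limit would go
            "top_zone_share": zone_hits / total,
        }
        stats["flagged"] = (
            total >= min_queries
            and stats["nx_ratio"] >= nx_ratio
            and stats["distinct_ratio"] >= distinct_ratio
        )
        report[client] = stats
    return report


def flagged_clients(text, **thresholds):
    """Sorted list of (client_ip, targeted zone) worth tracing to a subscriber."""
    report = score_clients(parse_log(text), **thresholds)
    return sorted((c, s["top_zone"]) for c, s in report.items() if s["flagged"])


if __name__ == "__main__":
    for client, stats in score_clients(parse_log(SAMPLE_LOG)).items():
        print(client, stats)
    print("trace:", flagged_clients(SAMPLE_LOG))
```

Two caveats a practitioner would add before acting on the flags: a shared or carrier-grade NAT address can mix one compromised device with many innocent users, so the IP identifies a line to visit rather than a device to disconnect, and the targeted zone is the better key for an emergency filter (rate-limiting NXDOMAIN answers for that zone) than the client list, since new bots appear faster than they can be traced.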
Compromised home devices triggered broadband outages: StarHub
- By Kevin Kwang
- Posted 26 Oct 2016 19:10
- Updated 26 Oct 2016 19:21
SINGAPORE: Web-connected devices bought by StarHub subscribers were the cause of the "illegitimate traffic" that resulted in the distributed denial of service (DDoS) the telco suffered twice in two days, said StarHub CTO Mock Pak Lum on Wednesday (Oct 26).
In a media briefing, Mr Mock said affected devices such as broadband routers and webcams were responsible for the spike in Web traffic the telco saw last Saturday and Monday nights.
He did not, however, disclose how many devices or IP addresses were compromised, or the exact volume of the spike in Web traffic its domain name system (DNS) server farms had to handle in a short space of time.
The illegitimate traffic to the DNS resulted in an overload that disrupted Web connection for "some" broadband users, Mr Mock said. "Not everyone was affected," he added, saying that some users would have gotten to their desired webpage if they had waited long enough.
As remedial action, the telco said it has increased DNS capacity by 400 per cent since Saturday, and is also implementing traffic filtering and source tracing to identify the source of Web traffic surges.
It is also looking to deploy its technical team - HubTroopers - to subscribers identified with compromised devices to help them troubleshoot. This could either be done at their homes or, with their permission, taken back to StarHub for further investigation.
That said, the CTO said his team is working to scrub through the logs to see if the traffic spike was linked to the attack on US-based Dyn DNS. He noted that there are similarities in that compromised connected home devices were used to conduct the attack, but that it was too early to draw any conclusion.
He also could not comment as to why only StarHub was attacked by the compromised devices, while other Internet service providers were not affected.
StarHub is working with the Cyber Security Agency of Singapore (CSA) in terms of sharing information from its investigations, he added.
In the meantime, Mr Mock stressed that "everyone has a role to play in cybersecurity". "The reward is now too huge" for cybercriminals, and the online threat will be "prevalent for a long time to come", the CTO said.
He suggested that consumers only get devices that are "reputable", remember to change the default passwords, and set up the necessary defences such as firewalls after buying the devices.
He also cautioned against blindly opening up Web links sent from friends via emails, for instance, as this could potentially lead to malware being downloaded into the device without the user's knowledge.