SINGAPORE: A Distributed Denial of Service (DDoS) attack on StarHub's network was ruled out as the reason for last October's fibre broadband service outages, the Infocomm Media Development Authority (IMDA) said on Friday (Apr 21).
Instead, the regulator said its joint investigations with the Cyber Security Agency of Singapore (CSA) found that the two service disruptions were caused by a surge in legitimate Domain Name System (DNS) traffic, which the local telco's infrastructure could not cope with.
StarHub was warned over the incidents, and instructed to engage an independent expert to review its DNS and other associated infrastructure, to ensure that its network is resilient to future incidents of this nature.
StarHub's chief technology officer, Chong Siew Loong, said in a statement: "We note IMDA's findings that the significant increase in traffic to our home broadband DNS systems in October 2016 does not fit typical DDoS patterns. The authorities have acknowledged the fact that we have increased our DNS processing capacity and taken additional security measures to better avert similar incidents.
"We assure our customers and the regulator that we will continuously review our security posture and enhance network resilience in partnership with network and security providers."
A StarHub spokesman added that the telco installed new equipment for a "small number of customers" whose home devices had been identified to have generated unusual data traffic patterns during both incidents.
DDOS THEORY DEBUNKED
The findings by IMDA and CSA debunked previous findings by StarHub that the outages were caused by cyberattacks brought on by bug-infected devices of its users. StarHub at the time said that these devices caused "illegitimate traffic" that resulted in the DDoS the telco suffered twice in two days.
However, IMDA said the investigation concluded that the typical signs of a DDoS attack were missing.
For instance, analysis of logs showed the increase in DNS requests was across multiple domains and not focused on a particular domain, and the increase in requests was not due to a spike in IP addresses or spoofed IP addresses.
Additionally, the increase was not primarily caused by a few or selected IP addresses, it said.
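One way to run the checks IMDA describes over a resolver query log, as an added example (not StarHub's, IMDA's or CSA's code): it flags the three attack signatures the investigation looked for and did not find. The log format, the thresholds and the baseline source count are assumptions.

```python
"""Check a resolver query log for the three DDoS indicators the article lists:
queries focused on one domain, a spike in distinct/spoofed source IPs, or a few
sources driving the volume. Added example, not StarHub's or IMDA's tooling; the
log format, thresholds and baseline count are assumptions."""
from collections import Counter
# Constructed sample logs, "<unix_ts> <client_ip> <qname> <qtype>" (format assumed)
LEGIT_SURGE = """\
1476540001 10.0.0.11 www.example.com A
1476540001 10.0.0.12 api.mixpanel.com A
1476540002 10.0.0.13 cdn.example.net AAAA
1476540002 10.0.0.14 mail.example.org A
1476540003 10.0.0.15 api.mixpanel.com A
1476540003 10.0.0.16 news.example.com A
1476540004 10.0.0.17 static.example.net A
"""
ATTACK_LIKE = """\
1476540001 203.0.113.5 victim.example A
1476540001 203.0.113.6 victim.example A
1476540002 203.0.113.5 victim.example A
1476540002 203.0.113.6 victim.example A
1476540003 203.0.113.7 www.example.com A
"""

def parse_log(text):
    """Parse lines into (ts, client_ip, qname, qtype); malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, qname, qtype = parts
        records.append((int(ts), ip, qname.lower().rstrip("."), qtype))
    return records

def top_share(counter, n):
    """Fraction of all events attributable to the n most frequent keys."""
    total = sum(counter.values())
    return sum(c for _, c in counter.most_common(n)) / total if total else 0.0

def triage(records, baseline_sources, domain_share=0.5, source_share=0.8):
    """Evaluate the indicators; any True one makes the surge look attack-like."""
    domains = Counter(r[2] for r in records)
    sources = Counter(r[1] for r in records)
    indicators = {
        "single_domain_focus": top_share(domains, 1) >= domain_share,
        "few_sources_dominate": top_share(sources, 3) >= source_share,
        # far more distinct clients than usual suggests a botnet or spoofed sources
        "source_ip_spike": len(sources) >= 2 * baseline_sources,
    }
    return indicators, ("ddos-like" if any(indicators.values()) else "capacity")
```

A "capacity" verdict with all three indicators False is the pattern the article describes: broad, multi-domain demand from the usual client population that simply exceeded what the resolvers could serve.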
The outages were instead caused by a combination of possible factors, such as an increase in Internet usage over the weekend, repeated reloading of Web browsers, and bigger-than-usual traffic caused by changes made by domain owners in the United States, IMDA said.
Explaining the unusual traffic from the US, the agency said a website called mixpanel.com, which monitors users' usage of Web and mobile applications, used Dyn as its DNS service provider. Following an attack on Dyn, mixpanel.com switched to its secondary DNS provider as a precaution, and this increased the size of a typical DNS request, which put added strain on StarHub's infrastructure.
Cybercriminals conducted a complex attack using common devices such as webcams and digital recorders on Dyn, which acts as a switchboard for Internet traffic. Among the online services affected by the 2016 attack were Twitter, Spotify and PayPal.
In the immediate aftermath of the outages, StarHub said it increased its DNS capacity by 400 per cent and implemented traffic filtering and source tracing to identify the source of Web traffic surges.
M1 and Singtel are likely to have experienced the same surges, but did not experience issues, IMDA said.