When the first complaints came in last Saturday, folks at StarHub might have thought they were facing yet another routine outage or server problem.
They were probably not expecting to be hit by a cyber attack that was unprecedented in scale and sophistication.
The telecom operator today said the attack on its DNS (domain name servers) on two separate days was launched from its own customers’ PCs and devices which were taken over by hackers. Many of its broadband users could not surf to websites as a result.
With this revelation, there is no question this was a sophisticated and well-planned attack, one with a clear target in mind. More importantly, it shows how difficult it is to fight such threats.
StarHub would have stopped such DDoS (distributed denial of service) attacks from the outside, because its servers would be accessible only by its subscribers.
However, the flood of traffic that such an attack brought about was from its own customers, who are usually allowed to connect to its servers. This means someone had taken care to get into StarHub users’ devices to plan an attack on their service provider.
StarHub rightly said today that the responsibility for cyber security rests with everybody, including users. It advised them to buy devices such as routers and Internet cameras from reputable manufacturers.
This way, they don’t end up being taken over by hackers who can control thousands of such devices to flood a telco with their traffic. But that’s easier said than done.
When was the last time you updated your network attacked storage (NAS) device? Or your Internet-connected TV? In future, what about those smart devices coming onboard such as a connected fridge or even kettle?
And that’s assuming that manufacturers offer an update. After PCs have been patched up regularly in recent years, it’s clear hackers are looking to devices that are less secure and not usually updated.
In a similar attack in the United States last week, millions of Internet cameras were said to be commandeered by hackers to disrupt a DNS service by American firm Dyn.
The cameras, made with components from China’s Hangzhou Xiongmai Technology, are now being recalled. But that’s not before they were used to take down a chunk of the Internet in the US, including services such as Spotify and websites like The New York Times.
What can service providers like StarHub do? They can beef up defences, as they have been doing. The same goes for power plants, land transport system providers and government agencies as well.
Though it is still unclear who initiated the attack on StarHub, it may just be a precursor to more serious threats in future.
Security experts have long wondered if state-backed hackers could be simply testing the waters, probing how hard it would be to take down a large part of the Internet. In the past week, the hackers would have found the results encouraging.
With millions of connected devices coming onboard soon, mounting a defence against a concerted threat will get more difficult.
Will governments have to start mandating that all such devices, from digital door locks to cameras, be updated?
Or will users get help from the technology industry, like how they stepped up to harden PC defences in the past, to better protect their increasingly connected lives?
This situation is looking very interesting …
Routers (presumably mostly D-Link products since that is what StarHub supplies as part of its broadband contracts) connected to StarHub obtain an IP, gateway and DNS settings over DHCP.
And the primary and secondary DNS servers assigned by StarHub are 172.17.5.36 and 172.17.5.68.
Following an exchange on Facebook with another user, I have several questions I am trying to figure out:
1) who runs and controls the DNS hardware at the default IP addresses assigned by StarHub?
2) if they are internal hardware, why did the DNS outage only affect Fibre customers and not cable and mobile customers?
3) if the DNS hardware is externally managed, how then can the telco “add capacity”, as indicated in their slides at today’s briefing? (In this photo, note the comment on actions taken at 10.52pm and 11.20pm. ref. http://www.straitstimes.com/sites/default/files/styles/article_pictrure_780x520_/public/articles/2016/10/26/851517876_80501_16895473786315518726.jpg?itok=k4Yvkuro)
4) if the DNS hardware is external, is it a common service shared by various telcos? Could taking down one central DNS knock out the customers of multiple telcos? (Sort of like how a fire at the OpenNet exchange in Bukit Panjang knocked out internet comms for a huge swathe of users?)
Interesting but worrying thoughts to me …