Starhub fibre outages in October not caused by DDoS attack: IMDA

SINGAPORE — The massive outage that StarHub’s broadband subscribers experienced in two separate incidents in October last year were not caused by a cyberattack, as it had said then, but because of insufficient capacity in the telco’s servers.

The Infocomm Media Development Authority (IMDA), which concluded an investigation into the incidents, said on Friday (April 21) that it had issued a stern warning to StarHub, and told it to upgrade its infrastructure, which the telco noted has already been carried out. If a similar incident occurs, StarHub could face sterner actions such as a fine, the regulator added.

The outages, which occurred over three days, affected thousands of users islandwide, and led many to complain about disruption to their personal lives and business.

There had been a cyberattack, or distributed denial-of-service (DDoS) attack, on American company Dyn which hosts popular websites such as Twitter, Netflix and Paypal. The initial symptoms of StarHub’s outage bore “some similarities” to the DDoS attack which affected users worldwide. However, an “in-depth investigation” by the IMDA and the Cyber Security Agency “did not uncover any evidence to suggest that the cause of the incidents was a DDoS attack on StarHub’s network infrastructure”. While some unusual DNS requests were identified when the incidents occurred, the type and volume of these requests did not match the profile of a DDoS attack,” the regulator said. 

While StarHub said last year that the surge of traffic came from a cyberattack, IMDA reiterated that much of it was from legitimate traffic.

The IMDA explained that the attack on Dyn may have indirectly caused a spike in traffic. This might have proved too much for StarHub’s limited capacity servers to handle.

Investigations traced the possible cause of the telco’s outage to another American company Mixpanel, a major provider of user analytics services for sites and apps such as Amazon and Uber, which are used by many Singaporeans. As a precautionary measure following the attack on Dyn, Mixpanel switched to a secondary server and the process led to increased traffic that clogged up the networks, As a result, Internet surfing speeds slowed and many users here repeatedly refreshed their Web browsers, which worsened the situation. 

The four other Internet Service Providers here — Singtel, M1, MyRepublic and ViewQwest — were not affected. 

Responding to TODAY’s queries, StarHub’s Chief Technology Officer Chong Siew Loong, said it noted the IMDA’s findings. He added: “The authorities have acknowledged the fact that we have increased our DNS processing capacity and taken additional security measures to better avert similar incidents. We assure our customers and the regulator that we will continuously review our security posture and enhance network resilience in partnership with network and security providers.”

The IMDA spells out minimum service requirements for telcos, in what is known as the Telecom Service Resiliency Code. Breaching these minimum service standards could lead to fines of up to S$270,000 for every 30 minutes that a service is down.

The StarHub outage lasted about two hours per episode. In its statement shortly after the incidents, StarHub pinned the blame on cybercriminals for what it called a DDoS attack. A denial-of-service attack is one in which a computer network controlled by a group floods a network with an overwhelming amount of traffic, bringing it to its knees. The motive for these attacks is normally mischief, but in some instances, has been ascribed to business competition. Other reasons include what is known as “hactivism”, when cyber crusaders unhappy with a government or business flood its network to express this – a form of cyber vandalism.

Mr Vincent Loy, Cybercrime and Technology Risk Leader of PWC (Asia Pacific), said that sometimes it could be tricky for companies to decide how much additional capacity is warranted.

“Many times there might be spikes (in traffic), but it might not be very common, and when that extra capacity is not used, it becomes a very expensive investment. Every company will build a certain level of additional capacity, but then the question is how much.”