How the StarHub DDOS (possibly) happened


Customers of Singaporean ISP StarHub suffered two major disruptions to their service over the past week, in what the telco said was the result of “intentional and likely malicious distributed denial-of-service (DDoS) attacks”.

Oh the humanity!!

In what appears to be a copycat of the Dyn attack we saw (at roughly the same time), the attack signals the first local salvo in the war of IOT devices. But is it really that serious?

If you’re wondering what the hell happened, let’s walk through it step-by-step, from the attacker’s perspective.

Step 1 : Download Mirai Source Code

10 days ago, a hacker going by the handle Anna-senpai released the source code for Mirai, an extra-special piece of malware built for executing DDOS attacks.

Think of Mirai as a worm built to break into Internet-of-Things (IOT) devices like CCTV recorders and IP cameras. It scans the internet for devices with telnet open and tries a short built-in list of factory-default usernames and passwords; when a pair works, Mirai installs itself and the device becomes a slave awaiting instructions from its ‘master’. With each infection the master gains control of an additional device, beginning with the first one and ending up with an army of them, typically called a botnet.

Remember those two terms, IOT and botnet; we’ll be using them often.

Step 2 : Deploy Mirai and start building your botnet

Once the hacker downloaded the code, she could simply unleash it on the general internet, hoping to infect as many devices as possible. In this particular case though, the hacker seems to have set her sights on just StarHub IP addresses. (Mirai’s scanner normally picks random addresses, so that means editing the code to limit it to StarHub’s address ranges. We’ll see why in a minute.)

If you’re wondering how easy it is to hack into IOT devices like routers or DVR, just look at what I did 3 years ago.

In many cases these IOT devices are un-securable, meaning the security on them is so poor you couldn’t secure them even if you wanted to: typically the telnet login has a password baked into the firmware that the owner never sees and cannot change from the web interface. And quite frankly, very few customers who buy a $100 camera are going to worry about things like internet security.

Step 3 : Pick a target to attack

Once the hacker had amassed enough devices in her botnet, she could then order it to attack.

But attack what?

Well, the internet might be distributed, but there are pockets of centrality, and one of those pockets is called DNS.

DNS is a topic we’ve covered often here, and that’s because the entire web hinges on it. Think of DNS as the GPS of the internet: every time you instruct your computer to go somewhere like Google.com or keithrozario.com, your computer asks the GPS how to get there.

And just like my wife, your computer is completely lost without GPS. So the moment you disrupt GPS, it’s as good as disrupting the internet.

DNS is that GPS for the internet. Your computer may be working perfectly, and the website you plan to visit may also be up, but your computer doesn’t know how to get there. So from your perspective the site is as good as down.
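To make the “GPS” concrete, here is what the lookup actually is on the wire: a small UDP packet asking a resolver for the address of a name, and a small packet back. The example below is added for this post and is not code from the original; it builds a raw A query, parses the answer, and, for the “primary and secondary” advice in the What can you do section, moves on to the next resolver when the first one doesn’t answer in time. The resolver addresses are Google DNS (8.8.8.8) and OpenDNS (208.67.222.222); the sample response bytes are constructed for the example.

```python
# Added example, not from the original post. Builds a raw DNS A query, parses
# the answer section, and fails over between resolvers on timeout.
import socket
import struct


def build_query(name, txid=0x1234):
    """Encode a standard recursive query for the A record of `name`."""
    # header: id, flags (RD set), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += 1 + length


def parse_a_records(resp, txid):
    """Return the IPv4 addresses in the answer section; raise on a bad reply."""
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if flags & 0x0F:
        raise ValueError("server returned RCODE %d" % (flags & 0x0F))
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return addrs


def resolve(name, resolvers=("8.8.8.8", "208.67.222.222"), timeout=2.0):
    """Ask each resolver in turn, moving on only when one times out or errors."""
    txid = 0x1234  # fixed for the example; a real stub picks a random id per query
    query = build_query(name, txid)
    last_err = None
    for server in resolvers:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
            return server, parse_a_records(data, txid)
        except (socket.timeout, OSError, ValueError) as e:
            last_err = e  # a resolver under DDOS looks exactly like this: silence
        finally:
            sock.close()
    raise RuntimeError("all resolvers failed: %r" % last_err)


# Constructed reply (not captured traffic): answer to the query above with one
# A record, 192.0.2.10, TTL 300, and the name compressed to a pointer at offset 12.
SAMPLE_RESPONSE = (
    struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack(">HH", 1, 1)
    + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(build_query("example.com").hex())
    print(parse_a_records(SAMPLE_RESPONSE, 0x1234))
    try:
        print(resolve("example.com"))  # needs network access
    except RuntimeError as e:
        print(e)
```

The whole query for example.com is 29 bytes, which is the point: a bot can send thousands of these a second without breaking a sweat, and the resolver has to do real work for each one. The failover in resolve() is the same thing your operating system does when you configure a primary and a secondary DNS server.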

Step 4 : Attack!!

So with a target set, and the botnet ready, the hacker then unleashed the attack.

A DDOS attack is a blunt instrument; it’s purely about hitting a server as hard as possible. So all the botnet did was generate traffic to the DNS servers StarHub hosts for its customers. DNS queries are tiny UDP packets, so every infected device can fire off a great many of them. If there were enough devices in the botnet, and they generated enough traffic, the StarHub DNS service would soon experience degradation, leading to complete failure.

Basically the DNS service was tied up with traffic from the botnet, so it couldn’t respond in a timely fashion to legitimate requests from StarHub subscribers.

So now that we know what happened to StarHub, how did they respond?

StarHub strikes back

According to StarHub’s official statement they “mitigated the attacks by filtering unwanted traffic and increasing our DNS capacity, and restored service within two hours”.

The simplest way to resist a DDOS attack is to have more capacity than your attacker. Filtering traffic reduces the load on the servers as well, giving them room to respond to legitimate requests.
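“Filtering unwanted traffic” has to start with telling the botnet apart from the subscribers. One crude but workable signal on a resolver is rate: a home connection asks a few questions a second, a bot asks hundreds, and it keeps doing so. The example below is added here and is not StarHub’s tooling; it counts queries per client per second from resolver query logs, flags clients that stay above a threshold for several consecutive seconds, and turns the result into drop rules. The log lines are constructed in the older BIND query-log shape, the client addresses are from documentation ranges, and the iptables rules assume the filtering happens on a Linux host in front of the resolver.

```python
# Added example, not from the original post or from StarHub. Flags DNS clients
# flooding a resolver by sustained per-second query rate.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the older BIND query-log line shape (constructed for this example), e.g.
# 22-Oct-2016 20:15:01.123 client 203.0.113.45#51234 (example.com): query: example.com IN A + (10.0.0.1)
LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ "
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\((?P<qname>[^)]+)\): query: \S+ IN (?P<qtype>\w+)"
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype), or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
    return ts, m.group("ip"), m.group("qname"), m.group("qtype")


def per_client_per_second(lines):
    """Build {client_ip: {second: query_count}} from the log."""
    table = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _, _ = parsed
        table[ip][ts] += 1
    return table


def flag_flooders(lines, qps_threshold, sustain_seconds):
    """Clients that sent >= qps_threshold queries in each of sustain_seconds consecutive seconds."""
    flagged = set()
    one_sec = timedelta(seconds=1)
    for ip, series in per_client_per_second(lines).items():
        run, prev = 0, None
        for second in sorted(series):
            over = series[second] >= qps_threshold
            contiguous = prev is not None and second - prev == one_sec
            run = (run + 1 if contiguous else 1) if over else 0  # a gap restarts the count
            prev = second
            if run >= sustain_seconds:
                flagged.add(ip)
                break
    return flagged


def drop_rules(flagged):
    """One iptables rule per flagged source, dropping its UDP/53 traffic (assumed filter point)."""
    return ["iptables -I INPUT -p udp --dport 53 -s %s -j DROP" % ip for ip in sorted(flagged)]


def make_sample_log():
    """Constructed log: one normal subscriber, one sustained flooder, one short burst."""
    base = datetime(2016, 10, 22, 20, 15, 0)
    # (client, queries per second, how many seconds it keeps that up)
    profiles = [("198.51.100.7", 2, 6), ("203.0.113.45", 50, 6), ("203.0.113.46", 40, 2)]
    lines = []
    for ip, qps, seconds in profiles:
        for s in range(seconds):
            stamp = (base + timedelta(seconds=s)).strftime("%d-%b-%Y %H:%M:%S")
            for i in range(qps):
                qname = "host%d.example.com" % i
                lines.append("%s.%03d client %s#%d (%s): query: %s IN A + (10.0.0.1)"
                             % (stamp, i, ip, 40000 + i, qname, qname))
    return lines


if __name__ == "__main__":
    flooders = flag_flooders(make_sample_log(), qps_threshold=30, sustain_seconds=3)
    print(flooders)
    print("\n".join(drop_rules(flooders)))
```

With a threshold of 30 queries per second sustained for 3 seconds, only 203.0.113.45 is flagged; the two-second burst from 203.0.113.46 is not. The caveat a practitioner would add: a single address can be a NAT gateway fronting many users, so pair the rate with other signals (such as the share of never-before-seen names a client asks for) before dropping anyone, and make the rules expire rather than leaving them in place.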

Overall, pretty straightforward solutions—and they worked!

But if StarHub managed to resolve its attacks in two hours, why is the internet panicking over the same kind of attack on Dyn?

Why is StarHub different?

First of all, StarHub’s attack was probably on a much smaller scale than the 620Gbps attack that hit Brian Krebs’ website a month earlier, or the reported 1.2Tbps attack that hit Dyn.

Secondly, StarHub’s DNS service is an internal service available only to its subscribers. Although I didn’t check this, ISPs in Malaysia host DNS servers that are accessible only by customers of the ISP, and I’m guessing StarHub is the same.

Since StarHub only provides DNS to its own customers, it blocks any request to its DNS service from outside its network. Put simply, only StarHub subscribers can reach StarHub’s DNS.

Therefore, only StarHub subscribers (or rather, devices sitting on StarHub’s network) can DDOS StarHub’s DNS.

Which is why the attacker chose to infect only devices on StarHub’s network.

So the source of the DDOS traffic had to be StarHub subscribers. More importantly, it means the attacker chose the target of her attack before infecting the IOT devices; why else would she limit herself to StarHub subscribers?

In plain English, an attacker decided to attack StarHub’s DNS service, and only then set out to infect machines to accomplish it. This puts the attacker in a different light: it suggests she wasn’t some script-kiddie looking to test out Mirai on a random service, but rather someone executing a planned attack, presumably toward some end-goal that isn’t yet clear.

But I’m digressing–back to why this is different from Dyn.

Dyn is a global service available to anyone with an internet connection, and just about everything on the internet is global in nature. It’s much harder for a global service to filter its traffic, because legitimate and attack traffic look the same, and it can’t simply geo-block.

So OK, StarHub isn’t the same as Dyn. What can you do?

What can you do?

First things first: if you experienced the outage, you’re using StarHub’s DNS service. At the very least, re-point your DNS settings to Google DNS (8.8.8.8) or OpenDNS (208.67.222.222), or better, both, with one as primary and one as secondary. [Pro tip: if you use a VPN like PIA, DNS resolution happens on their end, giving you even more privacy from your ISP.]

Secondly, make sure you’re not part of the botnet.

The Mirai malware targets specific types of IOT device from specific suppliers: anything with telnet reachable from the internet and a default password on its list.

Even if the owner of an infected camera were to hard-reset the device (i.e. hold down the reset button and set up the camera again), chances are it would be re-infected within minutes. Mirai lives in memory, so a reboot does clear it, but the scanners find the device again almost immediately and the password they use can’t be changed. If the camera doesn’t need to be reachable from the internet, keeping it behind your router with no port forwarded for telnet (ports 23 and 2323) keeps the scanners out; otherwise the only thing you can do is throw away the camera and get a new one.

Problem is, I don’t know which one to recommend, because they all apparently have shitty security.
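The scan Mirai runs in Step 2 and the “make sure you’re not part of the botnet” check in this section are the same piece of work seen from two sides: connect to telnet, answer the login and password prompts with pairs from a short default list, and see whether a shell prompt comes back. The example below is added for this post and is not Mirai’s code; it runs that login walk against an in-process fake IoT telnet service (constructed here, listening on localhost) so it works offline. The credential pairs are a handful of the sort found in Mirai’s list; the device names, ports and banners are made up.

```python
# Added example, not from the original post and not Mirai's own code. A
# Mirai-style default-credential walk over telnet, used here to audit your own
# devices against an in-process fake device (constructed for the example).
import socket
import threading

# A few of the factory defaults Mirai's scanner tries (the real list is ~60 pairs).
DEFAULT_CREDS = [
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"),
    ("admin", "admin"), ("root", "888888"), ("root", "default"),
]


def read_until(sock, markers, limit=4096):
    """Read until one of `markers` appears, the peer closes, or `limit` bytes arrive."""
    buf = b""
    while len(buf) < limit:
        chunk = sock.recv(256)
        if not chunk:
            break
        buf += chunk
        if any(m in buf for m in markers):
            break
    return buf


def read_line(sock):
    return read_until(sock, [b"\n"]).rstrip(b"\r\n").decode(errors="replace")


class FakeTelnetDevice:
    """Stand-in for an IoT device's telnet login: two prompts, then a shell or a refusal."""

    def __init__(self, user, password):
        self.user, self.password = user, password
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(("127.0.0.1", 0))  # ephemeral port instead of the real 23/2323
        self.sock.listen(8)
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listening socket closed by close()
                return
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn):
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(b"login: ")
                user = read_line(conn)
                conn.sendall(b"Password: ")
                password = read_line(conn)
                if (user, password) == (self.user, self.password):
                    conn.sendall(b"\r\nBusyBox v1.19.2 built-in shell (ash)\r\n# ")
                else:
                    conn.sendall(b"\r\nLogin incorrect\r\n")
            except OSError:
                pass

    def close(self):
        self.sock.close()


def try_login(host, port, user, password, timeout=2.0):
    """Answer the two telnet prompts and report whether a shell prompt came back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        read_until(s, [b"login:", b"Login:"])
        s.sendall(user.encode() + b"\r\n")
        read_until(s, [b"assword:"])
        s.sendall(password.encode() + b"\r\n")
        banner = read_until(s, [b"# ", b"$ ", b"incorrect", b"failed"])
    return b"# " in banner or b"$ " in banner


def find_default_credential(host, port, creds=DEFAULT_CREDS):
    """What the scanner does per host: walk the list until one pair gets a shell."""
    for user, password in creds:
        try:
            if try_login(host, port, user, password):
                return (user, password)
        except (OSError, socket.timeout):
            continue
    return None


def audit(devices, creds=DEFAULT_CREDS):
    """Defender's view: which of your own (host, port) devices accept a default pair."""
    exposed = {}
    for host, port in devices:
        cred = find_default_credential(host, port, creds)
        if cred is not None:
            exposed[(host, port)] = cred
    return exposed


def demo():
    """Two fake devices: one with a password from the list, one with a unique password."""
    weak = FakeTelnetDevice("root", "xc3511")
    strong = FakeTelnetDevice("admin", "correct-horse-battery")
    try:
        return audit([("127.0.0.1", weak.port), ("127.0.0.1", strong.port)])
    finally:
        weak.close()
        strong.close()


if __name__ == "__main__":
    print(demo())  # only the weak device shows up, with the pair that opened it
```

Point audit() at the telnet ports of your own cameras and DVRs (and only your own); anything that comes back in the result is a device the botnet can take over as easily as this script does. Real Mirai differs in scale rather than in kind: it picks random targets, tries the pairs in weighted order, and reports hits to a loader that pushes the bot binary over the shell it just got.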

Conclusion

There really is some next level shit going on in the world of DDOS, but the StarHub attack isn’t any cause for concern.

Other publicly available services may not be so lucky though. Imagine if the myTax portal gets hit on submission day, or a private news portal gets hit during election season, or worse yet, a hacker DDOS’s foodpanda on a Friday evening. How will I eat?

If anything this was a pretty mild attack, because StarHub could easily respond, but we might not be so lucky in the future.

For more of my thoughts on the subject, read yesterday’s post here.
