plambrechtsen: Was going to post this at 4am but decided to post it now.
Quite a few more changes on the network so even the small minority of customers who were still impacted should be resolved now.
--
Please note all comments are the product of my own brain and don't necessarily represent the position or opinions of my employer, previous employers, colleagues, friends or pets.
Please support Geekzone by subscribing, or using one of our referral links: Dosh referral: 00001283 | Sharesies | Goodsync | Mighty Ape | Backblaze
freitasm on Keybase | My technology disclosure
freitasm: So, at the end, do we still not know if this was a premeditated event brought upon Spark by unknown actors?
--
As you probably know, one of the mitigation options in response to the DDoS attacks during the weekend involves blocking port 53, which effectively stops one of the means for some customer devices and modems to be misused. We’re aware other ISPs have done the same thing in the past week or so in order to combat this latest development in cyber-threats. However in certain cases blocking port 53 does have other impacts on connectivity. So since the weekend we’ve been continuing to make enhancements and changes.
As part of these enhancements, we took some further steps this morning to enable us to better look ‘under the hood’ across some parts of the network. While the initial measures taken had largely mitigated the impact of the attacks, we didn’t have total visibility of everything that was going on, especially in terms of abnormal traffic patterns. Within the first hour of taking these further steps this morning we saw DNS traffic coming from just three of our home broadband customers representing 4% of our total DNS traffic for that period. One connection alone had 1.2 million DNS requests in an hour. As we have port 53 blocked, we believe that this may be due to malware previously installed on these customers’ devices. We don’t believe this is a new attack; it’s likely the malware was installed before the weekend’s issues. We must stress that because of the actions we’ve been taking over recent days, this abnormal activity is not impacting on our overall customer experience. We’re now contacting these customers and working with them to disinfect their home systems.
You’ll recall during the weekend issues that among other things we saw incoming traffic being bounced off a number of vulnerable customer modems (those with DNS open resolver functionality). Today’s insights did not involve any significant level of incoming traffic, which tends to point to device malware, rather than a specific modem issue. This demonstrates there were a number of different vectors involved in the weekend’s DDoS attacks.
This is just one vivid illustration of the potential scale of cyber-threats and the impact that can be generated from just a very small number of connections. Like all ISPs we see evidence of literally thousands of attacks every year and the vast majority of these never impact on the customer experience across our network because of proactive management.
Talkiet: "Five to one against and falling..." she said, "four to one against and falling...three to one...two...one...probability factor of one to one...we have normality, I repeat we have normality." She turned her microphone off — then turned it back on, with a slight smile and continued: "Anything you still can’t cope with is therefore your own problem."
Cheers - N (It's not even a hard quote to find!)