
Eircom internet services hit by new cyber attack

  • 14-07-2009 8:38am
    #1
    Closed Accounts Posts: 664 ✭✭✭


    Eircom internet services were seriously disrupted again last night due to another suspected cyber attack.

    Many of the company's 500,000 subscribers suffered internet outages or delays after what the firm says was an "unusual and irregular volume of traffic".

    The situation reoccurred yesterday, but services were restored last night and technical experts are now working to determine the source of the problem.

    The outages are likely to have been caused by a deliberate attack on the eircom network by computer hackers.

    http://news.eircom.net/breakingnews/16075883/?view=Standard


Comments

  • Banned (with Prison Access) Posts: 32,865 ✭✭✭✭MagicMarker


    What a ****ing joke, they must get cyber attacks on a daily basis with the ''service'' they're offering.


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    Is that their excuse for having a crappy DNS? I'm using OpenDNS and having zero problems. See the big thread here,

    DNS is something that needs to be done right, nothing will disgruntle customers quicker than a DNS server that doesn't work or works intermittently. Eircom's DNS has always been flaky, which is why I've been using OpenDNS for over a year.


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    Maybe IRMA were trying to see what people were downloading?


  • Registered Users, Registered Users 2 Posts: 2,904 ✭✭✭cian1500ww


    I was called out to look at a computer last night with this problem. I knew straight away that it was more than likely DNS related, so I switched it over to the OpenDNS servers. It was perfect then. I also noticed while checking how web pages were loading that the eircom site was taking significantly longer to load than any other site. I'd say their DNS was attacked. As said above, just switch to OpenDNS and you're sorted ;)


  • Moderators, Technology & Internet Moderators, Regional South East Moderators Posts: 28,536 Mod ✭✭✭✭Cabaal


    I see it's covered on www.eircomsucks.com too. I hate the way the news throws around the term hackers when in all likeliness it's script kiddies


  • Closed Accounts Posts: 664 ✭✭✭Galen


    It was probably a bunch of disgruntled customers that did the damage :-)


  • Registered Users, Registered Users 2 Posts: 25,070 ✭✭✭✭My name is URL


    Why won't they disclose details though? I mean if their main DNS servers are being poisoned then what other parts of their network have vulnerabilities?

    Pretty poor for them to say "The outages are likely to have been caused by a deliberate attack on the eircom network by computer hackers."

    This has been happening intermittently for a month and they only acknowledge it now!!

    Typical of Eircon tbh


  • Closed Accounts Posts: 224 ✭✭Cheeble


    Dear Eircom,

    I regret to report that my letterbox has seen an "unusual and irregular volume" of bills and other demands for payment. The bill paying service may be prone to unscheduled outages and could continue to be disrupted for an indeterminate period. I'm looking into it, please be patient.

    Kind regards,
    Cheeble-eers


  • Registered Users, Registered Users 2 Posts: 1,181 ✭✭✭ronkmonster


    OpenDNS settings are
    208.67.222.222
    208.67.220.220

    I heard months ago that the eircom dns server still wasn't patched against the dns exploit that was published and fixed last year


  • Closed Accounts Posts: 224 ✭✭Cheeble


    I tried switching to OpenDNS last night and it made a difference early on in the evening, but then I lost the PPPoA connection altogether and couldn't get it back. It's something more than "just" a DNS problem :mad:


  • Closed Accounts Posts: 16 thanatos


    Has there been any mention of how serious a security issue this could potentially be by anyone from eircom or otherwise?

    e.g. people get directed to an aib site clone instead of the real one and their banking details captured etc etc etc


  • Registered Users, Registered Users 2 Posts: 11,001 ✭✭✭✭Flukey


    A frustrating night of getting in and out of the net. I've registered on OpenDNS and will try it next time this happens.


  • Closed Accounts Posts: 2,142 ✭✭✭shamwari


    ronkmonster wrote: »
    OpenDNS settings are
    208.67.222.222
    208.67.220.220

    I heard months ago that the eircom dns server still wasn't patched against the dns exploit that was published and fixed last year

    That's a pretty fundamental no-no in IT Terms. If it is true, whoever is responsible for managing AND auditing their IT systems should have had their asses kicked over last week. The fact that it has reoccurred means the gallows should be prepared. It's very hard to excuse this if both incidents are related to improperly patched servers.


  • Registered Users, Registered Users 2 Posts: 1,181 ✭✭✭ronkmonster


    shamwari wrote: »
    That's a pretty fundamental no-no in IT Terms. If it is true, whoever is responsible for managing AND auditing their IT systems should have had their asses kicked over last week. The fact that it has reoccurred means the gallows should be prepared. It's very hard to excuse this if both incidents are related to improperly patched servers.

    I heard last year that some servers were slower than others to update but it must be close to a year now.

    The OpenDNS servers are supposed to be faster anyway and seem to be updated more often


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    Has Eircom actually taken on or retrained any IT staff, isn't the last time Eircom took on staff in the very early 90's? Do they actually know what they're at? :D


  • Registered Users, Registered Users 2 Posts: 2,904 ✭✭✭cian1500ww


    PogMoThoin wrote: »
    Has Eircom actually taken on or retrained any IT staff, isn't the last time Eircom took on staff in the very early 90's? Do they actually know what they're at? :D

    I bet they're busy plugging the servers in and out and giving them an odd tap to get them going :rolleyes:


  • Registered Users, Registered Users 2 Posts: 1,572 ✭✭✭DominoDub


    Red Alert wrote: »
    Maybe IRMA were trying to see what people were downloading?

    The IRMA issue is why they are now a Target for these attacks !:D


  • Registered Users, Registered Users 2 Posts: 13,016 ✭✭✭✭vibe666


    lol, it's even made the news on the register.

    http://www.theregister.co.uk/2009/07/14/eirocm_downtime_again/


  • Closed Accounts Posts: 88,972 ✭✭✭✭mike65


    According to many txting (but not e-mailing) rte news it's still ongoing. Bunch of amateurs.

    Are they being targeted due to a known weakness or just cos it's eircom which is reason enough in my book.


  • Registered Users, Registered Users 2 Posts: 5,916 ✭✭✭podgeandrodge


    Is this why my parents UTV broadband is down since last night - is it connected?


  • Closed Accounts Posts: 88,972 ✭✭✭✭mike65


    According to the PR hack on rte this morning ISPs that piggy-back are not affected.


  • Registered Users, Registered Users 2 Posts: 5,916 ✭✭✭podgeandrodge


    mike65 wrote: »
    According to the PR hack on rte this morning ISPs that piggy-back are not affected.

    Ok thanks. I've just seen another thread saying UTV has been down all over the place so they must be having other problems...


  • Closed Accounts Posts: 13,874 ✭✭✭✭PogMoThoin


    cian1500ww wrote: »
    I bet they're busy plugging the servers in and out and giving them an odd tap to get them going :rolleyes:

    Ah, Yeah, the old "Have You tried turning it off and back on again", trick, works every time


  • Closed Accounts Posts: 3,558 ✭✭✭netwhizkid


    Eircom have launched a new eSecurity product in response to these attacks. A quick example of how their Security works is attached.


  • Registered Users, Registered Users 2 Posts: 270 ✭✭Fnergg


    I know absolutely nothing about any of this stuff but a telecomms guy at my work told me that scores of Eircom staff are leaving on early retirement much earlier than anticipated in order to beat the probable taxing of their lump sums in the next budget.

    They are leaving with valuable knowledge not being passed on to younger staff with the result that the view in Eircom is that customers across all Eircom services can expect longer delays in fixing problems for the immediate future.

    Is this true and did it contribute to the recent broadband problems? I have no idea but it sounds plausible.

    Regards,

    Fnergg


  • Closed Accounts Posts: 2,142 ✭✭✭shamwari


    ronkmonster wrote: »
    I heard last year that some servers were slower than others to update but it must be close to a year now.

    The OpenDNS servers are supposed to be faster anyway and seem to be updated more often

    Well some servers might be slower than others when it comes to applying patches, however it shouldn't take a year (!!) and certainly not doing it at all is not an excuse. My comments presuppose that patching or the lack thereof is the issue here BUT in the absence of the facts, we are only speculating.....

    Anyhow, I talked a number of my friends through changing their DNS to OPENDNS. Many commented that OPENDNS is faster than Eircom's DNS is. How bizarre...:D


  • Posts: 0 [Deleted User]


    Such an excuse for crappy DNS Servers


  • Closed Accounts Posts: 3,558 ✭✭✭netwhizkid


    Fnergg wrote: »
    I know absolutely nothing about any of this stuff but a telecomms guy at my work told me that scores of Eircom staff are leaving on early retirement much earlier than anticipated in order to beat the probable taxing of their lump sums in the next budget.

    They are leaving with valuable knowledge not being passed on to younger staff with the result that the view in Eircom is that customers across all Eircom services can expect longer delays in fixing problems for the immediate future.

    Is this true and did it contribute to the recent broadband problems? I have no idea but it sounds plausible.

    Regards,

    Fnergg

    Yes this is true but it has nothing at all to do with the current broadband problems which are the responsibility of the younger IT guys. Telecom Eireann/Eircom have hired no new technical staff since privatisation and most of the younger staff have never been near the wiring or up on a telephone pole.

    The vast majority of Eircom networks staff are now in their fifties and sixties with a few in their forties also, most have no IT skills but are good at what was their technology PSTN Telephone networks. My first PC came in 1998 as a special staff offer within Telecom as part of a plan for employees to self educate themselves and it resulted in most staff becoming computer knowledgeable but still most are pretty bad at IT, writing a letter for example won't help you with DNS errors!

    All broadband exchange enablement and IT stuff in the exchanges is handled by centralised teams travelling from Dublin to location. Eircom's staff are dwindling down and I eventually presume that in 10 or 12 years time the network will be managed by outside teams of contractors most likely Foreign or ex-BT as they migrate to 21CN as the skills for maintaining and implementing POTS are being lost due to not having any new staff hired at all.


  • Closed Accounts Posts: 4,442 ✭✭✭Firetrap


    DominoDub wrote: »
    The IRMA issue is why they are now a Target for these attacks !:D

    That's a conspiracy theory, surely. Though for that alone they deserve to be attacked :mad:


  • Closed Accounts Posts: 747 ✭✭✭WillieCocker


    :D


  • Registered Users, Registered Users 2 Posts: 843 ✭✭✭eoinbn


    mike65 wrote: »
    According to the PR hack on rte this morning ISPs that piggy-back are not affected.

    I just came on to ask that. I am with BT and my net is crawling today. I am losing 50% of the packets on a tracert to www.boards.ie.


  • Closed Accounts Posts: 2 Lessie


    The slowness or hanging still continues. I'm entering the actual IP address for loading sites now. Hope this helps you guys too...:D


  • Registered Users, Registered Users 2 Posts: 1,429 ✭✭✭branie


    I thought it was just my computer


  • Closed Accounts Posts: 33 aoidan


    eircom have now restricted the size of an email you can send to about 200k, attacks must be coming from all sides


  • Banned (with Prison Access) Posts: 25,234 ✭✭✭✭Sponge Bob


    I suspect that eircom did something in response to a request from IRMA and that the Russians are not happy with eircom/IRMA .

    I fail to see why eircom have not contacted the Estonians who were similarly attacked some years back !!!


  • Registered Users, Registered Users 2 Posts: 45,640 ✭✭✭✭Mr.Nice Guy


    aoidan wrote: »
    eircom have now restricted the size of an email you can send to about 200k, attacks must be coming from all sides

    Seriously?

    I noticed my wireless router giving me a bit of grief and flashing red quite a bit about a half hour ago. I was scared it was all going to kick off again but maybe it was just me. :o


  • Registered Users, Registered Users 2 Posts: 3,677 ✭✭✭Pa ElGrande


    Sponge Bob wrote: »
    I suspect that eircom did something in response to a request from IRMA and that the Russians are not happy with eircom/IRMA .

    I fail to see why eircom have not contacted the Estonians who were similarly attacked some years back !!!

    I suspect you are right; the successful IRMA intimidation might well be the motivation for the DNS attack on Eircom. If Eircom DNS servers are forced off the internet or compromised, then its user base has to use an alternative that is uncensored. If this is true the attacks will probably continue.




  • Registered Users, Registered Users 2 Posts: 772 ✭✭✭floydmoon1


    Just readin again bout the whole Irma and eircom thing.
    So to track this Eircom would use their DNS servers to track what sites people are visiting such as Pirate Bay. So if you are a big music fan or even associated with one of these music sites like Pirate Bay and want to punish Eircom you would hack their DNS servers so people would switch to OpenDNS and then Eircom wouldn't be able to track people.

    Does that actually make sense or am I completely off the wall and not really understanding it?


  • Registered Users, Registered Users 2 Posts: 1,629 ✭✭✭NullZer0


    Wouldn't surprise me if some idiot had the DNS configured wrong anyway! i.e Read/Write!


  • Registered Users, Registered Users 2 Posts: 1,629 ✭✭✭NullZer0


    floydmoon1 wrote: »
    Just readin again bout the whole Irma and eircom thing.
    So to track this Eircom would use their DNS servers to track what sites people are visiting such as Pirate Bay. So if you are a big music fan or even associated with one of these music sites like Pirate Bay and want to punish Eircom you would hack their DNS servers so people would switch to OpenDNS and then Eircom wouldn't be able to track people.

    Does that actually make sense or am I completely off the wall and not really understanding it?

    Well the punishment side of things makes sense.

    However while I'm sure DNS plays a part in "tracking" I don't know how they could use it to track people. I mean the only thing they could establish is the fact that you resolved a hostname using the DNS server (if even! ... and anyway this is Eircom).

    If you ask me, I'm delighted! lol and they call themselves "Engineers" :D

    Can you spell UNDER EXPERIENCED BRAINDUMPER :)


  • Registered Users, Registered Users 2 Posts: 1,629 ✭✭✭NullZer0


    eoinbn wrote: »
    I just came on to ask that. I am with BT and my net is crawling today. I am losing 50% of the packets on a tracert to www.boards.ie.

    Don't BT use the same DNS?


  • Registered Users, Registered Users 2 Posts: 319 ✭✭java


    floydmoon1 wrote: »
    Just readin again bout the whole Irma and eircom thing.
    So to track this Eircom would use their DNS servers to track what sites people are visiting such as Pirate Bay. So if you are a big music fan or even associated with one of these music sites like Pirate Bay and want to punish Eircom you would hack their DNS servers so people would switch to OpenDNS and then Eircom wouldn't be able to track people.

    Does that actually make sense or am I completely off the wall and not really understanding it?

    No sense at all. You are tracked through the ip address of your connection. Besides, eircom don't do the tracking, the music companies do.


  • Closed Accounts Posts: 664 ✭✭✭Galen


    Eircom is getting famous...

    http://news.softpedia.com/news/Possible-DNS-Hack-at-Ireland-039-s-Largest-ISP-115860.shtml
    Customers of Eircom, the largest Internet service provider in Ireland, experienced serious DNS slowdowns and weirdness over the weekend. Users from different parts of the country reported that trying to open legit URLs in browsers redirected them to advertising pages.

    Some of them suggested on forums that there were two separate incidents related to Eircom's DNSs. The first reports appeared around July 1st, when multiple customers complained about significant DNS slowdowns and timeouts.

    "I'm having terrible issues this evening performing DNS lookups. Takes about 10 to 20 seconds to do the lookup but once done the page loads in normal time," wrote a user on boards.ie, a popular Irish community boards website. "Same problem here in Mayo and it won't let me log onto my ps3," another one confirmed several minutes later.

    [Image: Advertising search engine displayed instead of Twitter to Eircom subscribers (censored)]

    The unresponsiveness of Eircom DNS servers seemed to still be an issue at the time of writing this article. However, over the weekend, users started experiencing other DNS-related problems as well. Legit URLs like facebook.com or twitter.com began displaying advertising pages instead of the popular social networking websites.

    "Anyone else getting this when going on to rte [Ireland's national television website] via eircom BB [broadband]?," a user asked on July 3rd, while posting a screenshot of a search engine accompanied by the picture of a scantly dressed woman. "Ye Seems their DNS was hacked again.. Apparently it hapened recently with eBay.ie same picture and everything," he later added.

    Rik Ferguson, solutions architect at antivirus vendor Trend Micro, also reported about the issues. "So far there are very few details on the nature of the problem over at Eircom, but it is certainly clear that many Eircom subscribers are being redirected to bogus websites and rumours abound that Eircom’s DNS has been compromised," the researcher wrote on his blog. He suggests that affected users switch to using OpenDNS.

    [Image: Advertising search engine displayed instead of Facebook to Eircom subscribers]

    OpenDNS is a free DNS service used by millions of home users as well as organizations worldwide. In addition to increased stability, reliability and very fast response times, the service offers features such as parental control, phishing protection, URL typo correction, personal URL shortcuts and many more.

    Fortunately, this attack, if it indeed is an attack, does not seem to be malicious in nature and at best is focused around generating income. Nevertheless, it is rather invasive and annoying for the affected parties, preventing them from accessing legit resources over the Internet.

    Back in August 2008, we reported a similar incident affecting customers of a large Chinese ISP, China Netcom (CNC). At the time, hackers poisoned the DNS server with a fake entry that directed users trying to access an inexistent domain to a page loading exploits. The ISP normally loaded an advertising page for such mistyped or bogus URLs.

    That attack was a lot more subtle than the problems Eircom is having right now, because the hackers wanted to go undetected for as long as possible. However, this is not applicable for an income-generating scheme, whose success is directly tied to the traffic on the rogue page.

    Update: Eircom has released an official announcement confirming the DNS problems. "Customers may have recently experienced delays in web browsing and may have been unable to access the Internet. In some cases, customers may have been redirected to incorrect websites," it reads.

    As far as details go, they remain scarce, the ISP only noting that, "This issue has been caused by an unusual and irregular volume of internet traffic being directed onto our network, and this impacted the systems and servers that provide access to the Internet for our customers." It is yet unclear if this refers to a distributed denial of service (DDoS) attack, or something else.

    The company stressed that it "is working continuously to minimise the impact for customers and has taken a number of steps, including software updates and hardware interventions, to fully restore internet service."

    Update 2: Eircom subscribers reported a new wave of service problems on July 14. The company has released a new official statement, confirming the problems. "Last night eircom.net customers experienced significant congestion while browsing the web," the ISP announces.

    A new denial of service attack is again named as a possible source for the recent troubles. "While it is too early to confirm, eircom believes that it is related to an unprecedented volume of traffic deliberately directed at our network which has caused difficulties for customers over recent days," the company says.

    Clearly, the issue must be pretty serious for it to last so long. Eircom notes that it "has been in contact with other operators in the Irish market to collaborate and pool technical expertise in this area."


  • Closed Accounts Posts: 18,163 ✭✭✭✭Liam Byrne


    Interesting duality in a report in yesterday's Examiner :
    A spokesman for Eircom said....."We've avoided the word hacker because no Eircom system or data has been compromised"

    :

    Unconfirmed reports indicate that some customers who tried to access websites such as Facebook and Bebo were redirected to sites filled with porn and advertising.

    Unconfirmed ? I can confirm that for them, given what I saw at "www.rte.ie".
    Conor Flynn, Technical Director with Rits Information Security, speculated that the attacks could be examples of......DNS Poisoning

    Surely DNS Poisoning involves changing the data on the DNS server ? So if this is true, why the first statement ?


  • Registered Users, Registered Users 2 Posts: 605 ✭✭✭PaddyTheNth


    Liam Byrne wrote: »
    Unconfirmed ? I can confirm that for them, given what I saw at "www.rte.ie".

    Surely DNS Poisoning involves changing the data on the DNS server ? So if this is true, why the first statement ?
    Likewise, I posted a screenie somewhere here of what I saw when I tried to get to O2's website.

    I'm seriously kicking myself now that I didn't fire up wireshark and see where I was being redirected to, even though it was undoubtedly just a compromised server somewhere. Would have been nice to confirm that the DNS response did in fact come from Eircom's server.

    The statement from Eircom re uncompromised data is BS imo.
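
Added example, not part of any post in this thread: the check PaddyTheNth describes above (confirming from a capture that a DNS response came from the configured resolver, and seeing where it pointed), sketched in Python. The packets, the resolver address 192.0.2.53 and the answer addresses are constructed from documentation ranges, and all function names are hypothetical.

```python
import struct

def encode_name(name):  # hostname -> DNS labels, no compression
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def read_name(buf, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = buf[off]
        if (n & 0xC0) == 0xC0:                     # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | buf[off + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
        elif n == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(buf[off + 1:off + 1 + n].decode())
            off += 1 + n

def parse_message(buf):
    """Return txid, QR bit, question name and any A records as (ip, ttl)."""
    txid, flags, qd, an = struct.unpack("!HHHH", buf[:8])
    off, qname = 12, None
    for _ in range(qd):
        qname, off = read_name(buf, off)
        off += 4                                   # skip QTYPE + QCLASS
    answers = []
    for _ in range(an):
        _, off = read_name(buf, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:              # A record
            answers.append((".".join(map(str, buf[off:off + 4])), ttl))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "qname": qname, "answers": answers}

def check_response(query, response, src_ip, resolver_ip, reference_ips):
    """List the reasons a captured response should not be trusted."""
    q, r = parse_message(query), parse_message(response)
    findings = []
    if src_ip != resolver_ip:
        findings.append("source is not the configured resolver")
    if not r["is_response"] or r["txid"] != q["txid"]:
        findings.append("transaction ID does not match the query")
    if (r["qname"] or "").lower() != q["qname"].lower():
        findings.append("question section does not echo the query")
    odd = sorted({ip for ip, _ in r["answers"]} - set(reference_ips))
    if odd:
        findings.append("answers differ from reference resolver: " + ", ".join(odd))
    return findings

# --- constructed sample data (documentation address ranges, not real hosts) ---
def make_query(name, txid):
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def make_response(name, txid, ip, ttl):
    head = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(map(int, ip.split(".")))
    return head + question + answer

RESOLVER = "192.0.2.53"            # hypothetical ISP resolver
REFERENCE = ["198.51.100.10"]      # answer a second resolver gave for the same name
QUERY = make_query("www.example.com", 0x1A2B)
GOOD = make_response("www.example.com", 0x1A2B, "198.51.100.10", 300)
REDIRECTED = make_response("www.example.com", 0x1A2B, "203.0.113.66", 86400)

if __name__ == "__main__":
    for pkt in (GOOD, REDIRECTED):
        print(check_response(QUERY, pkt, RESOLVER, RESOLVER, REFERENCE))
```

A source-address match is weak evidence on its own, since UDP source addresses can be forged, and answers can legitimately differ between resolvers for CDN-hosted names, so a mismatch is a lead to investigate rather than proof of poisoning.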


  • Closed Accounts Posts: 18,163 ✭✭✭✭Liam Byrne


    Anyone know if the repeated log-offs and "DSL down" today is related to this ? Had to actually feck off out of the home office for 3 hours because I'd have thrown the router through the window!

    Only properly back online for the last 5 mins.....

