Eircom reveals ‘cache poisoning’ attack by hacker led to outages

17 Jul 2009

Eircom has confirmed that the hacker attack that led to surfers being misdirected to bogus websites with two subsequent outages over two weeks was a ‘moderate attack’ known as cache poisoning.

A spokesman told siliconrepublic.com: “Our initial investigations and what we’ve seen definitely confirms there was a cache-poisoning attack. This is effectively the redirection of traffic to false websites.”

‘Cache poisoning’ is a form of attack where the open-architecture of a domain name server (DNS) is altered to direct authentic web traffic to non-authentic web sites. Eircom users initially found that when they went to popular sites such as Facebook, Bebo and RTE, they were redirected to sites with pictures of scantily clad women.

It is understood that Eircom’s DNS servers, which usually receive 4.5 million requests every five minutes, had to cope with double the level of traffic and outages resulted.

Eircom users were without web services over the weekend of Sunday, 5 July and on the evening of Monday, 13 July.

However, the spokesman also explained to siliconrepublic.com that its efforts to correct the problem also contributed to the outages.

“There was a moderate level attack and as a result of that people were getting redirected to incorrect websites. We took a number of measures – including restrictions on DNS – and they may well have impacted on service levels.

“We strengthened our systems around the filtering of unwanted or suspected traffic within IP ranges and adjusted parameters that control and optimise system performance.

“After we identified the cache poisoning, we also saw increased levels of activities that were worrying and could have been a sign of something bigger.

“It was a moderate level attack that caused irregular and unusual traffic patterns and as a result we took steps that stopped the cache poisoning, but certainly as we took these steps on security they also impacted customer experience.

“We haven’t seen any further attempts at cache poisoning since last week,” the spokesman added.

He said the company hasn’t reached a definitive conclusion as to where the attacks originated.

“We have stabilised the network and we have also taken a number of steps including installing additional DNS servers. This weekend we are starting an upgrade and replacement of some of our service routers,” he told siliconrepublic.com.

By John Kennedy

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com