In its analysis of a recent massive cyber-attack, EU cyber-security agency ENISA today points out that Internet Service Providers (ISPs) have failed to apply well-known security measures which have been available for over a decade.
This error is as a key factor behind the failure to counter major cyber-attacks, the Agency underlines in its information Flash Note, ‘Can Recent Cyber Attacks Really Threaten Internet Availability?’
The Flash Note focuses on the large-scale cyber-attack that was mounted in March against the Non-Profit Organisation Spamhaus, which is based in Geneva and London. The digital assault caused noticeable delays for internet users, primarily in the UK, Germany and other parts of Western Europe. According to online media, the attack on Spamhaus, starting on 16th March, was the biggest Distributed Denial of Service (DDoS) attack in internet history. DDoS attacks work by “overloading” a site’s ability to cope with incoming traffic. The attack on Spamhaus lasted more than one week. In its final phase, the enormous amount of traffic generated caused problems at the London Internet Exchange.
ENISA underlines that the technique used for the DDoS attack is by no means new. Yet, even today, many network providers do not use a set of recommendations, known as Best Current Practice 38 (BCP38), which have been around for almost 13 years. A similar set of recommendations for DNS server operators (BCP140, published in 2008) would have reduced the number of servers that can be misused for DNS amplification attacks. If these recommendations had been implemented by all operators, traffic filtering would block such attacks.
There are, says ENISA, a number of lessons that can be learned from the attack, including:
- Attacks are increasing in size. The March 2013 attack on Spamhaus reached a size of more than 300 Gigabits of data per second while the biggest reported DDoS attack in 2012 was at 100 Gigabits of data per second.
- Size matters. At this size of attack, even commercial internet exchange points, which normally have very high capacity infrastructure, can be compromised.
The Agency makes three technical recommendations:
- Relevant service operators should implement BCP38
- Operators of DNS servers should check whether their servers can be misused, and should implement BCP 140
- Internet exchange point operators should ensure they are protected against direct attacks.
ENISA’s Executive Director, Professor Udo Helmbrecht, stated: “Network Operators that have yet to implement BCP38 and BCP140 should seriously consider doing so without delay, failing which their customers, and hence their reputations, will suffer. Prevention is key to effectively countering cyber-attacks. We therefore welcome the EU’s Cyber Security Strategy, which is proposing a strengthened role for ENISA, with adequate resources, to help protect Europe’s digital society and economy.”
Background: EU’s Cybersecurity strategy
For interviews: Ulf Bergstrom, Spokesman, press@enisa.europa.eu, or mobile: +30 6948 460 143, or Dr. Louis Marinos, louis.marinos@enisa.europa.eu