EU Security Agency slates ISPs over 300Gb/s Spamhaus DDoS attack

Long-agreed best practice ignored

March's huge DDoS attack on Spamhaus that left service providers struggling to contain a 300Gb/s DNS reflection surge was made possible by the industry's tardiness in implementing IETF recommendations on limiting forged traffic made more than a decade ago, EU security agency ENISA has argued.

In the organisation's view, the possibility of a large-scale attack exploiting 'open recursive responders' (DNS servers that respond to all requests not only their primary domains) was a consequence of issues first raised in a best practice document, BCP 38, from May 2000.

This drew attention the need for routing to cope with DDoS attacks that used forged IP addresses, subsequently updated in 2008 by IETF BCP 140 to take account of precisely the form of DNS reflection attacks unleashed during the Spamhaus attack.

"If the available recommendations were implemented by all networks, traffic filtering on border routers would block such attacks," ENISA said in its caustic 'flash note' dissecting the lessons.

"However, today there are still thousands of servers that can be abused for this kind of attack."

The Internet remained vulnerable to apparently local disputes between private parties, which could be driving an increase in the size of DDoS events, presumably a reference to reports that Spamhaus was attacked by individuals unhappy with its anti-spam blacklisting.

Such attacks could "exhaust commercial exchanges, ENISA said, noting that "the enormous amount of traffic generated by the attack caused problems at the London Internet Exchange."

Does ENISA have a point or is it stating the obvious?

The organisation seems to have accepted initial claims that the attacks caused "noticeable delays for internet users mostly in the UK, Germany and other parts of Western Europe," although there remains little hard evidence about the event's real effect on Internet speeds.

Ditto, the inconvenience for the UK's Internet pressure point LINX, which found itself with a traffic problem passed to it by upstream carriers suddenly drawn unexpectedly into the attack's field of fire as it moved from Spamhaus to the latter's DDoS mitigation service CoudFlare and then beyond that to CloudFlare's own providers.

ENISA is certainly spot on to draw attention to the extraordinary fact that even after a 300Gb/s DDoS event, it has been difficult to even agree on the significance of what happened even though such attacks are not new and have been mentioned as a worry for years.

The Agency recommends that service providers implement both BCP38 and BCP140 as a matter of urgency. Most of all, upstream service providers should assume they can become collateral targets in such attacks and take appropriate measures.

"Network Operators that have yet to implement BCP38 and BCP140 should seriously consider doing so without delay, failing which their customers, and hence their reputations, will suffer," emphasised ENISA executive director, Professor Udo Helmbrecht.

"Prevention is key to effectively countering cyber-attacks. We therefore welcome the EU's Cyber Security Strategy, which is proposing a strengthened role for ENISA, with adequate resources, to help protect Europe's digital society and economy."

Tags hardware systemsSpamhausConfiguration / maintenanceENISA

Show Comments