EU Security Agency slates ISPs over 300Gb/s Spamhaus DDoS attack

Long-agreed best practice ignored

March's huge DDoS attack on Spamhaus that left service providers struggling to contain a 300Gb/s DNS reflection surge was made possible by the industry's tardiness in implementing IETF recommendations on limiting forged traffic made more than a decade ago, EU security agency ENISA has argued.

In the organisation's view, the possibility of a large-scale attack exploiting 'open recursive responders' (DNS servers that respond to all requests, not only those for their primary domains) was a consequence of issues first raised in a best practice document, BCP 38, from May 2000.

This drew attention to the need for routing to cope with DDoS attacks that used forged IP addresses, subsequently updated in 2008 by IETF BCP 140 to take account of precisely the form of DNS reflection attacks unleashed during the Spamhaus attack.

"If the available recommendations were implemented by all networks, traffic filtering on border routers would block such attacks," ENISA said in its caustic 'flash note' dissecting the lessons.

"However, today there are still thousands of servers that can be abused for this kind of attack."

The Internet remained vulnerable to apparently local disputes between private parties, which could be driving an increase in the size of DDoS events, presumably a reference to reports that Spamhaus was attacked by individuals unhappy with its anti-spam blacklisting.

Such attacks could "exhaust commercial exchanges," ENISA said, noting that "the enormous amount of traffic generated by the attack caused problems at the London Internet Exchange."

Does ENISA have a point or is it stating the obvious?

The organisation seems to have accepted initial claims that the attacks caused "noticeable delays for internet users mostly in the UK, Germany and other parts of Western Europe," although there remains little hard evidence about the event's real effect on Internet speeds.

Ditto, the inconvenience for the UK's Internet pressure point LINX, which found itself with a traffic problem passed to it by upstream carriers suddenly drawn unexpectedly into the attack's field of fire as it moved from Spamhaus to the latter's DDoS mitigation service CloudFlare and then beyond that to CloudFlare's own providers.

ENISA is certainly spot on to draw attention to the extraordinary fact that, even after a 300Gb/s DDoS event, it has been difficult to agree on the significance of what happened, even though such attacks are not new and have been mentioned as a worry for years.

The Agency recommends that service providers implement both BCP38 and BCP140 as a matter of urgency. Most of all, upstream service providers should assume they can become collateral targets in such attacks and take appropriate measures.
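What the two recommendations check, as an added example that is not from ENISA or the original article: BCP 38 has the edge router drop packets whose source address was never assigned to the interface they arrived on, and BCP 140 has a recursive resolver answer only its operator's own clients. The interface names, prefixes (documentation ranges) and function names are constructed for illustration.

```python
import ipaddress

# Constructed example data: prefixes an ISP has assigned to each
# customer-facing interface (documentation address ranges).
CUSTOMER_PREFIXES = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

# Constructed: networks a recursive resolver agrees to serve (BCP 140).
RECURSION_CLIENTS = ["192.0.2.0/24", "198.51.100.0/24"]


def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip.version == net.version and ip in net
               for net in map(ipaddress.ip_network, prefixes))


def ingress_permit(interface, src_ip):
    """BCP 38: forward only if the source belongs to a prefix assigned to
    the arrival interface; an unknown interface permits nothing."""
    return _in_any(src_ip, CUSTOMER_PREFIXES.get(interface, []))


def recursion_permit(client_ip):
    """BCP 140: answer recursive queries only for the operator's clients."""
    return _in_any(client_ip, RECURSION_CLIENTS)


def filter_packets(packets):
    """Split (interface, src_ip) tuples into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for iface, src in packets:
        (forwarded if ingress_permit(iface, src) else dropped).append((iface, src))
    return forwarded, dropped


# Constructed traffic; the last two claim sources outside cust-a's allocation.
SAMPLE = [
    ("cust-a", "192.0.2.10"),
    ("cust-b", "198.51.100.7"),
    ("cust-a", "203.0.113.50"),   # forged source, not assigned to cust-a
    ("cust-a", "192.0.2.200"),    # outside the /25 although numerically close
]

if __name__ == "__main__":
    print("forwarded, dropped:", filter_packets(SAMPLE))
    print("resolver serves 203.0.113.50:", recursion_permit("203.0.113.50"))
```

Either check alone removes one half of a reflection attack: without forged sources the replies go back to the sender, and without open recursion there is no reflector to query.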

"Network Operators that have yet to implement BCP38 and BCP140 should seriously consider doing so without delay, failing which their customers, and hence their reputations, will suffer," emphasised ENISA executive director, Professor Udo Helmbrecht.

"Prevention is key to effectively countering cyber-attacks. We therefore welcome the EU's Cyber Security Strategy, which is proposing a strengthened role for ENISA, with adequate resources, to help protect Europe's digital society and economy."
