UPD ENISA Criticise UK ISPs for Failing to Tackle 300Gbps DDoS Attack

Tuesday, Apr 16th, 2013 (1:46 pm)

The European Network and Information Security Agency (ENISA) has criticised ISPs in the UK and Europe for failing to implement measures that could have helped to tackle one of the biggest Distributed Denial of Service (DDoS) attacks ever seen, which hit anti-spam group Spamhaus in March 2013 and impacted global internet traffic.

A typical DDoS attack usually works by overloading a target server (e.g. a website or other online service) with masses of data requests from multiple internet connected computers (often via Trojan infected computers on a botnet). According to ENISA, the staggering amount of traffic generated by the 16th March 2013 attack even ended up causing problems for the London Internet Exchange (LINX).

In reality some of the big headlines, several of which dubiously pointed to a “global internet slowdown”, were perhaps a little wide of the mark as most online services in the UK and consumer / business broadband connections continued to function as normal with only a very small hit to latency times.

Nevertheless ENISA believes that many ISPs in Germany, the United Kingdom and other parts of Western Europe have “failed to apply” a number of well-known security measures, which could have helped to mitigate the attack. In particular the group points to the Internet Engineering Task Force (IETF) and its Best Current Practice 38 (BCP38) and BCP140 measures.

ENISA Statement

The technique used for the DDoS attack is by no means new. The method used by the attackers to generate the traffic directed at the Spamhaus network, DNS amplification, has been known for many years. It is made possible by the fact that today it is still possible for most internet-connected hosts to send IP packets with forged (“spoofed”) source addresses.

Another factor contributing to the size of the DDoS attack is the large number of so-called “open recursive resolvers” in the internet. Open resolvers are Domain Name Service (DNS) servers which answer all requests sent to them, not just those related to the DNS domain for which they are authoritative resolvers. Open resolvers can be misused to amplify DDoS attacks.

Unfortunately, even today many network providers have not implemented a set of recommendations (called BCP38), which has been around for almost 13 years. If the available recommendations were implemented by all networks, traffic filtering on border routers would block such attacks. A similar set of recommendations for operators of DNS servers (called BCP140), which could help reduce the number of servers that can be misused for DNS amplification attacks, was published in 2008.
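To make the two recommendations concrete, here is an added Python model (not ENISA's or any ISP's code) of a reflected DNS flood in which BCP38 ingress filtering at the sender's ISP edge and a BCP140-style closed resolver can be switched on independently; all addresses, packet sizes and counts are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses from the RFC 5737 documentation ranges; nothing here is a real network.
VICTIM = ip_address("203.0.113.10")                 # target whose address the attacker forges as source
ATTACKER_PORT = ip_network("198.51.100.0/24")       # prefix the ISP edge allocated to the attacker's link
CLIENT_PORT = ip_network("192.0.2.0/24")            # prefix of a legitimate resolver customer's link
RESOLVER_CLIENTS = [CLIENT_PORT]                    # networks the recursive resolver is meant to serve
QUERY_BYTES, ANSWER_BYTES = 64, 3000                # small query, large reflected answer (illustrative)

def bcp38_permits(src, port_prefix):
    """BCP38 ingress filter: forward only packets whose source lies in the prefix allocated to that port."""
    return ip_address(src) in port_prefix

def bcp140_permits(src, clients):
    """BCP140: a recursive resolver answers only its own clients, so it cannot reflect toward strangers."""
    return any(ip_address(src) in net for net in clients)

def simulate(packets, bcp38=False, bcp140=False):
    """packets: (claimed_src, port_prefix) pairs, port_prefix being where the packet really entered.
    Returns (bytes reflected onto the victim, queries answered); genuine client traffic should survive."""
    to_victim = answered = 0
    for src, port_prefix in packets:
        if bcp38 and not bcp38_permits(src, port_prefix):
            continue                    # dropped at the sender's own ISP edge, never reaches the resolver
        if bcp140 and not bcp140_permits(src, RESOLVER_CLIENTS):
            continue                    # resolver is closed: no answer, so nothing to reflect
        answered += 1
        if ip_address(src) == VICTIM:
            to_victim += ANSWER_BYTES  # the answer goes to the forged source, i.e. the victim
    return to_victim, answered

def amplification(to_victim, forged_queries):
    """Bytes landing on the victim per byte the attacker actually had to send."""
    return to_victim / (forged_queries * QUERY_BYTES) if forged_queries else 0.0

def demo(forged=1000):
    """Constructed flood: `forged` spoofed queries plus one genuine query from a real client."""
    packets = [(str(VICTIM), ATTACKER_PORT)] * forged + [("192.0.2.5", CLIENT_PORT)]
    scenarios = {"no filtering": {}, "bcp38 only": {"bcp38": True},
                 "bcp140 only": {"bcp140": True}, "both": {"bcp38": True, "bcp140": True}}
    return {name: simulate(packets, **flags) for name, flags in scenarios.items()}

if __name__ == "__main__":
    for name, (bytes_hit, answered) in demo().items():
        print(f"{name:13s} victim gets {bytes_hit:>8d} bytes, {answered} queries answered, "
              f"amplification x{amplification(bytes_hit, 1000):.1f}")
```

Either measure alone zeroes the reflected traffic in this model while the genuine client's query is still answered, which is the point ENISA is making: the fix sits with the sending network and the resolver operator, not with the victim.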

Naturally ISPreview.co.uk wanted to find out what ISPs in the United Kingdom thought about this and on Monday morning we began canvassing some of the market's leading providers for an opinion. But so far the responses we’ve had have been more along the lines of “no comment”, although we’re still awaiting some replies and will update when they arrive. At this stage only Sky Broadband has confirmed that it’s compliant with BCP38 and 140.

Meanwhile the UK Internet Service Providers Association (ISPA) informed us that they’ve “always recommended that their members implement BCP38 wherever possible in order to reduce malicious exploitation of members’ networks and resources”, though it remains unclear how many have actually done this.

A spokesman for the ISPA told ISPreview.co.uk:

“Whilst BCP38 will solve statically routed addresses being exploited it becomes harder to filter where networks provide [Border Gateway Protocol] BGP transit to their customers and ISPA has always recommended that networks seriously consider applying other filters (such as IRR generated ones) in order to reduce the impact.

On the subject of BCP140, whilst members are encouraged to implement this as best practice it should be noted that the majority of the open resolvers exist in devices (such as home routers) outside of the direct control of ISPA members. ISPA has informed members of the existence of http://openresolverproject.org and its goal to eradicate open resolvers wherever possible.”

It should be said that Spamhaus was also attacked using Border Gateway Protocol (BGP) route hijacking, which effectively hijacked legitimate queries away from Spamhaus’s servers in order to disrupt their operation and reputation (i.e. causing every IP address on the internet to be regarded as a source of spam).

It’s also worth remembering that ISPs too can suffer from DDoS attacks and we’ve reported on quite a few in the past, though most providers prefer not to mention such incidents in public. The most recent one hit Entanet on 28th March 2013 when a DDoS was directed at parts of their DSL network based in Interxion.

Sadly tracking DDoS attacks to their source remains very difficult, especially in situations where supposedly legitimate computers have been hijacked. Nevertheless ISPs could still do more and the EU’s new Cyber Security Strategy will be taking a closer look at the situation.

UPDATE 19th April 2013

Business ISP Fluidata has offered some useful insight into this issue.

Dan Fisher, Fluidata’s Technical Director, said:

“Looking at the Spamhaus attack, it would appear that both unsecured DNS (by design) and unsecured DNS (by misconfiguration) were responsible for the amplification of the attack. One way of nullifying this would be for all ISPs to only allow their customers’ IPs to query their own DNS servers (as we do at Fluidata); however the processing overheads deter many others from doing so. As it stands customers also have the option to build their own recursive DNS servers on their own infrastructure, moving DNS outside of the ISP’s responsibility and increasing the potential for misconfiguration, which can be exploited for malicious purposes.

In theory ISPs could form a united front against DDoS attacks of this nature, through insisting that customers only use their recursive DNS servers and ensuring that those servers are secure. To increase security further BCP-38 could also be deployed – providing filtering on every edge port so that customers cannot spoof traffic from their links. However the move to a more regulated system would rely on (if it was to be truly effective) cross-national coordination and would likely meet opposition from service providers who do not wish to incur the processing overheads associated with such measures.

Overcoming that opposition (i.e. by turning regulation into something more akin to legal statute) would inexorably carry this issue into the contentious territory of who governs the internet, who polices it and whether anybody has the right to do so; a proverbial Pandora’s box with far-reaching consequences and considerations for subjects ranging from security to freedom of speech, the right to privacy and the debate over the openness of the web. Given this, raising awareness around responsible DNS use seems the most viable course of action; the Spamhaus attack legacy might just be encouraging people to think a little more about it.”

By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England); he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.