EU blasts ISPs over lack of security
DDoS preventative measures should have been implemented a decade ago, warns ENISA.
ISPs have failed to implement security measures that would have prevented cyber attacks on their infrastructure, according to a new report.
The EU cyber security agency ENISA said that ISPs have not applied well-known security measures that have been around for a decade to their systems, leaving them open to hacking.
ENISA (European Network and Information Security Agency) detailed in a report how attacks, such as the DDoS attack on Spamhaus earlier last month, could have been prevented if organisations and ISPs had followed recommendations and best practices in IT security.
It said that even today, many network providers do not use a set of recommendations, known as Best Current Practice 38 (BCP38), which have been around for almost 13 years.
A similar set of recommendations for DNS server operators (BCP140, published in 2008) would have reduced the number of servers that can be misused for DNS amplification attacks. If these recommendations had been implemented by all operators, traffic filtering would block such attacks.
The attack on Spamhaus overloaded servers and, in its final phase, the enormous amount of traffic generated caused problems at the London Internet Exchange.
ENISA said that such attacks are increasing in size. The March attack on Spamhaus reached a size of more than 300 Gbps while the biggest reported DDoS attack in 2012 was at 100 Gbps. It said that the size of attacks matters as even commercial internet exchange points, which normally have very high capacity infrastructure, can be compromised.
It urged ISPs to implement BCP38 while operators of DNS servers should check whether their servers can be misused, and should implement BCP140. It also recommended that internet exchange point operators should ensure they are protected against direct attacks.
ENISA's Executive Director, Professor Udo Helmbrecht, stated: "Network Operators that have yet to implement BCP38 and BCP140 should seriously consider doing so without delay, failing which their customers, and hence their reputations, will suffer."
"Prevention is key to effectively countering cyber-attacks. We therefore welcome the EU's Cyber Security Strategy, which is proposing a strengthened role for ENISA, with adequate resources, to help protect Europe's digital society and economy."
Rene Millman is a freelance writer and broadcaster who covers cybersecurity, AI, IoT, and the cloud. He also works as a contributing analyst at GigaOm and has previously worked as an analyst for Gartner covering the infrastructure market. He has made numerous television appearances to give his views and expertise on technology trends and companies that affect and shape our lives.