Safeguarding ISPs from DDoS AttacksThe Role of Security Best Practices
A distributed-denial-of-service attack in Europe highlights the need for Internet service providers to implement security best practices to prevent future incidents, ENISA's Thomas Haeberlen says.
Spamhaus, an international group that helps network owners block spam, was the victim in March of a DDoS attack that reportedly caused online disruptions in Europe [see: Biggest DDoS Attack in History?].
BCP 38 is a set of recommendations from the Internet Engineering Task Force that describes measures that Internet service providers could implement to keep people from sending network packets with a forged sender address. A key factor in the success of the Stophaus DDoS attack was the ability to forge sender addresses, says Haeberlen, an expert member in network and information security of the European Network and Information Security Agency's resilience program.
The reason service providers aren't implementing BCP 38 is the cost, Haeberlen contends.
"[There will be] service costs for an ISP implementing BCP 38, whereas, on the other hand, if they don't implement the recommendations and they thereby enable DDoS attacks, they probably won't be at the receiving end the attack," Haeberlen says, though the ISP customers' traffic could be disrupted.
In the interview, Haeberlen:
- Explains how recommendations that ISPs failed to implement could have mitigated the attacks;
- Contrasts the strength of Operation Stophaus with other types of DDoS attacks; and
- Discusses why ISP customers should get their providers to adopt the recommendations.
Haeberlen is employed by ENISA as a subject matter expert whose expertise includes IT security, cloud computing, interconnected networks, risk management and smart grids.
ERIC CHABROW: The Spamhaus Project is an international not-for-profit with the stated mission to track the Internet spam operations and sources to provide real-time anti-spam protection for Internet networks and to work with law enforcement agencies to identify and pursue spam gangs worldwide. Before we get to ENISA's recommendations resulting from the DDoS attack, briefly explain what Operation Stophaus was. How disruptive was it?
THOMAS HAEBERLEN: Operation Stophaus was an organized attack by some people who were affected by Spamhaus, whose IP addresses were put on the blacklist by Spamhaus. They wanted to retaliate and shut down Spamhaus for some time, or even permanently, in order to continue with their business.
CHABROW: How disruptive was it?
HAEBERLEN: It was quite disruptive in some areas; not globally. But according to media reports and what you read on mailing lists, there were noticeable slowdowns in Internet traffic in parts of Western Europe, mostly in the UK.
The Size of the Attack
CHABROW: What was different about Operation Stophaus from other types of DDoS attacks?
HAEBERLEN: It was not so much different from other types of DDoS attacks. What was really different about Operation Stophaus was the size because it raised the bar, so to say, of DDoS attacks by about a factor of three, compared to the previous record.
CHABROW: When you say by a factor of three, you mean the amount of traffic being sent to disrupt servers was three times the amount of a normal DDoS attack?
HAEBERLEN: It was three times the previously recorded record - maximum size - of a DDoS attack. You could say normal DDoS attacks probably stay below 100 gigabytes. The previously-recorded maximum size was around 100 gigabytes of data per second, while this Stophaus attack was clocked at 300 gigabytes peak data rate. This was quite an interesting increase in size.
CHABROW: In a flash note ENISA issued, the agency said many network providers failed to implement a set of recommendations known as BCP 38 that have been around for more than a dozen years and, if implemented by all networks, would have blocked the attacks. First of all, what is BCP 38 and why do you think network operators have failed to implement these recommendations?
HAEBERLEN: BCP 38 is a set of recommendations collected by the Internet Engineering Task Force which describes a set of measures that an Internet service provider could implement to keep people from sending network packets with a forged sender address. The ability to forge a sender address was a key factor in the Stophaus DDoS attack.
Why don't ISPs implement this set of recommendations? The answer is quite simple: The reason is that implementing BCP 38 will cost the ISPs money. It won't break much, but there might be some exotic things that it will break. It will cost service costs for an ISP implementing BCP 38, whereas, on the other hand, if they don't implement the recommendations and they thereby enable DDoS attacks, they probably won't be at the receiving end of a DDoS attack. This is one of the famous externalities in security that often inhibits progress in that area.
CHABROW: According to the flash note, the capacity of commercial Internet exchanges could be exhausted by an attack the size of Operation Stophaus. Does that mean traffic would be halted between various ISPs?
HAEBERLEN: Yes, that could actually happen. Although at the size of the Stophaus attack, the amount of traffic could really lead to problems even at Internet exchange points. I think this serves as an example that attackers in that way can really raise flood that could fill even the largest pipes in networking, you could say.
Lessons for Enterprises and Governments
CHABROW: ENISA made recommendations to operators that service end customers, DNS servers and Internet exchange points. Why should security professionals and enterprises such as banks, healthcare organizations, governments and others care about this? Is there anything they can do to protect themselves against this type of DDoS attack?
HAEBERLEN: The point for the customers in enterprises and governments is that they should go to their service providers and ask them to implement BCP 38, not primarily to protect themselves immediately against attacks but to raise the level of security as a whole and therefore reduce the probability for everybody and also for themselves as a consequence to be the victim of a DDoS attack. This is a contribution that enterprises can make by asking their providers to implement these security measures.