Internet service providers could have prevented a high-profile distributed denial of service (DDoS) attack last month by applying established, best practice defence mechanisms, according to ENISA, the European Union's IT security agency.
The DDoS attack on anti-spam service provider Spamhaus was the largest ever seen, ENISA claims. At its peak, the load on Spamhaus's infrastructure reached 300 Gigabits per second, three times the previous record.
The unknown attacker used a botnet to send many concurrent DNS requests from multiple DNS servers to Spamhaus's website, a technique known as 'DNS amplification'. The DNS requests were "spoofed" to look as though they originated from Spamhaus itself, so its servers were quickly overloaded.
For example, a protocol called BCP38, which was introduced 13 years ago, would have limited the impact of the attack by identifying and blocking "spoofed" IP addresses.
BCP140, meanwhile, would prevented the attackers from using multiple DNS servers in the attack.
The cyber security agency said that while the attack on Spamhaus did not affect Internet performance globally, as had first been reported, the local impact was "rather noticeable".
“Network operators that have yet to implement BCP38 and BCP140 should seriously consider doing so without delay, failing which their customers, and hence their reputations, will suffer," said ENISA executive director professor Udo Helmbrecht.
"Prevention is key to effectively countering cyber-attacks."
Early reports implicated hosting provider Cyberbunker in the attack, as Spamhaus had recently blacklisted the company as a suspected spam distributor (an accusation it flatly denied).
However, Spamhaus itself has said that it does not know who initiated the attack. "A number of people have claimed to be involved in these attacks," it said. "At this moment it is not possible for us to say whether they are really involved."
