ISPs are failing to use well-known traffic...
ISPs are failing to use well-known traffic filtering techniques that could counter major incidents, the European Network and Information Security Agency (ENISA) said Friday in a “flash note” (http://bit.ly/10Q6dgs). The measures could have prevented a major attack across Europe in March against Spamhaus, it said. The incident, dubbed the largest distributed denial-of-service (DDoS) attack ever, caused noticeable delays for Internet users in the U.K., Germany and other parts of western Europe, ENISA said. It said Spamhaus, based in Geneva and London, helps fight spam by providing a service that allows operators of email servers to see if a sender’s email server is known to be transmitting unsolicited commercial email. While there’s no clear evidence, the attack on Spamhaus is generally attributed to a hosting provider flagged by Spamhaus as a spammer, it said. The attack, which Spamhaus noticed March 16, lasted for over a week and happened in three phases, ENISA said. The first stage was directed at Spamhaus, followed by an assault on CloudFlare, which Spamhaus contracted to deal with the incident, the agency said. It said the enormous amount of traffic generated caused problems at the London Internet Exchange.
The technique used for the DDoS attack isn’t new, and was possible because most Internet-connected hosts are still able to send Internet Protocol packets with forged source addresses, ENISA said. Another factor that contributed to the size of the cyberattack is the large number of “open recursive resolvers” in the Internet. These are domain name system (DNS) servers that answer all requests sent to them, not just those related to the DNS domain for which they are authoritative resolvers, it said. ENISA chided network providers for failing to implement recommendations that have been around for 13 years. If they had done so, traffic filtering on border routers would have blocked the Spamhaus attack, it said. Other existing recommendations for operators of DNS servers could help reduce the number of servers that can be misused for DNS amplification attacks, it said.
The Spamhaus incident teaches several lessons, ENISA said: (1) It’s a reminder that the Internet overall can be considered resilient, but this doesn’t necessarily hold true for the local part of the Internet infrastructure serving a particular region or country. (2) Even disputes between private, non-government actors can have significant effects on Internet infrastructure, because of the high number of interconnections and the cross-border nature of the Internet. (3) Attacks are getting bigger. The largest publicly reported DDoS attack up to 2012 had been around 100 gigabits of data per second; the Spamhaus incident reached more than 300 Gbps. (4) In cyberattacks of this size, the capacity of commercial Internet exchanges can be exhausted. (5) There is no widely agreed system to gauge the impact of the factors that played a role in the attack, making it hard to assess the associated risks. ENISA recommended that operators serving as upstream or transit providers to end-customer networks implement the longstanding recommendations, and that Internet exchange points make sure they have proper security measures in place.
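The two defensive measures described above can be sketched in a few lines. This is an added illustration, not code from ENISA or from the original article: the interface names, prefixes, zone name and both function names are constructed for the example. It shows a border router accepting only packets whose source address belongs to the customer port they arrived on, and a DNS server recursing only for its own clients.

```python
import ipaddress

# Constructed sample data (documentation address ranges, hypothetical names).
CUSTOMER_PREFIXES = {                      # prefixes assigned per customer port
    "cust-a": ["192.0.2.0/25"],
    "cust-b": ["198.51.100.0/24", "2001:db8:b::/48"],
}
RESOLVER_CLIENTS = ["198.51.100.0/24"]     # networks the resolver serves
AUTHORITATIVE_ZONES = ["example.net"]      # zones the server is authoritative for


def _in_any(address, prefixes):
    """True if the address falls inside any of the given prefixes."""
    addr = ipaddress.ip_address(address)
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return any(addr.version == n.version and addr in n for n in nets)


def ingress_permits(interface, src):
    """Border-router filter: forward a packet only if its source address lies
    in a prefix assigned to the interface it arrived on. A forged source
    address fails this check and the packet is dropped at the edge."""
    return _in_any(src, CUSTOMER_PREFIXES.get(interface, []))


def resolver_policy(client, qname):
    """DNS server policy: answer anyone for zones it is authoritative for,
    recurse only for its own clients, refuse everything else. A server that
    recurses for every client is an open recursive resolver."""
    name = qname.rstrip(".").lower()
    if any(name == z or name.endswith("." + z) for z in AUTHORITATIVE_ZONES):
        return "authoritative"
    return "recursive" if _in_any(client, RESOLVER_CLIENTS) else "refused"


if __name__ == "__main__":
    packets = [("cust-a", "192.0.2.10"), ("cust-a", "203.0.113.7"),
               ("cust-b", "2001:db8:b::53")]
    for iface, src in packets:
        print(iface, src, "forward" if ingress_permits(iface, src) else "drop")
    queries = [("198.51.100.9", "example.org"), ("203.0.113.7", "example.org"),
               ("203.0.113.7", "www.example.net.")]
    for client, qname in queries:
        print(client, qname, resolver_policy(client, qname))
```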