ENISA Warns of Internet VulnerabilitiesCalls for Adoption of Best-Practice Defenses
The Internet infrastructure remains susceptible to a variety of threats, including routing attacks, DNS spoofing and poisoning attacks and distributed denial-of-service disruptions. But a number of best practices can help prevent related exploits, a new EU government study says.
See Also: Dynamic Detection for Dynamic Threats
The report, "Threat Landscape and Good Practice Guide for Internet Infrastructure," is from the European Union Agency for Network and Information Security. ENISA focuses on improving cybersecurity practices for the 28 EU member states.
Most of the threats detailed in the report are continuing to grow more prevalent not just in Europe, but across the world, warns ENISA Executive Director Udo Helmbrecht. "It is important to apply good practices and promote the exchange of information, in order to mitigate threats and secure Internet infrastructure," he says. ENISA's guide provides an up-to-date overview of emerging threats and lays the foundation for a more secure Internet infrastructure through proper risk assessment, training and evaluation, he adds.
ENISA's new report isn't designed just to define some of the biggest threats facing Europe's Internet infrastructure. It also represents a call to action, in particular for Internet service providers to get better at sharing threat information, spotting and disrupting botnet-related communications, arresting DDoS attacks in progress, as well as prioritizing correct system configuration, which can block a vast number of potential exploits.
ENISA says its document is also aimed at policymakers, who might want to review the potential difficulties that Internet infrastructure players face should they attempt to share threat information with each other. "Currently there are several possibilities available when it comes to sharing threat information," according to a statement from some of the report's authors provided to Information Security Media Group. "The report underlines the need for such a collaboration to [anyone] not already involved in the process."
But in the EU, threat-related information sharing can be challenging, legal experts say, in part because of the region's strong privacy laws.
The ENISA report recommends that Internet service providers participate in Information Sharing and Analysis Centers, or ISACs. It also notes that despite Europe's strong privacy protections, the EU Electronic Communications Directive allows for some types of confidential and regulated information to be exchanged on several grounds, including helping organizations prevent the loss of reputation that might occur due to their having been exploited or breached.
Mitigating DDoS Attacks
To better mitigate DDoS attacks, the ENISA report offers multiple suggestions. In addition to much greater threat information sharing between Internet infrastructure providers, the reports says that DNS and NTP servers must be correctly configured so they cannot be used by an attacker to amplify their DDoS disruptions.
The report also recommends a number of defenses that are designed to safeguard data and avoid account or site hijackings. Related recommendations include much greater validation of IP addresses to avoid address space hijacking; configuring the Border Gateway Protocol to ensure that only legitimate traffic is flowing over networks; and ensuring that DNS registrars lock down account credentials and lists of authorized users, to prevent attackers from seizing control of sites by tricking DNS registrars.
Better DDoS attack defenses are reportedly also on the way, the report authors note, with some new options also offering "backward compatibility" with existing infrastructure. One such technique - not mentioned in the report - known as spread identity, can dynamically and randomly assign IP addresses in a network, the better to complicate any attempt to DDoS either the source or the host. Even better, spread identity can be used with existing network infrastructure, and without having to recode systems, thus making it backward-compatible.
Call for Adoption
"To have an open, safe and secure Internet, which is a priority of the EU, it is important to foster the application of these good practices by all actors involved in the Internet infrastructure," the report's co-authors say.
"Most infrastructure operators are well aware of these threats, and have already deployed several of the measures presented," they add. "The only possible impediment could be the willingness of infrastructure operators to collaborate and implement the good practices proposed in the report."