ISPs must share info to fight new app security threats

“The last two years, ISPs have been pretty optimistic because they thought they were getting ahead of the attacks,” he said. “Our studies had shown literally a sense of optimism. Maybe it’s the economic mood, but there is a little bit of pessimism going on now. Most providers who are tasked with procuring these services felt they are starting to lose some ground to more sophisticated attacks. Budgets have been under strain, they are being asked to do more with less and feeling the pressure.”

With broader corporate pressure to race new services into the market, there is also a danger that newer services are more vulnerable while they mature, Labovitz said.

Many of the larger attacks will actually threaten more than one ISP, consuming the resources of peering networks. “Some of these attacks are too large for one ISP to handle – you need to have a good relationship with your peers,” Labovitz said. “ISPs need fingerprint-sharing.”

The malicious traffic can come in on hundreds of transit interfaces, consuming all peering capacity, he said. “Other ISPs may see collateral damage.”

Fingerprint-sharing enables ISPs to identify and address the attack at the edge of the network without allowing it to consume backbone resources, Labovitz said.

“The Fingerprint Sharing Initiative goes back to early 2000,” he said. “Some attacks are so large that it requires providers to use the phone or other channels to contact counterparts at other ISPs, to ask them to install filters. Under this initiative, 50 or 60 ISPs have publicly said they will collaborate for the greater good, agreeing to take proactive action when a member is under attack.”

Finally, the study showed ISPs weren’t happy when they were the last to know about an identified vulnerability called DNS cache poisoning. In mid-2008, a security researcher named Dan Kaminsky “found a subtle implementation detail that allowed for cache poisoning to take a little less effort,” Labovitz said. “Kaminsky tried to contact the major Domain Name Server vendors to get them to implement patches ahead of any public release of the information.”

ISPs themselves weren’t notified, however, and the information became public before they had a chance to implement patches, producing an increase in Kaminsky-related DNS cache poisoning. “Most ISPs ended up being pretty unhappy with the way information was shared and distributed,” Labovitz said. “The information was shared selectively, and they didn’t like not being among those selected – no one likes to be the last to know.”

© 2012 Penton Media Inc.
