Industry comment - TalkTalk and Post Office routers hit by cyber-attack
December 2016 by Roland Dobbins, Principal Engineer at Arbor Networks
Following the news that TalkTalk and the Post Office have been hit by a cyber-attack, here are the comments from Roland Dobbins, Principal Engineer at Arbor Networks.
Broadband access ISPs should proactively scan their customer access networks to locate compromised and/or vulnerable nodes, and should take action to notify the users in question that their devices are vulnerable. In cases where the ISPs themselves have provided the vulnerable CPE devices, they should take immediate steps to replace those devices, as heavy scanning activity on the part of the attackers will result in devices becoming immediately re-compromised once they’ve rebooted.
ISPs operating DSL broadband networks should implement best current practices (BCPs) in order to ensure that only the dedicated network management systems of the ISPs themselves can access the remote network management facilities on these CPE devices. Operators of cable modem networks should do the same with the DOCSIS network management systems used to remotely manage CPE devices on their networks.
Additionally, broadband access ISPs should utilise network infrastructure self-protection mechanisms built into their network devices to rate-limit ARP and other relevant control-plane traffic which may be generated by compromised devices scanning in order to subsume other vulnerable CPE devices into the botnet. This will ensure that heavy scanning activity by compromised CPE devices cannot disrupt large swathes of their user populations by limiting the collateral impact of such scanning.
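An added illustration of the management-access restriction recommended above (example code, not part of the original comment or any vendor tooling): the Python below audits flow records for connections to CPE remote-management ports that do not come from the ISP's own management systems. The prefixes, the port number and the flow records are constructed placeholders, and the `src,dst,dport` record format is an assumption.

```python
import ipaddress
from collections import Counter

# Constructed placeholders (documentation ranges); substitute real values.
NMS_PREFIXES = [ipaddress.ip_network("192.0.2.0/28")]     # ISP management systems
CPE_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # customer access range
MGMT_PORTS = {8443}  # placeholder for the CPE remote-management port

# Constructed flow records in an assumed "src,dst,dport" format.
SAMPLE_FLOWS = """\
192.0.2.5,198.51.100.10,8443
203.0.113.77,198.51.100.10,8443
203.0.113.77,198.51.100.11,8443
198.51.100.10,198.51.100.42,8443
203.0.113.9,198.51.100.12,443
not-an-ip,198.51.100.12,8443
"""

def in_any(addr, nets):
    return any(addr in net for net in nets)

def audit_flows(text):
    """Return (violations, skipped): flows reaching a CPE management port
    from a source outside the management prefixes, and unparseable lines."""
    violations, skipped = [], 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = [p.strip() for p in raw.split(",")]
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            dport = int(parts[2])
        except (ValueError, IndexError):
            skipped += 1  # malformed record: count it, do not guess
            continue
        if (dport in MGMT_PORTS and in_any(dst, CPE_PREFIXES)
                and not in_any(src, NMS_PREFIXES)):
            # A CPE source suggests a compromised device probing its neighbours.
            origin = "cpe" if in_any(src, CPE_PREFIXES) else "external"
            violations.append((str(src), str(dst), origin))
    return violations, skipped

def sources_by_hits(violations):
    """Rank offending sources by number of management-port contacts."""
    return Counter(src for src, _, _ in violations).most_common()

if __name__ == "__main__":
    found, bad = audit_flows(SAMPLE_FLOWS)
    for row in found:
        print("policy violation:", row)
    print("unparseable records:", bad)
```

Any violation means the access restriction is missing or incomplete on that path; a source inside the customer range is also a candidate for the user notification described earlier.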