EU and banks stage DDoS cyber-attack exercise

The European Union is hosting what it describes as its biggest cybersecurity exercise.

Governments, businesses and ISPs (internet service providers) are being faced with 1,200 separate incidents during a simulated DDoS (distributed denial of service) attack.

A similar event was staged in 2010, but this is the first time that the bloc's banks have been involved.

The results will be used to find ways to improve co-operation.

However, one computer security expert warned that the effort would be of only limited use when it came to protecting organisations against real-world attacks.

Enisa (European Network and Information Security Agency), which is co-ordinating the event, said 25 nations were actively participating in the practice run, and a further four countries were observing. But it would not specify the names of the states or organisations involved.

"We want to test how member states co-operate with each other during a crisis," Evangelos Ouzounis, head of Enisa's resilience and critical information infrastructure unit, told the BBC.

"We have developed some draft operating procedures over the last two years and we would like to test how they are applied in a crisis. We hope that after the exercise we can then identify any gaps in the information flow, and by improving them we can become stronger."

The event centres on a DDoS attack in which a mass of third-party computers attempt to overwhelm their targets' servers, forcing their websites offline and potentially disrupting their operations.

This type of attack has been used over recent months by members of the Anonymous hacktivist collective and others as a form of protest against companies and authorities whose actions they dislike.

"This goes to show that DDoS attacks have gone from a minor annoyance carried out by bedroom hackers to a serious security threat that Enisa feels the need to be addressed," said Paul Lawrence, vice-president of international operations at Corero Network Security.

"The recent attacks on US banks just goes to show that, with enough resources, any hacking group can bring down even some of the most well protected organisations."

Mr Lawrence was referring to spate of recent attacks against JP Morgan, Bank of America, Wells Fargo and three other US-based financial institutions.

Attackers used thousands of hijacked PCs to create several botnets using different types of DDoS attacks to consume all of the bandwidth available for the companies' customer-facing websites, making them inaccessible.

According to Enisa, reported web-based attacks increased by 36% over 2011.

It has also highlighted a World Economic Forum report which estimated there was a one-in-10 risk that a "critical information infrastructure incident" could cause 200bn euros ($260bn; £160bn) of economic damage within the next decade.

"Co-operation is essential given the scale and sophistication of cyber-attacks," said Neelie Kroes, the European Commission's vice-president, ahead of the exercise.

But one security adviser to the British government questioned how much use the event would be against future cyber-assaults

"It's a very worthy exercise but it doesn't guarantee security," said Alan Woodward, a visiting professor at the University of Surrey.

"Penetration-testing assumes you will be attacked using existing techniques, but it doesn't necessarily reveal vulnerabilities you would otherwise not have known about.

"It's rather like checking your front door's locks are working, which doesn't reveal if your windows are open."

Enisa said it would report its key findings before the end of the year.