ENISA Report Outlines Incidents Causing Major Outages at Telcos

The European Network and Information Security Agency (ENISA), Europe’s cyber security agency, has released a new report outlining incidents that resulted in “major outages” at electronic communication networks or services in the EU during 2012.

The report provides an aggregated analysis of the 79 reported incidents of severe outages of electronic communication networks, or services during the year.

According to the Annual Incident Reports 2012:

• 18 countries reported 79 “significant” incidents, nine countries reported no significant incidents.

• Most incidents affected mobile telephony or mobile Internet (about 50%).

• Incidents affecting mobile telephony or mobile Internet also affected most users (around 1.8 million users per incident).

• Incidents caused by overload followed by power failures respectively had most impact in terms of number of users affected times duration.

• For most incident reports, as well as for the four services, (fixed and mobile telephony, and fixed and mobile internet) the root cause was “System failures” (75 %).

• Hardware failures were the most common cause of “Systems failures”, followed by software bugs.

• Switches were the most frequent point of failure (e.g. routers and local exchange points) followed by mobile network home location registers.

• Root cause third party failure incidents, mostly power supply failures, affected around 2.8 million user connections per incident on average.

• Incidents involving overload affected around 9.4 million user connections per incident on average.

• Incidents caused by natural phenomena (mainly storms and heavy snowfall) lasted the longest: on average around 36 hours.

Some interesting incidents pulled from the report include

• Overload caused VoIP outage – In the shift from a temporary to a permanent network solution, voice over IP service was disrupted for 400,000 users after the platform became overloaded as a result of too many simultaneous registrations of customer devices.

• Faulty Upgrade halted IP-base traffic – An upgrade in a core router went wrong, causing a drop of all IP based traffic for the provider causing many services to go down, including the emergency number 112. This incident led to an outage of 17 hours affecting 3 million users.

• DDoS attacks on DNS affected mobile Internet – A series of DDoS attacks targeted a provider’s domain name service. Up to 2.5 million mobile Internet users were affected during 1-2 hours. The attacking IP-addresses were tracked and blocked, the load balancing units were restarted and the traffic could be recovered. As post-incident actions additional DNS servers were installed, configuration changes were made on firewalls and hardware was expanded to withstand similar attacks.

“Reporting major incidents helps us understand what went wrong, why, and how to prevent similar incidents from happening again,” ENISA Executive Director, Professor Udo Helmbrecht said in a statement.

The full report can be downloaded here. ENISA’s 2013 report is expected to be published in the spring of 2014.