Worldwide Infrastructure Security in 2011 (1st Section)

IRCRE201204095
Date: 2012-04-19
Arbor Networks, in cooperation with the broader operational security community, has completed the seventh edition of an ongoing series of annual security surveys. This survey, covering roughly a 12-month period from October 2010 through September 2011, is designed to provide industry-wide data to network operators.
Most Significant Operational Threats
More than 71 percent of respondents indicated that DDoS attacks toward end customers were a significant operational threat encountered during this 12-month survey period.
Over 62 percent also identified misconfigurations and/or equipment failures as contributing to outages during the survey period. Botnets and their unwanted effects (including DDoS attacks) were rated highly, as were DDoS attacks targeted at operators’ network infrastructure and ancillary support services, such as DNS, Web portals and email servers. Spam and VoIP-related attacks were included in the “Other” category.
With regard to application-layer attacks, respondents listed HTTP, DNS and SMTP as the most frequently targeted applications, with HTTP/S and SIP/VoIP in fourth and fifth place, respectively. The shares reported for HTTP and IRC rose slightly compared with the 2010 survey, while DNS, SNMP, HTTP/S and SIP/VoIP fell slightly over the same period. Targeted applications in the “Other” category include SSH, online gaming, FTP, Telnet, RDP, SQL databases, IRC, PHP and TCP port 123.
Top security concerns for the next 12 months include: attacks against end customers; attacks against operators’ network infrastructure devices and ancillary support services such as DNS and Web portals; botnet activities, which include DDoS attacks; and, as in last year’s report, new vulnerabilities.
Scale, Targeting and Frequency of Attacks
During the survey period, respondents reported a significant increase in the prevalence of flood-based DDoS attacks in the 10 Gbps range. This represents the “mainstreaming” of large flood-based DDoS attacks, and indicates that network operators must be prepared to withstand and mitigate large flood attacks on a routine basis.
As illustrated in the next figure, the highest-bandwidth attack observed by respondents during the survey period was a 60 Gbps DNS reflection/amplification attack. This represents a 40 percent decrease from the previous year in terms of sustained attack size for a single attack.
Based upon our experiences, we believe that this apparent decrease in attack magnitude at the high end does not represent a significant reduction of risk from flood-based DDoS attacks. Sixty Gbps is a very large attack, and the increased prominence of 10 Gbps and higher attacks reflected in survey responses indicates that the volume of traffic in large-scale flood attacks remains a significant risk.
Over 74 percent of respondents reported that the highest-bandwidth DDoS attack they experienced during this survey period was directed at their end customers, while nearly 13 percent reported that their own ancillary support services such as DNS and Web portals were targeted. Almost 11 percent indicated that their own network infrastructure was the target of the highest-bandwidth attack they experienced.
As shown in the next figure, nearly 47 percent of respondents indicated that they experienced 1 to 10 DDoS attacks per month during the survey period, while over 44 percent experienced 10 to 500 or more DDoS attacks per month.
While the prevalence of complex multi-vector DDoS attacks has steadily increased over the last several years, the next figure indicates that nearly 27 percent of survey respondents experienced multi-vector DDoS attacks combining flood-based and application-layer components during the last 12 months. This represents a significant escalation on the part of attackers and is consistent with their increased use of application-layer attack methodologies.
The results in the next figure indicate that ideology or “hacktivism” ranks as the single most commonly observed motivation for DDoS attacks, with online gaming-related attacks ranked second.
In this year’s survey, we asked respondents about the longest-duration DDoS attack they had observed during the survey period. Responses varied widely, ranging from “a few minutes” to “six months, with bursts and calm stages.”
In another significant development, the next figure reflects what we believe to be the first documented occurrences of IPv6 DDoS attacks on production Internet networks.
We believe that the scope and prevalence of IPv6 DDoS attacks will gradually increase over time as IPv6 is more widely deployed. It is also important to note that more than 75 percent of respondents do not have sufficient visibility into IPv6 traffic on their networks to detect and classify IPv6 DDoS attacks.
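To make two of the points above concrete (the DNS reflection/amplification attack behind the largest reported flood, and the lack of IPv6 visibility), the following Python script is an added example; it is not code from the report or from Arbor Networks. It applies the kind of check a flow collector could run: it aggregates UDP source-port-53 traffic per destination and flags a destination as a likely reflection victim when many distinct resolvers send it large responses that it never queried for. Because the same code path handles IPv4 and IPv6 addresses, it also reports which address families the collector is actually seeing, which is the visibility gap the survey describes. All flow records, addresses and thresholds are constructed for illustration.

```python
"""Flag likely DNS reflection/amplification victims in flow records, IPv4 and IPv6 alike."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    """One unidirectional flow record (the fields NetFlow/IPFIX/sFlow exporters all carry)."""
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    octets: int


# Constructed sample flows (documentation address ranges only; not data from the report).
# The attack rows model open resolvers returning large responses to a spoofed victim
# address; note that the victim never sends the matching queries.
SAMPLE_FLOWS: List[Flow] = [
    # IPv4 victim 203.0.113.5: four reflectors, ~3000-byte responses, no queries from the victim
    Flow("192.0.2.10", "203.0.113.5", "udp", 53, 33210, 4000, 12_000_000),
    Flow("192.0.2.11", "203.0.113.5", "udp", 53, 33210, 4000, 12_000_000),
    Flow("192.0.2.12", "203.0.113.5", "udp", 53, 33210, 4000, 12_000_000),
    Flow("192.0.2.13", "203.0.113.5", "udp", 53, 33210, 4000, 12_000_000),
    # IPv6 victim 2001:db8:1::5: three reflectors, ~2500-byte responses
    Flow("2001:db8:2::10", "2001:db8:1::5", "udp", 53, 41000, 2000, 5_000_000),
    Flow("2001:db8:2::11", "2001:db8:1::5", "udp", 53, 41000, 2000, 5_000_000),
    Flow("2001:db8:2::12", "2001:db8:1::5", "udp", 53, 41000, 2000, 5_000_000),
    # Benign: one client querying one resolver and receiving ordinary-sized answers
    Flow("198.51.100.7", "192.0.2.53", "udp", 52011, 53, 100, 7_000),
    Flow("192.0.2.53", "198.51.100.7", "udp", 53, 52011, 100, 12_000),
    # Unrelated TCP traffic, ignored by the detector
    Flow("198.51.100.7", "203.0.113.80", "tcp", 50110, 443, 300, 45_000),
]


def family(addr: str) -> int:
    """Return 4 or 6; raises ValueError on a malformed address instead of guessing."""
    return ipaddress.ip_address(addr).version


def summarize_families(flows: List[Flow]) -> Dict[int, int]:
    """Count flows per destination address family, so a zero for IPv6 stands out."""
    counts = {4: 0, 6: 0}
    for f in flows:
        counts[family(f.dst)] += 1
    return counts


def visibility_gaps(flows: List[Flow], expected=(4, 6)) -> List[int]:
    """Address families the collector was expected to see but has no flows for (assumed policy)."""
    counts = summarize_families(flows)
    return [v for v in expected if counts.get(v, 0) == 0]


def find_dns_amplification_victims(flows: List[Flow], min_sources: int = 3,
                                   min_avg_bytes: int = 600, min_ratio: float = 10.0) -> Dict[str, dict]:
    """Per destination, correlate inbound DNS responses with outbound DNS queries.

    Thresholds are illustrative assumptions: many distinct reflectors, responses far
    larger than a typical ~100-byte answer, and response bytes dwarfing query bytes.
    """
    resp_sources = defaultdict(set)   # victim -> set of reflector addresses
    resp_octets = defaultdict(int)    # victim -> bytes received from sport 53
    resp_packets = defaultdict(int)
    query_octets = defaultdict(int)   # host -> bytes it sent to dport 53
    for f in flows:
        if f.proto != "udp":
            continue
        if f.sport == 53:
            resp_sources[f.dst].add(f.src)
            resp_octets[f.dst] += f.octets
            resp_packets[f.dst] += f.packets
        elif f.dport == 53:
            query_octets[f.src] += f.octets

    victims = {}
    for dst, sources in resp_sources.items():
        if len(sources) < min_sources:
            continue
        avg = resp_octets[dst] / resp_packets[dst]
        if avg < min_avg_bytes:
            continue
        # A spoofed victim sent no queries at all, so the ratio is effectively unbounded.
        ratio = resp_octets[dst] / max(query_octets.get(dst, 0), 1)
        if ratio < min_ratio:
            continue
        victims[dst] = {
            "family": family(dst),
            "reflectors": len(sources),
            "avg_response_bytes": round(avg),
            "response_query_byte_ratio": round(ratio, 1),
        }
    return victims


if __name__ == "__main__":
    print("flows per family:", summarize_families(SAMPLE_FLOWS))
    print("missing families:", visibility_gaps(SAMPLE_FLOWS))
    for victim, info in find_dns_amplification_victims(SAMPLE_FLOWS).items():
        print(victim, info)
```

The benign resolver exchange is not flagged because it comes from a single source and its response bytes are only about twice its query bytes. Feeding the detector a collector export that contains only IPv4 records would still return correct IPv4 findings while `visibility_gaps` reports IPv6 as unobserved, which is the condition the survey's 75 percent figure describes.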
Attack Mitigation and Average Time to Mitigate
Nearly 47 percent of respondents indicated that they can successfully mitigate a DDoS attack within 20 minutes, a slight decrease from last year. Nearly 33 percent reported mitigation times in excess of 30 minutes, more than double last year's share of operators reporting such long mitigation times. This may reflect the growing popularity of complex application-layer attacks, which are often harder to detect and mitigate.
The overwhelming majority of respondents indicated that they do not proactively block known botnet C&C servers, malware drop servers or phishing servers; only about 24 percent reported that they attempt to block such hosts proactively.
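The proactive blocking that only a quarter of respondents perform comes down to matching traffic against an indicator list. The Python below is an added example, not code from the report or from Arbor Networks, showing the matching logic an operator would need before choosing an enforcement point (resolver policy zone, edge ACL, or flow-based filtering): it checks DNS query names against a domain list with proper label-boundary matching, so that a listed `cnc.example` catches `beacon.cnc.example` but not `notcnc.example`, and checks connection destinations against CIDR prefixes for both address families. The blocklist entries, the BIND-style query log lines and the connection records are all constructed for illustration.

```python
"""Match DNS query logs and connection records against a C&C / drop-server / phishing blocklist."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed indicators (documentation names and ranges only; not from the report).
BLOCKLIST = {
    "domains": {
        "cnc.example": "botnet C&C",
        "drop.example.net": "malware drop",
        "login-bank.example.org": "phishing",
    },
    "networks": [
        ("192.0.2.0/24", "botnet C&C"),
        ("2001:db8:bad::/48", "malware drop"),
    ],
}

# Constructed BIND-style query log lines: "client <ip>#<port>: query: <qname> IN <qtype> ..."
SAMPLE_QUERY_LOG = [
    "client 198.51.100.7#41234: query: www.example.com IN A +",
    "client 198.51.100.7#41235: query: beacon.cnc.example IN A +",
    "client 198.51.100.9#55012: query: login-bank.example.org. IN AAAA +",
    "client 198.51.100.9#55013: query: notcnc.example IN A +",
]

# Constructed connection records: (client, destination, destination port)
SAMPLE_CONNECTIONS = [
    ("198.51.100.7", "192.0.2.44", 443),
    ("198.51.100.7", "203.0.113.9", 443),
    ("198.51.100.9", "2001:db8:bad:1::7", 80),
]

QUERY_RE = re.compile(r"client (?P<client>[^#\s]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


class Blocklist:
    def __init__(self, domains: Dict[str, str], networks: List[Tuple[str, str]]):
        # Normalise once: lowercase, no trailing dot, parsed network objects.
        self.domains = {d.lower().rstrip("."): cat for d, cat in domains.items()}
        self.networks = [(ipaddress.ip_network(n), cat) for n, cat in networks]

    def match_domain(self, name: str) -> Optional[Tuple[str, str]]:
        """Walk the name's parent labels; compare whole labels, never raw string suffixes."""
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels) - 1):        # stop before the bare TLD
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate, self.domains[candidate]
        return None

    def match_ip(self, addr: str) -> Optional[Tuple[str, str]]:
        """Longest-list-order prefix match across IPv4 and IPv6 networks."""
        ip = ipaddress.ip_address(addr)
        for net, cat in self.networks:
            if ip.version == net.version and ip in net:
                return str(net), cat
        return None


def scan_dns_log(lines: List[str], bl: Blocklist) -> List[dict]:
    """Return one hit per query whose name falls under a listed domain."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue                              # not a query line; skip rather than guess
        matched = bl.match_domain(m["qname"])
        if matched:
            hits.append({"client": m["client"], "qname": m["qname"],
                         "indicator": matched[0], "category": matched[1]})
    return hits


def scan_connections(conns: List[Tuple[str, str, int]], bl: Blocklist) -> List[dict]:
    """Return one hit per connection whose destination lies inside a listed prefix."""
    hits = []
    for client, dst, dport in conns:
        matched = bl.match_ip(dst)
        if matched:
            hits.append({"client": client, "dst": dst, "dport": dport,
                         "indicator": matched[0], "category": matched[1]})
    return hits


if __name__ == "__main__":
    bl = Blocklist(**BLOCKLIST)
    for hit in scan_dns_log(SAMPLE_QUERY_LOG, bl) + scan_connections(SAMPLE_CONNECTIONS, bl):
        print(hit)
```

Two practitioner caveats follow from the code: a domain list applied as a string suffix would wrongly block `notcnc.example`, which is why the matcher compares label by label, and an indicator list with only IPv4 prefixes leaves IPv6 destinations such as the last connection record unexamined.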
Managed Security Services
Forty-five percent of respondents indicated that they offer managed security services, with the most popular being managed router, managed VPN and CPE firewalls. Of this pool of respondents, more than 58 percent offer Clean Pipes managed DDoS mitigation services, a slight increase over last year.
Respondents offering managed security services reported a small head count of dedicated managed security services personnel, with nearly 28 percent employing more than 10 dedicated staff members, an 11 percent increase year over year.
OPSEC Groups
The next figure identifies the numbers of network engineering personnel, network operations personnel and dedicated OPSEC personnel employed by respondents. The majority of respondents employ 10 or fewer dedicated OPSEC staff members.
As in previous reports, lack of head count and/or resources topped the list of operational security challenges faced by respondents. Other significant challenges reported by this year’s respondents include the difficulty of finding and retaining skilled personnel, lack of management support, lack of stakeholder support and CAPEX/OPEX funding.
References:
Arbor Networks, Worldwide Infrastructure Security Report, 2011 Volume VII.

Created: 2 Ordibehesht 1391 (21 April 2012)