Cisco Technology Developer Partner - Arbor Networks, a provider of flow-based and deep packet inspection (DPI) technologies to ISPs, released a survey of 66 ISPs last week that says from relatively humble megabit beginnings in 2000, the largest DDoS attacks have now grown a hundredfold to break the 40 gigabit barrier this year. The growth in attack size according to Arbor, continues to significantly outpace the corresponding increase in underlying transmission speed and ISP infrastructure investment.
Also according to the Arbor survey, trends suggest that DDoS attack sizes may be on pace to approach 100 gigabits by this time next year, or perhaps more sophisticated attack vectors will be employed and bits per second won’t be as significant.
Arbor's figure 1 below shows the yearly reported maximum attack size:
Arbor added that when asked to rank threats that they believe would pose the largest problems over the next 12 months, 66 self-classified Tier 1, Tier 2 and other IP network operators from North America, South America, Europe and Asia responded that bots and botnets took the top spot, followed closely by DNS cache poisoning and BGP route hijacking (figure 4 below).
Arbor continued that the growth of the largest botnets continues to outpace containment efforts and infrastructure investment.
Additionally, the Arbor survey said 57% of service provider respondents reported attacks larger than 1 gigabit in the past 12 months (see figure 5 below).
6% of respondents reported attacks over 10 gigabits, with the largest attack reported this year being "just north of 40 gigabits," a 100-fold increase since 2001 according to Arbor.
When asked for details about the largest reported attack, respondents provided Arbor with the following direct quotes:
 |
"This was, initially, criminal-on-criminal crime though obviously the greatest damage was inflicted on the infrastructure used by the criminals." |
|
"The attack exceeded 40 gigabits in aggregate at one time." |
|
"The attack used DNS amplification." |
|
"The attack stopped only because the attacker was paid." |
|
"The attacker remains at large and active." |
|
"No bots were used in this attack. The attacker had a small number of compromised Linux boxes from which he’d launch the spoofed source DNS query. The DNS servers were all DNS servers open to recursion." |
Respondents were asked what attack vector was employed for the largest attack they observed over the past 12 months (see figure 6 below).
As seen in the Arbor survey pie chart shown above, protocol exhaustion and flood-based attacks are the most predominant.
Respondents mentioned that they were seeing an increase in application-based attacks aimed expressly at triggering back-end transaction activity and resource state, and that these attacks, while not the largest, were certainly the most sophisticated and devastating attacks they had observed over the past year.
25% of the respondents indicated that they observed attacks that were more sophisticated in the manner in which they targeted network services, either as second-stage attacks or attacks aimed at impacting other systems by affecting adjacent network services (i.e., DNS, load balancers, VoIP systems, routers, etc).
Regarding the frequency of attacks, figure 7 below shows the number of attacks per month that impacted respondent customers as well as respondent network infrastructure respectively:
Furthermore, Arbor asked respondents what attack vectors were employed during attacks against their infrastructure and received the following direct quotes:
|
"Brute force attacks, floods targeting router interfaces and network elements." |
|
"Know vulnerability probes." |
|
"Heavy VoIP scans—on the increase recently." |
|
"Application-based attacks targeting network services." |
|
"Lots of SSH [secure shell] brute force login attempts to all network elements and management systems." |
|
"Multi-mode attacks, from SYN [synchronized] and DNS, evolving to application-layer attacks targeting customer-facing systems and network elements." |
|
"Lots of attacks towards customers, resulting in collateral damage to infrastructure." |
|
"More scans targeting router OS vulnerabilities expressly." |
|
"Often getting DDoS directly as a result of mitigating attacks for customers." |
Regarding infrastructure and internal security incidents, respondents indicated the following primary threat vectors:
| 61% | External Brute-Force Attacks |
| 12% | Known Vulnerability |
| 3% | Social Engineering |
| 3% | Misconfiguration |
| 2% | Insider Threat |
| 20% | Other |
In the survey, Arbor observed that external brute-force attacks are high, while insider threats are quite low.
Respondents were asked to identify the tools and techniques they employ for attack detection and traceback, which figure 8 illustrates below:
As can be seen for 2008 in the above chart, Arbor noted a considerable increase in flow-based tools that can help enable attack detection.
With regard to attack detection, respondents were asked to identify their mechanism for tracing attacks back to network ingress interfaces and upstream or downstream networks. According to the Arbor survey, 70% of respondents indicated that they use flow-based tools to trace attacks back to network ingress interfaces. Another 12% said they use SNMP-based tools, 3% reported using DPI or other tools, and 15% indicated they have no current solutions or tools to trace attacks back to network ingress.
In figure 9 below, respondents were asked the attack mitigation techniques that they used.
Some of the challenges cited by respondents in mitigating attacks included:
|
"Coordinating with upstreams to filter attack flows, inattentive NOC/SOC [network operations center/security operations center] at peers/upstream." |
|
"Delays in internal escalation to capable staff, senior management authorization." |
|
"Cooperation from internal operations teams for internal policy deployment." |
|
"Internal manpower, resources." |
|
"Manual generation, configuration and deployment of mitigation policies in network." |
|
"Poor quality of data/tools in-house, identification and classification after detection." |
|
"Sometimes difficulty in verifying that it is not a flash crowd or otherwise legitimate customer traffic." |
|
"Ensuring no unintended outage is triggered by mitigation, ability to effectively mitigate without impacting production traffic, esp. with emerging application-layer attacks." |
|
"Taking target offline may deflect attack to another target—dealing with mitigation impact scenarios." |
|
"Budget for infrastructure to surgically mitigate attacks." |
|
"Managing capacity of dedicated mitigation devices." |
|
"Sometime[s] with or without managed services, customer permission to mitigate [an] attack is required before any action can be taken." |
According to the Arbor survey, the 3 most often referenced obstacles to reducing attack mitigation time by respondents included:
| 1. | Accurately identifying and separating attack flows from legitimate traffic. |
| 2. | Communication with upstreams, customers and internal staff. |
| 3. | Internal resources and manpower to mitigate attacks. |
Arbor asked respondents what activities they have personally observed bots performing over the past year. SPAM took the lead, followed closely by DDoS attacks, see figure 17 below:
Note: In the Arbor survey chart above, the "Other" category includes phishing, drop sites as well as an array of other nefarious activities.
When asked to identify the most effective tools to detect, measure and monitor botnets, the respondents were quoted as follows:
|
"End system IP address logging of suspicious hosts." |
|
"Flow data analysis." |
|
"We don’t monitor directly, we just filter the cr— — they spew." |
|
"Rely on CSIRTs, security groups and data sharing." |
|
"Honeypots and darknet monitoring." |
|
"Snort with bleeding-edge rules." |
|
"Collaboration." |
|
"Internally developed magic." |
|
"Monitor DNS queries and unauthorized traffic." |
|
"It all depends, really on what the botnet is doing…If it’s a spam cannon type botnet (e.g., Srizbi), simple extrapolation of originating IP vs. the message run in question will give you a general estimate. HTTP and IRC-based DDoS can be guessed from measuring the impact of the DDoS and/or infiltrating the C&C server." |
When Arbor asked if respondents believe that ISPs should be responsible for detecting and monitoring botnets. 61% said Yes, while 23% disagreed, and another 17% responded Yes, with some criteria.
Interestingly, when respondents were asked how successful they believe anti-botnet tools and techniques have been over the past year, 20% indicated such tools and techniques were sufficient, while 68% said insufficient.
When respondents were asked by Arbor what trends they have observed in network security over the past year, and how they spend their time on a daily (or nightly) basis as a result, responses were as follows:
|
"Very little has changed." |
|
"Zero-sum game." |
|
"More customer awareness on the needs to monitor their networks." |
|
"Seeing more behavioral patterns in attacks (e.g., students always attacking on national holidays)." |
|
"Less resource, more work, less board-level interest/understanding." |
|
"More time on revenue-generating services/products." |
|
"Attackers are getting smarter. Tools keep up, but users don’t." |
|
"Web 2.0 attacks on the increase." |
|
"Much more awareness regarding routing security." |
|
"Large Web mail operators like Google don’t give a sh— — about spam originating from their networks because they know they are too large to be blacklisted. This causes significant pain." |
|
"More attacks are unintentionally impacting other services (e.g., our VoIP)." |
|
"New services are not prepared or developed to deal with Internet security threats." |
|
"Attackers are smarter and more professional." |
|
"More law enforcement as they appear to be getting more resources." |
|
"Attackers are ‘definitely’ getting smarter, developing better techniques to hide exploits in Web sites, better rootkits to avoid AV detection, and better 2nd+ stage download techniques to avoid honeypot grabbing." |
|
"Customers see ISP as ‘the Internet’ and blame for things outside their control. On one hand protect, on the other, don’t even think about looking at our packets or invading our privacy." |
Respondents were also asked by Arbor if they have deployed deep packet inspection (DPI) equipment, and if so, for what purpose. 52% said No, they have not deployed such equipment. Of those answering Yes, 11% said it is for lawful intercept, 20% for service enforcement and protection, and 3% for both lawful intercept and service enforcement and protection. 15% responded with "Other," with no details provided.
Finally wrapping it all up, ISPs were unhappy with their vendors and the security community according to the Arbor survey. The surveyed ISPs also said that their vendor infrastructure equipment continues to lack key security features (like capacity for large ACL lists) and suffers from poor configuration management and a near complete absence of IPv6 security features.
Arbor Chief Security Officer - Danny McPherson, had this to say about the growth in DDoS attack size:
 "The growth in attack size continues to significantly outpace the corresponding increase in underlying transmission speed and infrastructure investment. |
"And, while most ISPs now have the infrastructure to detect bandwidth flood attacks, we found that many still lack the ability to quickly mitigate these attacks; only a small percentage of the providers we surveyed said they have the capability to mitigate DDoS attacks in 10 minutes or less.
"What’s even more concerning is that even fewer providers have the infrastructure to defend against service-level attacks or this year’s reported peak of a 40 gigabit flooding attack. This is an area of weakness for operators that can be exploited quickly."
Related story:
Distributed DoS attacks surging in scale, ISPs report
What do you consider to be the key security features missing from vendor infrastructure equipment?
Quotes on New Cisco Equipment
One year warranty on refurbished:
One year warranty Refurbished Cisco
|
Cisco vs. Competitor Lab Tests |
Brad Reese cofounded BradReese.Com Cisco Refurbished, which enables affordable Cisco networks globally by assuring customer satisfaction with guaranteed one year warranties on both Cisco Repair as well as Refurbished Cisco.
Don't be shy, contact Brad Reese online or call him Toll Free:
866-864-0506
International callers may wish to call Brad by dialing:
850-364-4115
The Leader in Network Knowledge
Comprehensive Analysis
Wow, impressive stuff in this survey and a lot to digest at this point. One element that I found interesting was what you wrote near the end:
Since we are in the network equipment testing market this certainly rang a bell for me since the equipment they have now needs to either be tested immediately or in some cases ripped out...and this is said before you even get to the IPv6 security threats which are abundant.
Also, was a bit surprised at the low number in using DPI to detect attacks. Thought this would be a bit higher, perhaps too early at this point?
OK, back to digesting it all ;)
/kff
BreakingPoint Systems
www.breakingpointlabs.com
I find it amusing that a
I find it amusing that a company in the DDoS detection business is feeding off of a network vendor that has a reputation of deliberately selling products with design deficiencies. With Cisco equipment it's damn if you do and damn if you don't. Turn on filtering and your Cisco equipment will slow to a crawl or cease up but turning off filtering will allow your network to propagate DDoS traffic. The reason the worldwide internet is fragile and DDoS is a bigger issue than it is is due in large part to Cisco deficiencies. Cisco is the Microsoft of networking when it comes to instability, vulnerability and insecurity.