Skip Links

Network World

Brad Reese

Cisco technology partner: DDoS attack sizes may be on pace to approach 100 gigabits by this time next year

By Brad Reese on Tue, 11/18/08 - 1:45pm.

Arbor Networks - DDoS Attacks May Be On Pace To 100 Gigabits Per Second

Cisco Technology Developer Partner - Arbor Networks, a provider of flow-based and deep packet inspection (DPI) technologies to ISPs, released a survey of 66 ISPs last week that says from relatively humble megabit beginnings in 2000, the largest DDoS attacks have now grown a hundredfold to break the 40 gigabit barrier this year. The growth in attack size according to Arbor, continues to significantly outpace the corresponding increase in underlying transmission speed and ISP infrastructure investment.

Also according to the Arbor survey, trends suggest that DDoS attack sizes may be on pace to approach 100 gigabits by this time next year, or perhaps more sophisticated attack vectors will be employed and bits per second won’t be as significant.

Arbor's figure 1 below shows the yearly reported maximum attack size:

Largest Attack Size — 40 Gigabits Per Second

Arbor added that when asked to rank threats that they believe would pose the largest problems over the next 12 months, 66 self-classified Tier 1, Tier 2 and other IP network operators from North America, South America, Europe and Asia responded that bots and botnets took the top spot, followed closely by DNS cache poisoning and BGP route hijacking (figure 4 below).

Most Concerning Threats

Arbor continued that the growth of the largest botnets continues to outpace containment efforts and infrastructure investment.

Additionally, the Arbor survey said 57% of service provider respondents reported attacks larger than 1 gigabit in the past 12 months (see figure 5 below).

Largest Attacks Observed – Past 12 Months

6% of respondents reported attacks over 10 gigabits, with the largest attack reported this year being "just north of 40 gigabits," a 100-fold increase since 2001 according to Arbor.

When asked for details about the largest reported attack, respondents provided Arbor with the following direct quotes:

"This was, initially, criminal-on-criminal crime though obviously the greatest damage was inflicted on the infrastructure used by the criminals."
"The attack exceeded 40 gigabits in aggregate at one time."
"The attack used DNS amplification."
"The attack stopped only because the attacker was paid."
"The attacker remains at large and active."
"No bots were used in this attack. The attacker had a small number of compromised Linux boxes from which he’d launch the spoofed source DNS query. The DNS servers were all DNS servers open to recursion."

Respondents were asked what attack vector was employed for the largest attack they observed over the past 12 months (see figure 6 below).

Attack Vectors

As seen in the Arbor survey pie chart shown above, protocol exhaustion and flood-based attacks are the most predominant.

Respondents mentioned that they were seeing an increase in application-based attacks aimed expressly at triggering back-end transaction activity and resource state, and that these attacks, while not the largest, were certainly the most sophisticated and devastating attacks they had observed over the past year.

25% of the respondents indicated that they observed attacks that were more sophisticated in the manner in which they targeted network services, either as second-stage attacks or attacks aimed at impacting other systems by affecting adjacent network services (i.e., DNS, load balancers, VoIP systems, routers, etc).

Regarding the frequency of attacks, figure 7 below shows the number of attacks per month that impacted respondent customers as well as respondent network infrastructure respectively:

Customer- and Infrastructure-Impacting Attacks – Per Month

Furthermore, Arbor asked respondents what attack vectors were employed during attacks against their infrastructure and received the following direct quotes:

"Brute force attacks, floods targeting router interfaces and network elements."
"Know vulnerability probes."
"Heavy VoIP scans—on the increase recently."
"Application-based attacks targeting network services."
"Lots of SSH [secure shell] brute force login attempts to all network elements and management systems."
"Multi-mode attacks, from SYN [synchronized] and DNS, evolving to application-layer attacks targeting customer-facing systems and network elements."
"Lots of attacks towards customers, resulting in collateral damage to infrastructure."
"More scans targeting router OS vulnerabilities expressly."
"Often getting DDoS directly as a result of mitigating attacks for customers."

Regarding infrastructure and internal security incidents, respondents indicated the following primary threat vectors:

61% External Brute-Force Attacks
12% Known Vulnerability
3% Social Engineering
3% Misconfiguration
2% Insider Threat
20% Other

In the survey, Arbor observed that external brute-force attacks are high, while insider threats are quite low.

Respondents were asked to identify the tools and techniques they employ for attack detection and traceback, which figure 8 illustrates below:

Attack Detection Techniques

As can be seen for 2008 in the above chart, Arbor noted a considerable increase in flow-based tools that can help enable attack detection.

With regard to attack detection, respondents were asked to identify their mechanism for tracing attacks back to network ingress interfaces and upstream or downstream networks. According to the Arbor survey, 70% of respondents indicated that they use flow-based tools to trace attacks back to network ingress interfaces. Another 12% said they use SNMP-based tools, 3% reported using DPI or other tools, and 15% indicated they have no current solutions or tools to trace attacks back to network ingress.

In figure 9 below, respondents were asked the attack mitigation techniques that they used.

Primary Attack Mitigation Techniques

Some of the challenges cited by respondents in mitigating attacks included:

"Coordinating with upstreams to filter attack flows, inattentive NOC/SOC [network operations center/security operations center] at peers/upstream."
"Delays in internal escalation to capable staff, senior management authorization."
"Cooperation from internal operations teams for internal policy deployment."
"Internal manpower, resources."
"Manual generation, configuration and deployment of mitigation policies in network."
"Poor quality of data/tools in-house, identification and classification after detection."
"Sometimes difficulty in verifying that it is not a flash crowd or otherwise legitimate customer traffic."
"Ensuring no unintended outage is triggered by mitigation, ability to effectively mitigate without impacting production traffic, esp. with emerging application-layer attacks."
"Taking target offline may deflect attack to another target—dealing with mitigation impact scenarios."
"Budget for infrastructure to surgically mitigate attacks."
"Managing capacity of dedicated mitigation devices."
"Sometime[s] with or without managed services, customer permission to mitigate [an] attack is required before any action can be taken."

According to the Arbor survey, the 3 most often referenced obstacles to reducing attack mitigation time by respondents included:

1. Accurately identifying and separating attack flows from legitimate traffic.
2. Communication with upstreams, customers and internal staff.
3. Internal resources and manpower to mitigate attacks.

Arbor asked respondents what activities they have personally observed bots performing over the past year. SPAM took the lead, followed closely by DDoS attacks, see figure 17 below:

Observed Bots – Past 12 Months

Note: In the Arbor survey chart above, the "Other" category includes phishing, drop sites as well as an array of other nefarious activities.

When asked to identify the most effective tools to detect, measure and monitor botnets, the respondents were quoted as follows:

"End system IP address logging of suspicious hosts."
"Flow data analysis."
"We don’t monitor directly, we just filter the cr— — they spew."
"Rely on CSIRTs, security groups and data sharing."
"Honeypots and darknet monitoring."
"Snort with bleeding-edge rules."
"Collaboration."
"Internally developed magic."
"Monitor DNS queries and unauthorized traffic."
"It all depends, really on what the botnet is doing…If it’s a spam cannon type botnet (e.g., Srizbi), simple extrapolation of originating IP vs. the message run in question will give you a general estimate. HTTP and IRC-based DDoS can be guessed from measuring the impact of the DDoS and/or infiltrating the C&C server."

When Arbor asked if respondents believe that ISPs should be responsible for detecting and monitoring botnets. 61% said Yes, while 23% disagreed, and another 17% responded Yes, with some criteria.

Interestingly, when respondents were asked how successful they believe anti-botnet tools and techniques have been over the past year, 20% indicated such tools and techniques were sufficient, while 68% said insufficient.

When respondents were asked by Arbor what trends they have observed in network security over the past year, and how they spend their time on a daily (or nightly) basis as a result, responses were as follows:

"Very little has changed."
"Zero-sum game."
"More customer awareness on the needs to monitor their networks."
"Seeing more behavioral patterns in attacks (e.g., students always attacking on national holidays)."
"Less resource, more work, less board-level interest/understanding."
"More time on revenue-generating services/products."
"Attackers are getting smarter. Tools keep up, but users don’t."
"Web 2.0 attacks on the increase."
"Much more awareness regarding routing security."
"Large Web mail operators like Google don’t give a sh— — about spam originating from their networks because they know they are too large to be blacklisted. This causes significant pain."
"More attacks are unintentionally impacting other services (e.g., our VoIP)."
"New services are not prepared or developed to deal with Internet security threats."
"Attackers are smarter and more professional."
"More law enforcement as they appear to be getting more resources."
"Attackers are ‘definitely’ getting smarter, developing better techniques to hide exploits in Web sites, better rootkits to avoid AV detection, and better 2nd+ stage download techniques to avoid honeypot grabbing."
"Customers see ISP as ‘the Internet’ and blame for things outside their control. On one hand protect, on the other, don’t even think about looking at our packets or invading our privacy."

Respondents were also asked by Arbor if they have deployed deep packet inspection (DPI) equipment, and if so, for what purpose. 52% said No, they have not deployed such equipment. Of those answering Yes, 11% said it is for lawful intercept, 20% for service enforcement and protection, and 3% for both lawful intercept and service enforcement and protection. 15% responded with "Other," with no details provided.

Finally wrapping it all up, ISPs were unhappy with their vendors and the security community according to the Arbor survey. The surveyed ISPs also said that their vendor infrastructure equipment continues to lack key security features (like capacity for large ACL lists) and suffers from poor configuration management and a near complete absence of IPv6 security features.

Arbor Chief Security Officer - Danny McPherson, had this to say about the growth in DDoS attack size:

Danny McPherson"The growth in attack size continues to significantly outpace the corresponding increase in underlying transmission speed and infrastructure investment.

"And, while most ISPs now have the infrastructure to detect bandwidth flood attacks, we found that many still lack the ability to quickly mitigate these attacks; only a small percentage of the providers we surveyed said they have the capability to mitigate DDoS attacks in 10 minutes or less.

"What’s even more concerning is that even fewer providers have the infrastructure to defend against service-level attacks or this year’s reported peak of a 40 gigabit flooding attack. This is an area of weakness for operators that can be exploited quickly."

Related story:

Distributed DoS attacks surging in scale, ISPs report


What do you consider to be the key security features missing from vendor infrastructure equipment?

Brad Reese
http://www.BradReese.Com

Quotes on New Cisco Equipment

One year warranty on refurbished:

Cisco Aironet

Cisco Power Supplies

Cisco VoIP Gateways

One year warranty Refurbished Cisco

Brad's Favorite Top 5 Picks
# 1. 8 Gbit/sec switches are key to the standout Brocade 4th quarter
# 2. Analyst appears to pre-announce the imminent death of Nortel: Stock price target $0
# 3. CCIE water cooler gossip: Cisco denies Internetwork Expert statement about its 360 CCIE training program
# 4. Final blog post for Nortel chief technology officer John Roese
# 5. Will Cisco switching be trumped by advanced technologies as early as next year?
Brad Reese on Cisco Story Archives Brad Reese on Cisco Story Archives

Cisco Tools

Cisco vs. Competitor Lab Tests

One Year Warranty On All Cisco Repair

Cisco Technical Forums

  

Comprehensive Analysis

0

Wow, impressive stuff in this survey and a lot to digest at this point. One element that I found interesting was what you wrote near the end:

"The surveyed ISPs also said that their vendor infrastructure equipment continues to lack key security features (like capacity for large ACL lists) and suffers from poor configuration management and a near complete absence of IPv6 security features."

Since we are in the network equipment testing market this certainly rang a bell for me since the equipment they have now needs to either be tested immediately or in some cases ripped out...and this is said before you even get to the IPv6 security threats which are abundant.

Also, was a bit surprised at the low number in using DPI to detect attacks. Thought this would be a bit higher, perhaps too early at this point?

OK, back to digesting it all ;)

/kff

BreakingPoint Systems
www.breakingpointlabs.com

I find it amusing that a

0

I find it amusing that a company in the DDoS detection business is feeding off of a network vendor that has a reputation of deliberately selling products with design deficiencies. With Cisco equipment it's damn if you do and damn if you don't. Turn on filtering and your Cisco equipment will slow to a crawl or cease up but turning off filtering will allow your network to propagate DDoS traffic. The reason the worldwide internet is fragile and DDoS is a bigger issue than it is is due in large part to Cisco deficiencies. Cisco is the Microsoft of networking when it comes to instability, vulnerability and insecurity.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

Post new comment

The content of this field is kept private and will not be shown publicly.
  • You can use BBCode tags in the text.
  • Lines and paragraphs break automatically.
  • Allowed HTML tags: <p> <strong> <i> <br /> <br> <ul> <ol> <li> <dl> <dt> <dd> <blockquote>

More information about formatting options

CAPTCHA
This question is for testing whether you are a human visitor and to prevent automated spam submissions.
Welcome, visitor. Register Log in
About Brad Reese on Cisco

Brad Reese cofounded BradReese.Com Cisco Refurbished, which enables affordable networks globally by assuring customer satisfaction with guaranteed one year warranties on both Cisco Repair as well as Refurbished Cisco.

Don't be shy, contact Brad Reese online or call him Toll Free:

866-864-0506

International callers may wish to call Brad by dialing:

850-364-4115

Archives
November 2009
October 2009
September 2009
August 2009
July 2009
June 2009
May 2009
April 2009
March 2009
February 2009
January 2009
December 2008
November 2008
October 2008
September 2008
August 2008
July 2008
June 2008
May 2008
April 2008
March 2008
February 2008
January 2008
December 2007
November 2007
October 2007
September 2007
August 2007
July 2007
June 2007
May 2007
April 2007
March 2007
February 2007
January 2007
Categories
A classic scam to defraud Cisco's SMARTnet program
America's Best profile written by Useem regarding Chambers' success
Avian Securities Senior Telecom Research Analyst - Catharine Trebnick
Breakingviews.com correspondent - Robert Cyran
CCIE
Careers
Charlie Giancarlo - Managing Director of Silver Lake Partners and Skype investor
Cisco
Cisco ASR 9000 architecture
Cisco ISR G2 Module Support
Cisco Integrated Services Router Generation 2 (ISR G2) Model Comparison
Cisco Integrated Services Routers Generation 2 Portfolio
Cisco Unified Communications Support for Microsoft Windows 7
Cisco is pushing their ASR 9000 at very competitive prices
Cisco is warning Unified Communications customers about NOT successfully offering support for Microsoft Windows 7
Cisco technical star Jonathan Rosenberg
Cisco will have no liability for any delay in delivery
Data Center
Douglas Smith - Cofounder and President of Network Instruments
Expand visibility of NetFlow-dependent NBAD and compliance applications
GigaStor captures and converts packets in NetFlow data flows
Index Venture partner Danny Rimer
Jonathan Rosenberg - a Cisco Fellow in Cisco's Voice Technology Group
Juniper MX960 lab test results
LANs / WANs
Mark Roberts - Polycom vice president of partner marketing
Michael Useem - Professor of Management
Microsoft
NetFlow
NetFlow add-ons
NetFlow overhead can overtax infrastructure
Network Behavior Anomaly Detection (NBAD)
Network Management
Non-NetFlow capable devices are blind to local traffic
Produce NetFlow about any device
SMB
Security
Selection committee member for America's Best Leaders
September 2009 vs. October 2009 Worldwide CCIE Count Comparison
Silver Lake Managing Director - Egon Durban
Skype's cofounders Niklas Zennstrom and Janus Friis
Software
The Charlie angle is to keep Dave Roux on track
The new Cisco ISR G2 portfolio is priced as follows
VoIP / Convergence
What are the benefits of GigaStor NetFlow Agent?
What’s new on the Cisco ISR G2 models vs. the old ISR models?
Windows 7
Windows 7 just not worth an all-out urgent effort by Cisco to support
Wireless / Mobile
eBay CEO - John Donahoe
sFlow
sFlow and NetFlow provides extended visibility
On The Web
Twitter