Cisco technology partner: DDoS attack sizes may be on pace to approach 100 gigabits by this time next year

Arbor Networks - DDoS Attacks May Be On Pace To 100 Gigabits Per Second
Cisco Technology Developer Partner - Arbor Networks, a provider of flow-based and deep packet inspection (DPI) technologies to ISPs, released a survey of 66 ISPs last week that says from relatively humble megabit beginnings in 2000, the largest DDoS attacks have now grown a hundredfold to break the 40 gigabit barrier this year. The growth in attack size according to Arbor, continues to significantly outpace the corresponding increase in underlying transmission speed and ISP infrastructure investment. Also according to the Arbor survey, trends suggest that DDoS attack sizes may be on pace to approach 100 gigabits by this time next year, or perhaps more sophisticated attack vectors will be employed and bits per second won’t be as significant.

Arbor's figure 1 below shows the yearly reported maximum attack size:

Largest Attack Size — 40 Gigabits Per Second
Arbor added that when asked to rank threats that they believe would pose the largest problems over the next 12 months, 66 self-classified Tier 1, Tier 2 and other IP network operators from North America, South America, Europe and Asia responded that bots and botnets took the top spot, followed closely by DNS cache poisoning and BGP route hijacking (figure 4 below).
Most Concerning Threats
Arbor continued that the growth of the largest botnets continues to outpace containment efforts and infrastructure investment. Additionally, the Arbor survey said 57% of service provider respondents reported attacks larger than 1 gigabit in the past 12 months (see figure 5 below).
Largest Attacks Observed – Past 12 Months
6% of respondents reported attacks over 10 gigabits, with the largest attack reported this year being "just north of 40 gigabits," a 100-fold increase since 2001 according to Arbor. When asked for details about the largest reported attack, respondents provided Arbor with the following direct quotes:

"This was, initially, criminal-on-criminal crime though obviously the greatest damage was inflicted on the infrastructure used by the criminals."
"The attack exceeded 40 gigabits in aggregate at one time."
"The attack used DNS amplification."
"The attack stopped only because the attacker was paid."
"The attacker remains at large and active."
"No bots were used in this attack. The attacker had a small number of compromised Linux boxes from which he’d launch the spoofed source DNS query. The DNS servers were all DNS servers open to recursion."

Respondents were asked what attack vector was employed for the largest attack they observed over the past 12 months (see figure 6 below).

Attack Vectors
As seen in the Arbor survey pie chart shown above, protocol exhaustion and flood-based attacks are the most predominant. Respondents mentioned that they were seeing an increase in application-based attacks aimed expressly at triggering back-end transaction activity and resource state, and that these attacks, while not the largest, were certainly the most sophisticated and devastating attacks they had observed over the past year. 25% of the respondents indicated that they observed attacks that were more sophisticated in the manner in which they targeted network services, either as second-stage attacks or attacks aimed at impacting other systems by affecting adjacent network services (i.e., DNS, load balancers, VoIP systems, routers, etc). Regarding the frequency of attacks, figure 7 below shows the number of attacks per month that impacted respondent customers as well as respondent network infrastructure respectively:
Customer- and Infrastructure-Impacting Attacks – Per Month
Furthermore, Arbor asked respondents what attack vectors were employed during attacks against their infrastructure and received the following direct quotes:

"Brute force attacks, floods targeting router interfaces and network elements."
"Know vulnerability probes."
"Heavy VoIP scans—on the increase recently."
"Application-based attacks targeting network services."
"Lots of SSH [secure shell] brute force login attempts to all network elements and management systems."
"Multi-mode attacks, from SYN [synchronized] and DNS, evolving to application-layer attacks targeting customer-facing systems and network elements."
"Lots of attacks towards customers, resulting in collateral damage to infrastructure."
"More scans targeting router OS vulnerabilities expressly."
"Often getting DDoS directly as a result of mitigating attacks for customers."

Regarding infrastructure and internal security incidents, respondents indicated the following primary threat vectors:

61% External Brute-Force Attacks
12% Known Vulnerability
3% Social Engineering
3% Misconfiguration
2% Insider Threat
20% Other

In the survey, Arbor observed that external brute-force attacks are high, while insider threats are quite low. Respondents were asked to identify the tools and techniques they employ for attack detection and traceback, which figure 8 illustrates below:

Attack Detection Techniques
As can be seen for 2008 in the above chart, Arbor noted a considerable increase in flow-based tools that can help enable attack detection. With regard to attack detection, respondents were asked to identify their mechanism for tracing attacks back to network ingress interfaces and upstream or downstream networks. According to the Arbor survey, 70% of respondents indicated that they use flow-based tools to trace attacks back to network ingress interfaces. Another 12% said they use SNMP-based tools, 3% reported using DPI or other tools, and 15% indicated they have no current solutions or tools to trace attacks back to network ingress. In figure 9 below, respondents were asked the attack mitigation techniques that they used.
Primary Attack Mitigation Techniques
Some of the challenges cited by respondents in mitigating attacks included:

"Coordinating with upstreams to filter attack flows, inattentive NOC/SOC [network operations center/security operations center] at peers/upstream."
"Delays in internal escalation to capable staff, senior management authorization."
"Cooperation from internal operations teams for internal policy deployment."
"Internal manpower, resources."
"Manual generation, configuration and deployment of mitigation policies in network."
"Poor quality of data/tools in-house, identification and classification after detection."
"Sometimes difficulty in verifying that it is not a flash crowd or otherwise legitimate customer traffic."
"Ensuring no unintended outage is triggered by mitigation, ability to effectively mitigate without impacting production traffic, esp. with emerging application-layer attacks."
"Taking target offline may deflect attack to another target—dealing with mitigation impact scenarios."
"Budget for infrastructure to surgically mitigate attacks."
"Managing capacity of dedicated mitigation devices."
"Sometime[s] with or without managed services, customer permission to mitigate [an] attack is required before any action can be taken."

According to the Arbor survey, the 3 most often referenced obstacles to reducing attack mitigation time by respondents included:

1. Accurately identifying and separating attack flows from legitimate traffic.
2. Communication with upstreams, customers and internal staff.
3. Internal resources and manpower to mitigate attacks.

Arbor asked respondents what activities they have personally observed bots performing over the past year. SPAM took the lead, followed closely by DDoS attacks, see figure 17 below:

Observed Bots – Past 12 Months
Note: In the Arbor survey chart above, the "Other" category includes phishing, drop sites as well as an array of other nefarious activities. When asked to identify the most effective tools to detect, measure and monitor botnets, the respondents were quoted as follows:

"End system IP address logging of suspicious hosts."
"Flow data analysis."
"We don’t monitor directly, we just filter the cr— — they spew."
"Rely on CSIRTs, security groups and data sharing."
"Honeypots and darknet monitoring."
"Snort with bleeding-edge rules."
"Internally developed magic."
"Monitor DNS queries and unauthorized traffic."
"It all depends, really on what the botnet is doing…If it’s a spam cannon type botnet (e.g., Srizbi), simple extrapolation of originating IP vs. the message run in question will give you a general estimate. HTTP and IRC-based DDoS can be guessed from measuring the impact of the DDoS and/or infiltrating the C&C server."

When Arbor asked if respondents believe that ISPs should be responsible for detecting and monitoring botnets. 61% said Yes, while 23% disagreed, and another 17% responded Yes, with some criteria. Interestingly, when respondents were asked how successful they believe anti-botnet tools and techniques have been over the past year, 20% indicated such tools and techniques were sufficient, while 68% said insufficient. When respondents were asked by Arbor what trends they have observed in network security over the past year, and how they spend their time on a daily (or nightly) basis as a result, responses were as follows:

"Very little has changed."
"Zero-sum game."
"More customer awareness on the needs to monitor their networks."
"Seeing more behavioral patterns in attacks (e.g., students always attacking on national holidays)."
"Less resource, more work, less board-level interest/understanding."
"More time on revenue-generating services/products."
"Attackers are getting smarter. Tools keep up, but users don’t."
"Web 2.0 attacks on the increase."
"Much more awareness regarding routing security."
"Large Web mail operators like Google don’t give a sh— — about spam originating from their networks because they know they are too large to be blacklisted. This causes significant pain."
"More attacks are unintentionally impacting other services (e.g., our VoIP)."
"New services are not prepared or developed to deal with Internet security threats."
"Attackers are smarter and more professional."
"More law enforcement as they appear to be getting more resources."
"Attackers are ‘definitely’ getting smarter, developing better techniques to hide exploits in Web sites, better rootkits to avoid AV detection, and better 2nd+ stage download techniques to avoid honeypot grabbing."
"Customers see ISP as ‘the Internet’ and blame for things outside their control. On one hand protect, on the other, don’t even think about looking at our packets or invading our privacy."

Respondents were also asked by Arbor if they have deployed deep packet inspection (DPI) equipment, and if so, for what purpose. 52% said No, they have not deployed such equipment. Of those answering Yes, 11% said it is for lawful intercept, 20% for service enforcement and protection, and 3% for both lawful intercept and service enforcement and protection. 15% responded with "Other," with no details provided. Finally wrapping it all up, ISPs were unhappy with their vendors and the security community according to the Arbor survey. The surveyed ISPs also said that their vendor infrastructure equipment continues to lack key security features (like capacity for large ACL lists) and suffers from poor configuration management and a near complete absence of IPv6 security features. Arbor Chief Security Officer - Danny McPherson, had this to say about the growth in DDoS attack size:

Danny McPherson
"The growth in attack size continues to significantly outpace the corresponding increase in underlying transmission speed and infrastructure investment. "And, while most ISPs now have the infrastructure to detect bandwidth flood attacks, we found that many still lack the ability to quickly mitigate these attacks; only a small percentage of the providers we surveyed said they have the capability to mitigate DDoS attacks in 10 minutes or less.

"What’s even more concerning is that even fewer providers have the infrastructure to defend against service-level attacks or this year’s reported peak of a 40 gigabit flooding attack. This is an area of weakness for operators that can be exploited quickly." Related story: Distributed DoS attacks surging in scale, ISPs report

What do you consider to be the key security features missing from vendor infrastructure equipment?

Brad Reese
http://www.BradReese.Com Quotes on New Cisco Equipment One year warranty on refurbished: Cisco Aironet Cisco Power Supplies Cisco VoIP Gateways One year warranty Refurbished Cisco

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.