
Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report


A presentation given at APRICOT 2015 during the Network Security session.



  1. Worldwide Infrastructure Security Report
     C F Chui, Arbor Networks
  2. Tenth Year of WISR… "The more things change, the more they stay the same."
     • Ten years of surveying the operational security community on threats, concerns, mitigation/detection strategies and technologies
     • Significant broadening in both survey scope and respondent mix over this time period
     • Some clear, ongoing trends and some new insights every year
     • Valuable repository of data on the evolution of threats and our means of combating them
  3. Infrastructure Survey Demographics
     • Survey conducted in October 2014
     • 287 total respondents across different market segments
     • 60% Internet Service Providers
  4. Key Findings
     DDoS in 2014: A Time of Reflection…
     • Continued growth in peak attack sizes
     • Huge number of VERY large attacks reported / monitored
     • Attack frequency jumps up again
     • More respondents see cloud services being hit
     • Intelligent DDoS Mitigation Solutions (IDMS) usage moves ahead of ACLs for the first time
     Corporate Network Security
     • ISP and Enterprise/Government/Education (EGE) data this year
     • Only half of respondents at least reasonably prepared for an incident
     • DDoS a top threat for both ISP and EGE respondents
     • Nearly half of EGE respondents saw DDoS attacks, with a significant proportion of attacks saturating connectivity
     • APT a top concern for EGE going forward
  5. Key Findings
     IPv6
     • Traffic growing strongly, but still not significant
     • Nearly three-quarters of service providers now have some customers utilizing IPv6 services
     Data Center
     • Big increase in those seeing revenue loss due to DDoS
     • Almost two thirds reported DDoS attacks, 38% see attacks exceed total Internet bandwidth
     • Big rises in use of IDMS and ACLs
     DNS
     • Worrying trend indicating a decrease in focus on DNS security
     • Lower number of respondents see customer visible outages
     Security Practices
     • Most respondents have dedicated resources, but hiring / retaining still an issue
     • Concerning reductions in anti-spoofing and DDoS incident rehearsal
     Mobile
     • LTE being pervasively deployed
     • Fewer respondents see customer visible outage due to a security incident
     • Attacks targeting infrastructure up, but down against Gi/SGi
  6. ATLAS Demographics
     • ATLAS provides invaluable data to Arbor customers and the broader operational security community
     • 330+ participating customers
       – 32% Europe
       – 24% North America
       – 17% Asia
       – 9% South America
       – 9% Global
     • Tracking a peak of over 120Tbps
  7. Substantial Growth in Largest Attacks
     • Largest reported attacks ranged from 400Gbps at the top end, through 300Gbps, 200Gbps and 170Gbps
     • Some saw multiple events above 100Gbps but only reported the largest
  8. APAC DDoS attacks summary
     • 2014 Q3/Q4 attacks summary:
     • BPS: 117.15Gbps / 31.26Mpps, NTP reflection (port 22), 15 mins.

       Period   Average attack size   % change   Peak attack size   % change
       Q3       588.74Mbps            +10.98%    98.89Gbps          -22.2%
       Q4       500.68Mbps            -15%       117.15Gbps         +18%

     [Charts: attack traffic size, APAC Q3 2014 and Q4 2014, by band: <500Mbps, 500Mbps-1Gbps, 1-2Gbps, 2-5Gbps, 5-10Gbps, 10-20Gbps, >20Gbps]
  9. 2014, A Time of Reflection… (part 1)
  10. 2014, A Time of Reflection… (part 2)
      • NTP significant throughout 2014
        – 93 attacks over 100Gbps, 5 over 200Gbps
      • DNS has historically been the 'leading' protocol used for reflection amplification
      • SSDP significant post Q3
        – 25K attacks per month in Q4
        – Largest at 131Gbps
      • Other protocols still a concern
  11. APAC – Reflection/Amplification attacks seen
      Protocols for Amplification
      • Given the huge storm of NTP reflection activity, there has been some focus on other protocols that can be used in this way.
      • Looking at attacks with source ports of services used for reflection.
      • DNS has been used by attackers for several years.
      • Significant growth in attacks with source port 1900 (SSDP)
        – 2.1% of total attacks in Q4 are SSDP
        – Max attack seen: 49Gbps

        Exploited protocol   % Q1   % Q2   % Q3   % Q4   Max attack size (Gbps)
        DNS (53)             0.7    2.4    3.6    1.3    97
        NTP (123)            3.5    1.1    1.1    3.5    127
        SSDP (1900)          <0.1   <0.1   0.7    2.1    49
        Chargen (19)         0.3    0.5    1.0    1.0    25
        SNMP (161)           <0.1   <0.1   <0.1   <0.1   4.8

  12. ATLAS – Unprecedented Flood of Attacks
      • Peak monitored attack at 325Gbps, up 32% on last year
        – Attacks larger than the 2013 peak in January, February, August and December 2014
      • ATLAS also monitored more than 4x the number of attacks over 100Gbps in 2014, as compared to 2013
  13. Large DDoS attacks seen in 2014 APAC
      [Chart: APAC peak attack growth trend in Gbps, peak monthly Gbps of attacks Jan to Dec 2014; quarterly peaks marked at 235.6 (Q1), 127.16 (Q2), 98.89 (Q3) and 117.15 (Q4) Gbps]
      • 235Gbps / 63Mpps to India, NTP reflection attack targeting port 80, 21 min 23 sec
      • 127Gbps / 34Mpps to Malaysia, NTP reflection attack targeting port 52606, 29 min
      • 99Gbps / 26Mpps to India, NTP reflection attack targeting port 80, 31 min
      • 117Gbps / 31Mpps to India, NTP reflection attack targeting port 22, 15 min 37 sec
  14. Large DDoS attacks analysis – 2014 APAC
      Large Attacks Analysis
      • 28 events over 50Gb/sec in Q4, giving 132 for the year 2014.
      • Q4 saw the number of larger events trend down from Q3.
        – 0.13% above 10Gbps, compared to 0.22% in Q3
      • NTP reflection attacks trending down over the quarter (in terms of large attacks):
        – 3.51% of events overall (1.14% in Q3)
        – 2.11% of events (NTP reflection attacks) over 10Gbps (5.34% in Q3)
      [Chart: number of events of attack size >10Gbps per month, Jan to Dec 2014]
  15. DDoS: Who is being hit?
      • End users and e-commerce are top two targets, as last year
      • Finance moves down to fifth, behind government and gaming
      • Customers of respondents most common targets of attacks
      • Percentage of attacks targeting infrastructure continues to rise
  16. DDoS: Attack Types
      • HTTP and DNS are top targets of application-layer attacks
      • Drop in proportion of respondents seeing attacks targeting HTTPS
      • Two-thirds of attacks are volumetric, up slightly
        – No surprise given reflection storm
      • 90% of respondents report seeing application-layer attacks
        – 4% fall in proportion of application-layer attacks
  17. ATLAS attack types stats Q4 2014 APAC
      Dest Port Break-Out (Q4)
      • Port 80 (HTTP) stays at number 1, with 17% of events
        – Roughly the same as Q3 (17%)
      • Fragment stays at number 2 with 7%
        – Slight decrease from 10% in Q3
      • Attacks targeting port 53 (DNS) in top 3 for the past 6 months
        – 8% Q3, 4% Q4
      [Charts: attack destination ports, APAC Q3 2014 (80, NIF, 53, 32768-65535, ICMP, 0-32767, 7000, others) and APAC Q4 2014 (80, fragment, 53, 7000, ICMP, 443, 32768-65535, others)]
  18. DDoS: Why? And, How Often?
      • Significant increase in proportion of respondents seeing more than 21 attacks per month
        – Up to 38% from 25% last year
      • Top 3 motivations stay the same, but order changes
        – Ideological hacktivism knocked off top spot!
      • Continued increase in extortion, market manipulation or disguise as motivations
  19. DDoS: A Top Priority for ISP Customers
      • 70% of service providers see increased demand for DDoS detection and mitigation services from their customers
      • Cloud / Hosting providers top vertical interested in DDoS services
        – Not surprising given big jump in proportion of respondents seeing attacks targeting cloud (29%, up from 19%)
      • Finance, Government and e-commerce also top list
  20. ISP Threat Detection and Mitigation
      • NetFlow analyzers are the most effective and most commonly deployed detection mechanism
      • Firewall logs, the 2nd most commonly deployed detection mechanism, rank 6th in terms of effectiveness
      • IDMS moves ahead of ACLs as most common mitigation mechanism
      • Firewalls fall back again
      • Proportion of respondents able to mitigate in < 20 mins up to 60%
  21. Data Center DDoS, Attacks & Impact
      • Almost two thirds reported DDoS attacks, down from last year
      • Most common attack target is now customer, rather than service infrastructure
      • 38% see attacks exceed total Internet bandwidth, same as last year
      • As last year, 81% see increased operational expenses as top issue
      • Big increase in proportion seeing revenue loss, from 27% to 44%
  22. Protecting the Data Center
      • Firewalls, application firewalls and IPS are still top three deployed security technologies
      • Big rises in use of IDMS, 6% to 48%, and ACLs, 13% to 30%
      • 49% see firewalls fail due to DDoS
      • 37% offer DDoS protection services to their customers, either as standard or as an option. 21% offer multiple tiers of service
  23. DNS, Still not a Security Focus
      • Proportion of respondents with NO security group with formal responsibility for DNS continues to rise, now 33%
      • Only 17% of respondents saw a customer visible outage due to DDoS, down from 36% last year
        – Maybe due to attacker focus on other protocols
      • Layer 7 visibility improved to 41%, from 37% last year and 27% in 2012
  24. Best Current Practices
      • 94% of respondents have dedicated security resources
      • The challenges facing organizations in building out teams remain the same: hiring / retaining skilled personnel is a key issue
      • The proportion of respondents implementing anti-spoofing has fallen
        – This is a big concern given reflection amplification attacks
      • The proportion of respondents who practice DDoS defense continues to fall
  25. MNOs: LTE Becoming Pervasive
      • 68% of respondents who operate mobile networks have over 1 million subscribers
        – 22% have more than 25M
      • LTE deployments becoming pervasive
      • 80% of MNOs do NOT support IPv6 in either subscriber devices or mobile infrastructure
  26. Mobile Security
      • 36% experienced poorly implemented mobile applications impacting service
      • 17% of respondents indicated that they have suffered a customer-visible outage due to a security incident
      • Three quarters of respondents cannot detect a compromised subscriber on their networks
      • iACLs and NAT/PAT are still the most common defensive measures used by MNOs, but there have also been big increases in the use of other technologies
  27. DDoS in the MNO
      • 36% of respondents see attacks against their mobile users, RAN, back-haul or packet core, up from 25% last year
      • Only 7% see attacks on the Internet (Gi) infrastructure, down from 24% last year
        – 57% still don't know due to lack of visibility
        – External firewalls top attack target
  28. Conclusions
      • Arbor has been conducting the WISR now for 10 years, and there have been some big changes
        – Networks, and the way in which we use them, have changed
        – Massive increase in respondents
        – More diverse respondent mix
        – Broader range of question topics
      • The WISR represents a hugely valuable repository of the observations, experiences and concerns of the OpSec community
        – Identifies ongoing trends
        – Unexpected shifts in behavior
      • Goals remain the same
        – Educate the broader community
        – Share solutions to common issues
  29. Thank You
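A defender-side flow triage routine that ties together slides 8, 11 and 20, added here as an example and not Arbor's or ATLAS's code: it counts only UDP flows whose source port belongs to one of the reflection services in the slide-11 table, sizes the traffic per destination in Gbps and Mpps the way a NetFlow analyzer would, and labels each destination with the slide-8 size band. The flow records, the 60-second export window and the 0.5 Gbps alert threshold are constructed assumptions.

```python
"""Flow-based triage of reflection/amplification DDoS after WISR slides 8, 11
and 20. Added example on constructed flow records, not Arbor's or ATLAS's code."""
from collections import defaultdict

# UDP source ports of the services abused for reflection (slide 11 table).
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "Chargen", 161: "SNMP"}
# Attack-size bands from slide 8: (exclusive upper bound in Gbps, label).
SIZE_BANDS = [(0.5, "<500Mbps"), (1, "500Mbps-1Gbps"), (2, "1-2Gbps"), (5, "2-5Gbps"),
              (10, "5-10Gbps"), (20, "10-20Gbps"), (float("inf"), ">20Gbps")]
# Constructed NetFlow-style records (l4 proto, src port, dst ip, bytes, packets),
# all exported from one assumed 60-second window.
SAMPLE_FLOWS = [
    ("udp", 123, "198.51.100.7", 45_000_000_000, 90_000_000),  # NTP responses
    ("udp", 1900, "198.51.100.7", 6_000_000_000, 20_000_000),  # SSDP responses
    ("udp", 53, "203.0.113.9", 3_000_000_000, 2_500_000),      # DNS responses
    ("udp", 123, "203.0.113.9", 2_000_000_000, 4_000_000),
    ("tcp", 80, "203.0.113.9", 8_000_000_000, 10_000_000),     # TCP: not reflection, ignored
    ("udp", 53, "192.0.2.20", 300_000_000, 250_000),           # small, stays below threshold
]

def size_band(gbps):
    """Map a rate in Gbps to the slide-8 band it falls in."""
    for upper, label in SIZE_BANDS:
        if gbps < upper:
            return label

def summarize(flows, window_s=60):
    """Per destination: total Gbps and Mpps of reflection traffic plus Gbps per
    protocol. Only UDP flows sourced from a reflection service port are counted."""
    acc = defaultdict(lambda: [0, 0, defaultdict(int)])   # bytes, packets, bytes by proto
    for proto, sport, dst, nbytes, npkts in flows:
        name = REFLECTION_PORTS.get(sport)
        if proto == "udp" and name:
            acc[dst][0] += nbytes
            acc[dst][1] += npkts
            acc[dst][2][name] += nbytes
    to_gbps = lambda b: b * 8 / window_s / 1e9            # integer sums converted once
    return {dst: {"gbps": to_gbps(b), "mpps": p / window_s / 1e6,
                  "by_proto": {n: to_gbps(nb) for n, nb in bp.items()}}
            for dst, (b, p, bp) in acc.items()}

def reflection_alerts(flows, min_gbps=0.5, window_s=60):
    """Destinations at or above min_gbps (an assumed threshold), largest first:
    (dst, gbps, slide-8 size band, dominant reflection protocol)."""
    out = []
    for dst, s in summarize(flows, window_s).items():
        if s["gbps"] >= min_gbps:
            dominant = max(s["by_proto"], key=s["by_proto"].get)
            out.append((dst, round(s["gbps"], 3), size_band(s["gbps"]), dominant))
    return sorted(out, key=lambda a: a[1], reverse=True)
```

Calling `reflection_alerts(SAMPLE_FLOWS)` on the constructed window reports one NTP-dominated 6.8 Gbps event in the 5-10Gbps band and one DNS-dominated event just under 0.7 Gbps; the TCP flow and the small DNS flow never surface.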
