The document is the seventh edition of Arbor Networks' Worldwide Infrastructure Security Report, analyzing survey responses from 114 network operators regarding infrastructure security threats over the 12 months from October 2010 through September 2011. Some key findings include:
- DDoS attacks toward end customers were the most-cited operational threat (over 71 percent of respondents). HTTP, DNS and SMTP were the most frequently targeted applications, and HTTP GET and POST floods were the most common application-layer attack vectors.
- The largest reported DDoS attack was 60 Gbps (a DNS reflection/amplification attack), down from 100 Gbps the previous year, while flood attacks in the 10 Gbps range became routine.
- Ideology ("hacktivism") and vandalism were the most commonly identified attack motivations, followed by online gaming. Multi-vector attacks became more common and IPv6 DDoS attacks were reported for the first time.
- Most respondents experienced multiple DDoS attacks per month and observed higher DDoS awareness among end customers, most often because those customers had themselves been attacked.
- Commercial flow-telemetry (NetFlow) analyzers, in-house developed tools and SNMP-based tools were the common means of detecting, classifying and tracing attacks.
About Arbor Networks
Arbor Networks, Inc. is a leading provider of network security and management
solutions for next-generation data centers and carrier networks. Arbor’s proven
solutions help grow and protect our customers’ networks, businesses and brands.
Arbor’s unparalleled, privileged relationships with worldwide service providers
and global network operators provide unequalled insight into and perspective
on Internet security and traffic trends via the ATLAS®—a unique collaborative effort
with 100+ network operators across the globe sharing real-time security, traffic
and routing information that informs numerous business decisions. For technical
insight into the latest security threats and Internet traffic trends, please visit our
Web site at www.arbornetworks.com and our blog at asert.arbornetworks.com.
Arbor Special Report: Worldwide Infrastructure Security Report
Overview
Arbor Networks, in cooperation with the broader operational security
community, has completed the seventh edition of an ongoing series of
annual security surveys. This survey, covering roughly a 12-month period
from October 2010 through September 2011, is designed to provide
industry-wide data to network operators.
This data is intended to enable more informed decisions about the use of network security technology to protect
mission-critical Internet and other IP-based infrastructure. The survey output serves as a general resource for the
Internet operations and engineering community, recording information on the employment of various infrastructure
security techniques and other trends. It also provides the direct observations, insights and anecdotal experiences
of respondents that may be of value to others.
Operational network security issues—the day-to-day aspects of security in commercial networks—are the primary focus
of survey respondents. As such, the results provided in this survey are intended to more accurately represent real-world
concerns rather than the theoretical and emerging attack vectors addressed and speculated about elsewhere.
Key Findings
Ideologically-Motivated ‘Hacktivism’ and Vandalism Are the Most Readily-Identified DDoS Attack Motivations
A new and extremely important finding in the 2011 Worldwide Infrastructure Security Report points to the ‘why’
behind DDoS attacks. Ideology was the most common motivating factor for DDoS attacks in 2011, followed by
a desire to vandalize. When this is coupled with the fact that anyone can be attacked, and anyone can initiate an
attack, it is clear that a sea change in the risk assessment model for network operators and end customers is required.
Today, increased situational awareness has become a necessity for all Internet-connected organizations.
• 35% reported political or ideological attack motivation
• 31% reported nihilism or vandalism as attack motivation
10 Gbps and Larger Flood-Based DDoS Attacks Are the ‘New Normal’
During the survey period, respondents reported a significant increase in the prevalence of flood-based DDoS
attacks in the 10 Gbps range. This represents the “mainstreaming” of large flood-based DDoS attacks, and indicates
that network operators must be prepared to withstand and mitigate large flood attacks on a routine basis.
The largest reported DDoS attack during the survey period was 60 Gbps, in contrast with the 100 Gbps attack
reported in the previous report. Attacks of this magnitude continue to constitute an extremely serious threat to
network infrastructure and ancillary support services such as DNS, not to mention end-customer properties.
Increased Sophistication and Complexity of Application-Layer (Layer 7) DDoS Attacks and Multi-Vector DDoS Attacks Are Becoming More Common
Application-layer (Layer 7) DDoS attacks continue to grow in both prevalence and sophistication. Respondents
indicated that sophisticated application-layer DDoS attack methodologies have become commonplace, and that
complex multi-vector DDoS attacks with both flood-based and application-layer attack components are rapidly
gaining in popularity with attackers.
Visibility and Security of Mobile and Fixed Wireless Networks Are an Ongoing Concern
A significant minority of mobile and fixed wireless operators report continuing difficulty detecting security
threats on their networks. The majority of respondents indicated that their network visibility was much stronger
than it was in 2010; however, their general inability to detect infected hosts, together with the widespread reports
of attacks, points to significant blind spots still present in their capabilities.
First-Ever Reports of IPv6 DDoS Attacks ‘in the Wild’ on Production Networks
For the first time, respondents to this year’s survey indicated that they had observed IPv6 DDoS attacks on their
networks. This marks a significant milestone in the arms race between attackers and defenders, and confirms that
network operators must have sufficient visibility and mitigation capabilities to protect IPv6-enabled properties.
Rarity of IPv6-Enabled Attacks Indicates Low IPv6 Market Penetration and Lack of Critical Mass
Even though IPv6 DDoS attacks are now being reported, IPv6 security incidents are relatively rare. This is a clear
indication that while IPv6 deployment continues to advance, IPv6 is not yet economically or operationally significant
enough to warrant serious attention by the Internet criminal underground. It also indicates that much of the
IPv6 network traffic may be unmonitored, masking the real threats on IPv6 networks.
Stateful Firewalls, IPS and Load-Balancer Devices Continue to Fall Short on DDoS Protection Capabilities
Respondents continue to report that stateful firewalls and IPS devices are failing under DDoS attacks due to
state-table exhaustion, and report similar findings with regard to load-balancer devices. Network operators must
have the capability to defend these stateful devices against DDoS attacks if they are deployed in front of Internet
facing services.
The Overwhelming Majority of Network Operators Do Not Engage Law Enforcement for Security Incident Response and Follow Up
The perennial disengagement of most network operators from law enforcement continues, with network
operators continuing to lack confidence in law enforcement’s capabilities and willingness to investigate online
attack activity. Respondents also continue to evince strong dissatisfaction with current governmental efforts to
protect critical infrastructure.
Demographics of Survey Respondents
Survey participants included 114 self-classified Tier 1, Tier 2 and other IP
network operators (Figure 1) from the U.S. and Canada, Latin/South America,
EMEA, Africa and Asia (Figure 2).
This year’s respondent pool shows roughly the same demographic distribution of service provider categories
as last year’s report.
Figure 1: Organizational Type (bar chart, percent of survey respondents, 0-40%). Categories: Tier 2/3 Provider or Regional ISP; Tier 1 Service Provider; Hosting/Data Center/Colo Services; Educational/Research; Mobile/Fixed Wireless; DNS Registrar/DNS Service Provider; Wireline Broadband; Enterprise/ASP; CDN/Content Delivery; Cloud Service Provider; Government; Managed Service Provider; Other. Source: Arbor Networks, Inc.
While the number of respondents increased slightly from the 2010 survey, geographical diversity (Figure 2)
and operational focus diversity (Figure 3) remained relatively the same year over year.
Figure 2: Geographic Distribution of Organizational Headquarters (pie chart). Regions: Asia Pacific/Oceania; Latin America (including Central and South America); Middle East and Africa; US and Canada; Western, Central and Eastern Europe. Slice values: 34%, 28%, 19%, 11%, 7%, 1%. Source: Arbor Networks, Inc.
Figure 3: Geographic Coverage of Network (bar chart, percent of survey respondents, 0-60%). Regions: Asia Pacific/Oceania; Latin America (including Central and South America); Middle East and Africa; US and Canada; Western, Central and Eastern Europe. Source: Arbor Networks, Inc.
All survey participants are directly involved in network security operations at their respective organizations
(Figure 4) and/or make direct contributions to the global operational security community. Once again, the diversity
of geographical presence and operational focus has an impact on various results and observable trends over the
seven-year survey lifetime—something we attempt to highlight accordingly where considered pertinent.
Figure 4: Role of Respondent (bar chart, percent of survey respondents, 0-50%). Roles: Network Engineer; Security Engineer; Manager/Director; Operations Engineer; Vice President; Officer; Other. Source: Arbor Networks, Inc.
A strong plurality of respondents self-identified their specific job role as that of network engineer, while security
engineers and managers were represented in second and third places, respectively. In addition to the titles listed
in Figure 4, other job categories included security architects, security analysts, security researchers and managed
security services product managers.
Figure 5 illustrates that nearly 32 percent of respondents offer mobile/fixed wireless broadband access and more
than 42 percent offer managed security services. In addition to the specific services described in Figure 5, some
respondents also offer video-on-demand (VOD) services, e-government-focused services, IPv6 tunnel-broker
services and Extensible Provisioning Protocol (EPP) registry services.
Figure 5: Services Offered (bar chart, percent of survey respondents, 0-70%). Services: Hosting/Colocation; Direct Internet Access to Business; DNS Services; Consumer ISP; Cloud Services; Managed Security Services; CDN/Content Services; Mobile Services; Satellite Services; No Internet Services Offered; Other. Source: Arbor Networks, Inc.
Survey Methodology
The survey consisted of 132 free-form and multiple-choice questions,
representing the array of issues facing network operators today. Questions
addressed such topics as threats against backbone infrastructure and individual
customers; techniques employed to protect network infrastructure itself; and
mechanisms used to manage, detect and respond to security incidents.
The survey also included questions specific to data center operators, IPv6 security evolution, managed services,
VoIP, DNS, as well as mobile and fixed wireless operators. All data is presented in an aggregated and anonymous
manner and provided with the permission of the respondents. Standard mathematical methods to weight responses
have been applied where incomplete answers were provided for a given question. Several refinements occurred in
this edition of the survey, primarily based on respondent feedback. Some questions were deleted, some added and
many simply honed in an attempt to capture the most pertinent data sets.[1]
[1] As in previous reports, several survey questions included multiple selections.
Several questions were added based upon suggestions by respondents to a previous survey, or as a result
of direct feedback from one of the many network security and operations forums from which survey review was
expressly solicited.
Arbor Networks intends to continue conducting this survey annually and sharing the results with the global Internet
security and operations communities. Our goals are:
1. To continually refine the questionnaire in order to provide more timely, detailed and relevant information
in future editions.
2. To increase the scope of the survey respondent pool to provide greater representation of the global
Internet network operations community.
Most Significant Operational Threats
More than 71 percent of respondents indicated that DDoS attacks toward
end customers were a significant operational threat encountered during this
12-month survey period (Figure 6).
Figure 6: Most Significant Operational Threats (bar chart, percent of survey respondents, 0-80%). Threats: DDoS attacks towards your customers; Infrastructure outages due to failure/misconfiguration; Botted/compromised hosts on your network; Infrastructure outages due to DDoS; DDoS attacks towards your infrastructure; DDoS attacks towards your services; New vulnerabilities; Zero-day exploits; Under-capacity for bandwidth; Hacktivism; Other. Source: Arbor Networks, Inc.
Over 62 percent also identified misconfigurations and/or equipment failures as contributing to outages during
the survey period. Botnets and their unwanted effects (including DDoS attacks) were rated highly, as were DDoS
attacks targeted at operators’ network infrastructure and ancillary support services, such as DNS, Web portals
and email servers. Spam and VoIP-related attacks were included in the “Other” category.
With regards to application-layer attacks (Figure 7), respondents listed HTTP, DNS and SMTP as the most-frequently
targeted applications, with HTTP/S and SIP/VoIP coming in at fourth and fifth place, respectively. The percentage of
HTTP and IRC increased slightly year over year since 2010. DNS, SNMP, HTTP/S and SIP/VoIP decreased slightly
over the same period. Targeted applications in the “Other” category include SSH, online gaming, FTP, Telnet, RDP,
SQL databases, IRC, PHP and TCP port 123.
Figure 7: Application-Layer DDoS Attacks (bar chart, percent of survey respondents, 0-90%). Targeted applications: HTTP; DNS; SMTP; HTTP/S; SIP/VoIP; IRC; Other. Source: Arbor Networks, Inc.
Figure 8 shows that while HTTP GET and HTTP POST were the most common application-layer DDoS attack
vectors, more sophisticated mechanisms such as Slowloris, LOIC, Apache Killer, SIP call-control floods, SlowPost
and HOIC are increasingly prevalent.
Figure 8: Application-Layer DDoS Attack Methodologies (bar chart, percent of survey respondents, 0-80%). Methodologies: HTTP GET flood; HTTP POST flood; Slowloris; LOIC or variants; Apache Killer; SIP call-control flood; SlowPost; HOIC or variants; nkiller2 (TCP Persist); Recoil. Source: Arbor Networks, Inc.
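The GET and POST floods at the top of Figure 8 are the vectors most readily visible in a web server's own access logs: a flood tool replays one or a handful of URLs at a rate no browser sustains, whereas a human, or even a crawler, touches many distinct paths. The following is an added example and not code from this report or from Arbor; it parses constructed Apache/nginx combined-format log lines and flags sources by peak request rate and path diversity. The thresholds (5 requests per second over a 10-second window, at most 3 distinct paths), the sample addresses and the sample traffic mix are assumptions.

```python
"""Rate-based detection of HTTP GET/POST flood sources in web server access logs.

Added example (not code from the Arbor report). Log lines are constructed in
sample_log(); the thresholds are illustrative and would be tuned per site.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format:
# ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT).timestamp(),
        "method": m.group("method"),
        "path": m.group("path"),
    }


def flood_sources(lines, window_s=10, max_rps=5.0, max_paths=3):
    """Flag sources that exceed max_rps requests/second in any window_s-second
    sliding window while hitting at most max_paths distinct paths.

    A GET/POST flood tool replays one or a few URLs at high rate; a human or a
    crawler touches many paths, so the path-diversity check keeps fast but
    legitimate clients out of the result.
    Returns {ip: (peak_requests_per_second, distinct_paths)}.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in per_ip.items():
        times = sorted(r["ts"] for r in recs)
        peak, start = 0, 0
        for end in range(len(times)):          # two-pointer sliding window
            while times[end] - times[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        rps = peak / window_s
        paths = {r["path"] for r in recs}
        if rps > max_rps and len(paths) <= max_paths:
            flagged[ip] = (rps, len(paths))
    return flagged


def sample_log():
    """Constructed traffic (not real logs): a flood bot replaying one URL at 12
    requests/second for 10 seconds, a crawler at 6 requests/second over 60
    distinct pages, and a human reading eight articles over 30 seconds.
    Addresses are from the documentation ranges."""
    base = datetime(2011, 9, 1, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, method, path):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
                f'200 512 "-" "Mozilla/5.0"')

    lines = []
    for sec in range(10):
        lines += [line("198.51.100.7", base + timedelta(seconds=sec), "GET", "/index.php")
                  for _ in range(12)]
    lines += [line("192.0.2.44", base + timedelta(seconds=i // 6), "GET", f"/page/{i}")
              for i in range(60)]
    lines += [line("203.0.113.5", base + timedelta(seconds=4 * i), "GET", f"/article/{i}")
              for i in range(8)]
    return lines


if __name__ == "__main__":
    for ip, (rps, npaths) in flood_sources(sample_log()).items():
        print(f"{ip}: peak {rps:.1f} req/s over {npaths} path(s)")
```

Only the replaying bot is reported; the crawler runs just as fast but over 60 paths, and the human never approaches the rate threshold. The slow-rate vectors in the same figure (Slowloris, SlowPost) do not show up in this kind of analysis at all, because a request only reaches the access log once it has completed; they are found in the connection table, as long-lived connections whose headers or bodies never finish, rather than in request counts.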
Top security concerns for the next 12 months (Figure 9) include: attacks against end customers; attacks against
operators’ network infrastructure devices and ancillary support services such as DNS and Web portals; botnet
activities, which include DDoS attacks; and, as in last year’s report, new vulnerabilities.
Figure 9: Security Concerns (bar chart, percent of survey respondents, 0-60%). Concerns: DDoS attacks towards your customers; DDoS attacks towards your infrastructure; DDoS attacks towards your services; Infrastructure outages due to DDoS attacks; Infrastructure outages from failure; New vulnerabilities; Botted/compromised hosts on your network; Zero-day exploits; Hacktivism; Under-capacity for bandwidth. Source: Arbor Networks, Inc.
Based upon responses described later, we believe that the prominently highlighted concern over new vulnerabilities
continues, at least in part, to be related to the deployment of IPv6. Other forward-looking security concerns
expressed include VoIP-specific attacks and data loss or leakage due to botnet and/or malicious insider activity.
While there has been much speculation in the press surrounding possible concerns about the integrity of network
infrastructure equipment sourced from various countries, these concerns are not strongly reflected in our findings.
Figures 10 and 11 indicate that the overwhelming majority of respondents do not view this as a serious issue, and
it appears to have little impact on product procurement decisions, echoing last year’s findings.
Figure 10: Concerns Regarding Integrity of Infrastructure Vendor Products (pie chart): Yes 33%, No 67%. Source: Arbor Networks, Inc.
Figure 11: Influence of Integrity Concerns on Product Procurement (pie chart): Yes 25%, No 75%. Source: Arbor Networks, Inc.
Respondents who indicated concerns regarding product origins offered the following comments:
• “We are not directly concerned, but our customers are.”
• “Recently, word-of-mouth advice from regulators suggests we avoid equipment originating from nations
perceived as hostile.”
• “‘Intelligence’ is being built into what used to be low-level equipment, like media converters and so on.
Couple this with the ubiquity of Internet access, and it makes backdoor access a lot more of a risk.”
• “Will not buy boxes with hard-coded support passwords.”
• “There are certain vendors that from a global view are either not preferred from a security perspective
or have to achieve specific internal accreditation.”
By way of contrast, nearly 75 percent of respondents (Figure 12) indicated that the purported geopolitical origin
of traffic ingressing and traversing their networks has a significant impact on their perception of the threat that
this traffic may pose to their organization and/or end customers.
Figure 12: Influence of Geopolitical Origin of Network Traffic on Threat Perception (pie chart): Yes 75%, No 25%. Source: Arbor Networks, Inc.
Figure 13 indicates that awareness of DDoS attacks amongst end-customer organizations has greatly increased
over the last 12 months. Unfortunately, as seen in Figure 14, the most common reason for this raised awareness
is that they have been the target of a DDoS attack. This emphasizes the point that many organizations ignore
the news about increased attack activity until they themselves fall victim.
Figure 13: DDoS Threat Awareness (bar chart, percent of survey respondents, 0-60%). Responses: Higher level of awareness; Same level of awareness; I do not know; Lower level of awareness. Source: Arbor Networks, Inc.
Figure 14: Factors Impacting DDoS Threat Awareness (bar chart, percent of survey respondents, 0-80%). Factors: Experienced a DDoS attack; Highly-publicized DDoS attacks; Business continuity planning risk assessment; Brand reputation concerns; Financial/legal liability assessment; Legislative/regulatory requirements. Source: Arbor Networks, Inc.
Scale, Targeting and Frequency of Attacks
During the survey period, respondents reported a significant increase in the
prevalence of flood-based DDoS attacks in the 10 Gbps range. This represents
the “mainstreaming” of large flood-based DDoS attacks, and indicates that
network operators must be prepared to withstand and mitigate large flood
attacks on a routine basis.
As illustrated in Figure 15, the highest-bandwidth attack observed by respondents during the survey period was
a 60 Gbps DNS reflection/amplification attack. This represents a 40 percent decrease from the previous year in
terms of sustained attack size for a single attack.
Figure 15: Largest Bandwidth Attacks Reported (bar chart, Gbps, 0-100, one bar per survey year from 2002 through 2011). Source: Arbor Networks, Inc.
Based upon our experiences working with operators over the last year and data collected using Arbor’s ATLAS®
portal, we believe that this apparent decrease in attack magnitude at the high end does not represent a significant
reduction of risk from flood-based DDoS attacks. Sixty Gbps is a very large attack, and the increased prominence
of 10 Gbps and higher attacks reflected in survey responses indicates that the volume of traffic in large-scale
flood attacks remains a significant risk.
Over 74 percent of respondents reported that the highest-bandwidth DDoS attack they experienced during
this survey period was directed at their end customers, while nearly 13 percent reported that their own ancillary
support services such as DNS and Web portals were targeted (Figure 16). Almost 11 percent indicated that their
own network infrastructure was the target of the highest-bandwidth attack they experienced.
Figure 16: Target of Highest-Bandwidth DDoS Attack (bar chart, percent of survey respondents, 0-80%). Targets: Customer; Service; Infrastructure; Other. Source: Arbor Networks, Inc.
Several respondents shared details of the highest-bandwidth attacks they’ve observed during the survey period:
• “We were a primary target of the WikiLeaks/Anonymous incident, experiencing ~100 attacks over 10 days
and covering more or less the full gamut of DDoS attack types. Unrelated 6.5 Gbps attack was IP fragments,
1500-byte packets, highly distributed.”
• “DDoS against UDP/80, 29 Mpps. Do I need to say more?”
• “Slowloris-based attack linked to WikiLeaks.”
• “We faced a side-effect of a spam botnet which tried to resolve nonexistent domain names, causing high
loads of NXDOMAIN answers.”
• “Mostly invalid packets that were stopped at our border routers via ACLs. Sources were mostly from Europe,
target was a Russian Webcam recruitment site. The observed size of the attack was 30 Gbps, but the overall
attack was larger than 50 Gbps and hitting capacity restraints within our providers’ networks.”
• “Attackers leveraging large amounts of insecure game servers to carry out multi-gigabit reflection/
amplification attacks.”
• “Flood of UDP traffic to an unused IP address within our mobile data network.”
• “4.4 Mpps attack was an attack using malformed DNS queries toward our DNS resolvers—payloads included
either a bunch of NULL characters or the string ‘0123456789ABCDE.’ Unknown which of our customers
the attack was aimed at or what the motive was. 3.4 Gbps attack was a DNS reflection/amplification attack
against our DNS infrastructure in which the attacker sent ANY–record queries for isc.org to approximately
3,300 recursive DNS servers, mainly in the U.S.”
• “Not sure of the initial exploitation vector (possibly several), but a large number of compromised US-based
Web servers had a Perl script uploaded into /tmp and executed several times over several months. This script
caused the servers to send out large volumes of UDP packets to the targeted host. There was ramp-up
from 200 Mbps up to 12 Gbps as we applied reverse proxy services on a variety of networks. Attack volume
was scaled up over a 3-month period to always slightly exceed our capacity, and the timings of that scaling
seemed to indicate a human was doing this deliberately in response to our defensive moves. After we handled
12 Gbps successfully for about 6 hours, the attacks stopped ‘permanently’—it has now been 6 months since
that last attack of this type. Some of the big US hosts that were running the attackers’ Perl script were
sending upwards of 500 Mbps individually, and it was difficult (read: impossible) to contact their owners to
have them stop it (in many cases it seemed they didn’t even notice it) in a timely manner. So, with that said,
the number of attacking hosts wasn’t the problem—a small number of very large, high-bandwidth attacking
hosts was the main issue (I’d say less than 20 single hosts accounted for 6-8 Gbps of the attack!). Traffic was
not spoofed and was the legitimate source as all web hosts who did end up responding to us found the script
leftover in /tmp, or running at the time they investigated.”
• “Motivation: take down a games Web site. Methodology: pure, old-fashioned bandwidth-based attack.”
• “Attack against a Web server—many unanswered requests which hit the firewall, taking it down.”
• “There was 1.2 Gbps attack towards single host. Varied packet size—mostly 1500-byte packets and quite
a lot of 64-byte packets to bring down the processing power of the customer access router.”
• “Automated system made malformed HTTP requests. It moved with the DNS, but couldn’t handle HTTP/S,
so we moved the site to HTTP/S-only for a month. No motivation understood or known—wasn’t even a
major site of ours. Possibly a miscreant used the target IP address in a PTR-record entry previously, and
an angry criminal rival attacked, thinking it was still in use by the original miscreant?”
• “SYN-flood which peaked an inbound interface, and was measured at ~14 Mpps.”
• “UDP flood towards an online auction site.”
• “Packet-based flood, motivation was immature—site was a community Web forum.”
• “The largest DDoS attacks we’ve seen have been focused on our email infrastructure—i.e., POP3/SMTP.
Not so much large amounts of data, just thousands of individual connections.”
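Two of the accounts above describe the resolver side of DNS reflection/amplification, the class of attack that also produced the survey period's largest (60 Gbps) event: ANY queries for isc.org, carrying the victim's address as source, sent to thousands of open recursive servers whose much larger answers land on the victim. As an added example, not code from this report, from Arbor or from any resolver vendor, the following inspects a constructed, simplified resolver log and flags "clients" whose queries are repetitive and whose answers dwarf the queries; in a reflection attack that client address is the spoofed victim, and the ratio is the amplification the attacker is getting. The one-line-per-query log format, the 3,200-byte ANY answer size and the thresholds are assumptions.

```python
"""Spot reflection/amplification abuse of a recursive resolver from its query log.

Added example (not code from the Arbor report or any resolver). The log format
is a constructed, simplified one, "<client_ip> <qname> <qtype> <rcode>
<response_bytes>" per line, such as a resolver's response log could be
post-processed into.
"""
from collections import defaultdict


def query_wire_size(qname):
    """Size of a minimal UDP query for qname: 12-byte header, the name in label
    form (a length byte per label plus the terminating zero byte), QTYPE, QCLASS."""
    labels = [label for label in qname.rstrip(".").split(".") if label]
    return 12 + sum(1 + len(label) for label in labels) + 1 + 4


def parse(lines):
    """Yield (client, qname, qtype, rcode, response_bytes); skip malformed lines."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or not parts[4].isdigit():
            continue
        client, qname, qtype, rcode, resp = parts
        yield client, qname.lower(), qtype.upper(), rcode.upper(), int(resp)


def reflection_suspects(lines, min_queries=50, min_amplification=10.0, max_names=3):
    """Per 'client' address, compare bytes sent back with bytes received.

    In a reflection attack the client address is the spoofed victim: it 'asks'
    for the same large record (typically ANY) over and over, and the resolver's
    answers, many times the size of the queries, are what hits the victim.
    Flags clients with at least min_queries queries, a response/request byte
    ratio of at least min_amplification and at most max_names distinct names.
    """
    stats = defaultdict(lambda: {"queries": 0, "req": 0, "resp": 0, "any": 0,
                                 "names": set()})
    for client, qname, qtype, rcode, resp in parse(lines):
        s = stats[client]
        s["queries"] += 1
        s["req"] += query_wire_size(qname)
        s["resp"] += resp
        if qtype == "ANY":
            s["any"] += 1
        s["names"].add(qname)

    suspects = {}
    for client, s in stats.items():
        amplification = s["resp"] / s["req"]
        if (s["queries"] >= min_queries and amplification >= min_amplification
                and len(s["names"]) <= max_names):
            suspects[client] = {
                "queries": s["queries"],
                "amplification": round(amplification, 1),
                "any_fraction": s["any"] / s["queries"],
                "names": sorted(s["names"]),
            }
    return suspects


def sample_log():
    """Constructed log (not real traffic). 203.0.113.10 is the spoofed victim of
    an ANY-query reflection; 192.0.2.5 is an ordinary client; 198.51.100.8 is a
    bot resolving non-existent names (plenty of NXDOMAIN, but no amplification
    and no repeated name). The 3200-byte ANY answer size is an assumed value for
    a large DNSSEC-signed zone."""
    lines = ["203.0.113.10 isc.org ANY NOERROR 3200"] * 500
    lines += [f"192.0.2.5 host{i}.example.com A NOERROR 100" for i in range(60)]
    lines += [f"198.51.100.8 junk{i}.example.net A NXDOMAIN 120" for i in range(80)]
    return lines


if __name__ == "__main__":
    for client, info in reflection_suspects(sample_log()).items():
        print(client, info)
```

Only the reflected address is reported: each 25-byte query for isc.org ANY draws a 3,200-byte answer, a 128-fold amplification of whatever the attacker sends, which is why the ANY record of a large signed zone is the query of choice. The NXDOMAIN-heavy bot from the spam botnet account above is a different problem (resolver load, not amplification) and is deliberately not matched, since its names never repeat and its answers are barely larger than its queries. A resolver operator who finds this pattern is being used as a reflector rather than being attacked directly; restricting recursion to its own customers and rate-limiting answers per destination removes it as an amplifier.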
As shown in Figure 17, nearly 47 percent of respondents indicated that they experienced 1 to 10 DDoS attacks per
month during the survey period, while over 44 percent experienced 10 to 500 or more DDoS attacks per month.
Figure 17: Average Number of DDoS Attacks per Month (bar chart, percent of survey respondents, 0-50%). Buckets: 0; 1-10; 11-20; 21-50; 51-100; 101-500; 500+. Source: Arbor Networks, Inc.
As illustrated in Figure 18, commercial flow-telemetry collection/analysis systems, such as Arbor’s Peakflow® SP
solution (“Peakflow SP”), were the leading tools used to detect and classify the highest-bandwidth attacks experienced
by respondents during the survey period. Custom in-house developed tools and various other mechanisms
were the second- and third-most popular solutions in this category, respectively.
Figure 18: Tools Used to Measure Highest-Bandwidth DDoS Attacks (bar chart, percent of survey respondents, 0-50%). Tools: Commercial NetFlow analyzers; In-house developed scripts/tools; Open Source NetFlow analyzers; Open Source SNMP-based tools; Deep Packet Inspection; Commercial SNMP-based tools; Other. Source: Arbor Networks, Inc.
While the prevalence of complex multi-vector DDoS attacks has steadily increased over the last several years,
Figure 19 indicates that nearly 27 percent of survey respondents have experienced multi-vector DDoS attacks
involving both flood-based and application-layer components during the last 12 months. This represents a
significant escalation on the part of attackers and is consistent with their increased usage of application-layer
attack methodologies.
Figure 19: Multi-Vector DDoS Attacks (pie chart): Yes 27%; No and I do not know share the remaining 41% and 32%. Source: Arbor Networks, Inc.
During the last 12 months, our experiences in working with network operators worldwide in mitigating DDoS attacks
seemingly coincided with an apparent increase in the prevalence of ideologically-motivated “hacktivist” DDoS attacks.
While we noted this trend, it was our belief that this was merely indicative of our subjective experiences and those of
our customers, combined with generally heightened awareness of ideologically-motivated DDoS attacks following the
well-publicized WikiLeaks/Anonymous series of incidents.
When we made the decision to query this year’s survey respondents regarding their assessment of DDoS attack
motivations, we expected “Unknown” to constitute the overwhelming majority of responses, with nihilism/vandalism,
DDoS-enabled extortion and inter-criminal disputes making up most of the remainder.
Therefore, the results in Figure 20—which indicate that ideology or “hacktivism” ranks as the single most commonly
observed motivation for DDoS attacks, with online gaming-related attacks ranked second—were surprising, while
at the same time confirming our subjective observations during the survey period.
Figure 20: Attack Motivations Considered Common or Very Common (bar chart, percent of survey respondents, 0-35%). Motivations: Political/ideological; Nihilism/vandalism; Online gaming; Criminals demonstrating capabilities; Social networking; Misconfiguration/accidental; Unknown; Inter-personal/inter-group rivalries; Competitive; Criminal extortion attempts. Source: Arbor Networks, Inc.
We believe this finding may well comprise one of the single most important data points in this year’s report, with
major implications in terms of threat assessment, situational awareness and continuity of operations for network
operators, governmental bodies, law enforcement agencies and end customers alike.
Some additional free-form comments in response to this question follow:
• “As a network operator, we see the traffic, but seldom are privy to the motivation behind the attack.
I think that in many cases, our customers (colleges and universities) don’t know why the attack happened
either—they just deal with it.”
• “[We see] attacks against online auction sites which are similar to attacks against online gaming sites
and attacks intended to manipulate financial markets.”
• “We’ve experienced Quake 3/Source Engine-based exploit attacks. Attackers are abusing legitimate game
servers to send specially-crafted attack packets directing them to attack others, similar to DNS reflection/
amplification attacks.”
In this year’s survey, we asked respondents about the longest-duration DDoS attack they had observed during the
survey period. Responses varied widely, ranging from “a few minutes” to “six months, with bursts and calm stages.”
We also asked respondents about the average cost to their organizations of handling a DDoS attack. Several
free-form responses follow:
• “Approximately $250,000 USD/incident.”
• “$8,000 USD/incident.”
• “Approximately 1,000EUR/incident.”
• “Roughly $1M USD to $1.5M USD/incident.”
• “$300,000 USD/incident.”
• “$1M USD/incident.”
• “More than $100,000 USD/month.”
• “Net revenue-generator—we offer commercial DDoS mitigation services.”
In another significant development, Figure 21 reflects what we believe to be the first documented occurrences
of IPv6 DDoS attacks on production Internet networks.
Figure 21: Experienced IPv6 DDoS Attacks (pie chart; responses Yes, No, I do not know; slice values 75%, 21%, 4%). Source: Arbor Networks, Inc.
This is a significant milestone in the arms race between attackers and defenders. We believe that the scope
and prevalence of IPv6 DDoS attacks will gradually increase over time as IPv6 is more widely deployed. It is also
important to note that more than 75 percent of respondents do not have sufficient visibility into IPv6 traffic on
their networks to detect and classify IPv6 DDoS attacks.
At the same time, the small number of reported IPv6 security incidents is an indication of how slowly IPv6 deployment
and market penetration are progressing. There is a strong correlation between the economic significance of a given
technology and criminal activity taking advantage of said technology. In the assessment of the Internet criminal
underground, it is apparent that IPv6-enabled Internet properties simply are not yet worth the time and effort required
to attack them with any frequency.
When asked why he robbed banks, career criminal Willie Sutton famously replied, “Because that’s where the
money is.” One can draw a strong analogy between this and the way that modern Internet miscreants think.
They attack where the money is.
Figure 22 indicates that over 57 percent of respondents detected and classified outbound/crossbound DDoS
attacks during the survey period, a 16 percent decrease from last year’s tally. Only 34 percent mitigated these
attacks (Figure 23). We believe that this mitigation deficit is due in part to an almost exclusive focus on technical
means for mitigating inbound attacks, along with some level of misperception that outbound/crossbound attacks
are somehow less serious from an operational point of view.
Figure 22 (pie chart): Detection of Outbound/Crossbound DDoS Attacks. Yes 57%, No 43%. Source: Arbor Networks, Inc.
Figure 23 (pie chart): Mitigation of Outbound/Crossbound DDoS Attacks. Yes 34%, No 66%. Source: Arbor Networks, Inc.
Outbound/crossbound DDoS attacks consume end-customer and operator bandwidth and often affect ancillary
operator services such as DNS. This adversely affects peering ratios and results in increased transit costs. These
attacks can also lead to SLA and billing disputes with end customers. Therefore, outbound/crossbound DDoS
attacks warrant the same mitigation actions as inbound attacks as a matter of self-preservation.
Attack Detection, Classification and Traceback
The composition of tools used to detect, classify and trace back DDoS attacks
(Figure 24) generally corresponds to responses noted in the section of this
report entitled “Scale, Targeting and Frequency of Attacks” (page 15).
Figure 24 (bar chart): Use of Network Traffic Detection/Classification Tools. Y-axis: Survey Respondents (0% to 70%). Categories: Commercial NetFlow analyzers; In-house developed scripts/tools; Open Source SNMP-based tools; Commercial SNMP-based tools; Open Source NetFlow analyzers; Deep packet inspection; Other. Source: Arbor Networks, Inc.
This section identifies the tools used to detect and classify the single-largest DDoS attack experienced by
respondents during the survey period (Figure 25). Again, commercial flow-telemetry collection/analysis systems
were by far the most commonly used tool. More day-to-day emphasis has been placed by operators on in-house
developed tools, open source NetFlow analyzers, open source SNMP-based tools and deep packet inspection
over commercial SNMP-based tools.
Figure 25 (bar chart): Tools Used to Measure Highest-Bandwidth DDoS Attacks. Y-axis: Survey Respondents (0% to 70%). Categories: Commercial NetFlow analyzers; In-house developed scripts/tools; Open Source SNMP-based tools; Commercial SNMP-based tools; Open Source NetFlow analyzers; Deep packet inspection; Other. Source: Arbor Networks, Inc.
Other tools reported in use by respondents include IDS, syslog-based analysis systems, sinkholes, darknets,
honeypots and NMS.
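The flow-telemetry detection that Figures 22, 24 and 25 describe (commercial and open source NetFlow analyzers, in-house scripts) comes down to aggregating exported flow records per destination and deciding whether the resulting burst is inbound, outbound or crossbound relative to the operator's own address space. The following is an added illustration, not code from Arbor or from the report: the flow records are constructed NetFlow-style dictionaries, and the operator prefixes (198.51.100.0/24 and 203.0.113.0/24), the 50,000 pps threshold and the 20-source minimum are assumptions chosen for the example.

```python
"""Flow-telemetry DDoS detection with inbound/outbound/crossbound classification.

Added example, not code from Arbor or from the report. The flow records are
constructed NetFlow-style dictionaries; the prefixes and thresholds are
assumptions chosen for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed: the address space this operator announces for its customers.
OUR_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Assumed alert thresholds: packets per second toward one destination, and the
# number of distinct sources needed before a burst counts as distributed.
PPS_THRESHOLD = 50_000
MIN_SOURCES = 20


def is_ours(addr):
    a = ip_address(addr)
    return any(a in p for p in OUR_PREFIXES)


def classify_direction(src, dst):
    """Inbound: external -> ours. Outbound: ours -> external. Crossbound: ours -> ours."""
    s, d = is_ours(src), is_ours(dst)
    if d and not s:
        return "inbound"
    if s and not d:
        return "outbound"
    if s and d:
        return "crossbound"
    return "transit"


def detect(flows, window_s=60):
    """Aggregate per destination over the export window and flag floods with their direction."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    by_direction = defaultdict(lambda: defaultdict(int))
    for f in flows:
        packets[f["dst"]] += f["packets"]
        sources[f["dst"]].add(f["src"])
        by_direction[f["dst"]][classify_direction(f["src"], f["dst"])] += f["packets"]
    alerts = []
    for dst, total in packets.items():
        pps = total / window_s
        if pps >= PPS_THRESHOLD and len(sources[dst]) >= MIN_SOURCES:
            # The attack's direction is the direction carrying most of the packets.
            direction = max(by_direction[dst], key=by_direction[dst].get)
            alerts.append({"target": dst, "direction": direction,
                           "pps": pps, "sources": len(sources[dst])})
    return alerts


def sample_flows():
    """Constructed 60-second flow export (not real data)."""
    flows = []
    for i in range(30):   # inbound UDP/53 flood: 30 external sources -> one customer host
        flows.append({"src": f"192.0.2.{i + 1}", "dst": "198.51.100.10",
                      "proto": 17, "dport": 53, "packets": 120_000})
    for i in range(25):   # outbound flood: 25 infected customer hosts -> one external target
        flows.append({"src": f"203.0.113.{i + 1}", "dst": "192.0.2.200",
                      "proto": 6, "dport": 80, "packets": 150_000})
    # Benign background traffic, well under the thresholds.
    flows.append({"src": "192.0.2.250", "dst": "198.51.100.20",
                  "proto": 6, "dport": 443, "packets": 4_000})
    flows.append({"src": "198.51.100.20", "dst": "203.0.113.40",
                  "proto": 6, "dport": 22, "packets": 1_500})
    return flows


if __name__ == "__main__":
    for a in detect(sample_flows()):
        print(f"{a['direction']:10s} flood toward {a['target']}: "
              f"{a['pps']:,.0f} pps from {a['sources']} sources")
```

On the constructed export the detector raises two alerts: an inbound flood toward 198.51.100.10 and an outbound flood from the operator's own customers toward 192.0.2.200. The same aggregation exposes the outbound case that the report says a third of operators never mitigate; the direction label is what lets a NOC route it to a different playbook (customer notification, quarantine) rather than an inbound-only mitigation.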
Figure 26 illustrates that while over 41 percent of respondents indicate they do not employ event-correlation tools
to assist in detecting and classifying DDoS attacks, nearly 59 percent make use of either commercial, in-house
developed or open-source correlation systems.
Figure 26 (bar chart): Deployment of Event-Correlation Systems. Y-axis: Survey Respondents (0% to 50%). Categories: No; Yes, we use commercial tools; Yes, we use open-source tools; Yes, we use in-house tools. Source: Arbor Networks, Inc.
Attack Mitigation Techniques and Average Time
to Mitigate
As in previous reports, despite their functional and operational limitations,
ACLs continue to be the single most widely used tool to mitigate DDoS attacks
(Figure 27). Destination-based, remotely-triggered blackholes (D/RTBH) and
intelligent DDoS mitigation systems (IDMS) such as the Peakflow® SP Threat
Management System (“TMS”) and the now-discontinued Cisco Guard are the
second and third most widely used mitigation mechanisms, respectively.
Figure 27 (bar chart): DDoS Mitigation Tools Used. Y-axis: Survey Respondents (0% to 70%). Categories: Access control lists (ACLs); Destination-based remote-triggered blackhole (D/RTBH); Intelligent DDoS mitigation systems (IDMS); Firewall; Source-based remote-triggered blackhole (S/RTBH); Load-balancer; IPS; Content delivery network (CDN); FlowSpec; DPI systems; None; Other. Source: Arbor Networks, Inc.
Approximately 53 percent of respondents indicated that D/RTBH is still in common use—despite the fact that
D/RTBH blocks all traffic to the target and essentially completes the DDoS attack for the attacker, penalizing the
victim. Other techniques utilized by respondents include custom-coded application-layer classification tools, CDNs,
DPI systems, load-balancers and GeoIP-based blocking of attack traffic purportedly emanating from specific
geopolitical localities.
Once again this year, no respondents indicated that QoS is still in general use as an attack mitigation technique
for inbound DDoS attacks. Rate-limiting inbound traffic to attack targets invariably has the unintended side effect
of enabling attack traffic to “crowd out” traffic from legitimate sources.
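The two caveats above (D/RTBH completes the attack for the attacker; rate-limiting lets attack traffic crowd out legitimate sources) are easiest to see when the same offered traffic is run through each mitigation action and the legitimate and attack shares that reach the victim are scored separately. The following is an added illustration, not code from Arbor or from the report: the traffic mix is constructed, the "legit" flag is ground truth that the simulation knows but a real operator does not, and the victim address, the 100 Mb/s policer and the assumption that the S/RTBH source list is complete and unspoofed are all choices made for the example.

```python
"""Scoring DDoS mitigation actions against the same offered traffic.

Added example, not code from Arbor or from the report. The flows are
constructed; "legit" is a ground-truth flag used only for scoring.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int
    mbps: float
    legit: bool   # ground truth for scoring only; unknown to the mitigator


VICTIM = "198.51.100.10"   # assumed customer address under attack


def sample_traffic():
    """Constructed mix toward the victim: 60 Mb/s legitimate, 1200 Mb/s UDP/53 flood."""
    flows = [
        Flow("203.0.113.5", VICTIM, "tcp", 443, 20.0, True),
        Flow("192.0.2.9", VICTIM, "tcp", 443, 30.0, True),
        Flow("192.0.2.10", VICTIM, "udp", 53, 10.0, True),    # legitimate DNS
    ]
    for i in range(30):   # flood from 30 sources (constructed)
        flows.append(Flow(f"192.0.2.{100 + i}", VICTIM, "udp", 53, 40.0, False))
    return flows


# Each policy maps the offered flows to the fraction of each flow that is delivered.
def no_mitigation(flows):
    return [1.0 for _ in flows]


def d_rtbh(victim):
    """Destination-based RTBH: null-route everything to the victim, legitimate or not."""
    return lambda flows: [0.0 if f.dst == victim else 1.0 for f in flows]


def s_rtbh(sources):
    """Source-based RTBH: drop only listed sources (only as good as the source list)."""
    blocked = set(sources)
    return lambda flows: [0.0 if f.src in blocked else 1.0 for f in flows]


def acl_or_flowspec(victim, proto, dport):
    """ACL/FlowSpec-style match: drop one protocol/port toward the victim."""
    return lambda flows: [
        0.0 if (f.dst == victim and f.proto == proto and f.dport == dport) else 1.0
        for f in flows]


def rate_limit(victim, capacity_mbps):
    """QoS policer toward the victim: drops are blind to whether traffic is legitimate."""
    def policy(flows):
        offered = sum(f.mbps for f in flows if f.dst == victim)
        share = min(1.0, capacity_mbps / offered) if offered else 1.0
        return [share if f.dst == victim else 1.0 for f in flows]
    return policy


def evaluate(flows, policy):
    """Return (legitimate delivered fraction, attack delivered fraction) at the victim."""
    legit_offered = legit_done = attack_offered = attack_done = 0.0
    for f, frac in zip(flows, policy(flows)):
        if f.dst != VICTIM:
            continue
        if f.legit:
            legit_offered += f.mbps
            legit_done += f.mbps * frac
        else:
            attack_offered += f.mbps
            attack_done += f.mbps * frac
    return (legit_done / legit_offered if legit_offered else 1.0,
            attack_done / attack_offered if attack_offered else 0.0)


def compare():
    flows = sample_traffic()
    attackers = [f.src for f in flows if not f.legit]   # assumes a known, unspoofed source list
    policies = {
        "none": no_mitigation,
        "D/RTBH": d_rtbh(VICTIM),
        "S/RTBH": s_rtbh(attackers),
        "ACL/FlowSpec udp/53": acl_or_flowspec(VICTIM, "udp", 53),
        "rate-limit 100 Mb/s": rate_limit(VICTIM, 100.0),
    }
    return {name: evaluate(flows, p) for name, p in policies.items()}


if __name__ == "__main__":
    for name, (legit, attack) in compare().items():
        print(f"{name:22s} legitimate delivered {legit:6.1%}   attack delivered {attack:6.1%}")
```

The scores make the trade-offs in the text concrete: D/RTBH delivers 0% of both classes (the victim is offline either way), the port-level ACL or FlowSpec rule removes the flood but also the legitimate DNS traffic that shares the port, and the policer passes the same 7.9% of legitimate and attack traffic alike because it cannot tell them apart. S/RTBH scores perfectly only because the example hands it a complete, unspoofed source list, which is exactly the condition that rarely holds in practice.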
Nearly 47 percent of respondents indicated that they are able to successfully mitigate DDoS attacks within 20 minutes
(Figure 28), a slight decrease from last year. Nearly 33 percent indicated mitigation times in excess of 30 minutes,
more than double the proportion of operators who reported such mitigation times last year. This may be a result of
the increasing popularity of complex application-layer attacks, which are often more difficult to detect and mitigate.
Figure 28 (bar chart): Average Time Required to Mitigate DDoS Attacks. Y-axis: Survey Respondents (0% to 35%). Categories: Automatically through scripts/tools; Less than 10 minutes; More than 10 minutes but less than 20 minutes; More than 20 minutes but less than 30 minutes; More than 30 minutes; We do not mitigate attacks. Source: Arbor Networks, Inc.
Focusing specifically on outbound/crossbound DDoS attacks (Figure 29), ACLs once again are the single most
widely utilized tool to mitigate attack traffic. Over 29 percent of respondents indicated that firewalls were used
to mitigate outbound/crossbound attacks, raising the specter of firewall state-table depletion as a possible DDoS
vector. Meanwhile, nearly 28 percent indicated that they do not mitigate outbound/crossbound attacks at all.
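The state-table depletion risk raised above is a capacity problem rather than a bandwidth one: a stateful firewall has to allocate an entry for every new session it sees, and half-open sessions that never complete hold their entries until an idle timeout expires them, so new legitimate sessions compete for whatever slots are left. The following is an added illustration, not code from Arbor or from the report: it is a one-second-step model with constructed parameters (table size, idle timeout, arrival rates), and it simplifies by giving legitimate sessions the same lifetime as half-open ones.

```python
"""Firewall state-table depletion under a flood of half-open sessions.

Added example, not code from Arbor or from the report. All parameters are
assumptions chosen for illustration; admission is modelled as blind, so when
slots run short, legitimate and flood arrivals share them in proportion.
"""
from collections import deque


def simulate(table_size, idle_timeout_s, legit_rate, flood_rate, duration_s):
    """Return the fraction of legitimate new sessions that obtained a table slot."""
    table = deque()        # (expiry_second, count) in arrival order, so oldest first
    occupied = 0.0
    legit_ok = 0.0
    legit_total = 0
    for t in range(duration_s):
        # Age out entries whose idle timeout has passed.
        while table and table[0][0] <= t:
            occupied -= table.popleft()[1]
        arrivals = legit_rate + flood_rate
        free = max(0.0, table_size - occupied)
        # Blind admission: the firewall cannot tell which arrivals will complete.
        share = min(1.0, free / arrivals) if arrivals else 1.0
        admitted = arrivals * share
        if admitted:
            # Simplification: every admitted entry lives for the idle timeout.
            table.append((t + idle_timeout_s, admitted))
            occupied += admitted
        legit_total += legit_rate
        legit_ok += legit_rate * share
    return legit_ok / legit_total if legit_total else 1.0


if __name__ == "__main__":
    # Constructed scenario: 1,000-entry table, 10 legitimate sessions/s,
    # 500 half-open sessions/s from the flood, one minute observed.
    for timeout in (30, 5):
        ok = simulate(table_size=1000, idle_timeout_s=timeout,
                      legit_rate=10, flood_rate=500, duration_s=60)
        print(f"idle timeout {timeout:2d} s: {ok:5.1%} of legitimate sessions admitted")
    print(f"no flood: {simulate(1000, 30, 10, 0, 60):5.1%} admitted")
```

With the 30-second timeout the table fills within two seconds and then only frees slots in bursts when old entries expire, so only about 6.5% of legitimate sessions are admitted during the minute; cutting the timeout to 5 seconds recycles slots faster and admits roughly 39%, which is why aggressive idle timeouts and larger tables help but do not solve the problem. The model also shows why the report treats this as a vector: the flood rate needed is set by table size divided by timeout, not by link capacity.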
Figure 29 (bar chart): Tools Used to Mitigate Outbound/Crossbound DDoS Attacks. Y-axis: Survey Respondents (0% to 50%). Categories: Access control lists (ACLs); Firewall; None; Destination-based remote-triggered blackhole (D/RTBH); Source-based remote-triggered blackhole (S/RTBH); Intelligent DDoS mitigation systems (IDMS); IPS; Quarantine system; FlowSpec; Load-balancer; DPI systems; Content delivery network (CDN); Other. Source: Arbor Networks, Inc.
Other tools and techniques utilized to mitigate outbound/crossbound DDoS attacks include D/RTBH, S/RTBH,
IDMS, IPS, FlowSpec and in-house-developed quarantine systems.
The overwhelming majority of respondents indicated that they do not proactively block known botnet C&C servers,
malware drop servers and phishing servers at this time (Figure 30). Nearly 24 percent indicated that they do in
fact attempt to block these undesirable hosts on a proactive basis.
Figure 30 (pie chart): Proactive Blocking of Botnet C&Cs, Malware Drop Sites and Phishing Servers. Yes 24%, No 76%. Source: Arbor Networks, Inc.
Managed Security Services
Forty-five percent of respondents indicated that they offer managed security
services (Figure 31), with the most popular being managed router, managed
VPN and CPE firewalls (Figure 32). Of this pool of respondents, more than
58 percent offer Clean Pipes managed DDoS mitigation services, a slight
increase over last year.
Figure 31 (pie chart): Offer Managed Security Services. Yes 45%, No 55%. Source: Arbor Networks, Inc.
Figure 32 (bar chart): Type of Managed Security Services Offered. Y-axis: Survey Respondents (0% to 80%). Categories: Managed router; Managed VPN; On-premise firewall; DDoS attack detection; DDoS attack mitigation (Clean Pipes); Traffic visibility; In-cloud firewall; Unified threat management (UTM); Data loss prevention (DLP); Other. Source: Arbor Networks, Inc.
Of the respondents offering Clean Pipes managed DDoS mitigation services, 54 percent offer end customers the
option of self-initiating DDoS mitigation (Figure 33), a significant increase over previous reports. This year-over-year
continuity in the availability of self-mitigation options indicates that network operators view Clean Pipes as a
mature service and that end customers may safely be provided with the ability to mitigate incoming DDoS attacks
upon demand.
Figure 33 (bar chart): Self-Initiated DDoS Mitigation for Clean Pipes Customers. Y-axis: Survey Respondents (0% to 50%). Categories: No, we do not allow customers to initiate mitigations; Yes, with a portal user interface; We do not offer a managed DDoS service; Yes, with changes to DNS records; Yes, with a BGP announcement. Source: Arbor Networks, Inc.
Respondents offering managed security services reported a small head count of dedicated managed security
services personnel, with nearly 28 percent employing more than 10 dedicated staff members (Figure 34), an
11 percent increase year over year.
Figure 34 (bar chart): Managed Security Service Head Count. Y-axis: Survey Respondents (0% to 50%). Categories: None; 1-3 employees; 4-6 employees; 7-10 employees; 11-15 employees; 16-20 employees; 20+ employees. Source: Arbor Networks, Inc.
Observations on OPSEC Groups, Law Enforcement,
CERTs and CSIRTs
Figure 35 identifies the numbers of network engineering personnel, network
operations personnel and dedicated OPSEC personnel employed by
respondents. The majority of respondents employ 10 or fewer dedicated
OPSEC staff members.
Figure 35 (bar chart): OPSEC Team Head Count. Y-axis: Survey Respondents (0% to 50%). Categories: None, no dedicated security resources; 1-5; 6-10; 11-15; 16-20; 21-30; 30+. Source: Arbor Networks, Inc.
As in previous reports, lack of head count and/or resources topped the list of operational security challenges
faced by respondents (Figure 36). Other significant challenges reported by this year’s respondents include the
difficulty of finding and retaining skilled personnel, lack of management support, lack of stakeholder support
and CAPEX/OPEX funding. Free-form responses to this question included the following:
• “Customers do not want to pay for it.”
• “Size of organization insufficient to warrant a dedicated team.”
• “Cost of good people.”
• “Lack of awareness on the part of managers and business decision-makers. In our region, many
organizations are just starting to become cognizant of information security risks.”
Figure 36 (bar chart): Systemic OPSEC Team Challenges. Y-axis: Survey Respondents (0% to 60%). Categories: Lack of headcount/resources; Difficulty of finding/retaining skilled personnel; OPEX funding; Lack of internal stakeholder support; Lack of management support; CAPEX funding; Other. Source: Arbor Networks, Inc.
Figures 37 and 38 illustrate that approximately 90 percent of respondent organizations operate a NOC, and only
46 percent operate a SOC—the latter representing a 9 percent increase year over year.
Figure 37 (pie chart): NOC Presence by Organization. Yes 89%, No 11%. Source: Arbor Networks, Inc.
Figure 38 (pie chart): SOC Presence by Organization. Yes 46%, No 54%. Source: Arbor Networks, Inc.
OPSEC teams’ response readiness saw a marked improvement over last year. Over 58 percent of respondent
organizations never rehearse their operational security plans and procedures or conduct OPSEC drills (Figure 39),
while in the last survey, 72 percent of respondents indicated that they did not exercise their plans. We believe this
improvement is directly related to the increasing number of victims combined with the fact that the DDoS problem
is now a top-of-mind concern for IT executives and their security teams. One comment from this section follows:
• “We don’t practice, but we do have basic plans that we would implement. We also maintain close relationships
with external upstream network providers for rapid escalation of problems.”
Figure 39 (bar chart): Frequency of DDoS Defense Rehearsals/Drills. Y-axis: Survey Respondents (0% to 60%). Categories: Never; Yearly; Quarterly; Monthly; Weekly; Daily; Other. Source: Arbor Networks, Inc.
Nearly 81 percent of respondents indicated that their OPSEC organizations make it a point to maintain current
contact information for the OPSEC teams and/or other empowered groups within their peer, transit provider and
customer organizations (Figure 40).
Although this seems like a very basic requirement for any Internet-connected organization, we continue to observe
numerous instances in which outage-inducing DDoS attacks are unnecessarily prolonged because the relevant parties
lack this basic contact information.
Figure 40 (pie chart): Maintain Current Contact Information for Peers/Transits/Customers/OPSEC Teams. Yes 81%, No 19%. Source: Arbor Networks, Inc.
Security-related email lists remain the single most popular way of staying aware of relevant security information
from outside sources (Figure 41). Other popular methods reported by this year’s respondents include industry
conferences, vendor-specific email lists and blogs, and social networking systems such as Twitter, Facebook, etc.
Other primary sources of security-related information utilized by respondents include closed and vetted operational
security groups, FIRST, and various CERT and CSIRT organizations. These responses are in line with findings from
last year’s report.
Figure 41 (bar chart): External Sources of Operationally Relevant Security Information. Y-axis: Survey Respondents (0% to 90%). Categories: Security mailing lists; Security conferences; Weblogs/syndication feeds; Vendor mailing lists; Social networking services; Security-focused publications; Other. Source: Arbor Networks, Inc.
Forty-one percent of respondents indicated that they participate in closed or vetted global operational security
groups (Figure 42), while nearly 87 percent indicated that they believe these groups are highly effective in
handling operational security issues on an inter-organizational basis (Figure 43).
Figure 42 (pie chart): Participation in Vetted OPSEC Groups/Systems. Yes 41%, No 59%. Source: Arbor Networks, Inc.
Figure 43 (pie chart): Efficacy of Global OPSEC Communities. Yes 87%, No 13%. Source: Arbor Networks, Inc.
As with OPSEC teams in general, significant systemic challenges to full participation in closed/vetted global
OPSEC groups persist (Figure 44). Lack of time/resources is the most frequently cited challenge, along with
lack of management support, policy barriers, unclear benefits and legal concerns.
Figure 44 (bar chart): Systemic Challenges to Participation in Vetted OPSEC Groups/Systems. Y-axis: Survey Respondents (0% to 80%). Categories: Not enough time/resources; Management/policy; Benefits unclear; Legal concerns; My organization is very active in global OPSEC; Concerns surrounding participant vetting; Other. Source: Arbor Networks, Inc.
Nearly 74 percent of respondents indicated that they do not refer security incidents to law enforcement (Figure 45),
a marked increase from last year. This is due to a variety of reasons, including lack of resources and time, low
confidence in law enforcement investigative efficacy and corporate policy (Figure 46). Some free-form comments
from respondents who do not currently make law enforcement referrals follow:
• “Attacks we see are sourced from foreign jurisdictions.”
• “Responsibility and decision rest with our customers.”
Figure 45 (bar chart): Attacks/Incidents Referred to Law Enforcement. Y-axis: Survey Respondents (0% to 80%). Categories: None; 1-5 referrals; 6-10 referrals; 10+ referrals. Source: Arbor Networks, Inc.