MACE's life blog

[2012 Report] Arbor Networks’ Sixth Annual Worldwide Infrastructure Security Report


mace-lifelog 2012. 2. 26. 00:32

Overview

Arbor Networks, in cooperation with the broader operational security community, has completed the seventh edition of an ongoing series of annual security surveys. This survey, covering roughly a 12-month period from October 2010 through September 2011, is designed to provide industry-wide data to network operators.


This data is intended to enable more informed decisions about the use of network security technology to protect mission-critical Internet and other IP-based infrastructure. The survey output serves as a general resource for the Internet operations and engineering community, recording information on the employment of various infrastructure security techniques and other trends. It also provides the direct observations, insights and anecdotal experiences of respondents that may be of value to others.


Operational network security issues—the day-to-day aspects of security in commercial networks—are the primary focus of survey respondents. As such, the results provided in this survey are intended to more accurately represent real-world concerns rather than the theoretical and emerging attack vectors addressed and speculated about elsewhere.


Key Findings

Ideologically-Motivated ‘Hacktivism’ and Vandalism Are the Most Readily-Identified DDoS Attack Motivations

A new and extremely important finding in the 2011 Worldwide Infrastructure Security Report points to the ‘why’ behind DDoS attacks. Ideology was the most common motivating factor for DDoS attacks in 2011, followed by a desire to vandalize. When this is coupled with the fact that anyone can be attacked, and anyone can initiate an attack, it is clear a sea-change in the risk assessment model for network operators and end-customers is required.

Today, increased situational awareness has become a necessity for all Internet-connected organizations.

• 35% reported political or ideological attack motivation

• 31% reported nihilism or vandalism as attack motivation


10 Gbps and Larger Flood-Based DDoS Attacks Are the ‘New Normal’

During the survey period, respondents reported a significant increase in the prevalence of flood-based DDoS attacks in the 10 Gbps range. This represents the “mainstreaming” of large flood-based DDoS attacks, and indicates that network operators must be prepared to withstand and mitigate large flood attacks on a routine basis.


The largest reported DDoS attack during the survey period was 60 Gbps, in contrast with the 100 Gbps attack reported in the previous report. Attacks of this magnitude continue to constitute an extremely serious threat to network infrastructure and ancillary support services such as DNS, not to mention end-customer properties.


Increased Sophistication and Complexity of Application-Layer (Layer 7) DDoS Attacks and Multi-Vector DDoS Attacks Are Becoming More Common

Application-layer (Layer 7) DDoS attacks continue to grow in both prevalence and sophistication. Respondents indicated that sophisticated application-layer DDoS attack methodologies have become commonplace, and that complex multi-vector DDoS attacks with both flood-based and application-layer attack components are rapidly gaining in popularity with attackers.


Visibility and Security of Mobile and Fixed Wireless Networks Are an Ongoing Concern

A significant minority of mobile and fixed wireless operators report continuing challenges to detection of security threats on their networks. The majority of respondents indicated that their network visibility was much stronger than it was in 2010; however, their general lack of ability to detect infected hosts and the widespread data concerning attacks point to significant blind spots still resident in their capabilities.


First-Ever Reports of IPv6 DDoS Attacks ‘in the Wild’ on Production Networks

For the first time, respondents to this year’s survey indicated that they had observed IPv6 DDoS attacks on their networks. This marks a significant milestone in the arms race between attackers and defenders, and confirms that network operators must have sufficient visibility and mitigation capabilities to protect IPv6-enabled properties.


Rarity of IPv6-Enabled Attacks Indicates Low IPv6 Market Penetration and Lack of Critical Mass

Even though IPv6 DDoS attacks are now being reported, IPv6 security incidents are relatively rare. This is a clear indication that while IPv6 deployment continues to advance, IPv6 is not yet economically or operationally significant enough to warrant serious attention by the Internet criminal underground. This also indicates that much of the IPv6 network traffic may be un-monitored, masking the real threats on IPv6 networks.


Stateful Firewalls, IPS and Load-Balancer Devices Continue to Fall Short on DDoS Protection Capabilities

Respondents continue to report that stateful firewalls and IPS devices are failing under DDoS attacks due to state-table exhaustion, and report similar findings with regard to load-balancer devices. Network operators must have the capability to defend these stateful devices against DDoS attacks if they are deployed in front of Internet-facing services.


The Overwhelming Majority of Network Operators Do Not Engage Law Enforcement for Security Incident Response and Follow Up

The perennial disengagement of most network operators from law enforcement continues, with network operators continuing to lack confidence in law enforcement’s capabilities and willingness to investigate online attack activity. Respondents also continue to evince strong dissatisfaction with current governmental efforts to protect critical infrastructure.


[Source]
http://www.arbornetworks.com/arbor-networks%E2%80%99-sixth-annual-worldwide-infrastructure-security-report.html