Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report


Transcript of Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Page 1: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Worldwide Infrastructure Security Report

C F Chui, Arbor Networks

Page 2: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Tenth Year of WISR…..

‘The more things change, the more they stay the same.’

Ten years of surveying the operational security community on threats, concerns, mitigation/detection strategies and technologies.

Significant broadening in both survey scope and respondent mix over this time period

Some clear, ongoing trends and some new insights every year

Valuable repository of data on the evolution of threats and our means of combating them

Page 3: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Infrastructure Survey Demographics

• Survey conducted in October 2014

• 287 total respondents across different market segments

• 60% Internet Service Providers

Page 4: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Key Findings

• Continued growth in peak attack sizes

• Huge number of VERY large attacks reported / monitored

• Attack frequency jumps up again

• More respondents see cloud services being hit

• Intelligent DDoS Mitigation Solutions (IDMS) usage moves ahead of ACLs for the first time

DDoS in 2014:

A Time of Reflection…

• ISP and Enterprise/Government/Education (EGE) data this year

• Only half of respondents at least reasonably prepared for an incident

• DDoS a top threat for both ISP and EGE respondents

• Nearly half of EGE respondents saw DDoS attacks, with a significant proportion of attacks saturating connectivity

• APT a top concern for EGE going forward

Corporate Network Security

Page 5: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Key Findings

• Traffic growing strongly, but still not significant

• Nearly three-quarters of service providers now have some customers utilizing IPv6 services

IPv6

• Big increase in those seeing revenue loss due to DDoS

• Almost two thirds reported DDoS attacks, 38% see attacks exceed total Internet bandwidth

• Big rises in use of IDMS and ACLs

Data Center

• Worrying trend indicating a decrease in focus on DNS security

• Lower number of respondents see customer visible outages

DNS

• Most respondents have dedicated resources, but hiring / retaining still an issue

• Concerning reductions in anti-spoofing and DDoS incident rehearsal

Security Practices

• LTE being pervasively deployed

• Fewer respondents see customer visible outage due to a security incident

• Attacks targeting infrastructure up, but down against Gi/SGi

Mobile

Page 6: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

ATLAS Demographics

• ATLAS provides invaluable data to Arbor customers and the broader operational security community

• 330+ participating customers

– 32% Europe

– 24% North America

– 17% Asia

– 9% South America

– 9% Global

• Tracking a peak of over 120Tbps

Page 7: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Substantial Growth in Largest Attacks

• Largest reported attacks ranged from 400Gbps at the top end, through 300Gbps, 200Gbps and 170Gbps

• Some saw multiple events above 100Gbps but only reported largest

Page 8: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

2014 Q3/Q4 attacks summary:

BPS: 117.15Gbps / 31.26Mpps, NTP reflection (port 22), 15 mins.

APAC DDoS attacks summary

Period   Average attack size   % change   Peak attack size   % change
Q3       588.74Mbps            +10.98%    98.89Gbps          -22.2%
Q4       500.68Mbps            -15%       117.15Gbps         +18%

[Chart: attack traffic size - APAC Q3 2014; buckets: >20Gbps, 10-20Gbps, 5-10Gbps, 2-5Gbps, 1-2Gbps, 500Mbps-1Gbps, <500Mbps]

[Chart: attack traffic size - APAC Q4 2014; same buckets]

Page 9: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

2014, A Time of Reflection….. (part 1)

Page 10: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

2014, A Time of Reflection….. (part 2)

• NTP significant throughout 2014

– 93 attacks over 100Gbps, 5 over 200Gbps.

• DNS has historically been the ‘leading’ protocol used for reflection amplification

• SSDP significant post Q3

– 25K attacks per month in Q4

– Largest at 131Gbps

• Other protocols still a concern

Page 11: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

APAC – Reflection/Amplification attacks seen

Protocols for Amplification

Given the huge storm of NTP reflection activity, there has been some focus on other protocols that can be used in this way.

Looking at attacks with source-ports of services used for reflection.

DNS has been used by attackers for several years.

Significant growth in attacks with source port 1900 (SSDP): 2.1% of total attacks in Q4 are SSDP. Max attack seen – 49Gbps.

Exploited protocol   % Q1   % Q2   % Q3   % Q4   Max attack size (Gbps)
DNS (53)             0.7    2.4    3.6    1.3    97
NTP (123)            3.5    1.1    1.1    3.5    127
SSDP (1900)          <0.1   <0.1   0.7    2.1    49
Chargen (19)         0.3    0.5    1.0    1.0    25
SNMP (161)           <0.1   <0.1   <0.1   <0.1   4.8
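The slide attributes attacks to a reflected service by the source port of the flood (DNS 53, NTP 123, SSDP 1900, Chargen 19, SNMP 161) and tallies share of events and largest size per protocol. The following is an added illustration of that tally, not code from the deck or from ATLAS; the per-event records are constructed sample data and the field names are assumptions.

```python
from collections import defaultdict

# UDP service source ports the deck lists as abused for reflection/amplification.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "Chargen", 161: "SNMP"}

# Constructed per-event summaries (not real ATLAS data): the dominant source port of
# the inbound flood, the destination port it hit, and the event's peak rate in Gbps.
SAMPLE_EVENTS = [
    {"id": 1, "src_port": 123, "dst_port": 22, "peak_gbps": 117.15},   # NTP reflection
    {"id": 2, "src_port": 80, "dst_port": 80, "peak_gbps": 0.4},       # not a reflector port
    {"id": 3, "src_port": 1900, "dst_port": 80, "peak_gbps": 49.0},    # SSDP reflection
    {"id": 4, "src_port": 53, "dst_port": 80, "peak_gbps": 12.3},      # DNS reflection
    {"id": 5, "src_port": 44321, "dst_port": 7000, "peak_gbps": 1.1},  # ephemeral source
    {"id": 6, "src_port": 1900, "dst_port": 443, "peak_gbps": 3.2},
    {"id": 7, "src_port": 19, "dst_port": 80, "peak_gbps": 25.0},      # Chargen reflection
    {"id": 8, "src_port": 123, "dst_port": 52606, "peak_gbps": 2.0},
    {"id": 9, "src_port": 161, "dst_port": 53, "peak_gbps": 4.8},      # SNMP reflection
    {"id": 10, "src_port": 443, "dst_port": 443, "peak_gbps": 0.2},
]


def classify(event):
    """Name the reflected service by the flood's source port, or None if it is not a reflector port."""
    return REFLECTION_PORTS.get(event["src_port"])


def reflection_summary(events):
    """Per-protocol share of all events (%) and largest peak (Gbps), the shape of the deck's table."""
    total = len(events)
    counts = defaultdict(int)
    max_gbps = defaultdict(float)
    for ev in events:
        proto = classify(ev)
        if proto is None:
            continue  # floods from non-service ports count toward the total but are not attributed
        counts[proto] += 1
        max_gbps[proto] = max(max_gbps[proto], ev["peak_gbps"])
    return {p: {"pct": round(100.0 * counts[p] / total, 1), "max_gbps": max_gbps[p]}
            for p in counts}


def large_reflection_events(events, threshold_gbps=10.0):
    """IDs of reflection-attributed events at or above a size threshold (the deck reports >10Gbps shares)."""
    return sorted(ev["id"] for ev in events
                  if classify(ev) is not None and ev["peak_gbps"] >= threshold_gbps)


if __name__ == "__main__":
    for proto, stats in sorted(reflection_summary(SAMPLE_EVENTS).items()):
        print(f"{proto:8s} {stats['pct']:5.1f}% of events, max {stats['max_gbps']} Gbps")
    print("large reflection events:", large_reflection_events(SAMPLE_EVENTS))
```

Source port is a heuristic: it shows the traffic arrived from a reflector's service port, so correlate with packet size and pps before attributing an event, and note that a flood from an ephemeral port is not thereby benign.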

Page 12: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

ATLAS – Unprecedented Flood of Attacks

• Peak monitored attack at 325Gbps, up 32% on last year

– Attacks larger than 2013 peak in January, February, August and December 2014

• ATLAS also monitored more than 4x the number of attacks over 100Gbps in 2014, as compared to 2013

Page 13: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Large DDoS attacks seen in 2014 APAC

Peak Attack Growth trend in Gbps

[Chart: peak monthly Gbps of attacks, Jan to Dec 2014; quarterly peaks Q1 235.6, Q2 127.16, Q3 98.89, Q4 117.15]

235Gbps / 63Mpps to India, NTP reflection attack targeting port 80, 21 min 23 sec

127Gbps / 34Mpps to Malaysia, NTP reflection attack targeting port 52606, 29 min

99Gbps / 26Mpps to India, NTP reflection attack targeting port 80, 31 min

117Gbps / 31Mpps to India, NTP reflection attack targeting port 22, 15 min 37 sec

Page 14: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Large Attacks Analysis

28 events over 50Gb/sec in Q4; this gives 132 for year 2014.

Q4 saw the number of larger events trend down from Q3: 0.13% above 10Gbps, compared to 0.22% in Q3.

Large DDoS attacks analysis – 2014 APAC

NTP reflection attacks trending down over the quarter (in terms of large attacks): 3.51% of events overall (1.14% in Q3); 2.11% of events (NTP reflection attacks) over 10Gbps (5.34% in Q3).

[Chart: number of events of attack size >10Gbps per month, Jan to Dec 2014; y-axis 0 to 800]

Page 15: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

DDoS : Who is being hit?

• End users and e-commerce are top two targets, as last year

• Finance moves down to fifth, behind government and gaming

• Customers of respondents most common targets of attacks

• Percentage of attacks targeting Infrastructure continues to rise

Page 16: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

DDoS : Attack Types

• HTTP and DNS are top targets of application-layer attacks

• Drop in proportion of respondents seeing attacks targeting HTTPS

• Two-thirds of attacks are volumetric, up slightly

– No surprise given reflection storm

• 90% of respondents report seeing application-layer attacks

– 4% fall in proportion of application-layer attacks

Page 17: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

ATLAS attack types stats Q4 2014 APAC

Dest Port Break-Out (Q4)

Port 80 (HTTP) stays at number 1, with 17% of events, roughly the same as Q3 (17%).

Fragment stays at number 2 with 7%, a slight decrease from 10% in Q3.

Attacks targeting port 53 (DNS) in top 3 for the past 6 months: 8% Q3, 4% Q4.

[Chart: attack dest ports - APAC Q3 2014; legend: 80, NIF, 53, 32768-65535, ICMP, 0-32767, 7000, others]

[Chart: attack dest ports - APAC Q4 2014; legend: 80, fragment, 53, 7000, ICMP, 443, 32768-65535, others]

Page 18: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

DDoS : Why? And, How Often?

• Significant increase in proportion of respondents seeing more than 21 attacks per month

– Up to 38% from 25% last year

• Top 3 motivations stay the same, but order changes

– Ideological hacktivism knocked off top spot!

• Continued increase in extortion, market manipulation or disguise as motivations

Page 19: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

DDoS : A Top Priority for ISP Customers

• 70% of service providers see increased demand for DDoS detection and mitigation services from their customers

• Cloud / Hosting providers top vertical interested in DDoS services

– Not surprising given big jump in proportion of respondents seeing attacks targeting cloud (29%, up from 19%)

• Finance, Government and e-commerce also top list

Page 20: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

ISP Threat Detection and Mitigation

• NetFlow analyzers are the most effective and most commonly deployed detection mechanism

• Firewall logs, the 2nd most commonly deployed detection mechanism, rank 6th in terms of effectiveness

• IDMS moves ahead of ACLs as most common mitigation mechanism

• Firewalls fall back again

• Proportion of respondents able to mitigate in < 20 mins up to 60%

Page 21: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Data Center DDoS, Attacks & Impact

• Almost two thirds reported DDoS attacks, down from last year

• Most common attack target is now customer, rather than service infrastructure

• 38% see attacks exceed total Internet bandwidth, same as last year

• As last year 81% see increased operational expenses as top issue

• Big increase in proportion seeing revenue loss, from 27% to 44%

Page 22: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Protecting the Data Center

• Firewalls, application firewalls and IPS are still top three deployed security technologies

• Big rises in use of IDMS, 6% to 48%, and ACLs, 13% to 30%

• 49% see firewalls fail due to DDoS

• 37% offer DDoS protection services to their customers, either as standard or as an option. 21% offer multiple tiers of service

Page 23: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

DNS, Still not a Security Focus

• Proportion of respondents with NO security group with formal responsibility for DNS continues to rise, now 33%

• Only 17% of respondents saw a customer visible outage due to DDoS, down from 36% last year

– Maybe due to attacker focus on other protocols

• Layer 7 visibility improved to 41%, from 37% last year and 27% in 2012

Page 24: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Best Current Practices

• 94% of respondents have dedicated security resources

• The challenges facing organizations in building out teams remain the same - hiring / retaining skilled personnel is a key issue

• The proportion of respondents implementing anti-spoofing has fallen

– This is a big concern given reflection amplification attacks

• The proportion of respondents who practice DDoS defense continues to fall

Page 25: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

MNOs : LTE Becoming Pervasive

• 68% of respondents who operate mobile networks have over 1 million subscribers

– 22% have more than 25M

• LTE deployments becoming pervasive

• 80% of MNOs do NOT support IPv6 in either subscriber devices or mobile infrastructure

Page 26: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Mobile Security

• 36% experienced poorly implemented mobile applications impacting service

• 17% of respondents indicated that they have suffered a customer-visible outage due to a security incident

• Three quarters of respondents cannot detect a compromised subscriber on their networks

• iACLs and NAT/PAT are still the most common defensive measures used by MNOs, but there have also been big increases in the use of other technologies

Page 27: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

DDoS in the MNO

• 36% of respondents see attacks against their mobile users, RAN, back-haul or packet core, up from 25% last year

• Only 7% see attacks on the Internet (Gi) Infrastructure, down from 24% last year

– 57% still don’t know due to lack of visibility

– External firewalls top attack target

Page 28: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Conclusions

• Arbor has been conducting the WISR now for 10 years, and there have been some big changes

– Networks, and the way in which we use them, have changed

– Massive increase in respondents

– More diverse respondent mix

– Broader range of question topics

• The WISR represents a hugely valuable repository of the observations, experiences and concerns of the OpSec community

– Identifies ongoing trends

– Unexpected shifts in behavior

• Goals remain the same

– Educate the broader community

– Share solutions to common issues

Page 29: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report

Thank You