Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report
![Page 1: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/1.jpg)
Worldwide Infrastructure Security Report
C F Chui, Arbor Networks
![Page 2: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/2.jpg)
Tenth Year of WISR…
‘The more things change, the more they stay the same.’
Ten years of surveying the operational security community on threats, concerns, mitigation/detection strategies and technologies.
Significant broadening in both survey scope and respondent mix over this time period
Some clear, ongoing trends and some new insights every year
Valuable repository of data on the evolution of threats and our means of combating them
![Page 3: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/3.jpg)
Infrastructure Survey Demographics
• Survey conducted in October 2014
• 287 total respondents across different market segments
• 60% Internet Service Providers
![Page 4: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/4.jpg)
Key Findings
DDoS in 2014: A Time of Reflection…
• Continued growth in peak attack sizes
• Huge number of VERY large attacks reported / monitored
• Attack frequency jumps up again
• More respondents see cloud services being hit
• Intelligent DDoS Mitigation Solutions (IDMS) usage moves ahead of ACLs for the first time
Corporate Network Security
• ISP and Enterprise/Government/Education (EGE) data this year
• Only half of respondents at least reasonably prepared for an incident
• DDoS a top threat for both ISP and EGE respondents
• Nearly half of EGE respondents saw DDoS attacks, with a significant proportion of attacks saturating connectivity
• APT a top concern for EGE going forward
![Page 5: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/5.jpg)
Key Findings
IPv6
• IPv6 traffic growing strongly, but still not a significant proportion of total traffic
• Nearly three-quarters of service providers now have some customers utilizing IPv6 services
Data Center
• Big increase in those seeing revenue loss due to DDoS
• Almost two thirds reported DDoS attacks, 38% see attacks exceed total Internet bandwidth
• Big rises in use of IDMS and ACLs
DNS
• Worrying trend indicating a decrease in focus on DNS security
• Lower number of respondents see customer visible outages
Security Practices
• Most respondents have dedicated resources, but hiring / retaining still an issue
• Concerning reductions in anti-spoofing and DDoS incident rehearsal
Mobile
• LTE being pervasively deployed
• Fewer respondents see customer visible outage due to a security incident
• Attacks targeting infrastructure up, but down against Gi/SGi
![Page 6: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/6.jpg)
ATLAS Demographics
• ATLAS provides invaluable data to Arbor customers and the broader operational security community
• 330+ participating customers
– 32% Europe
– 24% North America
– 17% Asia
– 9% South America
– 9% Global
• Tracking a peak of over 120Tbps
![Page 7: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/7.jpg)
Substantial Growth in Largest Attacks
• Largest reported attacks ranged from 400Gbps at the top end, through 300Gbps, 200Gbps and 170Gbps
• Some saw multiple events above 100Gbps but only reported largest
![Page 8: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/8.jpg)
2014 Q3/Q4 attacks summary:
Largest Q4 attack (by bps): 117.15Gbps / 31.26Mpps, NTP reflection targeting port 22, 15 mins.
APAC DDoS attacks summary

| Period | Average Attack Size | % Change | Peak Attack Size | % Change |
|--------|---------------------|----------|------------------|----------|
| Q3 | 588.74Mbps | +10.98% | 98.89Gbps | -22.2% |
| Q4 | 500.68Mbps | -15% | 117.15Gbps | +18% |

Attack traffic size - APAC Q3 2014 (chart: share of attacks by size bucket: <500Mbps, 500Mbps-1Gbps, 1-2Gbps, 2-5Gbps, 5-10Gbps, 10-20Gbps, >20Gbps)
Attack traffic size - APAC Q4 2014 (chart: share of attacks by the same size buckets)
![Page 9: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/9.jpg)
2014, A Time of Reflection….. (part 1)
![Page 10: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/10.jpg)
2014, A Time of Reflection….. (part 2)
• NTP significant throughout 2014
– 93 attacks over 100Gbps, 5 over 200Gbps.
• DNS has historically been the ‘leading’ protocol used for reflection amplification
• SSDP significant post Q3
– 25K attacks per month in Q4
– Largest at 131Gbps
• Other protocols still a concern
![Page 11: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/11.jpg)
APAC – Reflection/Amplification attacks seen
Protocols for Amplification
• Given the huge storm of NTP reflection activity, there has been some focus on other protocols that can be used in this way.
• Looking at attacks with source ports of services used for reflection.
• DNS has been used by attackers for several years.
• Significant growth in attacks with source port 1900 (SSDP)
– 2.1% of total attacks in Q4 are SSDP
– Max attack seen – 49Gbps

| Exploited Protocol (source port) | % Q1 | % Q2 | % Q3 | % Q4 | Max attack size (Gbps) |
|----------------------------------|------|------|------|------|------------------------|
| DNS (53) | 0.7 | 2.4 | 3.6 | 1.3 | 97 |
| NTP (123) | 3.5 | 1.1 | 1.1 | 3.5 | 127 |
| SSDP (1900) | <0.1 | <0.1 | 0.7 | 2.1 | 49 |
| Chargen (19) | 0.3 | 0.5 | 1.0 | 1.0 | 25 |
| SNMP (161) | <0.1 | <0.1 | <0.1 | <0.1 | 4.8 |
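The table above identifies reflection traffic by the source port the reflector answers from, and the Q3/Q4 charts earlier bucket attacks by size. The following Python is an added example, not Arbor's or ATLAS's code, showing how a NetFlow-style detector does both: it aggregates sampled flow records per destination, undoes the flow sampling, sizes the attack in bps and pps, places it in the slide's size buckets and labels it with the reflection protocol when one reflection source port dominates the bytes. The CSV flow format, the 1:1000 sampling rate, the 10-second window, the 50% dominance threshold and the flow records themselves are constructed for the example.

```python
"""Flow-based reflection/amplification classifier (added example; constructed data)."""
from collections import defaultdict
from dataclasses import dataclass

# Reflection services keyed by the SOURCE port a reflector answers from
# (the "Exploited Protocol" column on the slide).
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 19: "Chargen", 161: "SNMP"}

# Size buckets from the "Attack traffic size" charts; upper bound in bit/s.
SIZE_BUCKETS = [("<500Mbps", 500e6), ("500Mbps-1Gbps", 1e9), ("1-2Gbps", 2e9),
                ("2-5Gbps", 5e9), ("5-10Gbps", 10e9), ("10-20Gbps", 20e9),
                (">20Gbps", float("inf"))]


@dataclass
class Flow:
    ts: int
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    nbytes: int
    npkts: int


def parse_flow(line: str) -> Flow:
    """Parse one exported flow: ts,src,sport,dst,dport,proto,bytes,packets (constructed CSV)."""
    ts, src, sport, dst, dport, proto, nbytes, npkts = line.strip().split(",")
    return Flow(int(ts), src, int(sport), dst, int(dport), int(proto), int(nbytes), int(npkts))


def size_bucket(bps: float) -> str:
    """Map a bit rate onto the slide's size buckets."""
    for label, upper in SIZE_BUCKETS:
        if bps < upper:
            return label
    return SIZE_BUCKETS[-1][0]


def summarize(lines, window_s=10, sampling=1000, min_share=0.5):
    """Aggregate flows per destination over one window, undo flow sampling
    (1:1000 assumed) and label the destination with a reflection protocol when
    a single reflection source port carries at least min_share of its bytes."""
    agg = defaultdict(lambda: {"bytes": 0, "packets": 0, "by_sport": defaultdict(int)})
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        a = agg[f.dst]
        a["bytes"] += f.nbytes
        a["packets"] += f.npkts
        if f.proto == 17:                      # reflection abuse rides on UDP
            a["by_sport"][f.sport] += f.nbytes
    report = {}
    for dst, a in agg.items():
        bps = a["bytes"] * sampling * 8 / window_s
        pps = a["packets"] * sampling / window_s
        protocol, share = None, 0.0
        sport, top = max(a["by_sport"].items(), key=lambda kv: kv[1], default=(None, 0))
        if a["bytes"] and sport in REFLECTION_PORTS and top / a["bytes"] >= min_share:
            protocol, share = REFLECTION_PORTS[sport], top / a["bytes"]
        report[dst] = {"gbps": round(bps / 1e9, 2), "mpps": round(pps / 1e6, 2),
                       "bucket": size_bucket(bps), "protocol": protocol,
                       "share": round(share, 3)}
    return report


# Constructed flow export: three NTP reflectors plus one SSDP reflector hitting
# 203.0.113.10 (sized to the 117Gbps Q4 peak), and ordinary HTTPS to 203.0.113.20.
SAMPLE_FLOWS = """\
0,198.51.100.1,123,203.0.113.10,80,17,48750000,10000
2,198.51.100.2,123,203.0.113.10,80,17,48750000,10000
5,198.51.100.3,123,203.0.113.10,80,17,48750000,10000
7,192.0.2.7,1900,203.0.113.10,80,17,200000,500
1,192.0.2.50,443,203.0.113.20,51234,6,300000,400
4,192.0.2.51,443,203.0.113.20,51235,6,300000,400
""".splitlines()

if __name__ == "__main__":
    for dst, r in summarize(SAMPLE_FLOWS).items():
        print(dst, r)
```

Keying on the reflector's source port is what lets a flow collector attribute an attack to NTP, SSDP or DNS without payload inspection, which is why NetFlow analysers rank as the most effective detection mechanism later in the deck. On a real sampled export the sampling rate must match the exporter's configuration, and the per-destination window should be aligned to the collector's flow-timeout, otherwise the bps figures are off by the same factor.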
![Page 12: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/12.jpg)
ATLAS – Unprecedented Flood of Attacks
• Peak monitored attack at 325Gbps, up 32% on last year
– Attacks larger than 2013 peak in January, February, August and December 2014
• ATLAS also monitored more than 4x the number of attacks over 100Gbps in 2014, as compared to 2013
![Page 13: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/13.jpg)
Large DDoS attacks seen in 2014 APAC
Peak Attack Growth trend in Gbps (chart: peak monthly Gbps of attacks, Jan to Dec 2014; quarterly peaks Q1 235.6, Q2 127.16, Q3 98.89, Q4 117.15)
• Q1: 235Gbps / 63Mpps to India, NTP reflection attack targeting port 80, 21 min 23 sec
• Q2: 127Gbps / 34Mpps to Malaysia, NTP reflection attack targeting port 52606, 29 min
• Q3: 99Gbps / 26Mpps to India, NTP reflection attack targeting port 80, 31 min
• Q4: 117Gbps / 31Mpps to India, NTP reflection attack targeting port 22, 15 min 37 sec
![Page 14: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/14.jpg)
Large DDoS attacks analysis – 2014 APAC
Large Attacks Analysis
• 28 events over 50Gb/sec in Q4; this gives 132 for year 2014.
• Q4 saw the number of larger events trend down from Q3: 0.13% above 10Gbps, compared to 0.22% in Q3.
• NTP reflection attacks trending down over the quarter (in terms of large attacks): 3.51% of events overall (1.14% in Q3), but only 2.11% of events over 10Gbps (5.34% in Q3).
(chart: number of events of attack size >10Gbps per month, Jan to Dec 2014)
![Page 15: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/15.jpg)
DDoS : Who is being hit?
• End users and e-commerce are top two targets, as last year
• Finance moves down to fifth, behind government and gaming
• Customers of respondents most common targets of attacks
• Percentage of attacks targeting Infrastructure continues to rise
![Page 16: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/16.jpg)
DDoS : Attack Types
• HTTP and DNS are top targets of application-layer attacks
• Drop in proportion of respondents seeing attacks targeting HTTPS
• Two-thirds of attacks are volumetric, up slightly
– No surprise given reflection storm
• 90% of respondents report seeing application-layer attacks
– 4% fall in proportion of application-layer attacks
![Page 17: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/17.jpg)
ATLAS attack types stats Q4 2014 APAC
Dest Port Break-Out (Q4)
• Port 80 (HTTP) stays at number 1, with 17% of events; roughly the same as Q3 (17%)
• Fragment stays at number 2 with 7%; slight decrease from 10% in Q3
• Attacks targeting port 53 (DNS) in top 3 for the past 6 months: 8% Q3, 4% Q4
Attack dest ports - APAC Q3 2014 (chart legend, in order: 80, NIF, 53, 32768-65535, ICMP, 0-32767, 7000, others)
Attack dest ports - APAC Q4 2014 (chart legend, in order: 80, fragment, 53, 7000, ICMP, 443, 32768-65535, others)
![Page 18: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/18.jpg)
DDoS : Why? And, How Often?
• Significant increase in proportion of respondents seeing more than 21 attacks per month
– Up to 38% from 25% last year
• Top 3 motivations stay the same, but order changes
– Ideological hacktivism knocked off top spot!
• Continued increase in extortion, market manipulation or disguise as motivations
![Page 19: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/19.jpg)
DDoS : A Top Priority for ISP Customers
• 70% of service providers see increased demand for DDoS detection and mitigation services from their customers
• Cloud / Hosting providers top vertical interested in DDoS services
– Not surprising given big jump in proportion of respondents seeing attacks targeting cloud (29%, up from 19%)
• Finance, Government and e-commerce also top list
![Page 20: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/20.jpg)
ISP Threat Detection and Mitigation
• NetFlow analyzers are the most effective and most commonly deployed detection mechanism
• Firewall logs, the 2nd most commonly deployed detection mechanism, rank only 6th in terms of effectiveness
• IDMS moves ahead of ACLs as most common mitigation mechanism
• Firewalls fall back again
• Proportion of respondents able to mitigate in < 20 mins up to 60%
![Page 21: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/21.jpg)
Data Center DDoS, Attacks & Impact
• Almost two thirds reported DDoS attacks, down from last year
• Most common attack target is now customer, rather than service infrastructure
• 38% see attacks exceed total Internet bandwidth, same as last year
• As last year 81% see increased operational expenses as top issue
• Big increase in proportion seeing revenue loss, from 27% to 44%
![Page 22: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/22.jpg)
Protecting the Data Center
• Firewalls, application firewalls and IPS are still top three deployed security technologies
• Big rises in use of IDMS, 6% to 48%, and ACLs, 13% to 30%
• 49% see firewalls fail due to DDoS
• 37% offer DDoS protection services to their customers, either as standard or as an option. 21% offer multiple tiers of service
![Page 23: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/23.jpg)
DNS, Still not a Security Focus
• Proportion of respondents with NO security group with formal responsibility for DNS continues to rise, now 33%
• Only 17% of respondents saw a customer visible outage due to DDoS, down from 36% last year
– Maybe due to attacker focus on other protocols
• Layer 7 visibility improved to 41%, from 37% last year and 27% in 2012
![Page 24: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/24.jpg)
Best Current Practices
• 94% of respondents have dedicated security resources
• The challenges facing organizations in building out teams remain the same - hiring / retaining skilled personnel is a key issue
• The proportion of respondents implementing anti-spoofing has fallen
– This is a big concern given reflection amplification attacks
• The proportion of respondents who practice DDoS defense continues to fall
![Page 25: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/25.jpg)
MNOs : LTE Becoming Pervasive
• 68% of respondents who operate mobile networks have over 1 million subscribers
– 22% have more than 25M
• LTE deployments becoming pervasive
• 80% of MNOs do NOT support IPv6 in either subscriber devices or mobile infrastructure
![Page 26: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/26.jpg)
Mobile Security
• 36% experienced poorly implemented mobile applications impacting service
• 17% of respondents indicated that they have suffered a customer-visible outage due to a security incident
• Three quarters of respondents cannot detect a compromised subscriber on their networks
• iACLs and NAT/PAT are still the most common defensive measures used by MNOs, but there have also been big increases in the use of other technologies
![Page 27: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/27.jpg)
DDoS in the MNO
• 36% of respondents see attacks against their mobile users, RAN, back-haul or packet core, up from 25% last year
• Only 7% see attacks on the Internet (Gi) Infrastructure, down from 24% last year
– 57% still don’t know due to lack of visibility
– External firewalls top attack target
![Page 28: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/28.jpg)
Conclusions
• Arbor has been conducting the WISR now for 10 years, and there have been some big changes
– Networks, and the way in which we use them, have changed
– Massive increase in respondents
– More diverse respondent mix
– Broader range of question topics
• The WISR represents a hugely valuable repository of the observations, experiences and concerns of the OpSec community
– Identifies ongoing trends
– Unexpected shifts in behavior
• Goals remain the same
– Educate the broader community
– Share solutions to common issues
![Page 29: Key Findings from Arbor's Tenth World-Wide Infrastructure Security Report](https://reader030.vdocument.in/reader030/viewer/2022032616/55a516e91a28abed7f8b46ba/html5/thumbnails/29.jpg)
Thank You