By Chris Cubbage, Executive Editor
According to the latest annual report from Arbor Networks, the security division of Netscout, security concerns of Service Providers in 2017 should continue to be dominated by Distributed Denial of Service (DDoS) attacks.
The 2016 Worldwide Infrastructure Security Report (WISR) is based on a survey of 133 free-form and multiple-choice questions, with two-thirds of all respondents being security, network or operations professionals. Service providers make up the majority of respondents at 64 percent; the remaining 36 percent came from enterprise, government and education (EGE) network operators. Participation from Asia Pacific and Oceania increased significantly, to 23 percent of respondents.
DDoS attacks against customers remained the most commonly experienced threat among service providers. NetFlow analysers are the most commonly used and most effective tool for detecting threats; firewall logs are the next most commonly used but fared poorly in terms of effectiveness. Respondents also indicated increased use of Simple Network Management Protocol (SNMP) based tools and inline DDoS detection/mitigation systems. The majority of respondents, 83 percent, reported using Intelligent DDoS Mitigation Systems (IDMS) to mitigate attacks.
About one third of respondents reported peak attack sizes over 100 Gbps and one eighth reported attacks over 200 Gbps. End-user subscribers were the most common type of customer targeted by DDoS attacks and Government was the second most common. Ninety-five percent of service providers experienced application-layer attacks.
Importantly, but not surprisingly, the report highlighted a significant and continuing increase in the scale and frequency of volumetric attacks around the world. Attacks of 800 Gbps were recorded, a 60 percent increase over the previous year, alongside other large-scale attacks at 500 Gbps, 550 Gbps and 600 Gbps, and the frequency of attacks also increased dramatically. The peak attack monitored by Arbor itself was 579 Gbps.
The Australian Security Magazine spoke with CF Chui, Principal Security Technologist at Arbor Networks, who confirmed, “there has been an increase in infected hosts and a lot of firepower, which has increased the frequency and magnitude. The attackers have discovered the use of other tools and devices they can compromise to launch attacks. Because of the easy access to these tools and options that are available, we are probably going to see, and what we are worried about, is these attacks getting more frequent and larger – there are a lot of IoT devices on the internet that will be exploitable.”
Last year saw a number of DDoS attacks exploit IoT devices, which were used as botnets to flood the application layer. These attacks did not involve reflection amplification: the compromised devices sent traffic directly from their own IP addresses. If reflection amplification were combined with botnets of this scale, attacks could potentially double or more in size, and are likely to reach the terabits per second (Tbps) range.
CF asserted, “This year we have already seen the trend and we had expected the size and frequency to increase as the IoT is not a new thing. But the attacker will always see what is available and what else can be used – we expect to see more and more use of IoT devices that are easily infected and which are very difficult to patch and therefore can be used again and again. The focus is on the development and trend towards the attack size and the actual impact.”
With Service Providers being the main target, 67 percent experienced multi-vector attacks, up from 56 percent and 42 percent in the previous two years. According to CF, “we have seen the amount of multi-vector attacks increase but the majority of attacks are volumetric, the application layer attacks are increasing due to the ease of infection and it has not been too difficult to take down and attack the application layer – the capability of the attacker has become more sophisticated and computing power is also increasing.”
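As an added illustration of the NetFlow-based detection and the multi-vector attacks discussed above (example code written for this article, not Arbor's or Netscout's), the following Python aggregates constructed flow records per destination and labels volumetric, UDP reflection and application-layer vectors. The thresholds, port sets, window length and sample addresses are assumptions chosen for the demo, not real sizing guidance.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record: who sent how many bytes to whom in the window."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int

# Illustrative assumptions for a small demo window, not production thresholds.
WINDOW_SECONDS = 60
VOLUMETRIC_BPS = 10_000_000          # 10 Mbps counts as "volumetric" in this toy
REFLECTOR_PORTS = {53, 123, 1900}    # DNS, NTP, SSDP source ports seen in reflection
APP_PORTS = {80, 443}                # small TCP flows here suggest application-layer
MIN_APP_SOURCES = 20                 # distinct sources before we call it a flood

def classify_vectors(flows):
    """Return {dst: [vector, ...]} for every destination showing at least one vector."""
    stats = defaultdict(lambda: {"bytes": 0, "reflect_bytes": 0, "app_sources": set()})
    for f in flows:
        s = stats[f.dst]
        s["bytes"] += f.nbytes
        if f.proto == "udp" and f.sport in REFLECTOR_PORTS:
            s["reflect_bytes"] += f.nbytes          # amplifier replies arrive from well-known ports
        if f.proto == "tcp" and f.dport in APP_PORTS and f.nbytes < 2000:
            s["app_sources"].add(f.src)             # many tiny requests from many hosts
    result = {}
    for dst, s in stats.items():
        vectors = []
        if s["bytes"] * 8 / WINDOW_SECONDS > VOLUMETRIC_BPS:
            vectors.append("volumetric")
        if s["reflect_bytes"] * 8 / WINDOW_SECONDS > VOLUMETRIC_BPS / 2:
            vectors.append("udp_reflection")
        if len(s["app_sources"]) >= MIN_APP_SOURCES:
            vectors.append("application_layer")
        if vectors:
            result[dst] = vectors
    return result

def is_multi_vector(vectors):
    """A destination hit by two or more vectors in one window is a multi-vector attack."""
    return len(vectors) >= 2

# Constructed sample window: NTP reflection plus many small HTTPS requests from
# distinct bots against one host, and a single benign flow to another host.
SAMPLE_FLOWS = (
    [Flow(f"203.0.113.{i}", 123, "198.51.100.10", 5000 + i, "udp", 2_000_000) for i in range(1, 41)]
    + [Flow(f"192.0.2.{i}", 40000 + i, "198.51.100.10", 443, "tcp", 900) for i in range(1, 31)]
    + [Flow("192.0.2.200", 40001, "198.51.100.20", 443, "tcp", 1500)]
)

if __name__ == "__main__":
    for dst, vectors in classify_vectors(SAMPLE_FLOWS).items():
        print(dst, vectors, "multi-vector" if is_multi_vector(vectors) else "single-vector")
```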
Loss of revenue to organisations as a result of DDoS is also up, from 33 percent to 42 percent, mainly due to the increasing amount of e-commerce downtime and the resulting media and stakeholder coverage. With greater reliance on internet business and online services, the revenue impact of disruption is ever increasing.
Potentially a positive is the drop in the use of firewalls to mitigate DDoS attacks, falling from 71 percent to 40 percent, as firewalls are not designed to handle a DDoS attack. Organisations need devices specifically designed to handle these attacks, and an on-premise device is often not designed for attacks of this size; the drop is a sign that people understand a different solution is needed and are implementing it.
DDoS simulations are also increasing, as the solutions being deployed are tested, and tested regularly. Simulations include directing traffic to a cloud-based solution, alongside any other upgrades, to ensure the system is working as expected and operating as designed, including any internal routing and the rerouting of traffic to a scrubbing centre. Most organisations do not try to send a large volume of traffic in a simulation, as this will already have been done in the lab; the point is not the traffic size but ensuring the workflow routes traffic correctly.
Finally, the report highlighted that organisations continue to have difficulty hiring and retaining staff. CF confirmed, “when we talk to the people in the industry, most people are aware of DDoS and are investing more into this area. This requires more expertise but this places a demand on this sector and it would appear as the demand has increased there is a reduction in supply – good people are difficult to find due to the experience and expertise required.”
The full report is available HERE.