7 th Annual Edition
CE Latinamerica Carlos A. Ayala cayala@arbor.net
twitter: @caar2000




Page 2 - Company Confidential

Page 3 - Company Confidential

Page 4 - Company Confidential

Page 5 - Company Confidential

During a Distributed Denial of Service (DDoS) attack , compromised hosts ( bots) or vigilante users from distributed sources overwhelm the target with illegitimate traffic so that the
6 servers can not respond to legitimate clients.
Page 6 - Company Confidential

 Any part of your network or services that is vulnerable to an attack
– Network Interfaces
– Infrastructure
– Firewall/IPS
– Servers
– Protocols
– Applications
– Databases
 Attackers will find the weakness
Page 7 - Company Confidential

Source: Arbor Networks 2011 Infrastructure Security Report
 4 of the top 6 threats seen over the last 12 months are DDoS related
 The top 4 perceived threats for the next 12 months are DDoS related
 DDoS threat awareness is high
Page 8 - Company Confidential

 2011 Worldwide Infrastructure Security Report
– Survey of Internet operators focused on security practices, incidents and trends
– 114 respondents worldwide
– Data based on measurements, insights and opinions of respondents
 ATLAS Data Trends
– Data collected from 100+ Arbor deployments and honeynets sharing attack and traffic statistics
– Empirical data based on measurements taken in production deployments
Page 9 - Company Confidential

 Survey conducted in October through November 2011
 114 total respondents across different market segments
 54% service providers, 15% T1 providers
 “Other” includes VOIP, wholesale internet, DDoS mitigation, database repository payment and credit sites
Page 10 - Company Confidential

 Ideologicallymotivated ‘Hacktivism’ and On-line vandalism
DDoS attacks are the most commonly identified attack motivations
 10 Gbps and Large Flood-Based DDoS Attacks Are The “New
Normal”
 First-Ever Reports of IPv6 DDoS Attacks 'in the Wild' on
Production Networks
 Increased Sophistication and Complexity of Application
Layer (Layer 7) DDoS Attacks and Multivector DDoS Attacks
Are Becoming More Common
 Continued Uncertainty Around Visibility & Security of
Mobile/Fixed Wireless Networks
 Stateful Firewalls, IPS and Load-Balancers Devices continue to Fall Short on DDoS

Page 11 - Company Confidential

 91% of respondents see at least 1 DDoS attack per month up from 76% in 2010
 44% of respondents see 10 or more attacks per month up from 35% in 2010
Page 12 - Company Confidential

 Top two attack motivation categories are fueled by personal beliefs and inclinations of attackers
 Exponential increase in risk of being attacked
Page 13 - Company Confidential

 Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators
 13% of respondents report attacks above 10 Gbps
 40% of respondents report attacks above 1 Gbps
 Largest pps attack reported is 35 Mpps keeping pace with 2010
Page 14 - Company Confidential

Max BPS Misuse DDoS attacks per country in LAT 2011
 Largest bps attack in LAT 10.465 Gbps in Brazil
 Largest bps attack reported is 60 Gbps WW
Page 15 - Company Confidential

Avg BPS Misuse DDoS attacks per country in LAT 2011
 Top Avg BPS attacks above 1 Gbps in LAT, Perú and Uruguay.
 40% of respondents report WW attacks above 1 Gbps
Page 16 - Company Confidential

Max PPS Misuse DDoS attacks per country in LAT 2011
 Largest pps attack in LAT 10.836 Mpps in Brazil
 Largest pps attack reported is 35 Mpps WW
Page 17 - Company Confidential

Avg PPS Misuse DDoS attacks per country in LAT 2011
 Top Misuse Avg PPS attacks in LAT 3.064 M pps in Perú
Page 18 - Company Confidential

 A higher percentage of attacks reported on HTTP and IRC relative to 2010
– HTTP (87% vs 84%) and on IRC (11% vs 0%) relative to 2010
 Lower percent of attacks on DNS, SMTP, HTTPS and VOIP
– DNS (67% vs 76%), SMTP (25% vs 40%), HTTPS (24% vs 35%) and VOIP
(19% vs 38%)
 SSL based attacks reported included TCP and UDP floods against port
443, port scanning attempts and Slowloris
Page 19 - Company Confidential

Destination ports breakout DDoS attacks in LAT 2011
9%  53
7%  80
4%  IP fragment (0)
Page 20 - Company Confidential

 Majority of known attack types are focused against web properties
Page 21 - Company Confidential

Observed DDoS Attacks Targeting IDCs
44%
56%
Yes
No
 56% of Data Center respondents observed
DDoS attacks in 2011
 The percentage is down from 2010 which showed
69%
 25% of respondents observed
DDoS attacks that exceeded the total bandwidth into the
Data Center
 2010 which was only 15%
DDoS Attacks Exceeding IDC Bandwidth
75%
25%
Yes
No
Page 22 - Company Confidential

 Over 40% of respondents reported an inline firewall and/or
IPS failing due to a DDoS attack.
 This is slightly lower number than 2010 where 49% reported a firewall and/or IPS failure.
 10% of respondents do not put firewalls/IPS in front of IDCs
Firewall/IPS Failure Due to DDoS
10%
48%
41%
Yes
No
Not Deployed in
IDCs
Load Balancer Failure Due to DDoS
54%
4%
43%
Yes
No
Not Deployed in
IDCs
 96% of respondents use load balancers within their IDCs
 43% of respondents reported a stateful Load Balancer (or
ADC) going down due to a
DDoS attack
Page 23 - Company Confidential

 Almost 70% of survey respondents have never practiced responding to a DDoS Attack event
 Only 2% improvement in percentage of respondents that have rehearsed attack responses
Page 24 - Company Confidential

 Does your organization have a CERT or CSIRT
(e.g., KPRCERT)?
 66% of respondents collaborate with a
Government or
National CERT/CSIRT
 Those that don’t cite several reasons why.
Most due to lack of time or CERT
 Not my job
 None in my region
 We don’t see a need
 Organization not big enough
 Input from such bodies not deemed useful
Page 25 - Company Confidential

Mobile Services are Pushing Technology Adoption
 27% of survey respondents offered mobile services
 Ranging from 1M to over
100M subs
 Range of subs shifted up, reflecting growth in Mobile
 LTE availability accelerating
 LTE offered by 28.6%, up from 9% last year
 Another 52% plan to have
LTE deployed by 2014
 IPv6 goes ahead
 50% plan to introduce IPv6 within next 12 months.
 9.6% already have it.
Page 26 - Company Confidential

 50% see application layer attacks on their networks
 Broad spread of attack types - similar to what we see elsewhere
 DNS is the most common target – target with the most widespread damage potential
 Surprise that HTTP was not top as last year, especially given general trends
Page 27 - Company Confidential

 Two thirds of respondents have deployed IPv6 in their networks
 Majority of those who deployed IPv6 are using IPv6 for internal addressing of their network infrastructure
 Two thirds of those who have not deployed IPv6 plan to do so in near term
 Traffic and volume remain low with varied forecasts for growth
 One respondent provided following answer indicating overall mood:
– “depends of what youtube and company are doing ;)”
Page 28 - Company Confidential

 First report of an IPv6 DDoS attack in the history of the WISR
 Low frequency of attacks reflect low adoption of IPv6 for critical services
Page 29 - Company Confidential

 87% of all respondents offer DNS services.
 77% have security teams responsible for DNS Services
– 63% Main Security Group
– 23% No Security Group
– 14% Specific Security Group
 Numbers are consistent with 2011 survey.
Page 30 - Company Confidential

 Overall attack frequency has increased year over year
 DNS attacks are down a little
– 67% in 2011 vs 76% in 2010
 Outages from DNS attacks are much lower
– 13% in 2011 vs 32% in 2010
 Conclusion: DNS attack defense is improving
Page 31 - Company Confidential

Misuse BPS breakout DDoS attacks in LAT 2011/2010
Page 32 - Company Confidential

Misuse PPS breakout DDoS attacks in LAT 2011/2010
Page 33 - Company Confidential

Duration breakout DDoS attacks in LAT 2011
>30 <60 min – 43%
>1 <3 hrs - 30%
Page 34 - Company Confidential

Misuse Duration DDoS attacks in LAT 2011
 Top 3 longest DDoS attacks
 Brazil 14d 6h 29m
 Argentine 2d 0h 25m
 Dominican Rep 1d 0h 14m
 Average duration DDoS attacks
 1h 45 m
Page 35 - Company Confidential

Page 36 - Company Confidential

CE Latinamérica Carlos A. Ayala cayala@arbor.net
twitter: @caar2000