2011 Infrastructure Security Report

7th Annual Edition

CE Latinamerica Carlos A. Ayala cayala@arbor.net

twitter: @caar2000

Agenda

DDoS Basics

Worldwide Infrastructure Security Report and ATLAS

LAT statistics

Page 2 - Company Confidential

Distributed Denial of Service (DDoS)


What is a DDoS Attack?

During a Distributed Denial of Service (DDoS) attack, compromised hosts (bots) or vigilante users from distributed sources overwhelm the target with illegitimate traffic so that the servers cannot respond to legitimate clients.


The DDoS Attack Surface

 Any part of your network or services that is vulnerable to an attack

– Network Interfaces

– Infrastructure

– Firewall/IPS

– Servers

– Protocols

– Applications

– Databases

 Attackers will find the weakness


DDoS Threats are Top of Mind

Source: Arbor Networks 2011 Infrastructure Security Report

 4 of the top 6 threats seen over the last 12 months are DDoS related

 The top 4 perceived threats for the next 12 months are DDoS related

 DDoS threat awareness is high


Sources of Data

 2011 Worldwide Infrastructure Security Report

– Survey of Internet operators focused on security practices, incidents and trends

– 114 respondents worldwide

– Data based on measurements, insights and opinions of respondents

 ATLAS Data Trends

– Data collected from 100+ Arbor deployments and honeynets sharing attack and traffic statistics

– Empirical data based on measurements taken in production deployments


2011 Infrastructure Security Survey

 Survey conducted in October through November 2011

 114 total respondents across different market segments

 54% service providers, 15% T1 providers

 “Other” includes VOIP, wholesale internet, DDoS mitigation, database repository payment and credit sites


Key Findings in the Survey

 Ideologically motivated ‘Hacktivism’ and on-line vandalism DDoS attacks are the most commonly identified attack motivations

 10 Gbps and Large Flood-Based DDoS Attacks Are The “New Normal”

 First-Ever Reports of IPv6 DDoS Attacks 'in the Wild' on Production Networks

 Increased Sophistication and Complexity of Application Layer (Layer 7) DDoS Attacks and Multivector DDoS Attacks Are Becoming More Common

 Continued Uncertainty Around Visibility & Security of Mobile/Fixed Wireless Networks

 Stateful Firewall, IPS and Load-Balancer Devices Continue to Fall Short on DDoS


DDoS Attack Frequency over last 12 Months

 91% of respondents see at least 1 DDoS attack per month, up from 76% in 2010

 44% of respondents see 10 or more attacks per month, up from 35% in 2010


Top DDoS Motivations

 Top two attack motivation categories are fueled by personal beliefs and inclinations of attackers

 Exponential increase in risk of being attacked


Large Attacks are Now Commonplace

 Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators

 13% of respondents report attacks above 10 Gbps

 40% of respondents report attacks above 1 Gbps

 Largest pps attack reported is 35 Mpps, keeping pace with 2010


Max BPS Misuse DDoS attacks per country in LAT 2011

 Largest bps attack in LAT: 10.465 Gbps, in Brazil

 Largest bps attack reported worldwide (WW): 60 Gbps


Avg BPS Misuse DDoS attacks per country in LAT 2011

 Top average-bps attacks above 1 Gbps in LAT: Perú and Uruguay.

 40% of respondents report WW attacks above 1 Gbps


Max PPS Misuse DDoS attacks per country in LAT 2011

 Largest pps attack in LAT: 10.836 Mpps, in Brazil

 Largest pps attack reported worldwide (WW): 35 Mpps


Avg PPS Misuse DDoS attacks per country in LAT 2011

 Top misuse average-pps attack in LAT: 3.064 Mpps, in Perú


Application Layer and Multi-vector DDoS

 A higher percentage of attacks reported on HTTP and IRC relative to 2010

– HTTP (87% vs 84%) and on IRC (11% vs 0%) relative to 2010

 Lower percentage of attacks on DNS, SMTP, HTTPS and VOIP

– DNS (67% vs 76%), SMTP (25% vs 40%), HTTPS (24% vs 35%) and VOIP (19% vs 38%)

 SSL-based attacks reported included TCP and UDP floods against port 443, port scanning attempts and Slowloris


Destination ports breakout DDoS attacks in LAT 2011

– 9%: destination port 53

– 7%: destination port 80

– 4%: IP fragments (shown as port 0)


Most Common Application Layer Attacks Seen

 Majority of known attack types are focused against web properties


DDoS Attacks Against Data Centers

Observed DDoS Attacks Targeting IDCs (chart): Yes 56%, No 44%

 56% of Data Center respondents observed DDoS attacks in 2011

 The percentage is down from 2010, which showed 69%

 25% of respondents observed DDoS attacks that exceeded the total bandwidth into the Data Center

 This is up from 2010, when it was only 15%

DDoS Attacks Exceeding IDC Bandwidth (chart): Yes 25%, No 75%


Fragility of Stateful Devices in the IDC

 Over 40% of respondents reported an inline firewall and/or IPS failing due to a DDoS attack.

 This is a slightly lower number than in 2010, when 49% reported a firewall and/or IPS failure.

 10% of respondents do not put firewalls/IPS in front of IDCs

Firewall/IPS Failure Due to DDoS (chart): Yes 41%, No 48%, Not Deployed in IDCs 10%

Load Balancer Failure Due to DDoS (chart): Yes 43%, No 54%, Not Deployed in IDCs 4%

 96% of respondents use load balancers within their IDCs

 43% of respondents reported a stateful Load Balancer (or ADC) going down due to a DDoS attack


DDoS Event Response Drills

 Almost 70% of survey respondents have never practiced responding to a DDoS Attack event

 Only a 2% improvement in the percentage of respondents that have rehearsed attack responses


CERTs

 Does your organization have a CERT or CSIRT (e.g., KPRCERT)?

 66% of respondents collaborate with a Government or National CERT/CSIRT

 Those that don’t cite several reasons why, most due to lack of time or lack of a CERT:

– Not my job

– None in my region

– We don’t see a need

– Organization not big enough

– Input from such bodies not deemed useful


Mobile Services are Pushing Technology Adoption

 27% of survey respondents offered mobile services, ranging from 1M to over 100M subs

– Range of subs shifted up, reflecting growth in Mobile

 LTE availability accelerating

– LTE offered by 28.6%, up from 9% last year

– Another 52% plan to have LTE deployed by 2014

 IPv6 goes ahead

– 50% plan to introduce IPv6 within next 12 months.

– 9.6% already have it.


Mobile Infrastructure DDoS Attacks

 50% see application layer attacks on their networks

 Broad spread of attack types - similar to what we see elsewhere

 DNS is the most common target – target with the most widespread damage potential

 Surprising that HTTP was not the top target, as it was last year, especially given general trends


IPv6 Rollout and Growth

 Two thirds of respondents have deployed IPv6 in their networks

 Majority of those who deployed IPv6 are using IPv6 for internal addressing of their network infrastructure

 Two thirds of those who have not deployed IPv6 plan to do so in near term

 Traffic and volume remain low with varied forecasts for growth

 One respondent provided the following answer, indicating the overall mood:

– “depends of what youtube and company are doing ;)”


IPv6 DDoS Attacks

 First report of an IPv6 DDoS attack in the history of the WISR

 Low frequency of attacks reflects low adoption of IPv6 for critical services


DNS Security is a Focus

 87% of all respondents offer DNS services.

 77% have security teams responsible for DNS Services

– 63% Main Security Group

– 23% No Security Group

– 14% Specific Security Group

 Numbers are consistent with the 2011 survey.


Outages from DNS Attacks

 Overall attack frequency has increased year over year

 DNS attacks are down a little

– 67% in 2011 vs 76% in 2010

 Outages from DNS attacks are much lower

– 13% in 2011 vs 32% in 2010

 Conclusion: DNS attack defense is improving


Misuse BPS breakout DDoS attacks in LAT 2011/2010


Misuse PPS breakout DDoS attacks in LAT 2011/2010


Duration breakout DDoS attacks in LAT 2011

– 30 to 60 min: 43%

– 1 to 3 hrs: 30%


Misuse Duration DDoS attacks in LAT 2011

 Top 3 longest DDoS attacks

– Brazil: 14d 6h 29m

– Argentina: 2d 0h 25m

– Dominican Republic: 1d 0h 14m

 Average duration of DDoS attacks: 1h 45m


Overall breakout comparison LAT 2011 vs 2010


Thank You

CE Latinamérica Carlos A. Ayala cayala@arbor.net

twitter: @caar2000