2011 Infrastructure Security Report 7 th Annual Edition CE Latinamerica Carlos A. Ayala...


2011 Infrastructure Security Report

7th Annual Edition

CE Latinamerica Carlos A. [email protected]

twitter: @caar2000

Page 2 - Company Confidential

Agenda

DDoS Basics

Worldwide Infrastructure Security Report and ATLAS

LAT statistics


Distributed Denial of Service (DDoS)

Filling up your network capacity


Distributed Denial of Service (DDoS)

Targeting your underlying infrastructure


Distributed Denial of Service (DDoS)

Taking down your services

What is a DDoS Attack?

During a Distributed Denial of Service (DDoS) attack, compromised hosts (bots) or vigilante users from distributed sources overwhelm the target with illegitimate traffic so that the servers cannot respond to legitimate clients.


The DDoS Attack Surface

Any part of your network or services that is vulnerable to an attack
– Network Interfaces
– Infrastructure
– Firewall/IPS
– Servers
– Protocols
– Applications
– Databases

Attackers will find the weakness


DDoS Threats are Top of Mind

4 of the top 6 threats seen over the last 12 months are DDoS related

The top 4 perceived threats for the next 12 months are DDoS related

DDoS threat awareness is high

Source: Arbor Networks 2011 Infrastructure Security Report


Sources of Data

2011 Worldwide Infrastructure Security Report
– Survey of Internet operators focused on security practices, incidents and trends
– 114 respondents worldwide
– Data based on measurements, insights and opinions of respondents

ATLAS Data Trends
– Data collected from 100+ Arbor deployments and honeynets sharing attack and traffic statistics
– Empirical data based on measurements taken in production deployments

2011 Infrastructure Security Survey

Survey conducted in October through November 2011
114 total respondents across different market segments
54% service providers, 15% T1 providers
“Other” includes VOIP, wholesale internet, DDoS mitigation, database repository, payment and credit sites

Key Findings in the Survey

Ideologically-motivated ‘Hacktivism’ and On-line vandalism DDoS attacks are the most commonly identified attack motivations

10 Gbps and Large Flood-Based DDoS Attacks Are The “New Normal”

First-Ever Reports of IPv6 DDoS Attacks 'in the Wild' on Production Networks

Increased Sophistication and Complexity of Application Layer (Layer 7) DDoS Attacks and Multivector DDoS Attacks Are Becoming More Common

Continued Uncertainty Around Visibility & Security of Mobile/Fixed Wireless Networks

Stateful Firewall, IPS and Load-Balancer Devices Continue to Fall Short on DDoS

DDoS Attack Frequency over last 12 Months

91% of respondents see at least 1 DDoS attack per month up from 76% in 2010

44% of respondents see 10 or more attacks per month up from 35% in 2010


Top DDoS Motivations

Top two attack motivation categories are fueled by personal beliefs and inclinations of attackers

Exponential increase in risk of being attacked


Large Attacks are Now Commonplace

Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators

13% of respondents report attacks above 10 Gbps
40% of respondents report attacks above 1 Gbps
Largest pps attack reported is 35 Mpps, keeping pace with 2010

Max BPS Misuse DDoS attacks per country in LAT 2011

Largest bps attack in LAT: 10.465 Gbps in Brazil
Largest bps attack reported WW: 60 Gbps

Avg BPS Misuse DDoS attacks per country in LAT 2011

Top average-bps attacks above 1 Gbps in LAT: Perú and Uruguay
40% of respondents report WW attacks above 1 Gbps

Max PPS Misuse DDoS attacks per country in LAT 2011

Largest pps attack in LAT: 10.836 Mpps in Brazil
Largest pps attack reported WW: 35 Mpps

Avg PPS Misuse DDoS attacks per country in LAT 2011

Top misuse average-pps attack in LAT: 3.064 Mpps in Perú

Application Layer and Multi-vector DDoS

A higher percentage of attacks reported on HTTP and IRC relative to 2010
– HTTP (87% vs 84%) and IRC (11% vs 0%)

Lower percentage of attacks on DNS, SMTP, HTTPS and VOIP relative to 2010
– DNS (67% vs 76%), SMTP (25% vs 40%), HTTPS (24% vs 35%) and VOIP (19% vs 38%)

SSL-based attacks reported included TCP and UDP floods against port 443, port scanning attempts and Slowloris

Destination ports breakout DDoS attacks in LAT 2011

Values recoverable from the chart (share, destination port):
– 9%: 53
– 7%: 80
– 4%: IP fragment (0)

Most Common Application Layer Attacks Seen

Majority of known attack types are focused against web properties


DDoS Attacks Against Data Centers

Observed DDoS Attacks Targeting IDCs (chart): Yes 56%, No 44%

56% of Data Center respondents observed DDoS attacks in 2011

The percentage is down from 2010, which showed 69%

DDoS Attacks Exceeding IDC Bandwidth (chart): Yes 25%, No 75%

25% of respondents observed DDoS attacks that exceeded the total bandwidth into the Data Center

In 2010 this was only 15%

Fragility of Stateful Devices in the IDC

Over 40% of respondents reported an inline firewall and/or IPS failing due to a DDoS attack.

This is a slightly lower number than 2010, where 49% reported a firewall and/or IPS failure.

10% of respondents do not put firewalls/IPS in front of IDCs

Firewall/IPS Failure Due to DDoS (chart): Yes 41%, No 48%, Not Deployed in IDCs 10%

Load Balancer Failure Due to DDoS (chart): Yes 43%, No 54%, Not Deployed in IDCs 4%

96% of respondents use load balancers within their IDCs

43% of respondents reported a stateful Load Balancer (or ADC) going down due to a DDoS attack

DDoS Event Response Drills

Almost 70% of survey respondents have never practiced responding to a DDoS Attack event

Only 2% improvement in percentage of respondents that have rehearsed attack responses


CERTs

Does your organization have a CERT or CSIRT (e.g., KPRCERT)?

66% of respondents collaborate with a Government or National CERT/CSIRT

Those that don’t cite several reasons why. Most due to lack of time or CERT:
– Not my job
– None in my region
– We don’t see a need
– Organization not big enough
– Input from such bodies not deemed useful

Mobile Services are Pushing Technology Adoption

27% of survey respondents offered mobile services
– Ranging from 1M to over 100M subs
– Range of subs shifted up, reflecting growth in Mobile

LTE availability accelerating
– LTE offered by 28.6%, up from 9% last year
– Another 52% plan to have LTE deployed by 2014

IPv6 goes ahead
– 50% plan to introduce IPv6 within next 12 months
– 9.6% already have it

Mobile Infrastructure DDoS Attacks

50% see application layer attacks on their networks
Broad spread of attack types, similar to what we see elsewhere
DNS is the most common target – the target with the most widespread damage potential
Surprise that HTTP was not top as last year, especially given general trends

IPv6 Rollout and Growth

Two thirds of respondents have deployed IPv6 in their networks
Majority of those who deployed IPv6 are using IPv6 for internal addressing of their network infrastructure
Two thirds of those who have not deployed IPv6 plan to do so in near term
Traffic and volume remain low with varied forecasts for growth
One respondent provided the following answer indicating overall mood:
– “depends of what youtube and company are doing ;)”

IPv6 DDoS Attacks

First report of an IPv6 DDoS attack in the history of the WISR

Low frequency of attacks reflects low adoption of IPv6 for critical services

DNS Security is a Focus

Numbers are consistent with 2011 survey.

87% of all respondents offer DNS services.
77% have security teams responsible for DNS Services
– 63% Main Security Group
– 23% No Security Group
– 14% Specific Security Group

Outages from DNS Attacks

Overall attack frequency has increased year over year
DNS attacks are down a little – 67% in 2011 vs 76% in 2010

Outages from DNS attacks are much lower – 13% in 2011 vs 32% in 2010

Conclusion: DNS attack defense is improving

Misuse BPS breakout DDoS attacks in LAT 2011/2010


Misuse PPS breakout DDoS attacks in LAT 2011/2010


Duration breakout DDoS attacks in LAT 2011

– >30 <60 min: 43%
– >1 <3 hrs: 30%

Misuse Duration DDoS attacks in LAT 2011

Top 3 longest DDoS attacks
– Brazil: 14d 6h 29m
– Argentina: 2d 0h 25m
– Dominican Rep: 1d 0h 14m

Average duration DDoS attacks: 1h 45m
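The metrics the deck reports per attack (peak bps, peak pps, duration, and the destination-port breakout on the "Destination ports breakout" slide) are all derived from flow measurements. The following is an added example, not code from Arbor, ATLAS or the presenter, showing how a defender can compute those same metrics from 1-second flow aggregates: it sums bytes and packets per destination and second, marks a second as misuse when it exceeds a hypothetical 1 Gbps or 1 Mpps threshold, groups consecutive misuse seconds into one attack, and renders the duration in the deck's "14d 6h 29m" style. The flow records, IP addresses and thresholds are constructed for the example.

```python
"""Added example (not from the Arbor deck): derive the per-attack metrics the
report summarises (peak bps, peak pps, duration, destination-port breakout)
from constructed 1-second flow aggregates, and group consecutive misuse
intervals per destination into one attack."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: (second, dst_ip, dst_port, bytes, packets).
# Values are invented to show one flood against 203.0.113.10 lasting 3 s.
SAMPLE_FLOWS = [
    (0, "203.0.113.10", 80, 40_000, 400),                  # normal web load
    (1, "203.0.113.10", 80, 42_000, 420),
    (2, "203.0.113.10", 80, 900_000_000, 1_200_000),       # flood begins
    (2, "203.0.113.10", 53, 300_000_000, 600_000),
    (3, "203.0.113.10", 80, 1_100_000_000, 1_300_000),
    (3, "203.0.113.10", 53, 250_000_000, 500_000),
    (4, "203.0.113.10", 80, 950_000_000, 1_250_000),
    (5, "203.0.113.10", 80, 41_000, 410),                  # back to normal
    (0, "203.0.113.20", 443, 30_000, 300),                 # untouched host
    (3, "203.0.113.20", 443, 31_000, 310),
]

# Hypothetical misuse thresholds; a second above either one counts as misuse.
BPS_THRESHOLD = 1_000_000_000  # 1 Gbps
PPS_THRESHOLD = 1_000_000      # 1 Mpps


@dataclass
class AttackSummary:
    dst_ip: str
    start: int          # first misuse second
    end: int            # last misuse second
    peak_bps: int
    peak_pps: int
    port_share: dict    # dst_port -> fraction of attack packets

    @property
    def duration_seconds(self) -> int:
        return self.end - self.start + 1


def per_second_totals(flows):
    """Sum bytes/packets per (dst, second), and packets per port within it."""
    totals = defaultdict(lambda: [0, 0])
    by_port = defaultdict(lambda: defaultdict(int))
    for sec, dst, port, nbytes, pkts in flows:
        totals[(dst, sec)][0] += nbytes
        totals[(dst, sec)][1] += pkts
        by_port[(dst, sec)][port] += pkts
    return totals, by_port


def _finalize(cur):
    total = sum(cur["ports"].values())
    share = {p: n / total for p, n in cur["ports"].items()}
    return AttackSummary(cur["dst"], cur["start"], cur["end"],
                         cur["peak_bps"], cur["peak_pps"], share)


def find_attacks(flows, bps_threshold=BPS_THRESHOLD, pps_threshold=PPS_THRESHOLD):
    """Return one AttackSummary per run of consecutive misuse seconds per dst."""
    totals, by_port = per_second_totals(flows)
    open_runs = {}   # dst -> in-progress attack state
    attacks = []
    for (dst, sec), (nbytes, pkts) in sorted(totals.items()):
        bps = nbytes * 8                      # 1-second bucket -> bits/s
        misuse = bps >= bps_threshold or pkts >= pps_threshold
        cur = open_runs.get(dst)
        # A quiet second or a gap in the data closes the current run.
        if cur is not None and (not misuse or sec != cur["end"] + 1):
            attacks.append(_finalize(open_runs.pop(dst)))
            cur = None
        if not misuse:
            continue
        if cur is None:
            cur = open_runs[dst] = {"dst": dst, "start": sec, "end": sec,
                                    "peak_bps": 0, "peak_pps": 0,
                                    "ports": defaultdict(int)}
        cur["end"] = sec
        cur["peak_bps"] = max(cur["peak_bps"], bps)
        cur["peak_pps"] = max(cur["peak_pps"], pkts)
        for port, n in by_port[(dst, sec)].items():
            cur["ports"][port] += n
    attacks.extend(_finalize(c) for c in open_runs.values())
    return attacks


def format_duration(seconds: int) -> str:
    """Render a duration the way the deck does, e.g. '14d 6h 29m 0s'."""
    days, rem = divmod(seconds, 86_400)
    hours, rem = divmod(rem, 3_600)
    minutes, secs = divmod(rem, 60)
    return f"{days}d {hours}h {minutes}m {secs}s"


if __name__ == "__main__":
    for a in find_attacks(SAMPLE_FLOWS):
        ports = ", ".join(f"{p}: {s:.0%}" for p, s in sorted(a.port_share.items()))
        print(f"{a.dst_ip}: {format_duration(a.duration_seconds)}, "
              f"peak {a.peak_bps / 1e9:.2f} Gbps / {a.peak_pps / 1e6:.2f} Mpps, "
              f"ports {ports}")
```

On the constructed input this reports a single 3-second attack on 203.0.113.10 peaking at 10.8 Gbps and 1.8 Mpps, with 77% of attack packets to port 80 and 23% to port 53. The same aggregation over real flow exports is what produces the max/average bps and pps, duration and port-share figures in the preceding slides; the thresholds are the knob a defender tunes to match a link's real capacity.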


Overall breakout comparison LAT 2011 vs 2010

Thank You

CE Latinamérica Carlos A. [email protected]

twitter: @caar2000