Arbor Networks, a provider of core-to-core network security and operational systems for large business networks, has released its highly interesting second annual Worldwide Infrastructure Security Report.
Addressing the second half of 2005, Arbor's report includes input from 55 self-classified tier-1, tier-2, and hybrid IP network operators in North America, Europe and Asia.
Large, and Increasing, Number of Attacks
The survey found that Distributed Denial of Service (DDoS) attacks are still the most significant threat to ISPs today. In fact, six years after the initial flurry of well-publicized DDoS attacks, the majority of surveyed operators are spending more resources addressing DDoS than any other security threat, including worms and other botnet-based attacks. Not only is the number of attacks (slowly) increasing, so is the size of the attacks. ISPs now regularly report attacks of up to a massive 10-20Gbps, more than enough to fill an entire OC192 (10 Gbps) circuit with a minimum packet size!
The respondents reported these details about attack size:
Second to DDoS attacks - which are largely executed by botnets - network operators (31 per cent of respondents) are most concerned with other malicious activity for which botnets are employed. These activities include
Perhaps surprisingly only 4 per cent of the ISPs saw route hijacking as the most important issue. I see that as a fundamental weakness in the Internet and have on numerous occasions over the past five or six years at least suggested a security revision of the Border Gateway Protocol, bringing the large backbone routers into an active security role.
Countermeasures in use
Lacking more intelligent filtering methods, ISPs often respond to an attack by crudely filtering out all traffic to the user under attack, a cure which may be worse than the disease since it effectively completes the attack against the victim.
When asked about source-IP-based mitigation techniques and why these aren't used more frequently, the ISPs cited a lack of infrastructure capability to enable a large number of packet filters in routers' forwarding paths, or that doing so brings with it an unacceptable performance degradation. This is exactly one of the points where BGP could help, e.g. by forwarding filter requests to the border router closest to the origin of the unwanted packets, thus avoiding a huge number of filters across the network or on machines with less power than the large routers. BGP blackhole routing of course exists, but currently this is a quite crude and coarse-grained method. Take a closer look at RFCs 3704 and 3882 if you are interested in this.
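To make the trade-off concrete, here is an added simulation (not part of the bulletin or of Arbor's report) of the two mechanisms just mentioned: RFC 3704 unicast reverse-path forwarding at an ingress interface, and an RFC 3882-style destination blackhole. The forwarding table, interface names and addresses are constructed for the example; it shows that strict uRPF drops a spoofed source at the edge, that loose uRPF only catches unrouted sources, and that a blackhole route discards legitimate traffic to the victim as well.

```python
from ipaddress import ip_address, ip_network

# Constructed forwarding table for a hypothetical ISP edge router:
# prefix -> interface through which that prefix is reached.
FIB = {
    ip_network("203.0.113.0/24"): "eth0",   # customer site that will be attacked
    ip_network("198.51.100.0/24"): "eth1",  # another customer
    ip_network("0.0.0.0/0"): "eth2",        # default route toward the upstream
}

# RFC 3882-style remote-triggered blackhole: /32 destinations sent to the
# discard interface. Empty until an operator "triggers" one for the victim.
BLACKHOLE = set()

def route_for(addr, ignore_default=False):
    """Longest-prefix match; returns (prefix, interface) or None."""
    best = None
    for prefix, iface in FIB.items():
        if ignore_default and prefix.prefixlen == 0:
            continue
        if ip_address(addr) in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best

def urpf_check(src, in_iface, mode):
    """RFC 3704 unicast RPF. strict: the route back to src must point out the
    ingress interface. loose: any non-default route to src is enough."""
    if mode == "strict":
        hit = route_for(src)
        return hit is not None and hit[1] == in_iface
    if mode == "loose":
        return route_for(src, ignore_default=True) is not None
    raise ValueError(mode)

def trigger_blackhole(victim_ip):
    """What the trigger router does when the operator blackholes a customer host."""
    BLACKHOLE.add(ip_address(victim_ip))

def forward(src, dst, in_iface, urpf_mode=None):
    """Per-packet decision at the edge router: ingress uRPF first, then the
    destination lookup, which honours any blackhole route."""
    if urpf_mode and not urpf_check(src, in_iface, urpf_mode):
        return "drop:urpf-" + urpf_mode
    if ip_address(dst) in BLACKHOLE:
        return "drop:blackhole"      # hits legitimate traffic to the victim too
    return "forward:" + route_for(dst)[1]
```

Note that the blackhole decision never looks at the source address, which is precisely why it cannot separate attack traffic from the victim's legitimate users.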
The survey also shows that only about 1.5 per cent of all actionable attacks are reported to law enforcement; the reason given overwhelmingly (38 per cent) for not doing so is that ISPs consider law enforcers to be incompetent in this respect.
Other findings
The miscreant economy continues to grow. There has been an observable uptick in the employment of botnets for revenue-generating purposes; the game is changing as the "business of botnets" evolves.
ISPs' need for revenue streams continues. Network operators are concerned that as a renewed focus on return-on-investment (ROI) emerges, ISPs are finding themselves in a very difficult position when it comes to infrastructure security, botnets in particular. While a slight majority of ISPs believe they might actually be in a position to defend themselves against compromised hosts, they believe it will be extremely difficult to do so without first generating new revenue opportunities to fund the effort.
This is a very relevant point, and one I have often made in conversation and speeches. I advocate legislation in this area, forcing ISPs to participate actively and measurably in creating and maintaining the security of public networks. Firstly, this is the only way it will get done, and secondly, this is the only way ISPs will be able to recover expenses because the whole level of costs for Internet access will increase across competitive divides.
Emerging Threats
As a result of newly emerging network security threats, the study posed questions on infrastructure security threats ranging from DNS to VOIP attacks. Roughly half of the surveyed ISPs indicated they had deployed mechanisms to detect both DNS and VOIP threats. While many providers are still in the early stages of planning or deployment of commercial VOIP services and few reported attacks against VOIP infrastructure, providers are increasingly wary of this new and emerging security threat. As an aside, we can expect an increase in application level attacks, one reason why defence-in-depth is not going to go out of fashion as ISPs undertake a larger part of the defence burden.
Methodology
This edition of the Arbor survey consisted of 65 multiple-choice and free-response questions, as opposed to 32 questions in the previous edition, covering the major operational security issues faced by network security operators today. Questions included topics related to observed threats against backbone infrastructure and individual customers, what techniques are employed to protect network infrastructure, and what mechanisms are used to detect and respond to security incidents. In addition to the tier-1 ISPs, large content and hosting providers, and a broad cross-section of tier-2 networks included in the survey, a large number of "hybrid" network operators were surveyed as well. Hybrid networks represent large-scale, globally distributed enterprise networks with multiple Internet access interconnections, and provide their organization with traditional end-user services as well as network connectivity.
You can get the whole report by following the link below.
Related links: (Open in a new window.)
www.arbornetworks.com/security-report
www.arbornetworks.com
asert.arbornetworks.com
Taken from Information Security Bulletin.