ISPs Report Emergence of Massive (10-20Gbps) Attacks Over the Last 12 Months
14 Sep 12:12

Arbor Networks, a provider of core-to-core network security and operational systems for large business networks, has released its highly interesting second annual Worldwide Infrastructure Security Report.

Addressing the second half of 2005, Arbor's report includes input from 55 self-classified tier-1, tier-2, and hybrid IP network operators in North America, Europe and Asia.

Larger, and More Numerous, Attacks
The survey found that Distributed Denial of Service (DDoS) attacks are still the most significant threat to ISPs today. In fact, six years after the initial flurry of well-publicized DDoS attacks, the majority of surveyed operators spend more resources addressing DDoS than any other security threat, including worms and other botnet-based attacks. Not only is the number of attacks (slowly) increasing, so is their size. ISPs now regularly report attacks of 10-20 Gbps, more than enough to saturate an entire OC-192 (roughly 10 Gbps) circuit. Packet rate matters as much as bit rate here: the 22 Mpps UDP flood reported below exceeds the roughly 14.9 million frames per second that a 10 Gbps Ethernet link can carry even when every frame is of minimum size, so such a flood exhausts the link's forwarding capacity before it fills the link in bits.

The respondents reported these details about attack size:

  • 17 Gbps was largest sustained attack reported
  • 22 Mpps UDP flood was reported
  • 14 Mpps SYN flood was reported

Each of these attacks was experienced by a large content or hosting provider network with multiple Internet access interconnects via several service providers, with the attack traffic well distributed across that set of links. The upstream providers of the respondents reporting these attacks confirmed that the numbers are plausible, given their fraction of the aggregate connectivity provided to the networks in question and the size of attacks they observed towards targets in those networks. This is to be expected: no single service provider is likely to see all the traffic from a well-distributed attack, so the aggregate size is only visible at the victim. Any one of these attacks, or even a fraction thereof, can create significant pain for even the largest ISP networks in the world today.

Second to DDoS attacks, which are largely executed by botnets, network operators (31 per cent of respondents) are most concerned with the other malicious activities for which botnets are employed. These activities include:

  • spam as proxy or relay
  • DDoS
  • ID theft
  • espionage
  • form-logging
  • phishing
  • address harvesting
  • open proxy
  • scan and sploit
  • SSH brute force attacks
  • more marketing
  • lifting CD keys

Of those who responded that botnet-based threats were a primary concern, the following botnet trends were identified:
  • command and control channels are harder to infiltrate and are better monitored by the botherder (the botherder is the person or group controlling the botnet, not a bot itself)
  • more bots, botnets and firepower exist, as variations of older bots continue to emerge
  • bots are hiding better, are more difficult to remove and are more organized
  • botnets are more resilient to take-down, have more capabilities, are more flexible, and are better packed to resist detection and analysis

The types of threats that spooked the ISPs were mainly:
  • DDoS - 46 per cent
  • bots and botnets - 31 per cent
  • worms - 7 per cent
  • compromised infrastructure - 6 per cent
  • DNS - 6 per cent
  • BGP route hijacking - 4 per cent

There is obviously some overlap in the responses here, since botnets are used to carry out DDoS attacks. The findings do emphasize, though, that botnets rule. Furthermore, the way botnets are used is subtly changing, making them increasingly difficult to detect and block. I recently saw reports, for example, of botnets being used to send spam by having each bot send only a few messages at a time, while using a very large number of bots in a large number of countries, i.e. on a large number of ISP networks, making it impossible for ISPs to detect and block the attacks and indicating increasing sophistication in the command and control capabilities of botnets and their herders. (More about this in a forthcoming article about techniques used by spammers to avoid detection.)

So, this problem is not going to go away anytime soon. There are two ways to address it: (1) proper authentication of users to computers, and using the quality of this authentication to control network access (e.g. using IPv6), and (2) preventing computers from being Trojanized in the first place. Your humble editor recently suggested to a Parliamentary committee (in connection with a recent revision of the UK Computer Misuse Act) that it be made a criminal offence to connect an unsecured computer to the Internet. The suggestion was not adopted, but it seems that the idea is gaining some ground.

Perhaps surprisingly only 4 per cent of the ISPs saw route hijacking as the most important issue. I see that as a fundamental weakness in the Internet and have on numerous occasions over the past five or six years at least suggested a security revision of the Border Gateway Protocol, bringing the large backbone routers into an active security role.

Countermeasures in use
Lacking more intelligent filtering methods, ISPs often respond to an attack by crudely filtering out all traffic to the customer under attack, a cure which may be worse than the disease, since it completes the attack against the victim: the attacker's goal was to take the target offline, and the filter does exactly that.

When asked about source-IP-based mitigation techniques and why these are not used more frequently, the ISPs cited a lack of infrastructure capability to install a large number of packet filters in routers' forwarding paths, or an unacceptable performance degradation when doing so. This is exactly one of the points where BGP could help, e.g. by forwarding filter requests to the border router closest to the origin of the unwanted packets, thus avoiding a huge number of filters across the network or on machines with less power than the large routers. BGP blackhole routing of course exists, but currently it is a quite crude and coarse-grained method: as usually deployed it drops everything destined for the victim prefix. Take a closer look at RFC 3704 (ingress filtering for multihomed networks, including the loose and strict unicast reverse-path forwarding checks) and RFC 3882 (using BGP communities to remotely trigger blackholing of a destination network) if you are interested in this. Combining a blackhole route with the loose unicast RPF check described in RFC 3704 yields source-based blackholing, which already lets a single BGP announcement make every edge router drop packets from a given source address, so the building blocks for a finer-grained approach exist today.
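To make the two points above concrete (that a minimum-size flood exhausts a 10 Gbps link's packet budget before its bit budget, and that source filtering is only practical when a bounded number of sources carries most of the flood, otherwise the crude destination blackhole is what remains), here is an added example in Python. It is not code from the Arbor report or from this article; the sampled flow records, the 1:1000 sampling rate, the 10-second window, the addresses (RFC 5737 documentation ranges) and the filter and coverage thresholds are all constructed assumptions for illustration, and the packet-rate ceiling assumes Ethernet framing (8-byte preamble plus 12-byte inter-frame gap per frame).

```python
"""Added example (not from the Arbor report or this article): estimate a
flood's size from sampled flow records, check it against a 10 Gbps link,
and decide whether source filtering or a destination blackhole is feasible.
All records, addresses (RFC 5737 documentation ranges) and thresholds are
constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_RATE = 1000      # assumed 1:1000 packet sampling on the export router
WINDOW_SECONDS = 10     # assumed length of the export window


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    dport: int
    packets: int    # sampled packet count
    octets: int     # sampled byte count


VICTIM = "198.51.100.10"   # constructed target address


def _udp_flood(src: str, packets: int, size: int = 64) -> Flow:
    """Build one sampled flow record of minimum-size UDP packets at the victim."""
    return Flow(src, VICTIM, 17, 53, packets, packets * size)


# Constructed sample: three heavy sources, a tail of 50 smaller bots,
# and one legitimate HTTPS flow to a different host on the same network.
FLOWS = [
    _udp_flood("203.0.113.5", 50_000),
    _udp_flood("203.0.113.9", 40_000),
    _udp_flood("192.0.2.77", 30_000),
    *[_udp_flood(f"203.0.113.{i}", 700) for i in range(100, 150)],
    Flow("192.0.2.200", "198.51.100.20", 6, 443, 40, 60_000),
]


def aggregate(flows, sample_rate=SAMPLE_RATE, window=WINDOW_SECONDS):
    """Scale sampled counts up to estimated packets/s and bits/s per
    destination, keeping each source's packet-rate contribution."""
    per_dst = defaultdict(lambda: {"pps": 0.0, "bps": 0.0,
                                   "sources": defaultdict(float)})
    for f in flows:
        pps = f.packets * sample_rate / window
        bps = f.octets * 8 * sample_rate / window
        d = per_dst[f.dst]
        d["pps"] += pps
        d["bps"] += bps
        d["sources"][f.src] += pps
    return per_dst


def find_targets(per_dst, pps_threshold=1_000_000):
    """Destinations whose estimated packet rate reaches the threshold,
    busiest first."""
    hits = [dst for dst, d in per_dst.items() if d["pps"] >= pps_threshold]
    return sorted(hits, key=lambda dst: per_dst[dst]["pps"], reverse=True)


def link_capacity_pps(link_bps, frame_bytes=64):
    """Maximum frames/s on an Ethernet link at a given frame size; each
    frame also costs 8 bytes of preamble and a 12-byte inter-frame gap."""
    return link_bps / ((frame_bytes + 20) * 8)


def exceeds_link(per_dst, dst, link_bps=10_000_000_000):
    """(bits/s over, packets/s over) for the traffic aimed at dst. A flood
    of minimum-size packets can exhaust the packet budget of a 10 Gbps
    link well before it fills the link in bits."""
    d = per_dst[dst]
    return d["bps"] > link_bps, d["pps"] > link_capacity_pps(link_bps)


def plan_mitigation(per_dst, dst, max_filters=50, coverage=0.9):
    """Pick source filters if at most max_filters sources account for the
    requested share of the victim's packet rate; otherwise fall back to a
    destination blackhole, which drops all traffic to the victim (and so
    finishes the attacker's job) but costs a single route."""
    d = per_dst[dst]
    ranked = sorted(d["sources"].items(), key=lambda kv: kv[1], reverse=True)
    chosen, covered = [], 0.0
    for src, pps in ranked:
        if len(chosen) >= max_filters:
            break
        chosen.append(src)
        covered += pps
        if covered / d["pps"] >= coverage:
            return "source-filter", chosen
    return "destination-blackhole", [dst]


if __name__ == "__main__":
    agg = aggregate(FLOWS)
    for target in find_targets(agg):
        over_bps, over_pps = exceeds_link(agg, target)
        action, addrs = plan_mitigation(agg, target)
        print(f"{target}: {agg[target]['pps'] / 1e6:.1f} Mpps, "
              f"{agg[target]['bps'] / 1e9:.2f} Gbps, over 10G in bits: {over_bps}, "
              f"in packets: {over_pps} -> {action} on {len(addrs)} address(es)")
```

On the constructed data the victim receives about 15.5 Mpps but under 8 Gbps, so the link is saturated by packet rate alone; 31 source filters cover 90 per cent of that rate, which is within the assumed per-router budget of 50, whereas a router that can only afford 10 filters is left with the destination blackhole. The max_filters figure is exactly the forwarding-path limit the ISPs cited, and is what a BGP-distributed per-source drop would relieve.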

The survey also shows that only about 1.5 per cent of all actionable attacks are reported to law enforcement; the most common reason given (38 per cent) is that ISPs consider law enforcement to lack the competence to handle such cases.

Other findings
The miscreant economy continues to grow. There has been an observable uptick in the employment of botnets for revenue-generating purposes; the game is changing as the "business of botnets" evolves.

ISPs' need for revenue streams continues. Network operators are concerned that as a renewed focus on return-on-investment (ROI) emerges, ISPs are finding themselves in a very difficult position when it comes to infrastructure security, botnets in particular. While a slight majority of ISPs believe they might actually be in a position to defend themselves against compromised hosts, they believe it will be extremely difficult to do so without first generating new revenue opportunities to fund the effort.

This is a very relevant point, and one I have often made in conversation and speeches. I advocate legislation in this area, forcing ISPs to participate actively and measurably in creating and maintaining the security of public networks. Firstly, this is the only way it will get done, and secondly, this is the only way ISPs will be able to recover expenses because the whole level of costs for Internet access will increase across competitive divides.

Emerging Threats
Prompted by newly emerging network security threats, the study also asked about infrastructure security threats ranging from DNS to VoIP attacks. Roughly half of the surveyed ISPs indicated they had deployed mechanisms to detect both DNS and VoIP threats. While many providers are still in the early stages of planning or deploying commercial VoIP services, and few reported attacks against VoIP infrastructure, providers are increasingly wary of this new and emerging threat. As an aside, we can expect an increase in application-level attacks, one reason why defence-in-depth is not going to go out of fashion as ISPs take on a larger part of the defence burden.

Methodology
This edition of the Arbor survey consisted of 65 multiple choice and free response questions - as opposed to 32 questions in the previous edition - covering the major operational security issues faced by network security operators today. Questions included topics related to observed threats against backbone infrastructure and individual customers, what techniques are employed to protect network infrastructure, and what mechanisms are used to detect and respond to security incidents. In addition to the tier-1 ISPs, large content and hosting providers, and a broad cross-section of tier-2 networks included in the survey, a large number of "hybrid" network operators were surveyed as well. Hybrid networks represent large-scale globally distributed enterprise networks with multiple Internet access interconnections, and provide their organization with traditional end-users services as well as network connectivity.

You can get the whole report by following the link below.

Related links:
www.arbornetworks.com/security-report
www.arbornetworks.com
asert.arbornetworks.com
