2008 Worldwide Infrastructure Security Report

Growing financial pressures, unforeseen threats, and a volatile and rapidly changing business landscape — apt descriptions for both the world economy and this years Worldwide Infrastructure Security Survey.

Arbor Networks once again has completed a survey of the largest ISPs and content providers around the world. Some 70 lead security engineers responded to 90 questions covering a spectrum of Internet backbone security threats and engineering challenges. This fourth annual survey covered the 12-month period from August 2007 through July 2008.

A copy of the full report is available at http://www.arbornetworks.com/report

The most significant findings:

• ISPs Fight New Battles
  In the last four surveys, ISPs reportedly spent most of their available security resources combating distributed denial of service (DDoS) attacks. For the first time, this year ISPs describe a far more diversified range of threats, including concerns over domain name system (DNS) spoofing, border gateway protocol (BGP) hijacking and spam. Almost half of the surveyed ISPs now consider their DNS services vulnerable. Others expressed concern over related service delivery infrastructure, including voice over IP (VoIP) session border controllers (SBCs) and load balancers.
• Attacks Now Exceed 40 Gigabits
  From relatively humble megabit beginnings in 2000, the largest DDoS attacks have now grown a hundredfold to break the 40 gigabit barrier this year. The growth in attack size continues to significantly outpace the corresponding increase in underlying transmission speed and ISP infrastructure investment. The below graph shows the yearly reported maximum attack size.
• Services Under Threat
  Over half of the surveyed providers reported growth in sophisticated service-level attacks at moderate and low bandwidth levels attacks specifically designed to exploit knowledge of service weakness like vulnerable and expensive back-end queries and computational resource limitations. Several ISPs reported prolonged (multi-hour) outages of prominent Internet services during the last year due to application-level attacks.
• Fighting Back
  The majority of ISPs now report that they can detect DDoS attacks using commercial or open source tools. This year also shows significant adoption of inline mitigation infrastructure and a migration away from less discriminate techniques like blocking all customer traffic (including legitimate traffic) via routing announcements. Many ISPs also report deploying walled-garden and quarantine infrastructure to combat botnets.

Overall, ISP optimism about security issues reported in previous surveys has been replaced by growing concern over the new threats and budget pressures. ISPs say they are increasingly deploying more complex distributed VoIP, video and IP services that often poorly prepared to deal with the new Internet security threats. More than half of the surveyed ISPs believe serious security threats will increase in the next year while their security groups make do with “fewer resources, less management support and increased workload.”

ISPs were also unhappy with their vendors and the security community. Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat.

Finally, the surveyed ISPs also said their vendor infrastructure equipment continues to lack key security features (like capacity for large ACL lists) and suffers from poor configuration management and a near complete absence of IPv6 security features. While most ISPs now have the infrastructure to detect bandwidth flood attacks, many still lack the ability to rapidly mitigate these attacks. Only a fraction of surveyed ISPs said they have the capability to mitigate DDoS attacks in 10 minutes or less. Even fewer providers have the infrastructure to defend against service-level attacks or this year’s reported peak of a 40 gigabit flood attack.

As always, this work would not be possible without the support and participation of the Internet security community. The 2008-2009 survey will be released next Fall.