1 / 37

Agenda

2011 Infrastructure Security Report 7 th Annual Edition CE Latinamerica Carlos A. Ayala cayala@arbor.net twitter: @caar2000. Agenda. DDoS Basics Worldwide Infrastructure Security Report and ATLAS LAT statistics. Distributed Denial of Service (DDoS). Filling up your network capacity.

adele
Download Presentation

Agenda

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. 2011 Infrastructure Security Report7th Annual EditionCE Latinamerica Carlos A. Ayalacayala@arbor.nettwitter: @caar2000

  2. Agenda • DDoS Basics • Worldwide Infrastructure Security Report and ATLAS • LAT statistics

  3. Distributed Denial of Service (DDoS) Filling up your network capacity

  4. Distributed Denial of Service (DDoS) Targeting your underlying infrastructure

  5. Distributed Denial of Service (DDoS) Taking down your services

  6. What is a DDoS Attack? During a Distributed Denial of Service (DDoS) attack, compromised hosts (bots) or vigilante users from distributed sources overwhelm the target with illegitimate traffic so that the servers can not respond to legitimate clients.

  7. The DDoS Attack Surface • Any part of your network or services that is vulnerable to an attack • Network Interfaces • Infrastructure • Firewall/IPS • Servers • Protocols • Applications • Databases • Attackers will find the weakness

  8. DDoS Threats are Top of Mind • 4 of the top 6 threats seen over the last 12 months are DDoS related • The top 4 perceived threats for the next 12 months are DDoS related • DDoS threat awareness is high Source: Arbor Networks 2011 Infrastructure Security Report

  9. Sources of Data • 2011 Worldwide Infrastructure Security Report • Survey of Internet operators focused on security practices, incidents and trends • 114 respondents worldwide • Data based on measurements, insights and opinions of respondents • ATLAS Data Trends • Data collected from 100+ Arbor deployments and honeynets sharing attack and traffic statistics • Empirical data based on measurements taken in production deployments

  10. 2011 Infrastructure Security Survey • Survey conducted in October through November 2011 • 114 total respondents across different market segments • 54% service providers, 15% T1 providers • “Other” includes VOIP, wholesale internet, DDoS mitigation, database repository payment and credit sites

  11. Key Findings in the Survey • Ideologically-motivated ‘Hacktivism’ and On-line vandalism DDoS attacks are the most commonly identified attack motivations • 10 Gbps and Large Flood-Based DDoS Attacks Are The “New Normal” • First-Ever Reports of IPv6 DDoS Attacks 'in the Wild' on Production Networks • Increased Sophistication and Complexity of Application Layer (Layer 7) DDoS Attacks and MultivectorDDoS Attacks Are Becoming More Common • Continued Uncertainty Around Visibility & Security of Mobile/Fixed Wireless Networks • Stateful Firewalls, IPS and Load-Balancers Devices continue to Fall Short on DDoS

  12. DDoS Attack Frequency over last 12 Months • 91% of respondents see at least 1 DDoS attack per month up from 76% in 2010 • 44% of respondents see 10 or more attacks per month up from 35% in 2010

  13. Top DDoS Motivations • Top two attack motivation categories are fueled by personal beliefs and inclinations of attackers • Exponential increase in risk of being attacked

  14. Large Attacks are Now Commonplace • Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators • 13% of respondents report attacks above 10 Gbps • 40% of respondents report attacks above 1 Gbps • Largest pps attack reported is 35 Mpps keeping pace with 2010

  15. Max BPS Misuse DDoS attacks per country in LAT 2011 • Largest bps attack in LAT 10.465 Gbps in Brazil • Largest bps attack reported is 60 Gbps WW

  16. Avg BPS Misuse DDoS attacks per country in LAT 2011 • Top AvgBPS attacks above 1 Gbps in LAT, Perú and Uruguay. • 40% of respondents report WW attacks above 1 Gbps

  17. Max PPS Misuse DDoS attacks per country in LAT 2011 • Largest pps attack in LAT 10.836 Mpps in Brazil • Largest pps attack reported is 35 MppsWW

  18. Avg PPS Misuse DDoS attacks per country in LAT 2011 • Top Misuse AvgPPS attacks in LAT 3.064 M pps in Perú

  19. Application Layer and Multi-vector DDoS • A higher percentage of attacks reported on HTTP and IRC relative to 2010 • HTTP (87% vs 84%) and on IRC (11% vs 0%) relative to 2010 • Lower percent of attacks on DNS, SMTP, HTTPS and VOIP • DNS (67% vs 76%), SMTP (25% vs 40%), HTTPS (24% vs 35%) and VOIP (19% vs 38%) • SSL based attacks reported included TCP and UDP floods against port 443, port scanning attempts and Slowloris

  20. Destination ports breakout DDoS attacks in LAT 2011 • 9%  53 • 7%  80 • 4%  IP fragment (0)

  21. Most Common Application Layer Attacks Seen • Majority of known attack types are focused against web properties

  22. DDoS Attacks Against Data Centers • 56% of Data Center respondents observed DDoS attacks in 2011 • The percentage is down from 2010 which showed 69% • 25% of respondents observed DDoS attacks that exceeded the total bandwidth into the Data Center • 2010 which was only 15%

  23. Fragility of Stateful Devices in the IDC • Over 40% of respondents reported an inline firewall and/or IPS failing due to a DDoS attack. • This is slightly lower number than 2010 where 49% reported a firewall and/or IPS failure. • 10% of respondents do not put firewalls/IPS in front of IDCs • 96% of respondents use load balancers within their IDCs • 43% of respondents reported a stateful Load Balancer (or ADC) going down due to a DDoS attack

  24. DDoS Event Response Drills • Almost 70% of survey respondents have never practiced responding to a DDoS Attack event • Only 2% improvement in percentage of respondents that have rehearsed attack responses

  25. CERTs • Does your organization have a CERT or CSIRT (e.g., KPRCERT)? • Not my job • None in my region • We don’t see a need • Organization not big enough • Input from such bodies not deemed useful • 66% of respondents collaborate with a Government or National CERT/CSIRT • Those that don’t cite several reasons why. Most due to lack of time or CERT

  26. Mobile Services are Pushing Technology Adoption • 27% of survey respondents offered mobile services • Ranging from 1M to over 100M subs • Range of subs shifted up, reflecting growth in Mobile • LTE availability accelerating • LTE offered by 28.6%, up from 9% last year • Another 52% plan to have LTE deployed by 2014 • IPv6 goes ahead • 50% plan to introduce IPv6 within next 12 months. • 9.6% already have it.

  27. Mobile Infrastructure DDoS Attacks • 50% see application layer attacks on their networks • Broad spread of attack types - similar to what we see elsewhere • DNS is the most common target– target with the most widespread damage potential • Surprise that HTTP was not top as last year, especially given general trends

  28. IPv6 Rollout and Growth • Two thirds of respondents have deployed IPv6 in their networks • Majority of those who deployed IPv6 are using IPv6 for internal addressing of their network infrastructure • Two thirds of those who have not deployed IPv6 plan to do so in near term • Traffic and volume remain low with varied forecasts for growth • One respondent provided following answer indicating overall mood: • “depends of what youtubeand company are doing ;)”

  29. IPv6 DDoS Attacks • First report of an IPv6 DDoS attack in the history of the WISR • Low frequency of attacks reflect low adoption of IPv6 for critical services

  30. DNS Security is a Focus • 87% of all respondents offer DNS services. • 77% have security teams responsible for DNS Services • 63% Main Security Group • 23% No Security Group • 14% Specific Security Group • Numbers are consistent with 2011 survey.

  31. Outages from DNS Attacks • Overall attack frequency has increased year over year • DNS attacks are down a little • 67% in 2011 vs 76% in 2010 • Outages from DNS attacks are much lower • 13% in 2011 vs 32% in 2010 • Conclusion: DNS attack defense is improving

  32. Misuse BPS breakout DDoS attacks in LAT 2011/2010

  33. Misuse PPS breakout DDoS attacks in LAT 2011/2010

  34. Duration breakout DDoS attacks in LAT 2011 • >30 <60min – 43% • >1 <3 hrs - 30%

  35. Misuse Duration DDoS attacks in LAT 2011 • Top 3 longest DDoS attacks • Brazil 14d 6h 29m • Argentine 2d 0h 25m • Dominican Rep 1d 0h 14m • Average duration DDoS attacks • 1h 45 m

  36. Overallbreakoutcomparison LAT 2011vs2010

  37. Thank You CE LatinaméricaCarlos A. Ayalacayala@arbor.nettwitter: @caar2000

More Related