Internet Security Trends, LACNOG 2011. Julio Arruda, LATAM Engineering Manager. 2010 Infrastructure Security Survey: 6th Annual Survey, conducted in September – October 2010. Diversity: service providers, content/ASPs, enterprises, broadband, mobile, DNS, educational.
Internet Security Trends, LACNOG 2011
Julio Arruda, LATAM Engineering Manager
2010 Infrastructure Security Survey
• 6th Annual Survey
• Survey conducted in September – October 2010
• Diversity
  • Service providers
  • Content/ASPs
  • Enterprises
  • Broadband
  • Mobile
  • DNS
  • Educational
Key Findings of the Survey
• Threat severity and complexity continue to increase
• Attack size increases dramatically, impacting underlying network infrastructure
• Application layer attacks continue with some new applications being targeted more frequently
• The Threat-to-Defense gap is the widest observed to date
• DDoS attack capabilities of miscreants are outpacing the defensive measures taken by network service providers
• Firewall and IPS equipment represents critical points of failure during DDoS attacks
• Mobile network growth is a game changer – availability of limitless botnets with greater bandwidth and few network control points
• New technologies affect fragility of Internet Infrastructure
DDoS Attack Sizes Over Time
• Over 102% increase YOY in attack size shows resurgence of brute force and volumetric attack techniques
• Internet providers have focused on application threats so miscreants turned back towards attacking network capacity
Application Layer Attacks
• Application detection is becoming commonplace
  • 77% of respondents have successfully detected application layer attacks
• Lynchpin service infrastructure remains a top target
• Application attacks are advancing to more sophisticated services
Attack Frequency and Targets
• Attack frequency is increasing
  • 69% of respondents see at least 1 DDoS attack per month
  • 35% of respondents see 10 or more DDoS attacks per month compared to 18% in 2009
• Customers or services comprise 90% of targeted victims
• Major collateral events are less common, but drive greater impact
Failure of Firewall and IPS in the IDC
• Nearly half of all respondents have experienced a failure of their firewalls or IPS due to DDoS attack
Mobile Provider Security Posture
• Roughly 50% report security problems with mobile subscribers
• Mobile respondents demonstrate poor visibility into compromised hosts
  • 56% have no visibility into scale of compromised handsets
  • Optimistically, 17% say that there are none in the network
  • And 13% of operators say at least 5% of customer base is compromised
• Majority use NAT, firewalls and ACLs
  • 47 to 60%
• DDoS mitigation and SMS filtering less common
Mobile Security Incidents
• More than half of carriers have had outages in last year due to security incidents!
• 79% of mobile respondents say they have not had a DDoS attack explicitly targeting their infrastructure
• Over 50% admit they have limited network visibility
  • How many DDoS events are they having that they simply don’t know about?
• Mobile operators are more concerned about DNS, AAA, Mail attacks than fixed line providers
  • 70% compared to 58% in fixed line
DNSSEC Threats
• 24% of respondents have deployed DNSSEC
• Already 25% have experienced or expect problems and 31% expect increase in amplification attacks
The IPv6 Security Arms Race
• Vendors and network operators are rushing to introduce IPv6 visibility and security as networks scale up
Smaller Attacks Still Make up the Majority
• As in 2010, most monitored attacks are still small in 2011:
  • 78.5% less than 1Gb/sec (down from 93% in 2009 and 79% in 2010)
  • 63.5% less than 1Mpps (down from 94% in 2009 and 87% in 2010)
• Average size of attacks:
  • Less than 1Mpps:
    • 2010 is 558.96Mbps / 228.139Kpps
    • 2011 is 599.2Mbps / 335.7Kpps
  • Less than 1Gb/sec:
    • 2010 is 197.41Mbps / 307.72Kpps
    • 2011 is 332.1Mbps / 739.2Kpps
Attack Sizes have Grown Steadily since 2009
• Average monthly attack size since start of 2009
• Average attack is 1.31Gbps / 1.62Mpps, July 2011
• Average attack sizes have grown by 40.6% / 165.7% since start of 2010
Large packet per second attacks increasing
• Proportion of monitored attacks over 10Gb/sec has dropped by 48% so far in 2011.
• Proportion of monitored attacks over 10Mpps has increased by 98.4% so far in 2011, compared to 2010.
Increased Proportion of Attacks Targeting Port 80
• In 2009, 19.6% of monitored attacks targeted port 80.
• In 2010 this had increased to 31%, and so far in 2011 we are at 37.3%.
• Attacks targeting fewer ports
  • 80 and 53 most prevalent.
• 75% drop in proportion of attacks over 10Gb/sec, from 2010 – still 47% up from 2009.
Proportion of Attacks Over 10Gbps and 10Mpps
• Proportion of monitored attacks over 10Gb/sec fell back at the start of 2011.
  • Growing again now.
• Spikes in number of attacks over 10Mpps in March and July.
  • March = Belize Attacks
Questions? Thank You! Julio Arruda jarruda@arbor.net