Arbor Networks’ Fifth Annual Infrastructure Security Report Finds Service and Application-Layer Attacks Replace Large Scale Botnet-enabled Attacks as Top Operational Threat

Internet Architecture and Operations Community Facing ‘Perfect Storm’ of Challenges

Chelmsford, Mass., January 19, 2010 – Botnet-driven distributed denial of service (DDoS) attacks focused on services and applications are the number one operational security problem facing the service provider community, according to a report issued today by Arbor Networks®, a leading provider of security and network management solutions.

Arbor’s fifth annual Worldwide Infrastructure Security Report includes responses from 132 self-classified Tier 1, Tier 2 and other IP network operators from North America, South America, Europe, Africa and Asia. This year’s participation doubles the 66 respondents to last year’s survey and represents a notable increase in geographic and organizational diversity. This annual survey is designed to provide data useful to network operators to make more informed decisions about the use of network security technology mechanisms to protect mission-critical Internet and other IP-based infrastructures.

Attacks Shift to the Cloud
Nearly 35% of respondents believe that more sophisticated service and application attacks represent the largest operational threat over the next 12 months, displacing large scale botnet-enabled attacks, which came in second this year at 21%. Again this year, more than half of the surveyed providers reported growth in service-level attacks at one gigabit or less bandwidth levels. Such attacks, while also driven by botnets, are specifically designed to exploit service weaknesses, like vulnerable and expensive back-end queries and computational resource limitations.

"The complexity introduced by the continuing convergence of critical services onto IP networks and multi-tenant cloud-based solutions significantly increases the exposed risk profile of infrastructure and customer-visible services, and astute network operators seem to be rightly focused on this," said Danny McPherson, chief security officer, Arbor Networks.

Several respondents reported prolonged (multi-hour) outages of prominent Internet services during the last year due to application-level attacks. These service-level attack targets included distributed domain name system (DNS) infrastructure, load balancers and large-scale SQL server back-end infrastructure.

"Our customers face an array of threats in the areas of cloud and data center security as well as emerging operational challenges with DNS security and IPv6," said Ken Silva, chief technology officer, VeriSign. "The annual Arbor infrastructure security report provides the Internet security and operations community a valuable perspective on issues that we as an industry must address."

Attack Size Still on the Rise, But at a Slower Pace
In previous versions of the Worldwide Infrastructure Security Report, service providers reported near doubling in peak distributed denial of service (DDoS) attack rates year-over-year, with peak attack rates growing from 400 Mbps to more than 40 Gbps since 2001. This year, providers reported a peak sustained attack rate of 49 Gbps, a 22% growth over last year’s peak of a 40 Gbps attack, which shows the attack scale growth has slowed in the past 12 months. As comparison, last year’s 40 Gbps attack represented a 67% increase over the largest attack reported in the 2007 survey.

"We expect DDoS attack rates to continue to grow, but given that most enterprises are still connected to the Internet at speeds of one gigabit per second (Gbps) or less, any attack over one Gbps will be typically effective, and often trigger collateral damage to adjacent network or customer service elements as well,"said McPherson.

Additionally, only 19% of survey respondents reported the largest attacks they observed as being within the one-to-four Gbps range this year, as opposed to some 30% in 2008.

Internet Architecture and Operations Facing Perfect Storm
A convergence of issues is facing the Internet Architecture and Operations community, including looming IPv4 address exhaustion and the preparedness for migration to IPv6, DNS Security Extensions (DNS SEC) and to 4-byte ASNs (used for inter-domain routing on the Internet). Any one of these changes alone would constitute a significant architectural and operational challenge for network operators; considered together, they represent the greatest and potentially most disruptive set of circumstances in the history of the Internet, given its growth in importance to worldwide communications and commerce.

"Earlier major architecture changes were implemented when the Internet was an experimental network with little or no relevance to most people," said Jennifer Pigg, vice president, Enabling Technologies, Yankee Group. "Today, the majority of global business networks are entirely reliant on Internet availability, stability and integrity. With the introduction of DNSSEC, IPv4 exhaustion and IPv6 deployment, these networks are facing a perfect storm: multiple, simultaneous, large-scale changes."

The Internet is Not IPv6 Ready
A majority of surveyed providers reported concerns over the security implications of IPv6 adoption, and the slow rate of IPv4 to IPv6 migration, or at least the parallel deployment of IPv6. As in previous years, providers complained of missing IPv6 security features in routers, firewalls and other critical network infrastructure. Other providers worried the lack of IPv6 testing and deployment experience may lead to significant Internet-wide security vulnerabilities.

A recent Arbor study found IPv6 traffic accounts for 0.03% of all Internet traffic, up from just .002% a year earlier, and while representing a significant increase, IPv6 still only accounts for a tiny fraction of aggregate Internet traffic today.

"This year’s report shows that respondents are struggling to operate, maintain, secure and defend their networks in the face of looming IPv4 address exhaustion and concerns surrounding IPv6 migration and security," said Craig Labovitz, chief scientist, Arbor Networks.

Other Obstacles to Effective Threat Mitigation
Non-technical factors, such as a lack of skilled resources, clearly-defined operational policies and responsibilities, and management understanding and commitment are the most significant obstacles to reducing mitigation times and proactively strengthening operational security postures, respondents said.

"What hasn’t changed from last year is that ISPs are still facing strained operational resources," McPherson said. "In what might be considered a response to this strain, the survey showed an increase in the number of organizations turning to Managed Security Services – network security management from a network services provider. The number of respondents who offer attack detection and reporting services was up to 36% from 24% just last year, and the majority of Tier 1 and Tier 2 respondents said they currently offer DDoS detection and attack mitigation services."

Additional Resources:

• Arbor Networks Blog Post with additional details

• Worldwide Infrastructure Security Report

About Arbor Networks
Arbor Networks is a leading provider of security and network management solutions for global business networks, including more than 70 percent of the world’s Internet service providers and many of the largest enterprise networks in use today. Arbor’s secure service control solutions give customers a single, unified view into their networks’ performance, helping them to quickly detect anomalous behavior, mitigate threats and enforce policy. This translates into actionable business intelligence to generate new forms of revenue and to maintain a competitive advantage.

Arbor also maintains ATLAS – a unique collaborative effort with 100+ service providers across the globe sharing real-time security, traffic and routing information. No other entity today has both aggregated this much real-time information about what is happening across the Internet and developed the means for cross-provider collaboration that informs numerous business decisions.

For technical insight into the latest security threats and Internet traffic trends, please visit the ASERT blog .

Note to Editors: Arbor Networks, Peakflow, ATLAS and the Arbor Networks logo are trademarks of Arbor Networks, Inc. All other brand names may be trademarks of their respective owners.