Author observations on Arbor’s 12th annual Worldwide Infrastructure Security Report

Arbor Networks' 12th annual Worldwide Infrastructure Security Report provides direct insights from the global operational security community on a comprehensive range of issues, from threat detection and incident response to staffing, budgets and partner relationships.

We asked the authors of the report for their perspective on this year’s findings. What did they find most interesting, relevant and surprising?

Darren Anstee

Chief Security Technologist

Increasingly, the services and data our organizations need for day-to-day business continuity are hosted within public / hybrid cloud environments. Nearly two-thirds of our data-center respondents indicated that they operate public / private cloud services from these environments, indicating how pervasive these services have become. Migrating data and application services into the cloud enables new business models, cost savings and improved efficiency – but only if the data and applications are accessible.

The data-centers hosting these cloud environments have a growing problem – the collateral damage that can be associated with a large-scale DDoS attack. If one customer of a multi-tenant environment is targeted, many may feel the impact as connectivity congests. This year 61% of data-center respondents indicated that they have seen attacks which completely saturated their Internet connectivity. This is no surprise – ATLAS tracked 558 attacks over 100Gbps in 2016 and 87 attacks over 200Gbps.

The impact on data-center operators is clear: over a third of respondents saw more than 10 attacks in 2016 that affected their ability to deliver service, and overall attack frequencies jumped alarmingly – 21% of respondents are now seeing more than 50 attacks per month, versus only 8% in 2015.

This year’s data really brought home to me how much the DDoS problem is costing data-centers from both a revenue and customer churn perspective, with nearly a quarter of respondents now estimating the cost of a successful attack at over $100K. Putting the right defenses in place is no longer an option – it is a necessity – and the good news is that more and more data-centers are adopting best-practice specialized layered DDoS defense.

Gary Sockrider

Principal Security Technologist

IoT was clearly the biggest story of 2016. While it was benign, the first IoT botnet was actually created way back in 1993. By 2003, the first (unintentional) DDoS attack was launched by an IoT botnet. Malicious attacks based on exploits can be traced as far back as 2008, but the first high-profile attack didn’t occur until 2013. LizardStresser source code was used to carry out large-scale attacks in the summer of 2016, and the release of Mirai in November 2016 was also a real game changer. Today, anyone can easily and quickly build very large botnets based on Mirai or LizardStresser. Bad actors have already leveraged the exploits against high-profile targets such as the Olympics, Brian Krebs, and Dyn DNS. Be sure to check out the ASERT and ATLAS special sections on IoT in this year’s annual report.

While IoT certainly stole the spotlight, reflection amplification attacks continued in earnest and should not be overlooked. While these attacks don’t have billions of devices to leverage, they do have the advantage of amplifying the traffic up to 1000x to deliver an equally impressive volumetric attack. This year the largest monitored reflection amplification attack was 498Gbps – a 97% jump from last year. ATLAS tracked additional DNS and NTP attacks at over 400Gbps. Clearly, reflection amplification is not going away.

While many have predicted over the years that DDoS is a problem of the past or not a serious concern for the future, the numbers continue to tell a different story. Each year we see an increased level of volume, frequency and complexity in attacks around the globe. This year is no exception, with two-thirds of service providers reporting multi-vector attacks, up from 56% and 32% in the previous two years respectively. This clearly illustrates the need for a comprehensive defense strategy combining broad and deep visibility with intelligent mitigation both on-network and upstream, bolstered by focused and actionable threat intel.

Paul Bowen

Principal Security Technologist

This year the WISR yielded some surprising results; most concerning to me is the fact that almost 10% fewer organizations said they have a dedicated security resource or team. This means that while most major attack categories have grown in frequency, sophistication and size, the number of dedicated responders is dropping. While 10% doesn’t sound significant, consider if 50 companies in the Fortune 500 have gone from ready to respond to responding after the next router upgrade is finished or once the firewall is patched, because the once-dedicated resource now divides their time between two areas of responsibility. By dividing the attention of the responders, businesses are increasing their risk profile. A breach or a successful DDoS attack is likely to be more expensive than any cost savings, in this author’s opinion. I understand that fiscal responsibilities require tough decisions and tradeoffs when it comes to IT budgets. However, a significant decline in responders in the face of this threat environment is a troubling sign and one I hope does not become a trend.

C. F. Chui

Principal Security Technologist

This year Data Center Operators, similar to the Service Provider, Enterprise and Government sectors, have experienced significant growth in terms of DDoS attack size and frequency. In the process of finding an effective solution to mitigate the impact of DDoS attacks targeting the Data Center Operator, we have seen a huge drop in the percentage using a firewall as a measure to stop DDoS attacks. This probably reflects the fact that the industry realizes that it needs the right solution to protect critical resources and customers from damage brought along by DDoS attacks.

At the same time, 61 percent of Data Center Operators have experienced a DDoS attack that completely saturated their bandwidth. This comes as no surprise given that the size of attacks has gone up significantly. This again points to the fact that a comprehensive DDoS protection solution should not be just an on-premise system, or just a provider-based or cloud-based mitigation system. Businesses require both for comprehensive protection. A hybrid, or layered, DDoS protection approach with the combination of an on-premise and a cloud-based mitigation service is the right way to go.

Download the report here.