Insight Into the Global Threat Landscape

NETSCOUT Arbor's 13th Annual Worldwide Infrastructure Security Report

Key Findings

NETSCOUT Arbor produces this annual report based upon a survey that specifically includes individuals within the operational security community. Survey participation continues to grow despite additional efforts to encourage recusal of respondents without direct network or security operational experience.

Survey Respondents

45% Enterprise, Government + Education
55% Service Provider

We are continuing the trend toward a more balanced mix of SP and EGE organizations.

Multi-Vector Attacks

48% of EGE experienced multi-vector attacks.

Top DDoS Attack Motivations

  1. Online Gaming

  2. Criminals demonstrating attack capabilities

  3. Extortion

EGE Internet Bandwidth

57% of EGE respondents saw their internet bandwidth saturated due to DDoS attacks, up from 42% in the previous year.

Service Provider

Service providers represent the majority of respondents, continuing the trend toward a more balanced mix of service providers and enterprise, government and education (EGE) organizations. DDoS attacks represent the dominant threat observed by the vast majority of service providers. Infrastructure outages also continue to be a threat with over half of operators experiencing this issue.

Targeted Customers

70% End-User/Subscriber
26% eCommerce
39% Cloud/Hosting
21% Gambling
37% Government
14% Manufacturing
41% Financial Services
10% Healthcare
32% Gaming
10% Energy/Utilities
29% Education
9% Law Enforcement

Organizational Security

60% of Service Providers have their own internal Security Operations Center (SOC) Team.
20% of Service Providers either fully or partially outsource SOC capabilities.

This highlights the global challenges organizations face to build and maintain an internal security team of skilled practitioners.


NETSCOUT Arbor’s Active Threat Level Analysis System (ATLAS) gathers statistics from Arbor SP deployments around the world. There are currently more than 400 networks participating in the ATLAS initiative. Statistics are shared hourly and include DDoS attack details, along with other traffic information.

Peak Attack Size Monitored By Atlas

641 Gbps

Targeted Countries

Top two countries being targeted by DDoS attacks.
  1. United States
  2. South Korea
Top two countries being targeted by DDoS attacks greater than 10 Gbps.
  1. United States
  2. Hong Kong

Largest Reflection/Amplification Attacks

641 Gbps Largest DNS Reflection/Amplification Attack
662 Gbps Largest NTP Reflection/Amplification Attack


This special report section contains analysis from Arbor’s Security Engineering & Response Team (ASERT).

The year 2017 was one in which IoT bots became the preferred weapon of choice for launching DDoS attacks. The number of unsecured internet of things (IoT) devices that are connected to the internet every day continues to increase dramatically.

As the number of IoT devices increases, so do the security vulnerabilities. Attackers have invented new ways to detect, infect and compromise IoT devices, even those thought to be secure behind corporate firewalls.

IoT Devices

IHS Markit predicts the number of IoT devices will rise.

2017 27 billion Connected Devices
2030 125 billion Connected Devices

Professional Malware Arms Dealer

In 2017, there were two highly visible cases of more advanced attacks requiring the use of professional malware arms dealers.

The Windows Mirai Trojan was only active for 5 days but received multiple new updates in that time period.
The IoT Reaper had the potential to infect millions of IoT Devices but was deliberately blocked from doing so by its authors.

DDoS Attack Trend

Looking at the number of DDoS incidents and the appearances of new IoT malware in the 2016–2017 time frame, it becomes apparent that the attacker/incident economy is cyclical in nature.

Enterprise, Government + Education

Enterprise, Government + Education organizations faced an increasingly active and complex threat environment this year. Attackers focused on complexity, leveraging weaponization of IoT devices while shifting away from reliance on massive attack volume to achieve their goals. The results of the WISR survey, together with our ATLAS data, demonstrate why an integrated multi-layer defense from the data center to the cloud is required.

EGE Breakdown

  • 67% Enterprise
  • 19% Education
  • 14% Government

Top EGE Threats

  1. Ransomware
  2. Internet connectivity congestion due to DDoS attacks
  3. Internet connectivity due to genuine traffic growth/spike


EGE SDN/NFV Deployment
We are investigating/trialing now
We are implementing now
Plan to implement in the next year
Plan to implement in next 2+ years

Organizational Security

90% of EGE respondents with dedicated security personnel.
14% of EGE respondents have 30 or more dedicated security staff internally.

The smaller security teams may be a result of the reliance on outsourcing for SOC capabilities.

DNS Operators

Global DNS infrastructure provides the critical function of mapping the seemingly random sets of numbers in IP addresses to a human-readable name that an internet consumer may recognize. To scale to a global level, the DNS system was designed as a multi-level reference network that would allow any user on the internet to query a set of servers that will iteratively find where a specific domain is owned and get the name to IP address mapping from that location. This system is based on trusting the legitimacy of these requests, and this year’s WISR report demonstrates why DDoS attacks continue to be a major threat to the availability of the DNS network.

DNS Infrastructure

of all respondents indicated that they operate a DNS infrastructure.

Slightly down from 74 percent in 2016, but in line with 2015.


Operating a DNS infrastructure is more common in North America and Europe than in Latin America, the Middle East, Africa, or Asia Pacific Regions.

DDoS Attacks

DDoS attacks against DNS Infrastructure that led to a publicly visible service outage:

57% No
25% Yes
18% Do not know

Visibility of DNS Traffic

of Respondents indicated visibility at Layers 3 and 4
of Respondents indicated visibility at Layer 7

Organizational Security

of service providers have a special security group for DNS.

This is disappointing considering the criticality of DNS to these organizations.


The Worldwide Infrastructure Security Report is designed to help network operators understand the breadth of the threats that they face, gain insight into what their peers are doing to address these threats, and comprehend both new and continuing trends. We hope that you find the information useful in protecting your business for the coming year.
