
Internet Security Trends

LACNOG 2011

Julio Arruda, LATAM Engineering Manager

Page 2 - Company Confidential

2010 Infrastructure Security Survey

6th Annual Survey

Survey conducted in September – October 2010

Diversity
– Service providers
– Content/ASPs
– Enterprises
– Broadband
– Mobile
– DNS
– Educational


Key Findings of the Survey

Threat severity and complexity continue to increase
– Attack size increases dramatically, impacting underlying network infrastructure
– Application layer attacks continue with some new applications being targeted more frequently

The Threat-to-Defense gap is the widest observed to date
– DDoS attack capabilities of miscreants are outpacing the defensive measures taken by network service providers

Firewall and IPS equipment represents critical points of failure during DDoS attacks

Mobile network growth is a game changer – availability of limitless botnets with greater bandwidth and few network control points

New technologies affect fragility of Internet Infrastructure


DDoS Attack Sizes Over Time

Over 102% increase YOY in attack size shows resurgence of brute force and volumetric attack techniques

Internet providers have focused on application threats so miscreants turned back towards attacking network capacity


Application Layer Attacks

Application detection is becoming commonplace
– 77% of respondents have successfully detected application layer attacks
– Lynchpin service infrastructure remains a top target
– Application attacks are advancing to more sophisticated services


Attack Frequency and Targets

Attack frequency is increasing
– 69% of respondents see at least 1 DDoS attack per month
– 35% of respondents see 10 or more DDoS attacks per month compared to 18% in 2009

Customers or services comprise 90% of targeted victims
– Major collateral events are less common, but drive greater impact


Failure of Firewall and IPS in the IDC

Nearly half of all respondents have experienced a failure of their firewalls or IPS due to DDoS attack


Mobile Provider Security Posture

Roughly 50% report security problems with mobile subscribers

Mobile respondents demonstrate poor visibility into compromised hosts
– 56% have no visibility into scale of compromised handsets
– Optimistically, 17% say that there are none in the network
– And 13% of operators say at least 5% of customer base is compromised

Majority use NAT, firewalls and ACLs
– 47 to 60%

DDoS mitigation and SMS filtering less common


Mobile Security Incidents

More than half of carriers have had outages in last year due to security incidents!

79% of mobile respondents say they have not had a DDoS attack explicitly targeting their infrastructure
– Over 50% admit they have limited network visibility
– How many DDoS events are they having that they simply don’t know about?

Mobile operators are more concerned about DNS, AAA, Mail attacks than fixed line providers
– 70% compared to 58% in fixed line


DNSSEC Threats

24% of respondents have deployed DNSSEC

Already 25% have experienced or expect problems and 31% expect increase in amplification attacks


The IPv6 Security Arms Race

Vendors and network operators are rushing to introduce IPv6 visibility and security as networks scale up


Smaller Attacks Still Make up the Majority

As in 2010, most monitored attacks still small in 2011:
– 78.5% less than 1Gb/sec (down from 93% in 2009 and 79% in 2010)
– 63.5% less than 1Mpps (down from 94% in 2009 and 87% in 2010)

Average size of attacks:
– Less than 1Gb/sec: 2010 is 197.41Mbps / 307.72Kpps; 2011 is 332.1Mbps / 739.2Kpps
– Less than 1Mpps: 2010 is 558.96Mbps / 228.139Kpps; 2011 is 599.2Mbps / 335.7Kpps


Attack Sizes have Grown Steadily since 2009

Average monthly attack size since start of 2009.

Average attack is 1.31Gbps / 1.62Mpps, July 2011

Average attack sizes have grown by 40.6% / 165.7% since start of 2010


Large packet per second attacks increasing

Proportion of monitored attacks over 10Gb/sec has dropped by 48% so far in 2011.

Proportion of monitored attacks over 10Mpps has increased by 98.4% so far in 2011, compared to 2010.


Increased Proportion of Attacks Targeting Port 80

In 2009, 19.6% of monitored attacks targeted port 80.

In 2010 this had increased to 31%, and so far in 2011 we are at 37.3%.

Attacks targeting fewer ports; 80 and 53 most prevalent.

75% drop in proportion of attacks over 10Gb/sec, from 2010 – still 47% up from 2009.


Proportion of Attacks Over 10Gbps and 10Mpps

Proportion of monitored attacks over 10Gb/sec fell back at the start of 2011.

Growing again now.

Spikes in number of attacks over 10Mpps in March and July.

March = Belize Attacks


ATLAS LATAM Specifics 2010

Questions? Thank You!

Julio [email protected]