WORLDWIDE INFRASTRUCTURE SECURITY REPORT

CONTENTS

3 INTRODUCTION
4 Survey Methodology
5 Demographics of Survey Respondents

KEY FINDINGS

13 SERVICE PROVIDER
14 Threats + Concerns
16 Scale + Targeting of DDoS Attacks
18 Type, Frequency + Motivation of DDoS Attacks
22 DDoS Threat Motivations
25 SDN/NFV
27 IPv6
31 Organizational Security
34 Data Center Operators
39 Mobile Network Operators

ATLAS SPECIAL REPORT

ASERT SPECIAL REPORT: PART 1

57 ENTERPRISE, GOVERNMENT + EDUCATION (EGE)
58 Network Security
60 DDoS Attacks
67 SDN/NFV
69 IPv6
71 Organizational Security

ASERT SPECIAL REPORT: PART 2
Attacks Against Application Servers
Attacks Against SQL Servers
56 Mitigating Application-Layer Attacks
56 Summary

DNS OPERATORS

CONCLUSION

89 ABOUT THE AUTHORS
90 About the Editor

91 GLOSSARY
NETSCOUT Arbor Special Report
INTRODUCTION

WELCOME TO OUR 13TH ANNUAL WORLDWIDE INFRASTRUCTURE SECURITY REPORT (WISR).

The data within this document is based on the collective experiences, observations and concerns of the global operational security community. NETSCOUT Arbor collected this data through a survey conducted in October 2017.

Since its inception, the WISR has been based upon survey data collected from those who are directly involved in day-to-day operational security, and this is our continued approach. The WISR has changed immeasurably in terms of its scope and scale over the years, but the core goal is still to provide real insight into infrastructure security from an operational perspective.

This document highlights key industry trends and threats facing network operators, along with the strategies used to mitigate them.
Survey Methodology

The 13th annual Worldwide Infrastructure Security Report (WISR) is based on a survey comprised of 128 free-form and multiple-choice questions. In our ongoing attempt to streamline and improve the survey, this is down from 135 in 2016.

2017: 128 free-form + multiple choice questions, 390 responses
2016: 135 free-form + multiple choice questions, 356 responses

Beyond the reduction in the number of questions, the 2017 survey has more specific logic flows that enable service providers and enterprise, government and education (EGE) respondents to see a different set of questions depending upon their self-classification and earlier answers. The questions we ask diverge depending upon the nature of the respondent.

As in previous years, we have modified the survey questions to reflect changes in the threat landscape and to address responses from last year's (2016) survey. The current survey is divided into sections that address specific topics such as DDoS attacks, NFV, IPv6, data centers, mobile and networking. Each section establishes the observations and concerns of respondents and, where appropriate, the mechanisms put in place to manage their concerns.

NETSCOUT Arbor distributes the WISR survey by specifically targeting individuals within the operational security community to get the most accurate picture possible. Survey participation continues to grow despite additional efforts to encourage recusal of respondents without direct network or security operational experience.
Demographics of Survey Respondents

Service providers represent the majority of respondents at 55 percent. Significant numbers of providers also offer hosting (63 percent) and cloud (45 percent). The rise in hosting, cloud,

Respondent organization type (chart residue): 45% Wireline broadband (MSO, DSL); 45% Managed service provider/MSSP; 4% Energy + Utilities; 4% Manufacturing.
Respondent’s Role in the Organization

Nearly two thirds of all respondents identify as security, network or operations professionals (Figure 2), a similar result to last year. Security professionals have the highest representation with 32 percent.

Figure 2 Respondent’s Role in the Organization (chart residue): Security Professional 32%; remaining categories Operations Professional, Network Professional, Manager or Director, President or Officer, Vice President, Other.

Geographic Information

The survey garnered wide participation from all around the world (Figure 3).

Figure 3 Respondent’s Geographic Information (chart residue; regional shares not reliably recoverable): US + Canada; Western, Central + Eastern Europe (2); Asia Pacific + Oceania; Middle East + Africa; Latin America (1).
1 Including Central + South America
2 Including Russia + Iceland
KEY FINDINGS
Service Providers

OPERATIONAL THREATS
DDoS attacks represent the dominant threat observed by the vast majority of service providers. Infrastructure outages also continue to be a threat with over half of operators experiencing this issue.

DDoS ATTACKS
Attacks targeting cloud-based services rebounded, back up to over one third from only one quarter the previous year.

Online gaming was still viewed as the leading impetus for DDoS attacks. Criminals demonstrating attack capabilities took second place, with extortion rounding out the top three motivations.

LARGEST ATTACK SIZE
The largest attack reported by a service provider was 600 Gbps, down from 800 Gbps last year.

MULTI-VECTOR ATTACKS
Complex, multi-vector attacks are experienced by 59 percent of service providers.

2018 CONCERNS
SDN/NFV

SDN/NFV IN PRODUCTION
Compared to last year, the proportion of service providers having SDN or NFV in production has doubled.

OPERATIONAL CONCERNS
Operational concerns are the number one barrier followed by cost. SDN and NFV, even though they are being adopted, did not make a breakthrough in overcoming the concerns of service providers this year.

NETWORK DOMAIN
The data center is the most common network domain for SDN technologies. Quite surprisingly, in second place is IP backbone infrastructure, where service providers usually demonstrate a very conservative approach to technology.

OVERLAY NETWORKS
Overlay networks, including SD-WAN services, are also becoming an attractive spot for SDN.

IPv6

IPv6 GROWTH
It appears the surge in IPv6 growth or adoption is leveling off this year.

IPv6 FLOW TELEMETRY SUPPORT
The majority of service providers now indicate they have full IPv6 flow telemetry support from their vendors.

IPv6 TRAFFIC VISIBILITY
IPv6 traffic visibility, which is the key to detection and protection, has increased again this year.

TOP SECURITY CONCERN
DDoS and botnets are once again top security concerns for operators of IPv6-enabled networks.

DDoS MITIGATION
Overall there is a very welcome trend of increased DDoS mitigation capabilities for IPv6 traffic.

ORGANIZATIONAL SECURITY

This is the second consecutive year the survey shows an overall decline in service providers implementing security infrastructure best practices.

SECURITY ANALYST SHORTAGE
The worldwide shortage of security analysts and incident responders is still a key issue. Lack of resources, along with the difficulty of hiring and retaining skilled personnel, are again the two main concerns for building an effective operational security team.

DDoS SIMULATIONS
The proportion that do not practice DDoS simulations and have no plans to do so increased. This is discouraging as dealing effectively with DDoS attacks is not just about technology, but about the people using the technology and the processes supporting it.

INCIDENT RESPONSE
Only 30 percent make time for incident response rehearsals at least quarterly.

25%
Less than a quarter of service providers participate in global operational security communities or share or distribute observed cyber-security threats and gathered intelligence.

60%
Three fifths of service providers have their own internal security operations center (SOC) team while nearly one fifth either fully or partially outsource SOC capabilities.

ANTI-SPOOFING FILTERS
Surprisingly, given the popularity of reflection attacks over the last five years, the adoption of anti-spoofing filters decreased.

ACCESS CONTROL LISTS
The use of access control lists at the network edge also declined sharply.
Enterprise, Government + Education (EGE)

DDoS

INTERNET BANDWIDTH
Fifty-seven percent of enterprise, government and education (EGE) respondents saw their internet bandwidth saturated due to DDoS attacks, up from 42 percent in the previous year.

MULTI-VECTOR DDoS ATTACKS
There was a clear increase in the proportion of respondents experiencing multi-vector DDoS attacks, up from 40 percent in the previous year to 48 percent.

x2
The percentage that observed more than 100 DDoS attacks per month more than doubled over the previous year.

The most popular targets of application-layer attacks were once again: 1. HTTP 2. DNS 3. HTTPS

ENCRYPTED ATTACKS
Looking at encrypted attacks, 53 percent targeted the encrypted service at the application layer and 42 percent targeted the SSL/TLS protocol.

BRAND DAMAGE
Reputation/brand damage and operational expense are still the top business impacts of DDoS attacks. There was also a big jump in respondents reporting revenue loss.

FIREWALLS
Over half of EGE organizations had firewalls or IPS devices fail or contribute to an outage during a DDoS attack.

ATTACK COST
Survey responses broadly indicate that the cost of a major DDoS attack is increasingly significant.

EMAIL AND VoIP
Email and VoIP services were more frequently targeted this year, suggesting the focus of DDoS attackers shifted to exploiting more vulnerable services.

DDoS MITIGATION
DDoS mitigation was a part of business or IT risk assessments for 77 percent of respondents.

For the second consecutive year, there is a decrease in volumetric attacks with a corresponding increase in application-layer attacks.

NETWORK SECURITY

MOST COMMON ATTACK
Ransomware was the most commonly experienced attack last year, with DDoS in second place.

KEY THREATS
Ransomware is also top of mind as a key threat for the coming year, while advanced persistent threat (APT) took second and DDoS dropped to third place.

DETECTION TOOLS
For the third consecutive year, firewall logs, IDS and SIEM were the top three most utilized tools to detect threats.
IPv6

60%
Sixty percent have deployed visibility solutions for IPv6 traffic, a slight increase from last year.

OPERATING IPv6
This year just over a third of respondents are operating IPv6 in their environments or planning to in the coming year.

INTERNET-FACING SERVICES
Sixty percent provide internet-facing services with IPv6 support.

PRIVATE NETWORKS WITH IPv6
Sixty-five percent have already deployed IPv6 on their private networks.

TOP THREAT
DDoS was cited as the top threat to IPv6 networks by over two thirds of respondents.

SDN/NFV

Operational concerns are the top barrier to SDN/NFV deployment. Cost has become less of a concern as operational concerns are coming to the forefront.

SDN/NFV DEPLOYMENT PLAN
Only around 40 percent of EGE organizations have plans to deploy SDN/NFV technologies.

COMMON DOMAINS
Data center infrastructure and security were the most common domains where EGE respondents want to utilize SDN.

SDN/NFV DEPLOYMENT PLAN
Both EGE and service providers want to apply SDN to build global overlay networks, including SD-WAN.

ORGANIZATIONAL SECURITY

50%
Nearly half of respondents have an internal security operations center (SOC) team in place but 38 percent rely on third-party and outsourced services.

SECURITY ANALYST SHORTAGE
Looking at the challenges EGE organizations face in building out operational security teams, lack of resources and difficulty of hiring and retaining skilled personnel were again the two main concerns.

DDoS SIMULATIONS
There was a small decrease in those running DDoS defense simulations.

50%+
More than half are preemptively blocking known botnet Command-and-Control servers and malware drop servers.
DNS Operators

amplification and reflection actors. As a result, it is disappointing again to note that 19 percent of respondents still did not restrict access to their recursive DNS servers.

VISIBILITY
Nearly three quarters of all respondents have visibility at Layers 3 and 4, and 43 percent at Layer 7.

#1
Firewalls were the most popular choice for DNS defense in EGE networks once again.

25%
Only one quarter of service providers have a special security group for DNS. It is disappointing considering the criticality of DNS to the internet as a whole.
SERVICE PROVIDER
Threats + Concerns

DDoS attacks represented the top threat observed by service providers in 2017, with 87 percent reporting attacks (Figure 4). Infrastructure outages also continued to be a threat with 52 percent of operators experiencing this issue. This is up six percent from the previous year, halting a downward trend seen over the past few years. The percentage of service providers experiencing bandwidth saturation has remained constant from 2016.

Invariably, for 2018, DDoS attacks remain the primary concern for 88 percent of the service providers (Figure 4). This is not surprising, considering the continued concerns around weaponized IoT botnets and the ease with which attackers can gain access to sophisticated attack techniques and capabilities.

Figure 4 (chart residue; threats observed in 2017 and concerns for 2018, 0–100% axis): DDoS attacks 87% observed, 88% concern; Peer gaming 5%, 8%; Other 4%, 2%.
Figure 5 Threat Detection Tools and Threat Tool Effectiveness (chart residue; usage in percent on the left axis, effectiveness scored 0–10 on the right axis): NetFlow-based analyzers (e.g., Arbor SP) 81%; SNMP-based tools 64%; Firewall logs; IDS/IPS; Inline DDoS detection/mitigation system (e.g., Arbor APS) 51%; Customer call/help desk ticket; In-house developed scripts/tools; Routing analysis and anomaly detection tools; Security information and event management (SIEM) platforms; Service assurance/monitoring solutions; Cloud-based third party services; Other 1%.

THREAT DETECTION TOOLS

As in previous years, respondents still used a wide variety of tools to detect threats against their networks, customers and services (Figure 5). The survey showed that NetFlow-based analysis tools remained the preferred option of service providers, with a slight decrease from 86 to 81 percent in 2017.

The use of SNMP-based tools also grew again to 64 percent, a significant increase over 53 percent in 2016, overtaking firewall logs, which continued to decline in popularity but remain in the top four with IDS/IPS.

THREAT TOOL EFFECTIVENESS

Inline DDoS detection/mitigation system usage grew from 42 to 51 percent, an ongoing trend likely driven by the increased use of best-practice hybrid DDoS defense solutions.

Overall, the results of the effectiveness of threat detection tools remained similar to 2016, with NetFlow-based analyzers and inline DDoS detection/mitigation solutions ranked as the most effective ways to detect threats (Figure 5).
Scale + Targeting of DDoS Attacks

In 2017, attackers continued to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximize the scale of their attacks. In addition, there was a marked increase in the exploitation of IoT devices to generate large packet floods and application-layer attacks. The largest attack reported by a service provider was 600 Gbps, with others reporting attacks of 588 Gbps, 423 Gbps, 338 Gbps and 316 Gbps (Figure 6).

This represents a decrease over 2016, which to some degree is a surprise given the latent capability within some of the weaponized DDoS services and botnets currently active across the internet.

Figure 6 Peak Attack Size (chart residue; years 2008 to 2017, 0–800 Gbps axis): labelled points include 40 Gbps, 100 Gbps, 309 Gbps, 800 Gbps (2016) and 600 Gbps (2017).
In 2016, nearly one third of respondents reported peak attacks over 100 Gbps, emphasizing the breadth of the DDoS problem in relation to large attacks. In 2017, about one quarter witnessed peak attacks over 100 Gbps, and only seven percent reported attacks over 200 Gbps. In general, peak attack sizes and the frequency of very large attacks decreased, a trend also observed in 2017 ATLAS data (see ATLAS Attack Sizes).

While these numbers represent a decline in the very largest attacks, volumetric attacks were still the leading type of attack monitored by service providers. Attackers are using more metered attack volumes to achieve their goals while minimizing collateral damage and unwanted attention.

Looking at the targets of DDoS attacks monitored by service providers, customers remained the number one target at 75 percent, nearly identical to 2016 (Figure 7). Attackers continue to target their victims directly, rather than relying on collateral damage from indirect attacks. The proportion of attacks targeting service infrastructures increased slightly, likely due to continued exploitation of vulnerable services such as DNS.

Figure 7 Attack Target Mix (chart residue): Customers 75%; Service infrastructure (DNS, web portal); Network infrastructure (routers, firewalls).

Attack Target Customer Verticals

As expected, end-user subscribers took the top spot as the most common type of customer targeted (Figure 8). Financial services rose above hosting and government to reclaim the number two spot. Gaming, which garnered sixth place in 2016, rose to fifth place, edging out education.

Figure 8 Attack Target Customer Verticals: End-User/Subscriber 70%; Financial Services 41%; Cloud/Hosting 39%; Government 37%; Gaming 32%; Education 29%; eCommerce 26%; Gambling 21%; Manufacturing 14%; Healthcare 10%; Law Enforcement 9%; Other 6%. Source: Arbor Networks, Inc.

Attacks Targeting Cloud Services

The growth of cloud services continued as more organizations adopt cloud-based applications and services. These services can offer significant performance, flexibility and cost advantages to business. However, their value is completely dependent on their availability to customers. In 2017, the proportion of respondents seeing attacks targeting cloud-based services rebounded, back up to over one third from only one quarter the previous year (Figure 9).

Cloud services rely heavily on service providers for protection from DDoS threats given their multi-tenant nature. Collateral damage, where attacks targeting one customer impact another unintended victim, represents a significant risk to all customers of a cloud service provider. An attack on one customer can potentially impact many others.

Figure 9 Attacks Targeting Cloud Services: Yes 36%; No 25%; Do not know 20%; Not applicable 19%. Source: Arbor Networks, Inc.
Type, Frequency + Motivation of DDoS Attacks

While DDoS attack vectors vary significantly, cybercriminals are constantly evolving the methodologies they use to evade defenses and achieve their goals. Generally, attack vectors fall into one of three broad categories:

1 Volumetric Attacks: These attacks attempt to consume the bandwidth either within the target network or service, or between the target network or service and the rest of the internet. These attacks are simply about causing congestion.

2 TCP State-Exhaustion Attacks: These attacks attempt to consume the connection state tables that are present in many infrastructure components, such as load balancers, firewalls, IPS and the application servers themselves. They can take down even high-capacity devices capable of maintaining state on millions of connections.

3 Application-Layer Attacks: These target some aspect of an application or service at Layer 7. They are the most sophisticated and stealthy attacks because they can be very effective with as few as one attacking machine generating traffic at a low rate.

Looking at the mix of attack types experienced by service providers, volumetric attacks remain the most common, as in all previous iterations of this report (Figure 10). Like the previous two years, 2017 saw a significant increase in the frequency of volumetric attacks around the world. The percentage of attacks that were volumetric in nature increased to approximately 76 percent in 2017, up from 73. This is not surprising, given the widely reported prevalence of reflection/amplification and IoT-based attacks.

Figure 10 DDoS Attack Types: Volumetric attacks 75.7%; TCP state-exhaustion attacks 11.8%; Application-layer attacks 12.4%. Source: Arbor Networks, Inc.
Looking deeper into attacks targeting encrypted services, there are four different categories:

1 Attacks that target the SSL/TLS negotiation
2 Protocol/connection attacks against SSL service port
3 Volumetric attacks targeting SSL/TLS service port
4 Application-layer attacks

In 2017, the results were broadly similar to previous year, with over 20 percent experiencing attacks in each category (Figure 12). Given the criticality of many encrypted applications, especially those provided by financial and e-commerce organizations, a successful attack can have significant impact.

Figure 12 (chart residue; 0–50% axis; values 48%, 32%, 27%, 23%, 21% not reliably paired): Application-layer attacks; Protocol/connection service port; SSL/TLS negotiation; Not applicable/do not know.
We specifically asked respondents about the protocols used to generate volumetric reflection/amplification attacks (Figure 13). Nearly all protocols showed similar activity to 2016, with DNS and NTP remaining the most commonly used vectors. Attackers continued to leverage poorly configured or protected infrastructures to magnify their capabilities. The ATLAS Reflections section of this report drills down into details on reflection/amplification trends.

Figure 13 (chart residue; protocol labels as recovered, 0–100% axis): NTP; CharGEN; SSDP; SNMP; Portmap; MSSQL; BitTorrent; Other; Not applicable.

Chart residue (caption not recovered): 59% Yes; 15% No.
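An added example, not code from the report or from NETSCOUT Arbor, showing how the three attack categories defined above (volumetric, TCP state-exhaustion, application-layer) and the reflection/amplification vectors named on this page can be told apart in the kind of per-flow telemetry the report's respondents rely on. The flow record layout, the thresholds and the sample one-minute window are assumptions constructed for illustration; the reflector port numbers are the standard service ports, not figures from the survey.

```python
"""Classify per-destination flow records into the report's three DDoS categories."""
from collections import defaultdict
from dataclasses import dataclass, field

# Standard UDP service ports abused as reflection/amplification vectors
# (IANA assignments, not numbers taken from the survey).
REFLECTOR_PORTS = {
    53: "DNS", 123: "NTP", 1900: "SSDP", 389: "CLDAP",
    19: "Chargen", 161: "SNMP", 111: "Portmap", 1434: "MSSQL",
}

# Thresholds are assumptions for this example; tune them to link capacity.
VOLUMETRIC_BPS = 1_000_000_000       # 1 Gbps toward a single destination
HALF_OPEN_FLOWS = 200                # SYN-only flows toward one destination
APP_LAYER_FLOWS_PER_SRC = 50         # established flows per source to an L7 port
L7_PORTS = {80, 443}


@dataclass
class Flow:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    packets: int
    bytes: int
    flags: str = ""     # TCP flags seen in the flow, e.g. "S", "SA", "PA"


@dataclass
class Verdict:
    category: str       # "volumetric", "state-exhaustion", "application-layer" or "benign"
    bps: float
    sources: int
    vectors: list = field(default_factory=list)


def classify_destination(flows, window_s):
    """Return a Verdict for one destination's flows over a window_s-second window."""
    bps = sum(f.bytes for f in flows) * 8 / window_s
    sources = {f.src for f in flows}
    # 1. Volumetric: raw bandwidth toward the target; name any reflector vectors seen.
    if bps >= VOLUMETRIC_BPS:
        vectors = sorted({REFLECTOR_PORTS[f.sport] for f in flows
                          if f.proto == "udp" and f.sport in REFLECTOR_PORTS})
        return Verdict("volumetric", bps, len(sources), vectors)
    # 2. TCP state exhaustion: many tiny SYN-only flows that never carry an ACK,
    #    i.e. connections left half-open in a state table.
    half_open = [f for f in flows if f.proto == "tcp"
                 and "S" in f.flags and "A" not in f.flags and f.packets <= 2]
    if len(half_open) >= HALF_OPEN_FLOWS:
        return Verdict("state-exhaustion", bps, len({f.src for f in half_open}))
    # 3. Application layer: a few sources each opening many completed connections
    #    to an L7 port at low bandwidth (the "one machine, low rate" case).
    per_src = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.dport in L7_PORTS and "A" in f.flags:
            per_src[f.src] += 1
    heavy = [s for s, n in per_src.items() if n >= APP_LAYER_FLOWS_PER_SRC]
    if heavy:
        return Verdict("application-layer", bps, len(heavy))
    return Verdict("benign", bps, len(sources))


def classify_window(flows, window_s=60):
    """Group flows by destination and classify each destination."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    return {dst: classify_destination(fl, window_s) for dst, fl in by_dst.items()}


def sample_flows():
    """Constructed one-minute window (not survey data) with one attack of each type."""
    flows = []
    # Reflection/amplification flood: 1,400-byte UDP replies from DNS and NTP reflectors.
    for i in range(600):
        port = 53 if i % 2 else 123
        flows.append(Flow(f"198.51.100.{i % 250}", "203.0.113.10", "udp",
                          port, 40000 + i, 10000, 14_000_000))
    # SYN flood: 500 one-packet SYN flows from spoofed sources, negligible bandwidth.
    for i in range(500):
        flows.append(Flow(f"192.0.2.{i % 250}", "203.0.113.20", "tcp",
                          1024 + i, 443, 1, 60, "S"))
    # HTTP flood: two sources each open 80 short established connections.
    for src in ("198.51.100.7", "198.51.100.8"):
        for i in range(80):
            flows.append(Flow(src, "203.0.113.30", "tcp", 50000 + i, 80, 6, 900, "PA"))
    # Benign: a handful of ordinary HTTPS sessions.
    for i in range(5):
        flows.append(Flow(f"192.0.2.{i}", "203.0.113.40", "tcp",
                          51000 + i, 443, 40, 30000, "PA"))
    return flows


if __name__ == "__main__":
    for dst, v in classify_window(sample_flows()).items():
        print(f"{dst}: {v.category} ({v.bps / 1e6:.1f} Mbps, {v.sources} sources) {v.vectors}")
```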
Attack duration (chart residue): 13–24 hours 4%; more than 1 month 4%.
DDoS Threat Motivations

As in previous years, we asked service providers to indicate the most common motivations behind the DDoS attacks they monitored on their networks. In 2016, the top motivation was online gaming. Ideological hacktivism was in second place, with criminals demonstrating attack capabilities following closely in third.

However, the top motivations shifted in 2017 (Figure 17). Online gaming was still viewed as the leading impetus but only 50 percent saw this as a common motivation, down from 63 percent in 2016. In a near tie with gaming, criminals demonstrating attack capabilities returned to prominence as it took second place, with extortion rounding out the top three motivations.

While nihilism/vandalism made a return to the top five in 2017, ideological hacktivism followed closely, nearly tied for fourth place. The rise of criminals demonstrating their capabilities is indicative of the continuing weaponization of DDoS attacks via easy-to-procure services. The ubiquitous availability of Booter/Stresser services remains a serious problem.

For the first time, we asked survey respondents where IoT-based botnet attacks originated (Figure 18). Nearly half indicated the attacks come from compromised devices outside of their networks, as one might expect. Surprisingly, 22 percent said the traffic originated either fully or partially from inside their own networks.

Figure 18 IoT-Botnet Attack Source: Offnet (outside your network) 48%; Not applicable 29%; Onnet (inside your network) and Combination 22% together (values 6% and 16%). Source: Arbor Networks, Inc.

Figure 17 DDoS attack motivations: Online gaming-related 50.5%; Criminals demonstrating DDoS attack capabilities to potential customers 49.1%; Criminal extortion attempt 44.4%; Nihilism/vandalism 35.1%; Political/ideological disputes 34.5%; Inter-personal/inter-group rivalries 34.2%; Online gambling-related 31.3%; Social networking-related 25.0%; Diversion to cover compromise/data exfiltration 24.4%; Misconfiguration/accidental 21.7%; Competitive rivalry between business organizations 20.0%; National/state sponsored 17.1%; Financial market manipulation 14.0%; Intra-criminal disputes 11.6%.
Time to mitigate (chart residue): We do not mitigate attacks; Automatically through script/tools; More than 30 minutes 9%; More than 20 minutes but less than 30 minutes 7% (values 36% and 4% also present, not reliably paired).
Chart residue (Increased / Same): eCommerce 38%; Education 31%; Utilities 19%; Media 17%; Social Networking 7%.

Figure 21 Proportion of Outbound/Cross-Bound Attacks Observed
SECURITY REPORT SDN/NFV 21% WE ARE INVESTIGATING NOW
41% NO
TABLE OF
CONTENTS
NETSCOUT Arbor has been tracking
18% WE ARE IN PRODUCTION
KEY FINDINGS
helpful to analyze how service 9% PLAN TO IMPLEMENT IN 2+ YEARS
provider interest and adoption
rates have changed over time. 0% 10% 20% 30% 40% 50%
SERVICE PROVIDER
Figure 24 SDN/NFV Deployment
56%
ASERT SPECIAL had NFV deployed. Twenty-one percent were
REPORT: PART 1 investigating these technologies or running
52%
60%
trials, compared to 27 percent in the previous
46%
year. The percentage of those not looking
ENTERPRISE,
into SDN and NFV was also similar to last 50%
GOVERNMENT +
year (41 percent versus 38 percent).
39%
EDUCATION (EGE)
36%
36%
36%
34%
We asked service providers to identify the
40%
barriers to deploying these technologies
30%
ASERT SPECIAL
REPORT: PART 2 (Figure 25). Operational concerns were the
number one barrier at 56 percent, followed
30%
by cost at 52 percent and interoperability at
DNS OPERATORS
46 percent. These results were similar to last
year, which leads us to conclude that SDN
20%
CONCLUSION and NFV, even though they are being adopted,
did not make a breakthrough in overcoming
7%
the concerns of service providers.
5%
ABOUT THE 10%
AUTHORS
0%
GLOSSARY
System (BSS)
Operational
Concerns
Cost
Interoperability
Security
Concerns
Performance
Concerns
Stability
Vendor Support
Scalability
Business Support
Integration
Telemetry
Acquisition
Other
Figure 25 SDN/NFV Key Barriers
PREVIOUS 25 NEXT
NETSCOUT Arbor Special Report
Regarding the network locations where SDN technologies are seeing the most interest, the data center was the most common at 63 percent (Figure 26). Quite surprisingly, in second place was IP backbone infrastructure, where service providers usually demonstrate a very conservative approach to technology. Nevertheless, 54 percent of respondents indicated they planned to implement SDN technologies there. Overlay networks, including SD-WAN services, were also becoming an attractive spot for SDN, according to 36 percent of the providers.

[Figure 26 SDN Network Domains: bar chart; categories: Data center infrastructure; Fixed line access network infrastructure; Mobile network infrastructure; IP backbone infrastructure; Overlay networks spanning multiple domains. Source: Arbor Networks, Inc.]

When it comes to a functional domain for NFV, data center security functions were in first place at 58 percent (Figure 27). However, CPE routers and CPE value-added functions were close behind at 48 percent and 46 percent respectively. This clearly indicates that the (virtual) customer premise domain is where the industry wants to apply NFV.

[Figure 27 NFV Network Domains: bar chart; categories: Data center security functions; Mobile core infrastructure; IP backbone infrastructure; CPE (routers); Customer premise security and load-balancers. Source: Arbor Networks, Inc.]
IPv6

Similar to last year, nearly 70 percent of service providers have deployed, or will deploy, IPv6 within their networks in the coming year (Figure 28). It appears the surge in IPv6 adoption is leveling off this year.

[Figure 28 IPv6 Operation: Planning to operate IPv6 within network? Yes 68%; No 32%]

Again, in line with last year, 73 percent of providers indicated they offer IPv6 services to end-users (Figure 29). However, looking more closely at the results, we are now seeing higher adoption rates within those organizations that do offer the service. Specifically, 15 percent now indicate that more than half of their end-users utilize IPv6 services, compared to only eight percent last year.

[Figure 29 Subscriber IPv6 Usage (percentage of end-users using IPv6): None, we do not offer IPv6 service to end-users 27%; 1–25 44%; 26–50 13%; 51–75 11%; 76–100 4%]

Nearly identical to last year, 83 percent of service providers offer IPv6 services to business customers (Figure 30). Adoption rates are also broadly similar to last year, with one notable exception: service providers reporting adoption rates above 75 percent doubled to six percent from just three percent the previous year.
Nearly 60 percent of service providers now indicate full IPv6 flow telemetry support from their vendors (Figure 31). An additional 22 percent cite at least partial support for IPv6 flow telemetry, showing further improvement in vendor support this year. This is good news for the customers leveraging these networks and shows steady effort on the part of providers to satisfy growth commitments to IPv6.

[Figure 31 IPv6 Flow Telemetry: Yes, fully supported today 58%; Partial, some vendors support IPv6 flow telemetry today, some do not 22%; No, will not support 5%. Source: Arbor Networks, Inc.]

IPv6 traffic visibility, which is the key to detection and protection, has increased to 70 percent this year from 60 percent last year (Figure 32). This is a positive indication that service providers are keeping pace with the growth of IPv6 and are focused on telemetry/visibility to help keep their networks healthy and current.

[Figure 32 IPv6 Traffic Visibility: Have a visibility solution in place to monitor IPv6 traffic? Yes 70%; No 30%]
Generally, service providers expressed concern over IPv6 attacks against dual-stack devices having an impact on IPv4 services (Figure 33). While 44 percent expressed minor concern, nearly one third indicated moderate concern and 11 percent indicated major concern over this issue. The concern is well founded: on a dual-stack host the IPv6 and IPv4 services share the same CPU, memory, connection-state tables and upstream links, so an IPv6 flood that is invisible to IPv4-only monitoring can still degrade the IPv4 service.

[Figure 33 IPv6 Impact on IPv4 Services (Dual-Stack Devices): Minor concern 44%; Moderate concern 34%; Major concern 11%]

Overall, 57 percent of service providers projected some level of IPv6 traffic growth in the coming year (Figure 34). Further, only six percent projected no IPv6 traffic growth, compared to 14 percent last year. However, 37 percent were unable to predict future growth this year, compared to only 18 percent last year.

[Figure 34 Anticipated IPv6 Traffic Growth: bar chart; categories: None, no growth expected; 40% growth expected; 60% growth expected; 80% growth expected; 100% growth expected]
Organizational Security

Security Operations Center Resources

Sixty percent of service providers have their own internal security operations center (SOC) team (Figure 37). However, the percentage of service providers without any SOC capabilities fell from 29 to 21 percent. This is positive news, and is likely due to the increased use of third-party and third-party-augmented SOC capabilities. Service providers are relying more on outsourcing to enhance their internal security teams. This highlights the global challenges organizations face in building and maintaining an internal security team of skilled practitioners.

[Figure 37 Security Operations Center Resources: Internal SOC team 60%; No SOC resources 21%; remaining categories (Internal SOC with supplemental third party; Third party SOC): 12% and 6% as labelled on chart. Source: Arbor Networks, Inc.]

Eighty-seven percent of service providers reported that they had some dedicated security personnel (Figure 38), an identical result to the previous year. Also, as in 2016, about a quarter had security teams of 30 or more people, compared to only 14 percent for enterprise, government and education (EGE) respondents.

[Figure 38 Dedicated Security Personnel: 0 security personnel 13%; 1–5 36%; 6–10 12%; 11–15 8%; 16–20 4%; 21–30 4%; 30+ 23%]
[Figure residue (title and figure number not on page): bar chart of obstacles to security capability; categories: Lack of management support; Lack of internal stakeholder support; Operational expenditure (OPEX) funding; Capital expenditure (CAPEX) funding; Difficulty of hiring and retaining skilled personnel; Lack of headcount or resources; Other]
OPSEC Participation

Another disappointing result in 2017 was that less than a quarter of service providers participated in global operational security communities (Figure 42), or shared or distributed observed cyber-security threats and gathered intelligence. The OPSEC communities have proven themselves very useful during high-profile attacks in the last five years. We can only suspect that this downward trend, which started two years ago, is due to the challenges service providers face in building and maintaining an OPSEC team. From 41 percent in 2015, to 26 percent last year, service providers' participation is down to 24 percent today.

[Figure 42 OPSEC Participation: Participate in global OPSEC community groups? No 76%; Yes 24%. Source: Arbor Networks, Inc.]
Data Center Operators

To better understand the resources that need protection in data centers, we asked respondents to identify what services their organizations offer (Figure 43). It comes as no surprise that managed hosting was the most common service offered. However, it was surprising to see public or private cloud services ranked second, pushing co-location services into third.

[Figure 43 Data Center Services: Managed Hosting 76%; Private/Public/Hybrid Cloud 69%; Co-Location 63%]

Unexpectedly, a lower proportion of data center operators saw DDoS attacks targeting their environments (Figure 44), yet the financial impact of attacks grew significantly (Figure 47). Only 40 percent indicated they observed DDoS incidents in 2017, a significant decrease from 60 percent the previous year. The frequency of attacks also decreased sharply, with only 36 percent seeing more than 10 attacks monthly, compared to 57 percent in 2016 (Figure 45).

[Figure 44 Data Center DDoS Attack Overview: Yes 40%]

[Figure 45 Data Center DDoS Attacks per Month: 1–10 attacks per month 64%; 11–20 attacks per month 18%; remaining categories as labelled on chart: 14% and 5%]
Despite less frequent DDoS attacks, the survey highlights the growing impact of incidents. Of those who had DDoS attacks, 91 percent observed at least one incident that affected their ability to deliver service. Seventy-eight percent experienced between 1 and 20 service-affecting attacks, a slight increase over 2016 (Figure 46).

[Figure 46 Data Center Service Affecting Attacks: 0 attacks 9%; 1–10 attacks 73%; 11–20 attacks 5%; 21–50 and 51–100 attacks: 9% and 5% as labelled on chart]

The average cost of a successful DDoS attack to a data center operator changed significantly in 2017. In 2016, 45 percent of operators reported that an attack cost them less than $10,000 on average. In comparison, 45 percent indicated that the average total cost of major attacks was between $10,000 and $50,000 per incident in 2017 (Figure 47). In fact, more than half of respondents experienced a financial impact between $10,000 and $100,000, almost twice as many as in 2016.

[Figure 47 Data Center DDoS Cost: bar chart; categories: Less than $10,000; $10,000 to $25,000; $25,000 to $50,000; $50,000 to $100,000; $100,000 to $100,000,000. Source: Arbor Networks, Inc.]

Looking at the cost break-out, respondents continue to see operational expenses as having the biggest impact on their business as a direct result of a DDoS attack (Figure 48). However, customer churn is now second at 48 percent. This demonstrates how sensitive customers are when it comes to the availability of their services and the DDoS protection provided by a data center operator. Putting this data into perspective, we believe that wide adoption of DDoS mitigation services made it harder for attackers to affect business processes, making them more conscious about the size and complexity of the attacks they launched. Consequently, attacks were more advanced, and once they passed through defenses, there was a greater impact on data center operations.

[Figure 48 Data Center DDoS Business Impact: bar chart; categories: Increased operational expense; Customer churn 48%; Employee turnover; Revenue loss. Source: Arbor Networks, Inc.]
The targets of DDoS attacks within data centers are similar to those in the previous year, with customers the most likely target (Figure 49). However, the percentage of data centers reporting outbound attacks generated by their own servers grew from 28 to 36 percent. Anecdotally, we have been aware for many years that compromised or rented data center servers are used as 'packet cannons.' It seems that data center operators are increasingly aware of this problem as well.

[Figure 49 Data Center DDoS Attack Targets: Inbound attack against data center management hosting, cloud or co-location customer 68%; Inbound attack against data center service infrastructure (portal, management) 50%]

We asked data center operators if they experienced attacks exceeding the total bandwidth available to the data center. Historically we observed a growing trend of attacks saturating data centers:

As in previous years, we asked data center operators what level and type of visibility they have in place. When it comes to visibility levels, there was mixed news. The percentage with Layer 3 and 4 visibility dropped from
[Figure residue (title not on page): category None 14%; axis 0%–100%]

When it comes to the technologies used to protect data centers at their perimeter, the increased frequency of DDoS attacks seen in 2016 resulted in a wider adoption of Intelligent DDoS Mitigation Systems (IDMS) in 2017. About half of respondents indicated that an IDMS was now part of their perimeter protection, a sharp increase from the previous year's 29 percent. While IDMS shared third place with application firewalls, the most popular technologies remained firewalls and IDS/IPS (Figure 52).

[Figure 52 Data Center Perimeter Protection Technologies: Firewalls 96%; IDS/IPS 73%; Application firewalls 49%; Intelligent DDoS mitigation systems 49%; UTM 33%; iACL 25%; Sandboxing 18%. Source: Arbor Networks, Inc.]

[Figure residue (title and figure number not on page): chart of DDoS mitigation techniques; labels as extracted: ... on network edge; Destination-based remote triggered blackhole (D/RTBH); Data center Firewalls; IPS/IDS; FlowSpec on gateway or access routers; Layered intelligent DDoS management network; Source-based remote ... (label truncated)]
Mobile Network Operators

In 2017, 60 percent of mobile operator respondents had more than one million subscribers, down from 70 percent the previous year (Figure 54).

[Figure 54 Mobile Subscribers: pie chart; categories: Less than 1 million subscribers 40%; 1–10 million subscribers; 11–25 million subscribers; 26–50 million subscribers; 51–100 million subscribers; More than 100 million subscribers]

We asked mobile operators if they had experienced any security incidents on their networks that led to a customer-visible outage, and only a fifth reported such an incident, down from a third in 2016, a very positive trend (Figure 55).

[Figure 55 Security Incidents That Led to a Customer-Visible Outage: Yes 20%; No 65%; Do not know 15%]

In 2017, only 25 percent of mobile operators had the capability to detect compromised devices on their subscriber networks, down from 37 percent the previous year (Figure 56). This significant decrease in the ability to detect compromised devices is worrisome, as gaining better visibility of user devices is key for proactive and effective security incident handling.

[Figure 56 Compromised Subscriber Detection: Detect a compromised subscriber? Yes 25%; No 75%]
[Figure 57 Compromised Subscribers: pie chart; categories: None; Do not know; 1–5% of subscribers; 6–10% of subscribers; values labelled on chart: 16%, 5%. Source: Arbor Networks, Inc.]

Fifty-eight percent of operators once again did not see DDoS attacks originating from their mobile user base (Figure 58). Of the remaining, one half noticed DDoS attacks from their subscriber network, while the other half did not know whether attacks were generated by their mobile users.

[Figure 59 DDoS Attack Mitigation from Mobile Users: Yes 37%; No plans 37%; No, planning to in the next 12 months 26%. Source: Arbor Networks, Inc.]

It is very positive news that over a quarter are planning to start mitigating outbound DDoS attacks in 2018.
This year a much lower proportion of network operators observed DDoS attacks targeting their mobile infrastructure/users, from 74 percent in 2016 to 58 percent in 2017 (Figure 60). However, among those seeing attacks, there was an increase in those noticing between one and 10 attacks per month, at 32 percent, up from 21 percent the previous year. The percentage of mobile network operators experiencing over 10 attacks per month fell to 26 percent from 55 percent last year.

[Figure 60 Number of DDoS Attacks: categories 0; 1–10; 11–20; 21–50; 51–100]

[Figure residue: Number of DDoS attacks targeting IP (Gi/SGi) infrastructure: 0 53%; 1–10 26%; 11–20 5%; 21–50 11%; 51–100 5%]

[Figure residue (title not on page): Yes, Layers 3/4 68%; Yes, Layer 7 26%; No 21%]
ATLAS Special Report

NETSCOUT Arbor's Active Threat Level Analysis System (ATLAS®) gathers statistics from NETSCOUT Arbor SP deployments around the world.

ATLAS delivers insight into approximately one third of global internet traffic. There are currently more than 400 networks participating in the ATLAS initiative. Statistics are shared hourly and include DDoS attack details, along with other traffic information. NETSCOUT Arbor's team collates and analyzes this unique data set to determine key trends in DDoS attack activity.

EDITOR'S NOTE
In early 2017, the NETSCOUT Arbor ATLAS team introduced a new data processing engine for the ATLAS system; this new approach has improved Arbor's ability to more accurately identify DDoS events. As a result, some of the ATLAS DDoS attack figures for 2016 are different from the values used in last year's report. For the sake of consistency, we have run the data collected in 2016 through the new engine, which resulted in new figures.
[Figure AT1 ATLAS Peak Monitored Attack Size (Gbps), 2016 vs. 2017: bar chart; value labelled on chart: 841 Gbps. Source: NETSCOUT Arbor]

[Figure AT2 Growth in Large Attacks (100+ Gbps), 2016 vs. 2017: values labelled on chart: 1,087 and 444. Source: NETSCOUT Arbor]
[Figure: ATLAS Average Attack Size (Mbps), 2016–2017: line chart; y-axis 0–2,000 Mbps]

Although the number of attacks over 100 Gbps in 2017 is down from last year, the overall mix of attack sizes is still shifting up. This year, the percentage of attacks over 1 Gbps has increased to 22 percent, growing for the third year in a row. The vast majority of attacks, 87 percent, are still smaller than 2 Gbps (Figure AT3).

[Figure AT3 Attack Size Breakout; Figure AT5 Number of DDoS Attacks 2016 vs. 2017. Source: NETSCOUT Arbor]
While the number of very large attacks decreased

Again, this may be due to the fact that there were major International

[Figure residue (figure number not on page): weekly attack-count line charts, 2–10 Gbps (series 2–5 Gbps, Linear (5–10 Gbps); y-axis to 20,000) and 50–200 Gbps (series 50–100 Gbps, Linear (50–100 Gbps); y-axis to 350); x-axis 01/10/16 to 12/31/17]
Using the same metrics (number of DDoS attacks, peak attack sizes and average attack sizes), the regions were compared.

Looking at the number of DDoS events observed in the different regions (Figure AT7), Latin America has a lower number of attacks compared to the other regions.

We also noticed that starting in August 2017, there is a trend of more attacks seen in

[Figure AT7 Number of DDoS Attacks by Region: line chart; series APAC, EMEA, NA; legend also lists Africa, Asia-Pacific; y-axis 0–125,000]
Although the number of attacks is lower in the Latin America region, the largest attack monitored in 2017 targeted Brazil. Overall, the difference in terms of peak attack size is not that significant between the four regions (Figure AT8).

Comparison of average attack size between the regions reveals an interesting fact: the averages in North America and Europe are actually higher than the worldwide average (Figure AT9). In contrast, the Latin America and Asia-Pacific regions both show slightly lower average attack sizes than the global number; this indicates a higher proportion of smaller attacks in Asia-Pacific and Latin America compared to the other regions.

[Figure AT8 Peak Attack Sizes by Regions (Gbps): line chart; y-axis 0–700 Gbps; x-axis 01/08/16 to 12/31/17. Source: NETSCOUT Arbor]

[Figure AT9 Average Attack Sizes by Regions (Mbps): line chart; series GLOBAL, APAC, EMEA, LATAM, NA; y-axis 0–3,000 Mbps; x-axis 01/08/16 to 12/31/17. Source: Arbor Networks, Inc.]

Attack Duration

Similar to the previous two years, 92 percent of attacks last less than one hour (Figure AT10). The average duration of an attack in 2017 was around 46 minutes, down from 55 minutes last year.

[Figure AT10 Attack Duration: Less than 30 minutes 85.4%; 30 minutes – 1 hour 6.5%; 1 hour – 3 hours 4.5%; 3 hours – 6 hours 1.3%; 6 hours – 12 hours and 12 hours – 1 day 1.0% each; More than 1 day 0.2%]

As we stated last year, attackers usually start and stop an attack sporadically over an extended period of time. As a result, the average duration of an individual attack is less than an hour, but a typical attack campaign lasts much longer than that.
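The distinction between a short attack and a long campaign can be made concrete by merging per-target attack events that are separated only by brief quiet intervals. The following Python is an added example, not code from the report or from NETSCOUT Arbor; the event records are constructed for the illustration and the two-hour campaign gap is an assumed tuning value.

```python
"""Added example (not from the NETSCOUT Arbor report): group short DDoS
attack events per target into campaigns, to show why the mean attack
duration can be under an hour while a campaign runs for hours.

Input records are constructed for this example; timestamps are ISO 8601
and the 'campaign gap' threshold is an assumed tuning value.
"""
from datetime import datetime, timedelta

# Constructed sample events: (target, start, end). The bursts against
# 203.0.113.10 are separated by quiet periods; the last one is >2h away.
SAMPLE_EVENTS = [
    ("203.0.113.10", "2017-09-03T10:00:00", "2017-09-03T10:20:00"),
    ("203.0.113.10", "2017-09-03T11:05:00", "2017-09-03T11:35:00"),
    ("203.0.113.10", "2017-09-03T13:10:00", "2017-09-03T13:25:00"),
    ("203.0.113.10", "2017-09-03T15:40:00", "2017-09-03T16:10:00"),
    ("198.51.100.7", "2017-09-03T09:00:00", "2017-09-03T09:45:00"),
]

CAMPAIGN_GAP = timedelta(hours=2)  # assumed: quiet time that ends a campaign


def parse(events):
    """Turn (target, iso_start, iso_end) into (target, datetime, datetime)."""
    out = []
    for target, start, end in events:
        s = datetime.fromisoformat(start)
        e = datetime.fromisoformat(end)
        if e < s:
            raise ValueError(f"event ends before it starts: {target} {start} {end}")
        out.append((target, s, e))
    return out


def mean_attack_minutes(events):
    """Mean duration of the individual attack events, in minutes."""
    parsed = parse(events)
    total = sum((e - s).total_seconds() for _, s, e in parsed)
    return total / 60 / len(parsed)


def campaigns(events, gap=CAMPAIGN_GAP):
    """Merge events against the same target when the quiet interval between
    consecutive events is <= gap. Returns {target: [(start, end, n_events), ...]}."""
    by_target = {}
    for target, s, e in sorted(parse(events), key=lambda x: (x[0], x[1])):
        runs = by_target.setdefault(target, [])
        if runs and s - runs[-1][1] <= gap:
            cs, ce, n = runs[-1]
            runs[-1] = (cs, max(ce, e), n + 1)
        else:
            runs.append((s, e, 1))
    return by_target


def campaign_minutes(events, gap=CAMPAIGN_GAP):
    """Wall-clock span of each campaign, in minutes, per target."""
    return {t: [(ce - cs).total_seconds() / 60 for cs, ce, _ in runs]
            for t, runs in campaigns(events, gap).items()}


if __name__ == "__main__":
    print("mean attack duration (min):", mean_attack_minutes(SAMPLE_EVENTS))
    for target, spans in campaign_minutes(SAMPLE_EVENTS).items():
        print(target, "campaign span (min):", spans)
```

On the constructed input the mean event lasts 28 minutes, while the first campaign against 203.0.113.10 spans 205 minutes; tuning the gap is the judgment call, since too small a value splits one campaign into many and too large a value merges unrelated attacks.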
Target Countries

Looking at the top 10 countries attacked in 2017, it is very interesting that the top four spots are exactly the same as last year, with similar percentages as well (Figure AT11). The top targets for attacks greater than 10 Gbps were the United States and Hong Kong. While the other countries in the top ten are nearly identical to last year, the positions vary quite a bit (Figure AT12).

It should be noted that mapping DDoS source/destination IP addresses to geographical locations is challenging for various reasons, including source address spoofing by attackers and widely deployed CGNAT and CDN technologies.

[Figure AT11 Top Targeted Countries for DDoS Attacks by Percentage (left column) and Figure AT12 Top Targeted Countries for DDoS Attacks Greater Than 10 Gbps by Percentage (right column). Labels as extracted, in page order; the top-ranked entries are not on the page:
10.3% | 10.2%
CHINA | SOUTH AFRICA
8.7% | 8.8%
FRANCE | CANADA
4.6% | 5.5%
BRAZIL | UNITED KINGDOM
3.7% | 4.9%
UNITED KINGDOM | SOUTH KOREA
2.9% | 4.4%
MALAYSIA | POLAND
2.7% | 3.8%
SOUTH AFRICA | BRAZIL
2.7% | 3.4%
TURKEY | AUSTRALIA
2.1% | 2.8%
AUSTRALIA | FRANCE
1.9% | 2.2%]
Reflections

[Figure AT13 Reflection/Amplification Attacks, Count Per Week: line chart; series DNS, NTP, SSDP, Chargen, C-LDAP, SNMP, Portmap, MSSQL. Source: NETSCOUT Arbor]

[Figure AT14 Number of Reflection/Amplification Attacks: line chart; y-axis 0–4,000 per week; x-axis 01/08/17 to 12/31/17. Source: NETSCOUT Arbor]
Looking at the whole of 2017, once again DNS, NTP, Chargen and SSDP represent the top reflection/amplification attack vectors (Figure AT15). While the percentages of DNS and NTP attacks remain almost the same as last year, the number of Chargen and SSDP reflection/amplification attacks has dropped from a combined total of more than 400,000 attacks in 2016 to around 330,000 attacks in 2017. On the other hand, C-LDAP reflection/amplification is definitely on the rise.

[Figure AT15 Reflection/Amplification Attacks by Percentage: DNS Amplification 47.9%; NTP Amplification 29.4%; Chargen Amplification 8.0%; SSDP Amplification 7.1%; C-LDAP Amplification 4.7%; SNMP Amplification 1.8%; Portmap Amplification 1.0%; MSSQL Amplification 0.2%. Source: Arbor Networks, Inc.]

It is also worth mentioning that many of the attacks observed are multi-vector attacks, where more than one type of vector is deployed simultaneously. For example, in 2017, 10 percent of all reflection/amplification attacks included more than one attack vector (Figure AT16). As many as 5,000 attacks each week were comprised of more than one type of reflection/amplification attack.

[Figure AT16 (as referenced in the text) Multi-Vector Reflection/Amplification Attacks Per Week: line chart; y-axis 0–30,000; peak labelled 5,095 attacks per week; x-axis 01/08/17 to 12/31/17]
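To show how the vector breakdown of Figure AT15 and the multi-vector share of Figure AT16 can be derived from flow telemetry, here is an added Python example (not code from the report or from NETSCOUT Arbor) that tags constructed flow records by reflector source port and flags targets hit by more than one vector within the same minute. The flow tuple layout, the packet-rate and mean-packet-size thresholds and the one-minute grouping are all assumptions made for this illustration.

```python
"""Added example (not from the NETSCOUT Arbor report): classify constructed
flow records into reflection/amplification vectors by reflector source port
and flag targets hit by more than one vector at once (multi-vector attacks).

The flow tuples, thresholds and one-minute grouping are assumptions made for
this illustration; real detection would use sampled NetFlow/IPFIX against a
per-target baseline.
"""
from collections import defaultdict

# UDP source ports of the reflector services named in Figure AT15,
# mapped to the vector label used there.
REFLECTOR_PORTS = {
    53: "DNS",
    123: "NTP",
    1900: "SSDP",
    19: "Chargen",
    389: "C-LDAP",
    161: "SNMP",
    111: "Portmap",
    1434: "MSSQL",
}

# Amplified answers are large packets; assumed minimum mean packet size so
# ordinary small responses from the same ports are not flagged.
MIN_MEAN_PACKET_BYTES = 400

# Constructed sample flows (one-minute aggregates):
# (minute, src_ip, src_port, dst_ip, dst_port, packets, bytes)
SAMPLE_FLOWS = [
    (0, "192.0.2.53", 53, "203.0.113.10", 44123, 900000, 1200000000),   # DNS reflection
    (0, "192.0.2.77", 123, "203.0.113.10", 44123, 500000, 240000000),   # NTP reflection
    (0, "192.0.2.9", 389, "203.0.113.10", 44123, 300000, 900000000),    # C-LDAP reflection
    (0, "192.0.2.53", 53, "198.51.100.7", 51000, 2000, 180000),         # normal DNS answers
    (1, "192.0.2.77", 123, "198.51.100.8", 40000, 400000, 190000000),   # NTP reflection only
    (1, "192.0.2.200", 443, "198.51.100.8", 40000, 3000, 3000000),      # web traffic, ignored
]


def vector_of(flow, min_pps=1000, min_mean_bytes=MIN_MEAN_PACKET_BYTES):
    """Return the vector name if a flow looks like reflected traffic, else None.
    Requires a known reflector source port, a sustained packet rate over the
    one-minute aggregate, and a large mean packet size (amplified answers)."""
    _, _, sport, _, _, packets, nbytes = flow
    name = REFLECTOR_PORTS.get(sport)
    if name is None or packets < min_pps * 60:
        return None
    if nbytes / packets < min_mean_bytes:
        return None
    return name


def vectors_per_target(flows):
    """{(minute, dst_ip): set of vector names} for flows that look like reflection."""
    seen = defaultdict(set)
    for flow in flows:
        name = vector_of(flow)
        if name:
            seen[(flow[0], flow[3])].add(name)
    return seen


def multi_vector_targets(flows):
    """Targets receiving more than one reflection vector in the same minute,
    the situation Figure AT16 counts."""
    return {key: sorted(v) for key, v in vectors_per_target(flows).items() if len(v) > 1}


def multi_vector_share(flows):
    """Fraction of attacked (minute, target) pairs that were multi-vector."""
    per = vectors_per_target(flows)
    if not per:
        return 0.0
    return sum(1 for v in per.values() if len(v) > 1) / len(per)


if __name__ == "__main__":
    print(multi_vector_targets(SAMPLE_FLOWS))
    print(f"{multi_vector_share(SAMPLE_FLOWS):.0%} of attacked targets were multi-vector")
```

The source-port heuristic alone is not enough on its own: a busy resolver legitimately sends many packets from port 53, which is why the rate and mean-packet-size checks are combined, and why a production detector would compare against the target's normal baseline rather than fixed thresholds.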
[Figure: Reflection/Amplification Attacks, Average Attack Sizes (Mbps): values labelled on chart: 3,080 Mbps; 2,580 Mbps; 2,519 Mbps; 2,494 Mbps; 2,007 Mbps; 1,740 Mbps; 1,602 Mbps; series include Portmap, SNMP, NTP, Chargen, SSDP, MSSQL]

[Figure AT18 Reflection/Amplification Attacks, Average Size Trend: line chart; y-axis 0–5,000 Mbps; x-axis 01/01/17 to 12/31/17]

The average attack sizes of the reflection/amplification attacks are slightly lower than in 2016. Looking at the 2017 timeline graph (Figure AT18), the average attack sizes of most reflection/amplification attacks increased slightly throughout the year, except for Chargen and SSDP attacks.
[Figure AT19 Reflection/Amplification Attacks, Peak Attack Sizes (Gbps): NTP 622 Gbps; C-LDAP 271 Gbps; other values labelled on chart: 203 Gbps, 203 Gbps, 182 Gbps, 104 Gbps; series include NTP, SSDP, C-LDAP, SNMP, Portmap, Chargen, MSSQL. Source: NETSCOUT Arbor]

[Figure AT20 Reflection/Amplification Attacks, Peak Size Trend (Gbps): line chart; x-axis 01/01/17 to 12/31/17]

As mentioned before, DNS and NTP reflection/amplification attacks are the dominant attack vectors. In fact, both DNS and NTP have seen peak attack sizes greater than 600 Gbps. Looking at the peak attack size timeline graph (Figure AT20), attackers are varying the attack vectors, with different protocols being chosen as the 'weapon' used. C-LDAP reflection/amplification became a popular choice during the second half of 2017, growing in size as well as frequency.
Reflection/Amplification Attacks Source Countries

[Figure (number not on page): bar chart; y-axis 0%–40%; countries labelled: China, United Kingdom, Germany, Canada]

REMAINING SOURCE COUNTRIES
Russia 61.68%          | Japan 56.60%          | Malaysia 47.30%
Brazil 60.90%          | Taiwan 55.88%         | Ireland 46.38%
Netherlands 60.80%     | Vietnam 55.36%        | Austria 45.94%
France 60.66%          | Colombia 54.64%       | Switzerland 45.88%
Italy 60.03%           | Australia 53.53%      | Kazakhstan 45.74%
Poland 60.03%          | Indonesia 53.45%      | Latvia 45.20%
Ukraine 58.86%         | Argentina 53.21%      | South Korea 45.14%
Romania 58.82%         | South Africa 53.11%   | Slovakia 45.03%
Spain 58.69%           | Thailand 52.37%       | Denmark 45.03%
Turkey 58.23%          | Hungary 52.37%        | Norway 43.93%
Czech Republic 57.80%  | Bulgaria 52.35%       | Portugal 43.89%
Mexico 57.33%          | Chile 51.69%          | Ecuador 43.87%
Hong Kong 57.30%       | Singapore 50.43%      | Bangladesh 43.73%
India 57.20%           | Philippines 48.60%    | Israel 43.44%
Sweden 57.18%          | Iran 48.15%           |
ASERT Special Report: Application-Layer Attacks
The Anatomy of Application-Layer Attacks

Delivery of internet content typically utilizes a number of services, applications and infrastructure components.

1. Domain Name Services (DNS): Convert fully qualified domain names (FQDNs) to IP addresses. The response is often based on the user's location and the state of the services which the user is attempting to reach.

2. Load Balancers: Use a combination of the URL contents and the state of the application servers to redirect the user to an appropriate destination.

3. Application Servers: Examine the URL and retrieve the content which the user is requesting from other services, including database servers. Modern service oriented architectures (SOAs) use a hierarchy of fine-grained, lightweight microservices, each optimized to deliver its part of the response in the most efficient manner possible.

4. Database Servers: Used by the application servers for retrieving and storing content which is then presented to the user.

As IoT devices are now the preferred weapon of choice for launching DDoS attacks, it has become easy to use those devices to launch advanced application-layer attacks. IoT devices are online 24x7 and have enough capability to launch complex attacks.

Attacks Against DNS Infrastructures

On October 21, 2016, a series of large DDoS attacks using IoT devices was launched against the managed DNS provider Dyn, resulting in the outage of major brand-name services. In fact, these services were perfectly okay and had no issues. However, Dyn's DNS service was not working, resulting in users being unable to resolve domain names to IP addresses.

The attack used against Dyn was a pseudo-random DNS query application-layer DDoS attack, which attaches a pseudo-random label, such as "4asg7vds6tsct.www.netflix.com," to the DNS name of the victim. These queries are unlikely to be in the cache of a recursive DNS service, so they will be forwarded to the authoritative DNS server for the domain. The authoritative DNS server will respond with an NXDOMAIN response, which in turn will be returned by the recursive DNS server back to the original client.

If the client now sends another query with a different random label, the same process will be repeated. If the attacker instructs thousands of clients to send these random queries as fast as they can, the recursive server and the authoritative server will very quickly start to run out of resources and be unable to answer queries from legitimate clients. When using shared DNS services, there is a risk that the attack will cause collateral damage, resulting in the outage of all customers using that service. This is what happened in the Dyn attack.
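The signature of the pseudo-random label attack described above is visible in resolver logs: a flood of distinct, high-entropy leftmost labels under one zone, almost all answered NXDOMAIN. The following Python is an added example (not code from the report, from NETSCOUT Arbor or from Dyn) that scores constructed query-log lines per zone on exactly those two signals. The log format, the "second-level label is the zone" rule and all thresholds are assumptions made for this illustration.

```python
"""Added example (not from the NETSCOUT Arbor report): detect a pseudo-random
subdomain (PRSD) query flood, the attack type described for the Dyn incident,
from constructed recursive-resolver query log lines.

Per zone it counts queries, the NXDOMAIN ratio and the mean character
entropy of the distinct leftmost labels that missed. The log format, the
zone rule and all thresholds are assumptions for this illustration.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log lines: "<client> <qname> <rcode>".
SAMPLE_LOG = """\
10.0.0.5 www.example.com. NOERROR
10.0.0.6 www.example.com. NOERROR
10.0.0.7 mail.example.com. NOERROR
10.0.0.9 4asg7vds6tsct.www.victim.test. NXDOMAIN
10.0.0.9 k2m9x1qzp0w.www.victim.test. NXDOMAIN
10.0.0.12 zz81lpq3nv7.www.victim.test. NXDOMAIN
10.0.0.13 p0o9i8u7y6t.www.victim.test. NXDOMAIN
10.0.0.14 q1w2e3r4t5y.www.victim.test. NXDOMAIN
10.0.0.15 www.victim.test. NOERROR
"""


def zone_of(qname, depth=2):
    """Treat the last `depth` labels as the zone (assumption: second-level zone)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-depth:])


def label_entropy(label):
    """Shannon entropy, in bits per character, of one label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (client, qname, rcode); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[0], parts[1].lower(), parts[2].upper()


def zone_stats(log_text):
    """Per zone: total queries, NXDOMAIN count, distinct leftmost labels that
    returned NXDOMAIN, and the summed entropy of those labels."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                 "nx_labels": set(), "entropy_sum": 0.0})
    for _, qname, rcode in parse_log(log_text):
        s = stats[zone_of(qname)]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            first = qname.rstrip(".").split(".")[0]
            if first not in s["nx_labels"]:
                s["nx_labels"].add(first)
                s["entropy_sum"] += label_entropy(first)
    return stats


def prsd_zones(log_text, min_queries=5, nx_ratio=0.6, min_mean_entropy=3.0):
    """Zones whose query mix looks like a random-label flood: enough queries,
    mostly NXDOMAIN, and high-entropy distinct missing labels."""
    flagged = []
    for zone, s in zone_stats(log_text).items():
        if s["queries"] < min_queries or not s["nx_labels"]:
            continue
        ratio = s["nxdomain"] / s["queries"]
        mean_entropy = s["entropy_sum"] / len(s["nx_labels"])
        if ratio >= nx_ratio and mean_entropy >= min_mean_entropy:
            flagged.append(zone)
    return sorted(flagged)


if __name__ == "__main__":
    print("zones under PRSD flood:", prsd_zones(SAMPLE_LOG))
```

A resolver operator would act on a flagged zone by rate-limiting queries for it per client, or by serving NXDOMAIN locally for names under it until the flood subsides, rather than forwarding each miss upstream; a zone with genuinely many hostnames (a CDN) needs a higher threshold, which is why the entropy check is paired with the NXDOMAIN ratio.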
WORLDWIDE
ATTACKS AGAINST
INFRASTRUCTURE
SECURITY REPORT
TABLE OF
Application Servers
Mitigating
CONTENTS
Application-layer attacks have been around for many years but in 2017
there was a significant increase in attacks focused on application servers.
Application-Layer
INTRODUCTION
Traditionally attackers used attacks like Slowloris, which opens multiple
HTTP connections and then keeps them open. Attackers also used SSL-based
KEY FINDINGS
Attacks
attacks, which start the establishment of SSL sessions but never complete
them. The goal of both of these attacks is to fill up connection tables and
SERVICE PROVIDER block legitimate users from connecting. In 2017, a new type of application-layer
attack focused on attacking modern service oriented architectures (SOA) was
discovered by Netflix. All of the attacks mentioned previously do not require
ATLAS SPECIAL
REPORT high bandwidth and will, in most cases, not be picked up
Microservices are becoming popular and are often implemented using Docker by volumetric DDoS defenses offered by managed DDoS
and other lightweight application frameworks that are designed to be modular providers. To detect and mitigate these attacks, it is usually
ASERT SPECIAL to develop and deploy. An application based on such an architecture will often necessary to have an application-centric DDoS mitigation
REPORT: PART 1 consist of hundreds of microservices, all of which are heavily interconnected device monitoring traffic destined to these servers. This kind
and use API calls to interact with each other. Some of these microservices will of device can identify and then either mitigate the attack itself
ENTERPRISE, require more CPU resources than others. A clever attacker can map out which
or automatically invoke cloud-based DDoS mitigation solutions
GOVERNMENT + microservices are more CPU intensive than others and then focus an attack
to filter away the attack traffic.
EDUCATION (EGE) on those. This can result in high CPU load on the application server.
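Because Slowloris and never-completed SSL handshakes move very little traffic, an application-centric device has to judge connections by their age and state rather than by bytes per second. The following is an added example (not code from the report or from any vendor product) of that logic over a snapshot of a server's connection table: it finds sources holding an excessive number of stale, pre-request connections, measures how full the table is, and applies a per-source budget as the mitigation. The snapshot records, addresses, thresholds and table capacity are all constructed for the example.

```python
"""Spot low-bandwidth state-exhaustion behaviour from a connection-table snapshot.

Slowloris keeps HTTP connections open without finishing the request headers;
TLS-handshake floods start sessions and never complete them.  Neither moves
much data, so the tell-tale is the age and state of connections per source.
Snapshot records below are constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    src: str          # client address
    opened_at: float  # epoch seconds
    state: str        # "established", "headers_incomplete" or "tls_incomplete"
    bytes_in: int     # bytes received so far


INCOMPLETE = {"headers_incomplete", "tls_incomplete"}


def stale_incomplete(conns, now, max_age_s=30.0):
    """Connections still in a pre-request state after max_age_s seconds."""
    return [c for c in conns if c.state in INCOMPLETE and now - c.opened_at > max_age_s]


def suspicious_sources(conns, now, max_age_s=30.0, per_source_limit=5):
    """src -> number of stale incomplete connections, for sources over the budget."""
    counts = Counter(c.src for c in stale_incomplete(conns, now, max_age_s))
    return {src: n for src, n in counts.items() if n > per_source_limit}


def table_pressure(conns, capacity):
    """Fraction of the connection table in use: what the attack is trying to fill."""
    return len(conns) / capacity


def enforce_limits(conns, now, max_age_s=30.0, per_source_limit=5):
    """Mitigation: per source, keep at most per_source_limit stale incomplete
    connections (the newest ones) and drop the rest.  Returns (kept, dropped)."""
    by_src = defaultdict(list)
    for c in stale_incomplete(conns, now, max_age_s):
        by_src[c.src].append(c)
    to_drop = set()
    for lst in by_src.values():
        lst.sort(key=lambda c: c.opened_at)          # oldest first
        excess = len(lst) - per_source_limit
        to_drop.update(id(c) for c in lst[:max(0, excess)])
    kept = [c for c in conns if id(c) not in to_drop]
    dropped = [c for c in conns if id(c) in to_drop]
    return kept, dropped


def sample_snapshot(now):
    """Constructed table: 30 slow-header connections from one source, 3 unfinished
    TLS handshakes from another (within budget), 7 healthy established sessions."""
    conns = [Conn("198.51.100.7", now - 120 - i, "headers_incomplete", 40) for i in range(30)]
    conns += [Conn("203.0.113.5", now - 50 - i, "tls_incomplete", 200) for i in range(3)]
    conns += [Conn(f"192.0.2.{10 + i}", now - 5, "established", 1800) for i in range(7)]
    return conns


if __name__ == "__main__":
    NOW = 1_507_204_800.0
    table = sample_snapshot(NOW)
    print("suspicious:", suspicious_sources(table, NOW))
    kept, dropped = enforce_limits(table, NOW)
    print(f"table pressure {table_pressure(table, 64):.2f} -> "
          f"{table_pressure(kept, 64):.2f}, dropped {len(dropped)}")
```

The budget is applied only to stale incomplete connections, so a source with a few slow but genuine clients behind a NAT is left alone while a source parking dozens of half-open sessions loses all but its newest few; the same per-source, per-state accounting is what a volumetric defense upstream cannot see, which is the point the section makes about needing monitoring close to the servers.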
ATTACKS AGAINST SQL Servers

SQL injection attacks have existed for many years but they have primarily been used for infiltrating websites and for exfiltration of valuable data.

In 2017, there was a major increase in specially crafted SQL injection attacks which use benchmarking tools within the database to cause the database server to consume as much CPU as possible. This attack forces the SQL server to consume a massive amount of CPU resources for each query. This leaves no resources for the application server and results in the website being unable to respond to legitimate queries. One example of such an attack tool is the #RefRef DDoS tool which uses the MySQL Benchmark command to inject CPU-intensive SQL commands.

Summary

As volumetric DDoS defenses become more effective, attackers have increasingly turned to application DDoS attacks which target weaknesses in specific protocol implementations. Applications like DNS, HTTP and HTTPS, the latter often used for API access as well as user interaction, must be protected using layered DDoS defenses.
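The CPU-exhaustion variant described above is still ordinary SQL injection underneath: the benchmarking call can only reach the database because attacker-supplied text is spliced into a statement. The following is an added example (not code from the report, from NETSCOUT Arbor or from the #RefRef tool) showing the root cause beside its fix, and a scanner over MySQL-style slow-query-log text that surfaces statements calling CPU-burning functions per client host. sqlite3 stands in for the database, the table and the slow-log excerpt are constructed, and the BENCHMARK() iteration count in the sample is a small made-up value.

```python
"""Two defender-side views of SQL injection used for CPU exhaustion.

1. Root cause and fix: a query built by string formatting versus one using
   parameter binding (sqlite3 stands in; the binding rule is the same for
   MySQL drivers).
2. A scanner over MySQL-style slow-query-log text that flags statements
   calling BENCHMARK() or SLEEP(), grouped by the client host that ran them.
   The log text below is constructed.
"""
import re
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    db.executemany("INSERT INTO products (name, price) VALUES (?, ?)",
                   [("lamp", 19.5), ("desk", 120.0), ("chair", 45.0)])
    return db


def search_vulnerable(db, term):
    """Attacker text is spliced into the statement, so it can rewrite the WHERE
    clause or append any function call the database offers."""
    sql = f"SELECT name FROM products WHERE name = '{term}'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term):
    """Parameter binding sends term as data; it can never alter the statement."""
    return [row[0] for row in db.execute("SELECT name FROM products WHERE name = ?", (term,))]


HEAVY_FUNCS = re.compile(r"\b(BENCHMARK|SLEEP)\s*\(", re.IGNORECASE)
USER_HOST = re.compile(r"^# User@Host: \S+ @ \S* \[(?P<host>[^\]]*)\]")
QUERY_TIME = re.compile(r"^# Query_time: (?P<qt>[\d.]+)")


def parse_slow_log(text):
    """Split MySQL slow-log text into (host, query_time, statement) entries."""
    entries, host, qt, stmt = [], None, None, []

    def flush():
        if stmt:
            entries.append((host, qt, " ".join(stmt)))

    for line in text.splitlines():
        if line.startswith("# Time:"):          # new entry starts
            flush()
            host, qt, stmt = None, None, []
            continue
        m = USER_HOST.match(line)
        if m:
            host = m.group("host")
            continue
        m = QUERY_TIME.match(line)
        if m:
            qt = float(m.group("qt"))
            continue
        if line.startswith("#") or line.startswith("SET timestamp") or not line.strip():
            continue
        stmt.append(line.strip())               # statement may span several lines
    flush()
    return entries


def heavy_function_hits(text):
    """Entries whose statement calls a CPU-burning function."""
    return [(h, qt, s) for h, qt, s in parse_slow_log(text) if HEAVY_FUNCS.search(s)]


# Constructed slow-log excerpt: one normal query, one injected BENCHMARK() call.
SAMPLE_SLOW_LOG = """\
# Time: 2017-10-05T12:00:01.000000Z
# User@Host: web[web] @ app01 [10.0.0.5]  Id:    12
# Query_time: 0.410  Lock_time: 0.000 Rows_sent: 1  Rows_examined: 4000
SET timestamp=1507204801;
SELECT name FROM products WHERE name = 'lamp';
# Time: 2017-10-05T12:00:03.000000Z
# User@Host: web[web] @ app01 [10.0.0.5]  Id:    13
# Query_time: 31.002  Lock_time: 0.000 Rows_sent: 0  Rows_examined: 1
SET timestamp=1507204803;
SELECT name FROM products WHERE name = '' OR BENCHMARK(1000, MD5('x'))
  OR name = '';
"""

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "' OR '1'='1"), search_safe(db, "' OR '1'='1"))
    for host, qt, stmt in heavy_function_hits(SAMPLE_SLOW_LOG):
        print(f"{host} {qt:.1f}s {stmt[:60]}")
```

The slow-log scanner is a detection aid, not a substitute for the fix: once every query path binds parameters, BENCHMARK() can no longer be injected at all, and the scanner's remaining job is to catch application code that was missed during that migration.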
ENTERPRISE, GOVERNMENT + EDUCATION (EGE)
Network Security

With three major attacks in 2017, WannaCry, Petya and Bad Rabbit, it is not surprising to see “ransomware” appearing right at the top of the list of threats experienced by enterprise, government and education (EGE) organizations at 35 percent (Figure 63). DDoS dropped to second place, with a slight decrease in the proportion of respondents experiencing attacks. However, with DDoS and ransomware both being experienced by over 30 percent, a significant number of organizations experienced one or both of these threats within the last 12 months.

Looking to the future, ransomware is top of mind as a key threat, with nearly two thirds concerned about this risk (Figure 63). Advanced persistent threats (APT) are also still an important concern for 57 percent, slightly down from 61 percent last year. It is notable that for the last couple of years, APTs ranked as a high concern, yet only a small segment (15 percent in 2017 and 28 percent in 2016) actually experienced these threats. The percentage of EGE respondents concerned about DDoS has increased slightly to 54 percent.

Figure 63 EGE Threats vs. Concerns (percentage that experienced the threat / percentage concerned about it)
Ransomware: 35% / 64%
Internet connectivity congestion due to DDoS attack: 32% / 54%
Internet connectivity congestion due to genuine traffic growth/spike: 30% / 29%
Accidental major service outage: 27% / 38%
Accidental data loss: 26% / 49%
Extortion for DDoS threat/attack: 17% / 41%
Botted or otherwise compromised hosts on your corporate network: 17% / 36%
Advanced persistent threat (APT) on corporate network: 15% / 57%
Malicious insider: 13% / 46%
Exposure of sensitive, but non-regulated data: 12% / 37%
Exposure of regulated data: 6% / 38%
Industrial espionage or data exfiltration: 5% / 31%
None of the above: 14% / 2%
Other: 4% / 4%
For the third consecutive year, firewalls, IPS/IDS and SIEM were the top three most utilized tools to detect threats on EGE networks (Figure 64), all of which saw an increase in their use.

[Figure 64 residue: tools used to detect threats on EGE networks. Categories listed: firewall logs; IDS/IPS; security information and event management (SIEM); NetFlow based analyzers; in-house developed scripts/tools; SNMP-based tools; service assurance/monitoring solutions; customer call/...; MSSP/cloud-based third-party services; ... mitigation system (Arbor APS); (Arbor SP); other. Bar values not recoverable.]
DDoS Attacks

Forty-one percent of enterprise, government and education (EGE) organizations experienced DDoS attacks in the past year. DDoS continues to be used as a diversion within advanced threat campaigns and other malicious activity. The percentage of respondents that observed more than 100 DDoS attacks during 2017 (Figure 65) more than doubled over the previous year. This sharp increase was expected because of the proliferation of IoT-based DDoS-for-hire services and anecdotal feedback from customers.

[Figure 65 residue: number of DDoS attacks in the last 12 months, buckets 1–10, 11–20, 21–50, 51–100 and 100+ attacks; bar values not recoverable. Source: Arbor Networks, Inc.]

Nearly half of all respondents that were attacked reported seeing 1 to 10 DDoS attacks over the past year: 44 percent in Europe, 50 percent in APAC and 68 percent in North America.

Of those that experienced DDoS attacks, 57 percent saw their internet bandwidth saturated due to an attack, up from 42 percent in the previous year. This is unfortunate but clearly illustrates the need for upstream or cloud-based mitigation services that can handle large volumetric attacks.

Up slightly from last year, 68 percent reported that customer-facing services and applications were the most common targets of DDoS attacks on EGE networks (Figure 66). Networking infrastructure, which was first last year, came in second at 61 percent. DDoS attacks increasingly targeted the application layer, a trend that we have been observing in recent years. This once again highlights the need for a layered-defense strategy.

Figure 66 (targets of DDoS attacks on EGE networks)
Customer facing services + applications: 68%
Infrastructure: 61%
Third-party data center or cloud service: 13%
SaaS services: 11%
Over half of EGE respondents had firewalls or IPS devices that experienced a failure or contributed to an outage during a DDoS attack (Figure 67). While stateful security devices can play a useful role, they are especially vulnerable to state-exhaustion attacks. Even the latest firewalls are susceptible to DDoS attacks, so these issues remain consistent year-on-year.

Figure 67 Firewall + IPS Failure
Yes: 51.6%
No: 46.8%
These devices are not deployed in our infrastructure: 1.6%

DDOS ATTACKS ARE TRADITIONALLY BROKEN DOWN INTO THREE MAIN CATEGORIES:
1. Volumetric
2. State-Exhaustion
3. Application-Layer

For the second consecutive year, there was a decrease in volumetric attacks, from 60 percent last year to 52 percent in 2017 (Figure 69). This was mirrored by an increase in application-layer attacks from 25 percent to 32 percent. This is not surprising as large volumetric attacks are typically mitigated upstream and EGE network operators have better visibility of their own applications than service providers.

These percentages are starkly different than those reported by our service provider respondents, who saw a far lower number of application-layer attacks (12 percent) and more volumetric attacks (76 percent). This further illustrates why a layered-defense strategy is key in the fight against DDoS attacks; a more focused view of traffic at the enterprise or data center level is needed to identify and block stealthy attacks.

Figure 69 (DDoS attack categories experienced)
Volumetric: 52%
Application-Layer: 32%
State-Exhaustion: 16%

Looking at the longest DDoS attack duration (Figure 68), 84 percent experienced DDoS attacks lasting less than one day, a decrease from 89 percent in the previous year. Further, there was a significant decline in attacks of less than seven hours, falling from 72 percent down to 59. This is surprising given the general trend of shorter duration attacks we’ve observed in the wild.

Figure 68 DDoS Attack Duration (Source: Arbor Networks, Inc.)
Less than 7 hours: 59%
7–12 hours: 8%
13–24 hours: 17%
1–3 days: 11%
4–7 days: 3%
1–4 weeks: 2%
Figure 70 Targets of Application-Layer Attacks
HTTP: 73%
DNS: 69%
HTTPS: 68%
Email: 37%
SIP/VoIP: 19%
Other: 12%

EGE organizations also saw more DDoS attacks targeting their email and VoIP services, suggesting the focus of DDoS attackers has shifted to exploiting more vulnerable services.

HTTP remained the most targeted application-layer service for DDoS attacks, but there was a decrease in the percentage of respondents seeing these attacks, from 85 to 73 (Figure 70). In contrast, DNS jumped from the third spot last year to second place, with 69 percent seeing this service targeted, up from 59 percent. HTTPS was also targeted more, at 68 percent up from 63 in the previous year.

The above application services were also the top three targeted as reported by service providers. However, DNS was the top target at 82 percent, followed by HTTP at 80 percent and HTTPS at 61 percent.

DDoS attacks targeting encrypted web services have become increasingly common in recent years (Figure 71). While there was a small decrease in the number of detected attacks targeting the encrypted service at the application layer (from 57 percent last year to 53 currently), the overall results remained mostly unchanged. A higher proportion of EGE respondents witnessed attacks targeting the SSL/TLS protocol than service providers (42 percent compared to 29 percent). The variation in results between EGE and service provider respondents is, as noted above, likely due to the higher granularity of visibility available when the monitoring solution is closer to the services being attacked.

[Figure 71 residue: attacks on encrypted web services, categories "Targeting the SSL/TLS protocol", "Targeting the TCP/UDP port" and "Not applicable". Values confirmed by the text: 42% targeting the SSL/TLS protocol; 53% targeting the encrypted service at the application layer. Remaining bar values not recoverable.]
EGE respondents reported a clear increase in multi-vector DDoS attacks, up from 40 percent in the previous year to 48 percent (Figure 72). These incidents utilize multiple, simultaneous vectors to maximize the attackers’ ability to disrupt service availability. This was expected given the increased sophistication of weaponized DDoS services seen in our research. The positive news is that

[Figure 72 Multi-Vector Attacks: "Observed multi-vector DDoS attacks?" Yes / No / Do not know. 48 percent yes per the text; other values not recoverable.]

The motives behind the DDoS attacks were extremely varied again in 2017 (Figure 73).

victims, with 49 percent seeing this as a common

[Figure 73 residue: DDoS attack motivations. Recoverable labels: diversion to cover compromise/data exfiltration; misconfiguration/accidental; inter-personal/...; ... capabilities to potential customers; ... business organizations; nihilism/vandalism. The values 49% and 50% appear in the chart but cannot be attributed to a label.]
Unfortunately, some of the most popular DDoS mitigation tools (firewalls, IPS and load-balancers) are also the least effective.

[Figure 74 DDoS Mitigation Techniques vs. Most Effective DDoS Mitigation Techniques. Techniques listed: firewall; access control lists (ACLs); IPS/WAF; intelligent DDoS mitigation systems (IDMS) at network perimeter (Arbor APS); load-balancer; cloud-based DDoS mitigation service; layered/hybrid DDoS protection system (integrated network perimeter and cloud); source-based remote triggered blackhole (S/RTBH); destination-based remote triggered blackhole (D/RTBH); content delivery network (CDN); FlowSpec; quarantine system; other. Values confirmed by the text: firewall used by 62%; IDMS used by 43%; cloud-based and layered/hybrid each used by 33%; layered/hybrid rated most effective by 30%; IDMS rated most effective by 25%. Remaining bar values not recoverable.]

As in previous years, firewalls, IPS, WAF and access control lists (ACLs) remained the most common DDoS mitigation mechanisms for more than half of the respondents (Figure 74). The use of firewalls, IPS and WAF remains a concern as those devices are susceptible to state-exhaustion attacks, which were experienced by over a half of respondents.

Of equal concern was the sharp increase in the use of firewalls for mitigating DDoS attacks, at 62 percent up from 49 percent previously. There were only slight changes in the deployment of Intelligent DDoS Mitigation Systems (IDMS) at 43 percent, and the utilization of both hybrid and pure cloud-based DDoS mitigation services, each at 33 percent.

As in previous years, we also asked our EGE respondents to rank the effectiveness of the mitigation techniques they are currently using. Intelligent, cloud-based and layered/hybrid DDoS mitigation systems were reported as the most effective techniques by nearly three quarters of respondents (Figure 74). Layered/hybrid systems took the first spot at 30 percent, followed closely by IDMS at 25 percent. Not surprisingly, while the majority used firewalls, IPS and WAF for DDoS mitigation, very few found them to be the most effective solution.
The faster DDoS attacks are successfully mitigated, the more the operational, financial and customer impact is limited. Seventy-five percent of organizations indicated that they could mitigate a DDoS attack in less than one hour (Figure 75), a very similar and encouraging result to last year.

Figure 75 (time to mitigate a DDoS attack)
Immediate mitigation via on-premise device or “always-on” cloud service: 30%
Less than 15 minutes: 21%
Less than 30 minutes: 11%
Less than 1 hour: 13%
1–3 hours: 21%
We do not mitigate attacks: 3%

Business impacts due to DDoS attacks continued to vary greatly (Figure 76). Reputation/brand damage and operational expense were still the two main business impacts, the former cited by 57 percent, an increase from 48 percent last year. There was also a big jump in respondents reporting revenue loss as a business impact, up to 32 percent from just 17 percent previously.

[Figure 76 Business Impacts of DDoS Attacks. Categories listed: increased operational expense; specialized IT security remediation and investigation services; loss of customers; loss of executive or senior management; extortion payments; increase in cybersecurity insurance premium; regulatory penalties and/or fines; revenue loss. Values confirmed by the text: reputation/brand damage 57%; revenue loss 32%. Remaining bar values not recoverable.]
We asked respondents to estimate the average total cost of a major DDoS attack on their business (Figure 77). Like last year, the vast majority reported a total cost below $10,000. However, over ten percent estimated a cost greater than $100,000, five times greater than previously seen. This indicates either that the cost of a DDoS attack has increased significantly, or that more organizations are now aware of the true impact to their business.

[Figure 77 residue: estimated total cost of a major DDoS attack. Buckets listed: $10,000 to $25,000; $25,000 to $50,000; $50,000 to $100,000; $100,000 to $100,000,000; more than $100,000,000. Bar values not recoverable.]

To provide greater insight into the above, we asked whether DDoS was part of their recurring risk analysis (Figure 78). Seventy-seven percent reported that it was either a part of their business or IT risk assessments, up from 70 percent last year. This is an encouraging trend that we expect to become more prevalent.

[Figure 78 DDoS Risk Analysis: 77 percent yes (business or IT risk assessment) per the text; "No" 16% as labelled in the chart residue; other values not recoverable.]

As in previous years, we also asked a more general question about the cost of internet downtime. The majority of our respondents could not quantify this, even though more than half of them had experienced a DDoS attack that exceeded the total bandwidth available to their organization, which would have resulted in downtime.

For those that could quantify their downtime, 38 percent reported the cost at $501 to $1,000 per minute, up significantly from 23 percent in the previous year (Figure 79). This again highlights the need for proactive defenses, as organizations become more dependent on the internet for their daily business needs.
SDN/NFV

Again in 2017, enterprise, government and education (EGE) respondents had fewer plans to utilize SDN/NFV than their service provider counterparts. Nineteen percent had plans to deploy SDN/NFV technologies, while just under a quarter were investigating or testing solutions, a slight increase from last year (Figure 80).

Figure 80 (EGE SDN/NFV plans)
NO: 59%
WE ARE INVESTIGATING/TRIALING NOW: 23%
WE ARE IMPLEMENTING NOW: 6%
PLAN TO IMPLEMENT IN NEXT YEAR: 5%

[Figure 81 EGE SDN/NFV Key Barriers. Barriers listed: interoperability; cost; performance concerns; vendor support; stability; scalability; security concerns; telemetry acquisition; business support system (BSS) integration. Bar values not recoverable.]
[Figure residue (between Figures 81 and 83), four EGE network domains with percentages: data center infrastructure 73%; data center security 47%; wide area networks (WAN, including SD-WAN) 46%; local area networks (LAN) 41%.]

NFV use within the EGE infrastructure seems to be moving forward. Firewalls were the most common NFV application, with 25 percent using this virtual functionality (Figure 83). Nineteen percent indicated they were using NFV for router and CPE functions, which correlates with service providers’ intent.

[Figure 83 EGE NFV Network Domains. Functions listed: routers/CPE; firewall; access/VPN; DDoS; sandbox; WAF; IPS/IDS; load balancing; not applicable; other. Values confirmed by the text: firewall 25%; routers/CPE 19%. Remaining bar values not recoverable.]
IPv6

In 2017, just over a third of enterprise, government and education (EGE) organizations were operating IPv6 in their environments or planning to in the coming year (Figure 84). This is down a few points from 2016, but a higher percentage than 2015.

Sixty percent of the EGE respondents provide internet-facing services with IPv6 support (Figure 85) and 65 percent have deployed IPv6 on their private networks (Figure 86), both down slightly from 2016. The percentage of organizations with no plans to implement IPv6 also appears to have leveled off.

On a positive note, even though the rollout of IPv6 services appears to have stalled within EGE respondents, the already high proportion with IPv6 deployed indicates that any new apps requiring IPv6 will be supported. The tools and telemetry to monitor and protect the apps are mostly in place.

In 2016, 27 percent of EGE networks fully supported IPv6 telemetry and we are happy to report that 45 percent of respondents indicated this was the case in 2017 (Figure 87). This increase is encouraging and shows the need for IPv6 monitoring as it becomes more important to business functions.

[Figure 84 IPv6 Operation: "Operating IPv6 or planning to deploy?" Yes / No, no plans / No, but we are planning for this. Just over a third operating or planning per the text; individual values not recoverable. Source: Arbor Networks, Inc.]

[Figure 85 IPv6 Service Availability: Yes 60% per the text. Figure 86 Internal IPv6 Deployment: 65% deployed per the text.]

[Figure 87 IPv6 Flow Telemetry. Categories: yes, fully supported today (45% per the text); partial, some vendors support IPv6 flow telemetry today, some do not; will soon, they will support flow telemetry for IPv6 in the next 12 months; new hardware, supported but on new hardware only; no, support is on a long-term roadmap (greater than 1 year); no, will not support. Remaining values not recoverable.]
More than 60 percent of EGE respondents deployed visibility solutions for IPv6 traffic, up from 57 percent last year (Figure 88). This increase is smaller than anticipated given the growth in the number of respondents who can now gather telemetry from their networks as mentioned previously.

Figure 88 IPv6 Operation: "Have a visibility solution in place to monitor IPv6 traffic?"
Yes: 61%
No: 39%

EGE organizations had very similar opinions as those of service providers when it came to the shared risk of IPv4 and IPv6 dual stack services (Figure 89). EGE respondents were more likely to be concerned at some level than their service provider counterparts, but the results were broadly similar.

[Figure 89 IPv6 Impact on IPv4 Services (Dual-Stack Devices): values not recoverable.]

In 2017, the biggest security concern for EGE respondents remained DDoS, with an almost identical result to the previous year (Figure 90). Botnets, which were in second position in 2016, were pushed down to fourth place despite a similar proportion reporting that this still was a concern. Misconfiguration and inadequate feature parity each increased by more than 10 percent.

Among all of the EGE respondents, only eight percent observed IPv6 DDoS attacks compared to 25 percent in 2016. We have been waiting for a steady growth trend to emerge in this area for a number of years, but the widespread use of IPv6 for mission critical applications is still not an actuality, as most attacks are still directed toward IPv4 services.

[Figure 90 IPv6 Security Concerns. Concerns listed: traffic floods/DDoS; misconfiguration; inadequate IPv4/IPv6 feature parity; botnets; host scanning; visibility, cannot ...; stack implementation flaws; ... to bypass application rate limiting. Bar values not recoverable.]
Organizational Security

EGE SOC Resources

Forty-eight percent of EGE respondents had an internal security operations center (SOC) team in place in 2017, a slight increase from 46 percent the previous year (Figure 91). In contrast, around 60 percent of the service providers indicated they had internal SOC teams, highlighting the ongoing struggle EGE organizations face in building and maintaining an internal security team of skilled practitioners.

Because of this, 37 percent relied on third-party and outsourced services, a jump from 28 percent the previous year. Fully outsourced SOC teams accounted for 16 percent, a significant increase from nine percent the previous year. This reliance on outsourcing in EGE organizations exceeded service providers by a factor of two, a trend that we expect to continue in the future. The use of external resources reduced the percentage with no SOC capabilities from 26 percent in 2016 to 15 percent, a very positive result.

Figure 91 EGE Security Operations Center Resources (Source: Arbor Networks, Inc.)
Internal SOC team: 48%
Internal SOC with supplemental third-party (hybrid): 21%
Third-party SOC (outsourced): 16%
No SOC resources: 15%

Ninety percent of EGE organizations had some dedicated security personnel
the reliance on outsourcing for SOC capabilities.

[Figure 92 EGE Dedicated Security Personnel. Recoverable values: 0 security personnel 10%; 16–20 security personnel 6%; 21–30 security personnel 6%; 30+ security personnel 14%. Other buckets not recoverable.]
Looking at the challenges faced in building out operational security (OPSEC) teams, the EGE responses aligned with those of the service providers. Lack of resources and difficulty of hiring and retaining skilled personnel were again the two main concerns (Figure 93). All the other challenges observed showed increases in 2017, a fact that was most likely compounded by the increasing worldwide shortage of security analysts and incident response personnel.

Figure 93 (challenges in building OPSEC teams; Source: Arbor Networks, Inc.)
Difficulty of hiring and retaining skilled personnel: 54%
Lack of headcount or resources: 46%
Operational expenditure (OPEX) funding: 44%
Security Best Practices

The implementation of best-practice security measures was not only lower across the board in 2017 when compared to service providers, but also vastly reduced in comparison to 2016 (Figure 94). Since EGE networks are often smaller and less complex than those of service providers, the security best practices they follow differ, with more than half predictably blocking known botnet command-and-control and malware drop servers. Surprisingly, the monitoring of route hijacking claimed the fourth position on the list, an increase to 37 percent from 28 percent the previous year. And, equally surprising, the use of ACLs at network edges was down from 37 to 32 percent.

[Figure 94 residue: security best practices followed by EGE respondents. Recoverable label: "Block known botnet command-and-control servers, malware drop servers, etc." Values confirmed by the text: monitoring of route hijacking 37%; ACLs at network edges 32%. Remaining bar values not recoverable.]

All EGE respondents indicated that security training and incident response exercises greatly improved the effectiveness of dealing with and mitigating DDoS attacks (Figure 95). There was a disappointing decrease from 55 to 50 percent running DDoS defense simulations in 2017. Similarly, the number of respondents carrying out DDoS simulations at least every quarter fell from 40 to 32 percent, which was similar to what we observed with service providers. Though EGE organizations tend to believe they are targeted less frequently, not being prepared to respond to a DDoS attack could result in substantial financial and reputational loss in the event of a successful incident. As in 2016, there is obviously plenty of room for improvement.

[Figure 95 DDoS Simulations (EGE Organizational Security): 50 percent running DDoS defense simulations and 32 percent running them at least quarterly per the text; other values not recoverable.]
THE RISE OF THE IoT BOTS

The year 2017 was one in which IoT botnets became the preferred weapon of choice for launching DDoS attacks.

The number of unsecured Internet of Things (IoT) devices connected to the internet continues to increase dramatically. As the number of IoT devices increases, so do
invented new ways to detect, infect and compromise IoT devices, even those thought to be secure behind corporate firewalls.

27 billion connected devices in 2017
125 billion connected devices in 2030
The Attackers Economy + Attack Cycles

The motivations for launching DDoS attacks are many and varied. As DDoS defenses become more effective, it is more difficult for the attackers to take down their targets using standard DDoS attack methods. Modern desktop computers are more secure, both from a technology point of view but also because of automated patching mechanisms. Consequently, attackers are seeing traditional DDoS attack vectors become less effective, and they are finding fewer vulnerable computers to subsume into botnets.

This is forcing attackers to look at new ways of launching DDoS attacks. Taking advantage of the masses of unsecured IoT devices connected to the open internet has proved popular, but using cross-platform infection vectors to gain access to IoT devices behind corporate firewalls is also becoming a reality.

The skills and technical understanding required to do this are in most cases far beyond that of a normal hacker, resulting in the need for the professional malware arms dealer.

The malware arms dealer researches new attack vectors that take advantage of either existing security vulnerabilities or new zero-day vulnerabilities. The arms dealer develops attack tool kits, and as part of a quality assurance (QA) cycle, often does live field testing. The goal of these dealers is to sell developed attack tools to the Booter/Stresser community, or in some cases, directly to the attackers themselves.

[Diagram: 1. malware arms dealers sell to 2. DDoS mercenaries, who sell to 3. attackers, who launch attacks.]

1. Malware arms dealers are either individuals or organizations which research and develop attack tools that take advantage of security vulnerabilities. As part of their QA, they often do live field testing.
2. The DDoS mercenaries offer DDoS services (Booters/Stressers) for hire to the attackers.
3. The attackers mostly use Booter/Stresser services to launch their attacks, though there are some exceptions.
NETSCOUT Arbor Special Report
Looking at the number of DDoS security incidents and the appearance of new IoT malware in the 2016–2017 time frame, it becomes apparent that the attacker/incident economy is cyclical in nature.

In 2016, there was a visible spike of attacks, concluding with the unprecedented attacks against the websites of Brian Krebs, a journalist and security researcher, and Dyn, a DNS company. These attacks led to a reduction in IoT attack capability due to the alleged BrickerBot and because of service providers blocking IoT devices from infection and remote control. DDoS defenses also became more efficient in blocking some of the new IoT attacks, reducing their potential impact.

After the 2016 incidents, attackers responded by developing new attack tools. First, they created the Windows Mirai Trojan, which allowed them to infect and subsume vulnerable IoT devices behind corporate firewalls into botnets.

Then, attackers started to take advantage of security vulnerabilities in IoT operating systems, with known vulnerabilities like those targeted by IoT Reaper, and zero-day vulnerabilities like the one on Huawei customer premise equipment (CPE) devices targeted by Zatori Mirai.

Interestingly enough, all of the above-mentioned attack tools weren't used in anger but, as mentioned before, they were most probably used for field testing on the internet. The attacks were active for short time periods, with multiple new releases in quick succession, and then the Command-and-Control servers were taken offline. Based on the results, the developers either continued internal development or sold the finalized attack tool to either the Booter/Stresser community or to dedicated attackers with enough funding to pay for such advanced malware.

In 2017, there were two highly visible cases of field testing taking place.

1 THE WINDOWS MIRAI TROJAN
Only active for five days, but received multiple new updates in that time period.

2 THE IoT REAPER
Had the potential to infect millions of IoT devices but was deliberately blocked from doing so by its authors. In addition, it was released without any DDoS capabilities but had all necessary hooks in place.

[Figure: the incident cycle over time. Incidents: lots of attacks; survive; resolve the problem; post mortem; prepare; miscreant R&D; new criminal revenue opportunities.]
Malware Innovation

Almost all of the IoT devices targeted in the DDoS attacks in late 2016 were directly connected to the internet, which made it easy for the attackers to detect and subsequently infect the devices with botnet code.

95% OF ALL IoT DEVICES ARE LOCATED BEHIND SOME KIND OF INTERNET GATEWAY OR FIREWALL
Making them invisible to internet scans and protected from IoT malware.

Attackers realize the DDoS effectiveness of IoT devices.
THEY BEGIN TO LOOK AT HOW TO TAKE ADVANTAGE OF THE REMAINING 5%

In early February 2017, a multi-stage Windows Trojan containing code to scan for vulnerable IoT devices and inject them with the Mirai bot code was detected in the wild.

This weaponization of a Windows Trojan to deliver IoT bot code reveals an evolution in the threat landscape that most organizations are completely unprepared to deal with: DDoS attacks from within.

Windows machines infected by the Mirai Trojan can actively scan for IoT devices whenever they establish a network connection. For example, if a laptop gets compromised by the Windows Mirai Seeder on a public wireless network, it will start scanning for vulnerable IoT devices as soon as it makes a network connection. It could be any network connection: one to an internal corporate network via VPN, a wireless network or a physical one.

Almost all networks, from a small SoHo business to the largest enterprise, have a large number of IoT devices connected to them, from the smart TV in a home to intelligent network-enabled thermostats in a large company. These devices are, in most cases, protected by network firewalls, making them unreachable by scans from malicious devices on the internet.

The Windows Mirai Seeder is a game changer, however, because compromised Windows computers can now scan for vulnerable IoT devices whenever they connect to an internal network via VPN, wireless or physical connections.

Unless proper care is taken to segment internal networks, any device with an IP stack is a potential target for compromise. Currently the Mirai bot infects devices like web cameras and DVR recorders, but it can easily be modified to attack other devices like printers, scanners and HVAC controllers. Any device, once compromised, can start scanning for other vulnerable IoT devices and infect them if detected.

The Internally Facing DDoS Extortion Attack

A clever attacker could use the multi-stage Trojan mentioned above to get inside a network, subsuming vulnerable IoT devices into a botnet. The attacker could then scan the internal network to identify vulnerable network devices and critical services.

The attacker could use this information to direct the compromised IoT devices inside the network to launch a devastating attack against the network itself or critical services inside of the network. This kind of attack could be used either to deny service for an extended period, or as a proof-of-capability for an extortion demand.

If the network is not designed to withstand these kinds of internal attacks, it could be a time-consuming, costly and complex task to redesign and secure the network. In the worst case, the network security posture would have to be rethought from scratch, beginning by shutting down all communication on all links, including any internet connections.

A DDoS attack launched using IoT devices located on the inside of an enterprise network can cause very high traffic levels, in terms of both volume and packets-per-second. Even if the attack is destined towards external targets, the attack traffic must first traverse the internal network. This can result in network link congestion on WAN and LAN segments and a high CPU load on network devices, all potentially leading to network outages.
1 Flow telemetry (such as NetFlow or IPFIX) export, collection, and analysis, along with the collection and analysis of recursive DNS queries and responses.
This provides comprehensive visibility into network traffic and allows for the rapid detection of any abnormalities and internally launched DDoS attacks.

2 Control plane policing on all network devices.
This allows the network devices to withstand both direct attacks against the network elements and traversing traffic attacks.

3 Secure routing protocols against attacks and overload.
Without routing, no traffic can traverse the network.

4 Management plane protection to secure and protect management traffic.
In addition, add reserve bandwidth and capacity on WAN and LAN links for management plane traffic. If unable to communicate with the network elements, the attack cannot be mitigated.

5 Data plane protection to filter and control what traffic should be allowed through the network.
For instance, a DNS server farm should only receive DNS traffic, and client computers should only communicate with specific services on specific ports, not with each other. In addition, data plane protection should be implemented using non-stateful controls like iACLs, as stateful controls have a tendency to crash and burn during heavy attacks.

6 A quarantine system to isolate compromised devices.
This allows for the utilization of flow telemetry collection and analysis, recursive DNS collection and analysis, and other forms of detection and classification. These make use of recursive DNS poisoning to implement a universal 'soft' quarantine, as well as VLAN- and WiFi channel-based 'hard' quarantine mechanisms, to isolate botted devices.

7 Do not trust any quality-of-service tags made by clients.
Downgrade those such that management plane traffic has the highest priority.

Conclusion

Typical IoT devices are less secure than any desktop computer, making them the attacker's choice for compromise. Attackers are busy inventing new attack methods and vectors, aiming to bypass current countermeasures. They are also looking to take advantage of IoT devices which were previously thought to be secure behind corporate firewalls.

With the introduction of the Windows Mirai Trojan, a new threat scenario has emerged which has the potential to cause a myriad of issues.

As stated earlier, a network designed and secured using the best current practices (BCPs) described herein will be highly resistant to such compromise and the ramifications thereof. In addition, the network will be more resistant to new attack vectors.
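The flow-telemetry detection and quarantine practices above (items 1 and 6), as an added example that is not part of the report: a Python script that runs over constructed NetFlow/IPFIX-style records, flags internal hosts probing many neighbours on one port (the on-connect scanning behaviour described for the Windows Mirai Seeder) and groups of internal devices jointly flooding one destination, then lists them as quarantine candidates. The 10.0.0.0/8 address plan, the thresholds and the 60-second export window are assumptions.

```python
"""Flow-telemetry detection of internally launched DDoS and scanning hosts.

Added example, not code from the NETSCOUT Arbor report. The address plan
(10.0.0.0/8 as internal space), the thresholds and the 60 s export window are
assumptions; the flow records are constructed sample data, not real telemetry.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL_NETS = (ip_network("10.0.0.0/8"),)   # assumed internal address space
EXPORT_INTERVAL_S = 60                        # assumed flow export window


@dataclass(frozen=True)
class Flow:
    """Simplified NetFlow/IPFIX record: one 5-tuple summary per export window."""
    src: str
    dst: str
    dst_port: int
    proto: int        # 6 = TCP, 17 = UDP
    packets: int


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def detect_scanners(flows, min_targets=20, max_packets=3):
    """Hosts touching many distinct internal destinations on a single port
    with tiny flows, i.e. a host probing its neighbours after connecting.
    Returns {src: (dst_port, number_of_distinct_targets)}."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f.dst) and f.packets <= max_packets:
            targets[(f.src, f.dst_port)].add(f.dst)
    return {src: (port, len(dsts))
            for (src, port), dsts in targets.items() if len(dsts) >= min_targets}


def detect_internal_ddos(flows, pps_threshold=50_000, min_sources=10,
                         min_source_pps=100):
    """Destinations receiving at least pps_threshold packets/s in one export
    window from at least min_sources internal hosts that each contribute at
    least min_source_pps. The target may be internal or external: either way
    the traffic crosses internal links first. Returns {dst: [sources]}."""
    per_dst_total = defaultdict(int)
    per_dst_src = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if not is_internal(f.src):
            continue
        per_dst_total[f.dst] += f.packets
        per_dst_src[f.dst][f.src] += f.packets
    flagged = {}
    for dst, total in per_dst_total.items():
        heavy = [s for s, p in per_dst_src[dst].items()
                 if p / EXPORT_INTERVAL_S >= min_source_pps]
        if total / EXPORT_INTERVAL_S >= pps_threshold and len(heavy) >= min_sources:
            flagged[dst] = sorted(heavy, key=ip_address)
    return flagged


def quarantine_candidates(flows):
    """Union of scanning hosts and DDoS sources: the hosts a 'soft' (recursive
    DNS) or 'hard' (VLAN / WiFi channel) quarantine would isolate."""
    hosts = set(detect_scanners(flows))
    for sources in detect_internal_ddos(flows).values():
        hosts.update(sources)
    return sorted(hosts, key=ip_address)


def build_sample_flows():
    """Constructed sample records for one export window."""
    flows = []
    # 30 camera-like devices each sending 120,000 UDP packets to the internal
    # DNS farm (2,000 pps each, 60,000 pps in total)
    for i in range(1, 31):
        flows.append(Flow(f"10.20.0.{i}", "10.0.0.53", 53, 17, 120_000))
    # one laptop probing 25 neighbours on tcp/23 with two packets each
    for i in range(1, 26):
        flows.append(Flow("10.50.1.7", f"10.50.1.{100 + i}", 23, 6, 2))
    # ordinary clients: light DNS use plus web traffic through a proxy
    for i in range(1, 6):
        flows.append(Flow(f"10.50.2.{i}", "10.0.0.53", 53, 17, 40))
        flows.append(Flow(f"10.50.2.{i}", "10.0.0.80", 8080, 6, 900))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("scanners:", detect_scanners(sample))
    print("flooded destinations:",
          {d: len(s) for d, s in detect_internal_ddos(sample).items()})
    print("quarantine candidates:", quarantine_candidates(sample))
```

The per-source rate floor keeps the five light DNS clients out of the quarantine list even though they talk to the flooded destination in the same window.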
DNS OPERATORS
[Figure 96 DNS Operators: distribution by region (North America; Western, Central …; Asia Pacific; Latin America; Middle East).]

Sixty-eight percent of all respondents indicated

Most of the DNS operators are in United States,
In 2017, we again asked all respondents if DNS security was managed by a special dedicated group, a primary security team or if there was no assigned responsibility (Figure 99). The results once again showed a small improvement over the previous year, as the percentage with a dedicated DNS security team increased from 22 to 25 percent, and those with no specific responsible group fell from 20 to 16 percent.

Looking at the breakout between EGE organizations and service providers, there was a substantial increase of EGE organizations with a dedicated DNS security team, at 24 percent in 2017, up from 16 in the previous year (Figure 100). As for service providers, it is disappointing to see that those with a special security group for DNS have decreased slightly, from 27 percent to 25, considering the criticality of DNS to these organizations. On a more positive note, in 2017 the percentage of both EGE organizations and service providers with no security group decreased, from 18 percent to 15 for EGEs and from 23 percent to 16 for service providers.

[Figure 99 DNS Security Responsibility (All Respondents): same security group 60%; special security group for DNS 25%; no security group is responsible for securing DNS infrastructure and services 16%.]

[Figure 100 (Per Organization Type), EGE / service provider: same security group 61% / 59%; special security group for DNS 24% / 25%; no security group 15% / 16%.]
It is a positive sign that more EGE organizations are taking control of their DNS infrastructure and visibility at Layer 7, as effective mitigation of DDoS attacks targeting DNS requires application-layer visibility.

[Figure: visibility into DNS traffic, per organization type. Legend: Yes, at Layers 3 and 4; Yes, at Layer 7; No visibility. Values shown: 73% / 74%, 40% / 33%, 15% / 11%.]
As stated in previous reports, DNS is critical to maintaining the availability of services. Unfortunately, DNS servers are popular both as direct targets of DDoS attacks and as unwilling amplification and reflection actors. As a result, it is disappointing again to note that 19 percent of respondents still did not restrict access to their recursive DNS servers in 2017 (Figure 103).

[Figure 103 Recursive DNS Restrictions. Restrict recursive DNS lookups to your customers and networks? Yes 81%; No 19%.]

The percentage of DDoS attacks that target DNS infrastructures and affect service did not change from 2016 for all our respondents (Figure 104). While we can see organizations are making progress in protecting their DNS infrastructure, this shows that DDoS attacks targeting DNS servers remain a constant threat.

[Figure 104. DDoS attacks against DNS infrastructure that led to a visible outage? No 57%; Yes 25%; Do not know 18%.]

Among EGE organizations, the percentage that experienced publicly visible service outages increased to 22 percent in 2017, up from 13 percent in 2016. Conversely, the proportion of service providers suffering these attacks dropped to 31 percent in 2017 from 39 the previous year.

[Figure 105 DNS Service Affecting DDoS Attacks (Per Organization Type): Yes 22% (EGE) / 31% (service provider).]
DDoS attacks are still targeting Authoritative DNS servers (Figure 106) more frequently than Recursive servers (Figure 107). However, there was an overall reduction in attacks for both EGE organizations and service providers. The percentage of respondents seeing attacks against Recursive servers went down from 30 percent in 2016 to 24 in 2017, while the proportion of respondents seeing DDoS attacks targeting Authoritative DNS servers decreased slightly to 32 percent.

As expected, service providers saw more attacks against both Recursive and Authoritative DNS servers (Figure 108). Forty-four percent of providers reported attacks against their Authoritative DNS servers compared to 23 percent for EGE organizations, an increase for EGE respondents from 16 percent in 2016.

Thirty-four percent of providers saw attacks against their Recursive DNS servers (Figure 109), down from 44 percent in 2016, while 18 percent of EGEs experienced these attacks, down from 24 percent in 2016.

[Figure 106 DDoS Attacks Against Authoritative DNS Servers. Experienced DDoS attacks against Authoritative DNS servers? Yes 32%.]
[Figure 107 DDoS Attacks Against Recursive DNS Servers. Experienced DDoS attacks against Recursive DNS servers? Yes 24%.]
[Figure 108 DDoS Attacks Against Authoritative DNS Servers (Per Organization Type): Yes 23% (EGE) / 44% (service provider).]
[Figure 109 DDoS Attacks Against Recursive DNS Servers (Per Organization Type): Yes 18% (EGE) / 34% (service provider).]
The security measures put in place to protect DNS infrastructures vary greatly once again between service providers and EGE organizations. For service providers, Intelligent DDoS Mitigation Systems (IDMS) were again the most popular defense mechanism, with 66 percent of respondents having them deployed, up slightly from 64 in 2016 (Figure 110). Following in second and third place are firewalls and ACLs, respectively at 61 and 54 percent. Seeing firewalls as the second most reported option is disappointing, as these devices do not protect adequately against DDoS attacks due to their nature and the ease with which a state-based attack can overwhelm them.

In EGE organizations, firewalls were the most popular choice, at 82 percent, up from 79 percent in 2016, which again is disappointing. In second place were IPS/IDS at 57 percent, another piece of bad news considering that they are similarly vulnerable to DDoS attacks.

[Figure 110 Security measures protecting DNS infrastructure, per organization type. Legend: Intelligent DDoS mitigation system (IDMS); separate production and out-of-band (OOB) management networks; interface ACLs on network edge; unicast reverse-path forwarding (uRPF) and/or other anti-spoofing mechanisms; source-based remote triggered blackhole (S/RTBH); destination-based remote triggered blackhole (D/RTBH); FlowSpec on gateway or access routers; DNS response rate limiting (RRLs); firewalls; IPS/IDS. Service providers: IDMS 66%, firewalls 61%, interface ACLs 54%. EGE: firewalls 82%, IPS/IDS 57%.]
CONCLUSION

Following the introduction of electronic computers in the 1950s, early concepts of wide area networking originated in the United States, United Kingdom and France. The U.S. Department of Defense awarded contracts in the 1960s, which eventually led to the ARPANET project. The first message was sent over the ARPANET in 1969.

… in a paper in 1974 by authors Vinton Cerf and Robert Kahn, who also came up with the term internet, which was short for "inter-networking of networks." Commercial internet service providers (ISPs) began to emerge in the late 1980s.

"We had no idea that this would turn into a global and public infrastructure."
VINT CERF
Since the mid-1990s, the internet has had a revolutionary impact on culture, commerce and technology, including the rise of near-instant communication.

While it transported only one percent of the information flowing through two-way telecommunications networks in 1993, the internet grew rapidly. It carried 51 percent of two-way traffic by 2000 and more than 97 percent by 2007. The internet continues to grow today, driven by ever greater amounts of information, commerce, entertainment and social networking.

[Figure: proportion of global two-way telecommunications traversing the internet. 1993: 1%; 2000: 51%; 2007: 97%.]

Now, more than ever, business and commerce simply cannot exist without robust internet infrastructure that is continuously available. Even recreation and socialization depend on the internet to deliver information, goods and services. It is this environment that simultaneously enables our modern lifestyle and work routines while also putting them at risk from those who would exploit this ubiquitous availability for nefarious purposes.

As we have seen in this year's report, attackers continue to build and weaponize massive IoT botnets of unprecedented size and capability. Volumetric DDoS attacks have scaled back a bit in sheer size, but continue to increase in frequency. In last year's report, we highlighted the use of reflection/amplification DDoS attacks as equally effective to IoT botnets for the generation of very large scale volumetric DDoS attacks.

This year, we've seen increasing sophistication of IoT-based botnet attack capabilities. These modern botnets are capable of delivering attacks that include application-layer, volumetric and complex multi-vector DDoS attacks. Further, easy-to-use DDoS-for-hire services have helped make more sophisticated multi-vector DDoS attacks increasingly common.

On a positive note, both service providers and enterprises share an increased appreciation of the impact a successful DDoS attack can have. This is leading to the adoption of more effective defenses. In service provider networks, it is now widely accepted that purpose-built Intelligent DDoS Mitigation Systems serving as part of a layered defense are the only effective option for mitigating DDoS attacks. Enterprise, government and education organizations also indicated that they have an increasing understanding of this reality. While many still deployed traditional security technologies for DDoS defense, there is increased acceptance of the shortcomings of these solutions.

While online gaming is seen as the top motivation behind DDoS attacks this year, criminal activity and especially extortion remain major drivers of malicious activity. The motivations behind attacks are many and varied, but the ease with which anyone can launch attacks is a growing problem. DNS continues to be one of the most targeted internet services. DNS servers are popular both as direct targets of DDoS attacks and as unwilling amplification and reflection actors. It is a positive sign that more organizations are taking control of their DNS infrastructure and ensuring visibility of DNS traffic at Layer 7, as effective mitigation of DDoS attacks targeting DNS requires application-layer visibility.

"The internet is becoming the town square for the global village of tomorrow."
BILL GATES
"It is the obvious which is so difficult to see most of the time. People say 'It's as plain as the nose on your face.' But how much of the nose on your face can you see, unless someone holds a mirror up to you?"
ISAAC ASIMOV

The global shortage of security professionals continues to worsen with no end in sight. While many organizations pursue outsourcing, machine learning or automation strategies to help fill the gap, increased efficiency and organic growth of internal teams are still vital strategies. This is the second consecutive year the survey shows an overall decline in service providers implementing security infrastructure best practices. Surprisingly, given the popularity of reflection attacks over the last five years, the adoption of anti-spoofing filters decreased.

Reputation/brand damage and operational expense are still the top business impacts of DDoS attacks. There was also a big jump in revenue loss. Survey responses broadly indicate that the cost of a major DDoS attack is increasingly significant. Over three quarters of enterprise, government and education network operators reported that DDoS mitigation was a part of either their business or IT risk assessments. And more service providers are now offering DDoS protection services, given the continued increasing interest in these services among customers across a broad range of verticals.

NETSCOUT Arbor is proud to release the 13th annual Worldwide Infrastructure Security Report. This report is designed to help network operators understand the breadth of the threats that they face, gain insight into what their peers are doing to address these threats, and comprehend both new and continuing trends. This year's report features responses from service provider, enterprise, government and education organizations.

A good global distribution of respondents rounds out what has been our broadest representation of the internet community ever. We hope that you find the information useful in protecting your business for the coming year.
ABOUT THE AUTHORS

Paul Bowen
PRINCIPAL SECURITY TECHNOLOGIST, NETSCOUT ARBOR
pbowen@arbor.net

Kirill Kasavchenko
PRINCIPAL SECURITY TECHNOLOGIST, NETSCOUT ARBOR
kkasavchenko@arbor.net

Kirill has more than 14 years of experience in various post- and pre-sales roles dealing with telecom and large enterprises in more than 30 countries in Europe, the Middle East, Russia and the CIS. His areas of interest are network design and network security at a large scale. On the CTO team at NETSCOUT Arbor, Kirill focuses on emerging technologies and global research projects, applying his expertise in routing and protocol analysis to find new ways to protect customers' networks.

Kirill holds B.S. and M.S. degrees with honors in Computer Sciences from the Saint Petersburg University of IT, Mechanics and Optics, as well as a number of industry certifications including Cisco CCIE. Prior to joining Arbor in 2011 he spent seven years in different positions ranging from network technician to chief engineer at systems integrators and network infrastructure vendors.

Gary Sockrider
PRINCIPAL SECURITY TECHNOLOGIST, NETSCOUT ARBOR
gsockrider@arbor.net

Gary Sockrider is an industry veteran bringing over 25 years of broad technology experience including routing and switching, mobility, collaboration and cloud, but always with an eye on security. His previous roles include security SME, consultancy, customer support, IT and product management. He seeks to understand and convey the constantly evolving threat landscape, as well as the techniques and solutions that address the challenges they present. Prior to joining NETSCOUT Arbor in 2012, he spent 12 years at Cisco Systems and held previous positions with Avaya and Cable & Wireless.

ABOUT THE EDITOR

Darren Anstee
CHIEF TECHNICAL OFFICER, NETSCOUT ARBOR
danstee@arbor.net

Darren serves as the Chief Technical Officer for NETSCOUT Arbor, developing the technology strategy of NETSCOUT Arbor products and services. His efforts help customers see and understand network traffic in order to tackle their most complex security challenges.

He works closely with NETSCOUT Arbor's Security Engineering & Response Team (ASERT), product management, sales and engineering organizations to drive alignment on the next generation capabilities that will help NETSCOUT Arbor's customers across enterprise and service provider markets. Darren has over twenty years of experience in networking and security, the last 14 years spent with NETSCOUT Arbor.
GLOSSARY

D
DCN Data Communication Network
DNS Domain Name System
DDoS Distributed Denial of Service
D-RTBH Destination-Based Remotely Triggered Blackholing
S-RTBH Source-Based Remotely Triggered Blackholing

L
LTE Long Term Evolution

M
Mbps Megabits-per-second
MDM Mobile Device Management
MITM Man in the Middle
MNO Mobile Network Operator
MPC Mobile Packet Core
MSSP Managed Security Service Provider

N
NAT Network Address Translation
NFV Network Functions Virtualization
NGFW Next Generation Firewall
NMS Network Management System
NTP Network Time Protocol

O
OOB Out of band
OPSEC Operational Security
OTT Over the Top

P
PAT Port Address Translation
PCAP Packet Capture

Q
QoE Quality of Experience

R
RAN Radio Access Network

S
SDN Software-defined networking
SEG Security Gateways
SIEM Security Information Event Management
SIP Session Initiation Protocol
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SOC Security Operations Center
S/RTBH Source-based Remotely Triggered Blackholing
SSDP Simple Service Discovery Protocol
SSL Secure Socket Layer
SYN Synchronize

T
TLD Top Level Domain
TLS Transport Layer Security
Tbps Terabits per second

U
UDP User Datagram Protocol
uRPF Unicast Reverse Path Forwarding
UTM Unified Threat Management

V
VoIP Voice Over Internet Protocol

W
WAF Web Application Firewall
WiMAX Worldwide Interoperability for Microwave Access
CORPORATE HEADQUARTERS
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free +1 866 212 7267
T +1 781 362 4300
EUROPE
T +44 207 127 8147
ASIA-PACIFIC
T +65 6664 3140
© 2018 NETSCOUT SYSTEMS, INC. All rights reserved. NETSCOUT, the NETSCOUT logo, Guardians of the Connected World, Adaptive Service Intelligence, Arbor Networks,
the Arbor Networks logo, ATLAS, InfiniStream, InfiniStreamNG, nGenius, and nGeniusONE are registered trademarks or trademarks of NETSCOUT SYSTEMS, INC., and/or
its subsidiaries and/or affiliates in the USA and/or other countries. Third-party trademarks mentioned are the property of their respective owners.