2009 Worldwide Infrastructure Security Report
Key Findings
DDoS Bandwidth Growth Slows: Over the last six years, service providers reported a near doubling in peak distributed denial of service (DDoS) attack rates year-to-year. Figure 1 illustrates that peak attack rates grew from 400 Mbps in 2001 to more than 40 Gbps in 2007. This year, providers reported a peak rate of only 49 Gbps (a more modest 22 percent growth over the previous year). As we discuss later in the survey, the slowing in DDoS flood growth likely reflects attacks reaching underlying Internet physical constraints and a migration to other more effective denial of service attack vectors.
Attacks Shift to the Cloud: Again this year, more than half of the surveyed providers reported growth in service-level attacks at gigabit or less bandwidth levels. Such attacks are specifically designed to exploit service weaknesses, like vulnerable and expensive back-end queries and computational resource limitations. Several ISPs reported prolonged (multi-hour) outages of prominent Internet services during the last year due to application-level attacks. These service-level attack targets included distributed domain name system (DNS) infrastructure, load balancers and large-scale SQL server back-end infrastructure.
The Internet Is Not IPv6-Ready: A majority of this year’s surveyed providers reported concerns over the security implications of IPv6 adoption and the slow rate of IPv4 to IPv6 migration. As in previous years, providers complained of missing IPv6 security features in routers, firewalls and other critical network infrastructure. Other providers worried the lack of IPv6 testing and deployment experience may lead to significant Internet-wide security vulnerabilities.
IPv4 Address Exhaustion, IPv6 Migration, DNSSEC Migration, 4-Byte ASN Migration: The ‘perfect storm’ of looming IPv4 address exhaustion, concerns surrounding migration to IPv6, concerns surrounding migration to Domain Name System Security Extensions (DNSSEC), and concerns surrounding migration to 4-byte ASNs is a source of uncertainty for respondents with regard to their ability to operate, maintain, secure and defend their networks.
Lack of Skilled Resources: Non-technical factors such as lack of skilled resources, internal/external communications siloing, lack of clearly defined operational responsibilities, lack of clearly defined policies, and lack of management understanding and commitment are the most significant obstacles to reducing mitigation times and proactively strengthening operational security postures.