In-Depth

DDoS Unbound

DDoS attacks are bigger and more frequent than ever, and a lack of insight into IPv6 security is particularly worrisome.

There's almost never anything encouraging to report on the enterprise security front when it comes to cracking or attacking activity.

Take the latest installment of the Worldwide Infrastructure Security Report from Arbor Networks, which focuses on "operational" security issues -- i.e., "the day-to-day aspects of security in commercial networks."

The new report, which collected information from 111 global network operators from October of 2009 to September of 2010, depicts a ceaselessly crackling IT security threat environment in which crackers have the ability to perpetrate distributed denial of service (DDoS) attacks that smash the once-unapproachable 100 Gbps barrier.

Factor in a surge in the number and variety of application-layer DDoS attacks, the shortcomings of conventional firewall and intrusion prevention system (IPS) technologies -- along with a stubborn dependence on mitigation mechanisms that no longer work -- and a shocking lack of visibility into next-generation (IPv6) traffic, and you have the makings of a truly daunting security cocktail.

The most immediately disturbing development is a super-scale DDoS capability on the part of attackers. "[T]he highest-bandwidth attack observed by respondents during the survey period was a 100 Gbps DNS reflection/amplification attack," write Roland Dobbins and Carlos Morales of Arbor Networks Inc., the authors of the report.

Dobbins is an Arbor solutions architect with a quarter century of experience in the service provider and enterprise spaces; Morales is the company's vice president of Global Sales Engineering. (He, too, has a technology background, serving as director of systems engineering with both Nortel Networks and Shiva.)

Both men are veterans of the IT security wars, and they describe recent developments in DDoS threats as "the single largest increase in attack bandwidth year over year since the first [installment of the] report in 2005 and a 1,000 percent increase in attack bandwidth since" then. They point out that this survey period's peak attack bandwidth was fully double that of the year before. This explosion might be a response to the safeguards that service providers and large enterprises have put in place against more traditional attack vectors, the pair suggests.

"Based upon our experiences working with operators … we believe this large increase in attack-traffic bandwidth may be partially due to operators focusing their defenses against lower-bandwidth and application-layer DDoS attacks," write Dobbins and Morales.

"Attackers may have had to 'up the ante' to overwhelm the defenses and bandwidth capacity of defenders. Additionally, the increased availability of botted hosts, combined with the growing popularity of DNS amplification/reflection attacks, has also played a role in this escalation."

Security remains stuck in a reflexively reactive posture, according to Arbor researchers. Access control lists (ACLs) remain popular, in spite of "their functional and operational limitations." In fact, Dobbins and Morales note, "ACLs continue to be the single most widely used tool to mitigate DDoS attacks."

Meanwhile, exactly half of participants in the Arbor survey still use destination-based remotely triggered blackholing (D/RTBH) -- "despite the fact that D/RTBH blocks all traffic to the target and essentially completes the DDoS for the attacker," the researchers note.

"Other techniques utilized by respondents include custom-coded application-layer classification tools and GeoIP-based blocking of attack traffic purportedly emanating from specific geopolitical localities." On the other hand, no one seems to be using quality of service (QoS) to combat attack efforts.
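To make the tradeoff concrete, the following added example (not code from Arbor or from this article) replays constructed flow records through the two mitigations discussed above. It flags the DNS reflection/amplification traffic described earlier by its signature (UDP responses from port 53 toward the victim, from resolvers the victim never queries, carrying responses many times larger than a query), then applies an ACL that drops only matching flows and a D/RTBH null route that drops everything addressed to the victim, and reports how many legitimate bytes survive each. The victim addresses, trusted resolver, flow records and the assumed 64-byte query size are all hypothetical, constructed for the example; the flow fields mimic a generic NetFlow/IPFIX export rather than any vendor's format.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class Flow:
    """One exported flow record (hypothetical NetFlow/IPFIX-like fields)."""
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    bytes: int

    @property
    def bytes_per_packet(self) -> float:
        return self.bytes / self.packets


# Victim addresses (one v4, one v6) and its own resolver: constructed, documentation-range values.
TARGETS: Set[str] = {"203.0.113.10", "2001:db8:1::10"}
TRUSTED_RESOLVERS: Set[str] = {"198.51.100.53"}
# Size of the spoofed query the attacker sends; an assumption, used only for the amplification ratio.
DNS_QUERY_SIZE = 64

# Constructed sample: three open resolvers answering spoofed queries on the victim's behalf
# (about 3000 bytes per packet), mixed with the victim's real resolver replies and HTTPS sessions.
FLOWS: List[Flow] = [
    Flow("192.0.2.1", "203.0.113.10", "udp", 53, 33001, 12000, 36_000_000),   # reflector
    Flow("192.0.2.2", "203.0.113.10", "udp", 53, 33002, 11000, 33_000_000),   # reflector
    Flow("2001:db8::1", "2001:db8:1::10", "udp", 53, 33003, 9000, 27_000_000),  # IPv6 reflector
    Flow("198.51.100.53", "203.0.113.10", "udp", 53, 33004, 400, 48_000),      # real resolver
    Flow("198.51.100.77", "203.0.113.10", "tcp", 51000, 443, 5000, 4_000_000), # legitimate HTTPS
    Flow("198.51.100.78", "203.0.113.10", "tcp", 51001, 443, 3000, 2_400_000), # legitimate HTTPS
]


def is_dns_reflection(flow: Flow, targets: Set[str], trusted: Set[str],
                      min_ratio: float = 10.0) -> bool:
    """Classify a flow as amplified DNS reflection: UDP with source port 53, aimed at a
    protected address, from a resolver the victim never deliberately queries, and carrying
    responses many times larger than the query that elicited them."""
    if flow.proto != "udp" or flow.sport != 53 or flow.dst not in targets:
        return False
    if flow.src in trusted:
        return False
    return flow.bytes_per_packet / DNS_QUERY_SIZE >= min_ratio


def apply_acl(flows: Iterable[Flow], targets: Set[str], trusted: Set[str]) -> List[Flow]:
    """ACL-style mitigation: drop only the flows matching the reflection signature."""
    return [f for f in flows if not is_dns_reflection(f, targets, trusted)]


def apply_drtbh(flows: Iterable[Flow], targets: Set[str]) -> List[Flow]:
    """D/RTBH: the victim prefix is null-routed upstream, so every packet to it is dropped,
    attack and legitimate alike."""
    return [f for f in flows if f.dst not in targets]


def summarize(flows: Iterable[Flow], targets: Set[str], trusted: Set[str]) -> Dict[str, int]:
    """Bytes still reaching the targets, split into attack and legitimate, plus a per-family
    count of flagged flows (the classifier does not care whether an address is v4 or v6)."""
    out = {"attack_bytes": 0, "legit_bytes": 0, "flagged_v4": 0, "flagged_v6": 0}
    for f in flows:
        if is_dns_reflection(f, targets, trusted):
            out["attack_bytes"] += f.bytes
            out["flagged_v%d" % ip_address(f.src).version] += 1
        elif f.dst in targets:
            out["legit_bytes"] += f.bytes
    return out


if __name__ == "__main__":
    for name, kept in (("no mitigation", FLOWS),
                       ("ACL", apply_acl(FLOWS, TARGETS, TRUSTED_RESOLVERS)),
                       ("D/RTBH", apply_drtbh(FLOWS, TARGETS))):
        print(name, summarize(kept, TARGETS, TRUSTED_RESOLVERS))
```

With this sample, the ACL removes all 96 MB of reflected traffic and leaves every legitimate byte intact, while D/RTBH removes the attack traffic and the victim's legitimate traffic together, which is exactly the outcome the researchers mean by "completes the DDoS for the attacker." The classifier's bytes-per-packet ratio is deliberately crude; in practice the ACL would need to be written against the specific reflector addresses or a sane upper bound on DNS response size, and it still costs router ACL capacity, which is the "operational limitation" Arbor refers to.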

On the plus side, service providers are responding more effectively to DDoS activity. More than half (51 percent) of survey respondents said they're able to mitigate a DDoS attack inside of 20 minutes.

That's "a marked improvement over previous years," Dobbins and Morales note, adding that one-seventh of respondents reported DDoS mitigation times of more than 30 minutes, while another one-seventh "reported that they mitigate attacks automatically, presumably in near-real time."

IPv6 Armageddon?

On the other hand, providers seem shockingly unrealistic about the inevitable transition from IPv4 to IPv6. "[Fifty-six] percent of respondents indicated that they believe IPv4 address allocations will not prove to be a serious problem during the next 12 months," note Dobbins and Morales, who say that providers are seriously behind the curve when it comes to implementing and securing IPv6 traffic. Just over one-third (36 percent) of providers have successfully implemented IPv6 across their network infrastructures; fewer still (23 percent) expect to deploy IPv6 over the next 12 months.

Just over 40 percent say they do have technology in place to fully monitor IPv6 traffic, however, and another one-third say they're able to do so on a "partial" basis. (A common practical reason for the gap: older flow-export formats such as NetFlow v5 carry IPv4 addresses only, so IPv6 traffic never reaches the collector at all unless exporters are moved to NetFlow v9 or IPFIX templates.)

"[Fifty-five] percent indicated that they have little or no visibility into their IPv6 traffic today, and thus have no ready way to detect, classify, and traceback IPv6 attack traffic on their networks," the researchers concluded. "[Forty-seven] percent expressed concern regarding IPv6 DDoS attacks, with a similar proportion expressing concern regarding IPv6 stack implementation flaws that may lead to security vulnerabilities in their network infrastructure elements."
