With our 8th edition of the Worldwide Infrastructure Security Report out last week, our report authors have had a chance to sit back and revisit the findings from this years’ report. Rather than simply focus on the key findings from the report – which are evident as you read through just the first few pages – they’ve chosen to reflect on some of the more interesting or surprising findings from the WISR this year.
From Darren Anstee, Solutions Architect, EMEA
- One area of the survey which especially concerned me this year was the growth in the proportion of respondents using firewalls within their data centers as protection from DDoS attacks. Firewalls can protect from some DDoS attacks, as everyone is aware, but they only provide a partial solution (they can’t deal with application layer attacks, usually). Firewalls can also be targeted by some types of crafted state exhaustion attacks, and in fact 35% of our survey respondents who offered data center services saw their firewalls fail during the survey period due to DDoS attack. Saying that though, this was a lower percentage than we saw last year – so it may be that the increased use of IDMS platforms within data centers (up 10%) is providing some protection here.
- Another key concern is the fact that DNS services are still not getting the protection they deserve given their criticality. DNS servers can be used as a DDoS target, to prevent name resolution for a given domain, or as an attack mechanism via DNS reflection attacks. There has been no improvement in the proportion of respondents restricting recursive look-up on their servers (to their customers etc.,) leaving this infrastructure available to amplify attack traffic. Looking at DNS as a target, just over one quarter of our respondents saw a customer visible outage due to a DDoS attack in 2012, and when an attack occurs, the impact can be wide-spread.
From Gary Sockrider, Solutions Architect, Americas:
- There is a very clear trend we’re seeing in the increased use of complex multi-vector and application layer attacks. These methods are inherently more difficult to defend against and also more difficult to detect. In disguising the attacks as web traffic (HTTP) and even encrypting them (HTTPS), the malicious traffic attempts to hide by mixing in with legitimate traffic destined for the victim. This approach makes it incredibly difficult to both detect and defend against – an issue we heard loud and clear from respondents this year.
- The most surprising trend that I saw in sifting through the survey data was the reduction in dedicated security resources among respondent organizations. This is further explained by the next question we asked. The key challenges facing respondents when building and maintaining an effective operational security team were a “lack of headcount and resources” and “difficulty in finding and retaining skilled personnel.” However, lack of both operating expense budget and capital funding were cited as issues by more of our respondents than in previous years, potentially indicating that cost reductions within network operations have had an impact here. Regardless, as the complexity of attacks continues to rise, network operators need to arm themselves – both with the right technology but also the right people on staff to guard against and mitigate attacks. This is a critical need in 2013, in my view.
From Dick Bussiere, Solutions Architect, APAC
- To me, it’s very concerning that there was a dramatic increase in customer visible outages caused by security incidents transpiring on mobile networks, with more than one-third of operators reporting such an incident in 2012. As the power and connection speed of the attached devices continues to grow, and as the mobile malware ecosystem continues to expand, we can expect to see more security disruptions against these brittle mobile infrastructures.
- Also a bit surprising was the fact that the majority of mobile operators do not currently have plans to use IPv6 for subscriber devices or mobile infrastructure, indicating that they intend to continue to use IPv4 addresses and NAT. As we are well aware, NAT devices are a potential vector for DDoS attacks due to their stateful nature. This harkens back to one of the biggest takeaways we saw in reviewing the data from mobile network operators – mobile operators simply aren’t taking the proactive stance they should as attackers are increasingly focusing their efforts on attacks targeting mobile infrastructure.
- Finally, the vast majority of operators — a full 60% in fact — do not have visibility onto their mobile/evolved packet cores. This is troubling since you cannot fix or contain what you cannot see. This lack of visibility clearly would increase the MTTD and MTTR of any disturbance on these critical parts of the mobile infrastructure.