2008 Worldwide Infrastructure Security Report

Regarding DDoS-class attacks, I came across a report from Arbor Networks, based on a global survey, that clearly identifies the growth trend and the latest fashion in attacks on the Internet. The report was produced in October of last year but, it seems to me, has not lost its relevance. An excerpt:

Arbor Networks once again has completed a survey of the largest ISPs and content providers around the world. Some 70 lead security engineers responded to 90 questions covering a spectrum of Internet backbone security threats and engineering challenges. This fourth annual survey covered the 12-month period from August 2007 through July 2008.

The most significant findings:

  • ISPs Fight New Battles
    In the last four surveys, ISPs reportedly spent most of their available security resources combating distributed denial of service (DDoS) attacks. For the first time, this year ISPs describe a far more diversified range of threats, including concerns over domain name system (DNS) spoofing, border gateway protocol (BGP) hijacking and spam. Almost half of the surveyed ISPs now consider their DNS services vulnerable. Others expressed concern over related service delivery infrastructure, including voice over IP (VoIP) session border controllers (SBCs) and load balancers.
  • Attacks Now Exceed 40 Gigabits
    From relatively humble megabit beginnings in 2000, the largest DDoS attacks have now grown a hundredfold to break the 40 gigabit barrier this year. The growth in attack size continues to significantly outpace the corresponding increase in underlying transmission speed and ISP infrastructure investment. The below graph shows the yearly reported maximum attack size.
  • Services Under Threat
    Over half of the surveyed providers reported growth in sophisticated service-level attacks at moderate and low bandwidth levels, attacks specifically designed to exploit knowledge of service weaknesses like vulnerable and expensive back-end queries and computational resource limitations. Several ISPs reported prolonged (multi-hour) outages of prominent Internet services during the last year due to application-level attacks.
  • Fighting Back
    The majority of ISPs now report that they can detect DDoS attacks using commercial or open source tools. This year also shows significant adoption of inline mitigation infrastructure and a migration away from less discriminate techniques like blocking all customer traffic (including legitimate traffic) via routing announcements. Many ISPs also report deploying walled-garden and quarantine infrastructure to combat botnets.

Overall, ISP optimism about security issues reported in previous surveys has been replaced by growing concern over the new threats and budget pressures. ISPs say they are increasingly deploying more complex distributed VoIP, video and IP services that are often poorly prepared to deal with the new Internet security threats. More than half of the surveyed ISPs believe serious security threats will increase in the next year while their security groups make do with “fewer resources, less management support and increased workload.”

ISPs were also unhappy with their vendors and the security community. Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat.

Finally, the surveyed ISPs also said their vendor infrastructure equipment continues to lack key security features (like capacity for large ACL lists) and suffers from poor configuration management and a near complete absence of IPv6 security features. While most ISPs now have the infrastructure to detect bandwidth flood attacks, many still lack the ability to rapidly mitigate these attacks. Only a fraction of surveyed ISPs said they have the capability to mitigate DDoS attacks in 10 minutes or less. Even fewer providers have the infrastructure to defend against service-level attacks or this year’s reported peak of a 40 gigabit flood attack.
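The excerpt contrasts two detection problems: bandwidth floods, which most ISPs can now see, and low-bandwidth service-level attacks that exploit expensive back-end queries, which far fewer can. The following script is an added illustration of that gap and is not code from the report or from Arbor. It runs two detectors over constructed per-second traffic summaries (the `Second` record, the sample windows and the thresholds are all assumptions made up for the example): a volumetric detector that compares bytes per second against a baseline, and a service-level detector that compares the back-end processing cost consumed per second. The service-level window stays under the volumetric threshold and is only caught by the cost-based check.

```python
"""Added example (not from the Arbor report): why a bytes/s detector misses
service-level attacks, and one cost-based metric that catches them.
All sample data below is constructed for illustration."""
from dataclasses import dataclass
from statistics import mean


@dataclass
class Second:
    """One second of traffic towards a service, as a monitoring system might summarise it."""
    bytes_in: int          # bytes received in this second
    requests: int          # application-level requests observed
    avg_backend_ms: float  # mean back-end processing time per request (ms)


# Constructed baseline: 2 MB/s, 200 requests/s, cheap 12 ms queries.
BASELINE = [Second(2_000_000, 200, 12.0) for _ in range(10)]

# Constructed bandwidth flood: 50x the baseline bytes, request mix unchanged.
FLOOD = [Second(100_000_000, 200, 12.0) for _ in range(10)]

# Constructed service-level attack: bytes and request rate barely above baseline,
# but each request triggers an expensive (950 ms) back-end query.
SERVICE_LEVEL = [Second(2_500_000, 220, 950.0) for _ in range(10)]


def volumetric_alert(window, baseline, factor=5.0):
    """Classic flood detection: mean bytes/s exceeds `factor` times the baseline."""
    return mean(s.bytes_in for s in window) > factor * mean(s.bytes_in for s in baseline)


def backend_cost_per_second(window):
    """Back-end work consumed per second: requests multiplied by their mean cost (ms)."""
    return mean(s.requests * s.avg_backend_ms for s in window)


def service_level_alert(window, baseline, factor=5.0):
    """Service-level detection: back-end cost/s exceeds `factor` times the baseline.

    This is the kind of resource-oriented signal needed for attacks that are
    small on the wire but expensive for the application to answer."""
    return backend_cost_per_second(window) > factor * backend_cost_per_second(baseline)


def classify(window, baseline):
    """Label a window as 'bandwidth-flood', 'service-level' or 'normal'."""
    if volumetric_alert(window, baseline):
        return "bandwidth-flood"
    if service_level_alert(window, baseline):
        return "service-level"
    return "normal"


if __name__ == "__main__":
    for name, window in (("baseline", BASELINE), ("flood", FLOOD), ("service-level", SERVICE_LEVEL)):
        print(f"{name:14s} volumetric={volumetric_alert(window, BASELINE)!s:5s} "
              f"service={service_level_alert(window, BASELINE)!s:5s} -> {classify(window, BASELINE)}")
```

The point of the two thresholds is that they measure different resources: the volumetric check measures link capacity, which is what flood-detection infrastructure watches, while the cost check measures back-end capacity, which is what a low-bandwidth attack on an expensive query actually exhausts. A real deployment would derive `avg_backend_ms` from application or database telemetry rather than from flow data.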

I cannot help but stress one point: the companies that took part in the survey include Tier 1 and Tier 2 ISPs. In that context, considering that only a fraction of surveyed ISPs said they have the capability to mitigate DDoS attacks in 10 minutes or less, I think we can conclude, with a small margin of error, that this issue clearly remains an open problem.

The report is available in full on Arbor's site. It is titled "2008 Worldwide Infrastructure Security Report".