
INSIGHT INTO THE
Global Threat Landscape

NETSCOUT Arbor’s 13th Annual Worldwide Infrastructure Security Report
NETSCOUT Arbor Special Report

CONTENTS

3 INTRODUCTION
4 Survey Methodology
5 Demographics of Survey Respondents

7 KEY FINDINGS
8 Service Providers
10 Enterprise, Government + Education (EGE)
12 DNS Operators

13 SERVICE PROVIDER
14 Threats + Concerns
16 Scale + Targeting of DDoS Attacks
18 Type, Frequency + Motivation of DDoS Attacks
22 DDoS Threat Motivations
25 SDN/NFV
27 IPv6
31 Organizational Security
34 Data Center Operators
39 Mobile Network Operators

42 ATLAS SPECIAL REPORT
43 Attack Size
48 Target Countries
49 Reflections + Attack Cycles
53 Reflection/Amplification Attacks Source Countries

54 ASERT SPECIAL REPORT: PART 1
55 The Anatomy of Application-Layer Attacks (Attacks against DNS Infrastructures; Attacks against Application Servers; Attacks against SQL Servers)
56 Mitigating Application-Layer Attacks
56 Summary

57 ENTERPRISE, GOVERNMENT + EDUCATION (EGE)
58 Network Security
60 DDoS Attacks
67 SDN/NFV
69 IPv6
71 Organizational Security

74 ASERT SPECIAL REPORT: PART 2
75 The Attackers Economy
77 Malware Innovation
78 Conclusion

79 DNS OPERATORS

86 CONCLUSION

89 ABOUT THE AUTHORS
90 About the Editor

91 GLOSSARY
INTRODUCTION

WELCOME TO OUR 13TH ANNUAL WORLDWIDE INFRASTRUCTURE SECURITY REPORT (WISR).

The data within this document is based on the collective experiences, observations and concerns of the global operational security community. NETSCOUT Arbor collected this data through a survey conducted in October 2017.

Since its inception, the WISR has been based upon survey data collected from those who are directly involved in day-to-day operational security, and this is our continued approach. The WISR has changed immeasurably in terms of its scope and scale over the years, but the core goal is still to provide real insight into infrastructure security from an operational perspective.

This document highlights key industry trends and threats facing network operators, along with the strategies used to mitigate them.
Survey Methodology

The 13th annual Worldwide Infrastructure Security Report (WISR) is based on a survey comprised of 128 free-form and multiple-choice questions. In our ongoing attempt to streamline and improve the survey, this is down from 135 in 2016.

2017: 128 free-form + multiple-choice questions, 390 responses
2016: 135 free-form + multiple-choice questions, 356 responses

Beyond the reduction in the number of questions, the 2017 survey has more specific logic flows that enable service providers and enterprise, government and education (EGE) respondents to see a different set of questions depending upon their self-classification and earlier answers. The questions we ask diverge depending upon the nature of the respondent.

As in previous years, we have modified the survey questions to reflect changes in the threat landscape and to address responses from last year’s survey. The current survey is divided into sections that address specific topics such as DDoS attacks, NFV, IPv6, data centers, mobile and networking. Each section establishes the observations and concerns of respondents and, where appropriate, the mechanisms put in place to manage their concerns.

NETSCOUT Arbor distributes the WISR survey by specifically targeting individuals within the operational security community to get the most accurate picture possible. Survey participation continues to grow despite additional efforts to encourage recusal of respondents without direct network or security operational experience.
Demographics of Survey Respondents

Service providers represent the majority of respondents at 55 percent (Figure 1), continuing the trend toward a more balanced mix of service providers and enterprise, government and education (EGE) organizations. Breaking down the EGE segment, 67 percent are enterprise respondents, with 19 and 14 percent representing education and government respectively.

SERVICE PROVIDERS
In a change from previous years, we asked service providers to tell us which services they offer, rather than asking them to identify with their primary service offering (Figure 1). Nearly one third consider themselves to be Tier 1 network operators, an increase from a quarter last year. Significant numbers of providers also offer hosting (63 percent), cloud (47 percent) and managed services (45 percent). The rise in hosting, cloud, and managed services reinforces the focus of providers on value-added revenue streams and the further erosion of traditional services.

EGE
Looking more closely at the EGE respondents, a broad array of verticals are represented (Figure 1). The largest proportions are from education and research organizations at 19%, followed by banking and finance.

Figure 1 Respondent Classification

Service provider respondents: 55%; enterprise, government + education respondents: 45%

Services offered by service providers:
65% Tier 2/3 provider or regional ISP
63% Hosting/data center/co-location services
47% Cloud service (virtualization, storage)
45% Wireline broadband (MSO, DSL)
45% Managed service provider/MSSP
39% Mobile service provider
32% Tier 1 service provider
30% CDN/content delivery (caching, distribution, streaming)
29% DNS registrar/DNS service provider

Enterprise verticals:
19% Education + Research
17% Banking + Finance
14% Government
13% Technology
7% Healthcare
6% Automotive + Transportation
4% Energy + Utilities
4% Manufacturing
4% eCommerce + Retail
2% Insurance
2% Media
2% Military + Law Enforcement
1% Gaming + Gambling
4% Other
Respondent’s Role in the Organization

Nearly two thirds of all respondents identify as security, network or operations professionals (Figure 2), a similar result to last year. Security professionals have the highest representation with 32 percent.

Figure 2 Respondent’s Role in the Organization (Security Professional 32%; remaining categories: Network Professional, Operations Professional, Manager or Director, Vice President, President or Officer, Other)
Source: Arbor Networks, Inc.

Respondent’s Geographic Information

The survey garnered wide participation from all around the world (Figure 3).

Figure 3 Respondent’s Geographic Information: "Where is your organization headquartered?" and "In what region(s) of the world does your network operate?", by region: US + Canada; Western, Central + Eastern Europe (including Russia + Iceland); Asia Pacific + Oceania; Middle East + Africa; Latin America (including Central + South America)
KEY FINDINGS
Service Providers

OPERATIONAL THREATS
DDoS attacks represent the dominant threat observed by the vast majority of service providers. Infrastructure outages also continue to be a threat with over half of operators experiencing this issue.

2018 CONCERNS
As expected, concerns for the coming year roughly mirror threats faced in the past.

PREFERRED THREAT DETECTION
NetFlow-based analysis tools remained the preferred method of threat detection for service providers. The use of SNMP-based tools also grew again this year, overtaking firewall logs, which continue to decline in popularity.

INLINE DDoS DETECTION/MITIGATION SYSTEMS
Usage grew, an ongoing trend likely driven by the increased use of best-practice hybrid DDoS defense solutions.

EFFECTIVE THREAT DETECTION
NetFlow-based analyzers and inline DDoS detection/mitigation systems are seen as the most effective ways to detect threats.

DDoS
Attacks targeting cloud-based services rebounded, back up to over one third from only one quarter the previous year.

Online gaming was still viewed as the leading impetus for DDoS attacks. Criminals demonstrating attack capabilities took second place, with extortion rounding out the top three motivations.

LARGEST ATTACK SIZE
The largest attack reported by a service provider was 600 Gbps, down from 800 Gbps last year.

VOLUMETRIC ATTACKS
While the size of the largest reported attack has decreased, the proportion of volumetric attacks was up. In general, peak attack sizes and the frequency of very large attacks decreased, a trend also observed in 2017 ATLAS data.

DNS + NTP
DNS and NTP remain the most commonly used vectors for reflection/amplification attacks.

TOP TARGETED SERVICE
DNS is the most common service targeted by application-layer attacks.

TOP TARGETED CUSTOMER
As expected, end-user subscribers took the top spot as the most common type of customer targeted. Financial services rose above hosting and government to reclaim the number two spot.

MULTI-VECTOR ATTACKS
Complex, multi-vector attacks are experienced by 59 percent of service providers.

OUTBOUND + CROSS-BOUND ATTACKS
Outbound and cross-bound attacks are not monitored by 46 percent of service providers.

AUTOMATIC DDoS MITIGATION
The use of automatic DDoS mitigation continues to gain traction with over one third of service providers now taking advantage of this technology.

MANAGED DDoS MITIGATION SERVICES
Demand for managed DDoS mitigation services is strong across the board. The top five verticals requesting managed services are financial, government, cloud/hosting, e-commerce and education.
SDN/NFV

SDN/NFV IN PRODUCTION
Compared to last year, the proportion of service providers having SDN or NFV in production has doubled.

OPERATIONAL CONCERNS
Operational concerns are the number one barrier followed by cost. SDN and NFV, even though they are being adopted, did not make a breakthrough in overcoming the concerns of service providers this year.

NETWORK DOMAIN
The data center is the most common network domain for SDN technologies. Quite surprisingly, in second place is IP backbone infrastructure, where service providers usually demonstrate a very conservative approach to technology.

OVERLAY NETWORKS
Overlay networks, including SD-WAN services, are also becoming an attractive spot for SDN.

IPv6

IPv6 GROWTH
It appears the surge in IPv6 growth or adoption is leveling off this year.

IPv6 FLOW TELEMETRY SUPPORT
The majority of service providers now indicate they have full IPv6 flow telemetry support from their vendors.

IPv6 TRAFFIC VISIBILITY
IPv6 traffic visibility, which is the key to detection and protection, has increased again this year.

TOP SECURITY CONCERN
DDoS and botnets are once again top security concerns for operators of IPv6-enabled networks.

DDoS MITIGATION
Overall there is a very welcome trend of increased DDoS mitigation capabilities for IPv6 traffic.

ORGANIZATIONAL SECURITY

This is the second consecutive year the survey shows an overall decline in service providers implementing security infrastructure best practices.

SECURITY ANALYST SHORTAGE
The worldwide shortage of security analysts and incident responders is still a key issue. Lack of resources, along with the difficulty of hiring and retaining skilled personnel, are again the two main concerns for building an effective operational security team.

DDoS SIMULATIONS
The proportion that do not practice DDoS simulations and have no plans to do so increased. This is discouraging as dealing effectively with DDoS attacks is not just about technology, but about the people using the technology and the processes supporting it.

INCIDENT RESPONSE
Only 30 percent make time for incident response rehearsals at least quarterly.

25%
Less than a quarter of service providers participate in global operational security communities or share or distribute observed cyber-security threats and gathered intelligence.

60%
Three fifths of service providers have their own internal security operations center (SOC) team while nearly one fifth either fully or partially outsource SOC capabilities.

ANTI-SPOOFING FILTERS
Surprisingly, given the popularity of reflection attacks over the last five years, the adoption of anti-spoofing filters decreased.

ACCESS CONTROL LISTS
The use of access control lists at the network edge also declined sharply.
Enterprise, Government + Education (EGE)

DDoS

INTERNET BANDWIDTH
Fifty-seven percent of enterprise, government and education (EGE) respondents saw their internet bandwidth saturated due to DDoS attacks, up from 42 percent in the previous year.

MULTI-VECTOR DDoS ATTACKS
There was a clear increase in the proportion of respondents experiencing multi-vector DDoS attacks, up from 40 percent in the previous year to 48 percent.

x2
The percentage that observed more than 100 DDoS attacks per month more than doubled over the previous year.

The most popular targets of application-layer attacks were once again: 1. HTTP 2. DNS 3. HTTPS

ENCRYPTED ATTACKS
Looking at encrypted attacks, 53 percent targeted the encrypted service at the application layer and 42 percent targeted the SSL/TLS protocol.

BRAND DAMAGE
Reputation/brand damage and operational expense are still the top business impacts of DDoS attacks. There was also a big jump in respondents reporting revenue loss.

FIREWALLS
Over half of EGE organizations had firewalls or IPS devices fail or contribute to an outage during a DDoS attack.

ATTACK COST
Survey responses broadly indicate that the cost of a major DDoS attack is increasingly significant.

EMAIL AND VoIP
Email and VoIP services were more frequently targeted this year, suggesting the focus of DDoS attackers shifted to exploiting more vulnerable services.

DDoS MITIGATION
DDoS mitigation was a part of business or IT risk assessments for 77 percent of respondents.

For the second consecutive year, there is a decrease in volumetric attacks with a corresponding increase in application-layer attacks.

NETWORK SECURITY

MOST COMMON ATTACK
Ransomware was the most commonly experienced attack last year, with DDoS in second place.

KEY THREATS
Ransomware is also top of mind as a key threat for the coming year, while advanced persistent threat (APT) took second and DDoS dropped to third place.

DETECTION TOOLS
For the third consecutive year, firewall logs, IDS and SIEM were the top three most utilized tools to detect threats.
IPv6

60%
Sixty percent have deployed visibility solutions for IPv6 traffic, a slight increase from last year.

OPERATING IPv6
This year just over a third of respondents are operating IPv6 in their environments or planning to in the coming year.

INTERNET-FACING SERVICES
Sixty percent provide internet-facing services with IPv6 support.

PRIVATE NETWORKS WITH IPv6
Sixty-five percent have already deployed IPv6 on their private networks.

TOP THREAT
DDoS was cited as the top threat to IPv6 networks by over two thirds of respondents.

ORGANIZATIONAL SECURITY

50%
Nearly half of respondents have an internal security operations center (SOC) team in place but 38 percent rely on third-party and outsourced services.

SECURITY ANALYST SHORTAGE
Looking at the challenges EGE organizations face in building out operational security teams, lack of resources and difficulty of hiring and retaining skilled personnel were again the two main concerns.

DDoS SIMULATIONS
There was a small decrease in those running DDoS defense simulations.

50%+
More than half are preemptively blocking known botnet Command-and-Control servers and malware drop servers.

SDN/NFV

Operational concerns are the top barrier to SDN/NFV deployment. Cost has become less of a concern as operational concerns are coming to the forefront.

SDN/NFV DEPLOYMENT PLAN
Only around 40 percent of EGE organizations have plans to deploy SDN/NFV technologies.

COMMON DOMAINS
Data center infrastructure and security were the most common domains where EGE respondents want to utilize SDN.

SDN/NFV DEPLOYMENT PLAN
Both EGE and service providers want to apply SDN to build global overlay networks, including SD-WAN.
DNS Operators

DNS SERVERS
DNS servers are popular both as direct targets of DDoS attacks and as unwilling amplification and reflection actors. As a result, it is disappointing again to note that 19 percent of respondents still did not restrict access to their recursive DNS servers.

VISIBILITY
Nearly three quarters of all respondents have visibility at Layers 3 and 4, and 43 percent at Layer 7.

DNS SECURITY TEAM
There was a substantial increase of EGE organizations with a dedicated DNS security team.

IDMS
For service providers, Intelligent DDoS Mitigation Systems (IDMS) were again the most popular defense mechanism.

It is a positive sign that more EGE organizations are taking control of their DNS infrastructure and gaining visibility at Layer 7, as effective mitigation of DDoS attacks targeting DNS requires application-layer visibility.

#1
Firewalls were the most popular choice for DNS defense in EGE networks once again.

25%
Only one quarter of service providers have a special security group for DNS. It is disappointing considering the criticality of DNS to the internet as a whole.
SERVICE PROVIDER
Threats + Concerns

DDoS attacks represented the top threat observed by service providers in 2017, with 87 percent reporting attacks (Figure 4). Infrastructure outages also continued to be a threat with 52 percent of operators experiencing this issue. This is up six percent from the previous year, halting a downward trend seen over the past few years. The percentage of service providers experiencing bandwidth saturation has remained constant from 2016.

Invariably, for 2018, DDoS attacks remain the primary concern for 88 percent of the service providers (Figure 4). This is not surprising, considering the continued concerns around weaponized IoT botnets and the ease with which attackers can gain access to sophisticated attack techniques and capabilities.

Infrastructure outages reclaimed its second spot in the list this year, with a 14% jump in the proportion of service providers reporting this concern.

Figure 4 Service Provider Experienced Threats and Concerns (experienced in 2017 / concern for 2018):
DDoS attacks: 87% experienced / 88% concern
Infrastructure outages (partial or complete, due to equipment failures or misconfigurations): 52% / 55%
Bandwidth saturation (streaming, over-the-top services, unique events, flash crowds): 38% / 47%
Route hijacking: 15% / 25%
Compromise of management network: 7% / 37%
Peer gaming: 5% / 8%
Other: 4% / 2%
THREAT DETECTION TOOLS AND THREAT TOOL EFFECTIVENESS

As in previous years, respondents still used a wide variety of tools to detect threats against their networks, customers and services (Figure 5). The survey showed that NetFlow-based analysis tools remained the preferred option of service providers, with a slight decrease from 86 to 81 percent in 2017.

The use of SNMP-based tools also grew again to 64 percent, a significant increase over 53 percent in 2016, overtaking firewall logs, which continued to decline in popularity but remain in the top four with IDS/IPS.

Inline DDoS detection/mitigation system usage grew from 42 to 51 percent, an ongoing trend likely driven by the increased use of best-practice hybrid DDoS defense solutions.

Overall, the results of the effectiveness of threat detection tools remained similar to 2016, with NetFlow-based analyzers and inline DDoS detection/mitigation solutions ranked as the most effective ways to detect threats (Figure 5).

Figure 5 Threat Detection Tools and Threat Tool Effectiveness. Usage percentage and effectiveness score (0-10 axis) per tool: NetFlow-based analyzers (e.g., Arbor SP) 81%; SNMP-based tools 64%; firewall logs; IDS/IPS; inline DDoS detection/mitigation system (e.g., Arbor APS) 51%; customer call/help desk ticket; in-house developed scripts/tools; routing analysis and anomaly detection tools; security information and event management (SIEM) platforms; service assurance/monitoring solutions; cloud-based third party services; other.
Scale + Targeting of DDoS Attacks

In 2017, attackers continued to use reflection/amplification techniques to exploit vulnerabilities in DNS, NTP, SSDP, CLDAP, Chargen and other protocols to maximize the scale of their attacks. In addition, there was a marked increase in the exploitation of IoT devices to generate large packet floods and application-layer attacks. The largest attack reported by a service provider was 600 Gbps, with others reporting attacks of 588 Gbps, 423 Gbps, 338 Gbps and 316 Gbps (Figure 6).

Peak Attack Size

This represents a decrease over 2016, which to some degree is a surprise given the latent capability within some of the weaponized DDoS services and botnets currently active across the internet.

Figure 6 Peak Attack Size (Gbps), 2008 to 2017. Labelled points on the chart: 40 Gbps, 100 Gbps, 309 Gbps, 800 Gbps (2016) and 600 Gbps (2017).
Source: Arbor Networks, Inc.
In 2016, nearly one third of respondents reported peak attacks over 100 Gbps, emphasizing the breadth of the DDoS problem in relation to large attacks. In 2017, about one quarter witnessed peak attacks over 100 Gbps, and only seven percent reported attacks over 200 Gbps. In general, peak attack sizes and the frequency of very large attacks decreased, a trend also observed in 2017 ATLAS data (see ATLAS Attack Sizes).

While these numbers represent a decline in the very largest attacks, volumetric attacks were still the leading type of attack monitored by service providers. Attackers are using more metered attack volumes to achieve their goals while minimizing collateral damage and unwanted attention.

Looking at the targets of DDoS attacks monitored by service providers, customers remained the number one target at 75 percent, nearly identical to 2016 (Figure 7). Attackers continue to target their victims directly, rather than relying on collateral damage from indirect attacks. The proportion of attacks targeting service infrastructures increased slightly, likely due to continued exploitation of vulnerable services such as DNS.

Figure 7 Attack Target Mix: Customers 75%; Service infrastructure (DNS, web portal) 15%; Network infrastructure (routers, firewalls) 10%
Source: Arbor Networks, Inc.

Attack Target Customer Verticals

As expected, end-user subscribers took the top spot as the most common type of customer targeted (Figure 8). Financial services rose above hosting and government to reclaim the number two spot. Gaming, which garnered sixth place in 2016, rose to fifth place, edging out education.

Figure 8 Attack Target Customer Verticals: End-User/Subscriber 70%; Financial Services 41%; Cloud/Hosting 39%; Government 37%; Gaming 32%; Education 29%; eCommerce 26%; Gambling 21%; Manufacturing 14%; Healthcare, Utilities, Law Enforcement and Other at 10 percent or less
Source: Arbor Networks, Inc.

Attacks Targeting Cloud Services

The growth of cloud services continued as more organizations adopt cloud-based applications and services. These services can offer significant performance, flexibility and cost advantages to business. However, their value is completely dependent on their availability to customers. In 2017, the proportion of respondents seeing attacks targeting cloud-based services rebounded, back up to over one third from only one quarter the previous year (Figure 9).

Cloud services rely heavily on service providers for protection from DDoS threats given their multi-tenant nature. Collateral damage, where attacks targeting one customer impact another unintended victim, represents a significant risk to all customers of a cloud service provider. An attack on one customer can potentially impact many others.

Figure 9 Attacks Targeting Cloud Services: Yes 36%; No 25%; Do not know 20%; Not applicable 19%
Source: Arbor Networks, Inc.
Type, Frequency + Motivation of DDoS Attacks

While DDoS attack vectors vary significantly, cybercriminals are constantly evolving the methodologies they use to evade defenses and achieve their goals. Generally, attack vectors fall into one of three broad categories:

1 Volumetric Attacks
These attacks attempt to consume the bandwidth either within the target network or service, or between the target network or service and the rest of the internet. These attacks are simply about causing congestion.

2 TCP State-Exhaustion Attacks
These attacks attempt to consume the connection state tables that are present in many infrastructure components, such as load balancers, firewalls, IPS and the application servers themselves. They can take down even high-capacity devices capable of maintaining state on millions of connections.

3 Application-Layer Attacks
These target some aspect of an application or service at Layer 7. They are the most sophisticated and stealthy attacks because they can be very effective with as few as one attacking machine generating traffic at a low rate.

Looking at the mix of attack types experienced by service providers, volumetric attacks remain the most common, as in all previous iterations of this report (Figure 10). Like the previous two years, 2017 saw a significant increase in the frequency of volumetric attacks around the world. The percentage of attacks that were volumetric in nature increased to approximately 76 percent in 2017, up from 73. This is not surprising, given the widely reported prevalence of reflection/amplification and IoT-based attacks.

Figure 10 DDoS Attack Types: Volumetric attacks 75.7%; TCP state-exhaustion attacks 11.8%; Application-layer attacks 12.4%
Source: Arbor Networks, Inc.
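The three categories above, together with the reflection/amplification services named in the Scale + Targeting section (DNS, NTP, SSDP, CLDAP, Chargen), can be turned into a flow-level triage rule that a NetFlow-based analyzer would apply. The classifier below is an added example, not code from the report or from NETSCOUT Arbor; its thresholds, flow records and RFC 5737 documentation addresses are constructed assumptions, and because one destination can match several categories at once it returns a list, matching the multi-vector case the survey asks about.

```python
"""Classify constructed NetFlow-style records into the three WISR DDoS categories
(volumetric, TCP state-exhaustion, application-layer) and tag the
reflection/amplification services the report names. Added example: thresholds,
addresses and records are illustrative assumptions, not values from the report."""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of the reflection/amplification services listed in the report.
REFLECTION_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 389: "CLDAP", 19: "Chargen"}
APP_PORTS = {80: "HTTP", 443: "HTTPS", 53: "DNS"}   # top application-layer targets

# Illustrative per-destination thresholds over one aggregation window (assumptions).
WINDOW_S = 10
VOLUMETRIC_BPS = 1_000_000_000   # sustained 1 Gbps toward a single destination
HALF_OPEN_SYNS = 5_000           # SYN-only packets: pressure on connection tables
APP_REQUEST_PKTS = 1_000         # data-bearing packets to an application port
APP_MAX_SOURCES = 50             # few sources at a low rate is the Layer 7 signature


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str           # "UDP" or "TCP"
    packets: int
    bytes: int
    tcp_flags: str = ""  # cumulative TCP flags as exported by NetFlow, e.g. "S", "SAPF"


def reflection_vector(flow):
    """Name the amplifier service if this looks like a reflected UDP reply."""
    if flow.proto != "UDP" or flow.sport not in REFLECTION_PORTS:
        return None
    avg_pkt = flow.bytes / max(flow.packets, 1)
    # Amplified answers are large; an ordinary DNS or NTP reply is a few hundred bytes.
    return REFLECTION_PORTS[flow.sport] if avg_pkt > 500 else None


def classify(flows):
    """Return {destination: {"categories": [...], "vectors": [...], "sources": n}}."""
    agg = defaultdict(lambda: {"bytes": 0, "syn_only": 0, "app_pkts": 0,
                               "srcs": set(), "vectors": set()})
    for f in flows:
        d = agg[f.dst]
        d["bytes"] += f.bytes
        d["srcs"].add(f.src)
        vec = reflection_vector(f)
        if vec:
            d["vectors"].add(vec)
        if f.proto == "TCP":
            if f.tcp_flags == "S":            # SYN never completed: half-open state
                d["syn_only"] += f.packets
            elif "P" in f.tcp_flags and f.dport in APP_PORTS:
                d["app_pkts"] += f.packets    # completed sessions carrying requests

    result = {}
    for dst, d in agg.items():
        bps = d["bytes"] * 8 / WINDOW_S
        cats = []
        if bps >= VOLUMETRIC_BPS:
            cats.append("volumetric")
        if d["syn_only"] >= HALF_OPEN_SYNS:
            cats.append("tcp-state-exhaustion")
        if (d["app_pkts"] >= APP_REQUEST_PKTS and len(d["srcs"]) <= APP_MAX_SOURCES
                and bps < VOLUMETRIC_BPS):
            cats.append("application-layer")
        result[dst] = {"categories": cats, "vectors": sorted(d["vectors"]),
                       "sources": len(d["srcs"])}
    return result


def sample_flows():
    """Constructed records using RFC 5737 documentation address ranges."""
    flows = []
    # 1) DNS reflection flood: many amplifiers, large UDP replies, one victim.
    for i in range(20):
        flows.append(Flow(f"198.51.100.{i + 1}", 53, "203.0.113.10", 40000 + i,
                          "UDP", 1_000_000, 1_200_000_000))
    # 2) SYN flood: thousands of spoofed sources, one SYN each, no handshake.
    for i in range(8000):
        flows.append(Flow(f"192.0.2.{i % 254 + 1}", 1024 + i, "203.0.113.20", 443,
                          "TCP", 1, 60, "S"))
    # 3) HTTPS request flood: three bots, completed sessions, thousands of requests.
    for i in range(3):
        flows.append(Flow(f"198.51.100.{200 + i}", 50000 + i, "203.0.113.30", 443,
                          "TCP", 2000, 400_000, "SAPF"))
    # 4) Ordinary traffic: one normal DNS answer and one short web session.
    flows.append(Flow("198.51.100.53", 53, "203.0.113.40", 33333, "UDP", 1, 120))
    flows.append(Flow("198.51.100.77", 51234, "203.0.113.40", 80, "TCP", 50, 40_000, "SAPF"))
    return flows


if __name__ == "__main__":
    for dst, verdict in classify(sample_flows()).items():
        print(dst, verdict)
```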
Unsurprisingly, application-layer attacks continued to exploit many vulnerable services. This year, DNS was the most common service targeted by application-layer attacks, reported by 82 percent of service providers (Figure 11). HTTP remained at 80 percent, identical to 2016. Additionally, the number seeing attacks targeting secure web services (HTTPS) rose significantly from 52 to 61 percent. While decryption is not always necessary for successful mitigation, scalable solutions for decrypting packets are needed more than ever. Fortunately, there are some promising solutions on the horizon.

Figure 11 Targets of Application-Layer Attacks: DNS 82%; HTTP 80%; HTTPS 61%; SMTP 21%; SIP/VoIP 15%; IRC 5%; Other 13%

Looking deeper into attacks targeting encrypted services, there are four different categories:

1 Attacks that target the SSL/TLS negotiation
2 Protocol/connection attacks against the SSL service port
3 Volumetric attacks targeting the SSL/TLS service port
4 Application-layer attacks against the underlying service running over SSL/TLS

In 2017, the results were broadly similar to the previous year, with over 20 percent experiencing attacks in each category (Figure 12). Given the criticality of many encrypted applications, especially those provided by financial and e-commerce organizations, a successful attack can have significant impact.

Figure 12 Types of Attacks Targeting Encrypted Services (application-layer attacks against service running over SSL/TLS; attacks targeting the SSL/TLS negotiation; volumetric attacks targeting SSL/TLS service port; protocol/connection attacks against SSL service port; not applicable/do not know). Bar values shown on the chart: 48%, 32%, 27%, 23%, 21%.
Source: Arbor Networks, Inc.
We specifically asked respondents about the protocols used to generate volumetric reflection/amplification attacks (Figure 13). Nearly all protocols showed similar activity to 2016, with DNS and NTP remaining the most commonly used vectors. Attackers continued to leverage poorly configured or protected infrastructures to magnify their capabilities. The ATLAS Reflections section of this report drills down into details on reflection/amplification trends.

Figure 13 Protocols Used for Reflection/Amplification Attacks: DNS and NTP lead at 87% and 82%; the remaining bars, for CharGEN, SSDP, SNMP, Portmap, MSSQL, QOTD, BitTorrent, other and not applicable, range from 49% down to 5%.

Multi-Vector DDoS Attacks

Multi-vector attacks are nothing new, but their complexity can still make them difficult for defenders to successfully mitigate. The percentage of service providers seeing multi-vector attacks on their networks decreased, down to 59 percent in 2017 from 67 percent in 2016, but still above the 56 percent of 2015 (Figure 14). Because multi-vector attacks are more difficult to mitigate, a layered defense is the best solution. Layered DDoS defense utilizes a hybrid approach allowing organizations to proactively block stealthy attacks closer to the target, while mitigating larger volumetric attacks upstream where sufficient capacity is available.

Figure 14 Multi-Vector DDoS Attacks: yes 59%; no 15%; do not know 26%. Source: Arbor Networks, Inc.
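The reflection vectors in Figure 13 share a traffic signature that a flow-based detector can key on: the spoofed requests carry the victim's address, so what arrives at the victim is UDP traffic from a well-known service port, from many distinct reflector hosts, in large amplified packets. The following is an added example written for this page, not NETSCOUT Arbor or ATLAS code; the flow records are constructed, and the port-to-vector mapping and the thresholds are this example's own assumptions:

```python
"""Spot reflection/amplification traffic in flow records.

Added example for this report's Figure 13; not NETSCOUT Arbor code, and the
flow records are constructed, not ATLAS data. The detector groups UDP flows
by (victim, vector) and applies three tests: the source port is a reflector
service port, many distinct reflectors are involved, and packets are large.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

# UDP service ports behind the vectors named in Figure 13 (IANA-assigned
# ports; the grouping into vector names is this example's assumption).
REFLECTOR_PORTS: Dict[int, str] = {
    53: "DNS", 123: "NTP", 19: "CharGEN", 1900: "SSDP",
    161: "SNMP", 111: "Portmap", 1434: "MSSQL", 17: "QOTD",
}


class Flow(NamedTuple):
    """One NetFlow/IPFIX-style record: 5-tuple plus counters."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int   # 17 = UDP, 6 = TCP
    packets: int
    bytes: int


def reflection_findings(flows: Iterable[Flow], min_reflectors: int = 3,
                        min_bytes_per_packet: int = 300) -> List[dict]:
    """Return suspected reflection/amplification attacks, largest first.

    min_reflectors: a reflection attack bounces off many hosts; one resolver
        or NTP server answering a client is ordinary traffic.
    min_bytes_per_packet: amplified responses are large; a normal NTP reply
        is 76 bytes on the wire and most DNS replies are well under 300.
    """
    groups = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != 17 or f.sport not in REFLECTOR_PORTS:
            continue                      # not UDP from a reflector service port
        g = groups[(f.dst, REFLECTOR_PORTS[f.sport])]
        g["reflectors"].add(f.src)
        g["packets"] += f.packets
        g["bytes"] += f.bytes

    findings = []
    for (victim, vector), g in groups.items():
        bpp = g["bytes"] / g["packets"]
        if len(g["reflectors"]) >= min_reflectors and bpp >= min_bytes_per_packet:
            findings.append({
                "victim": victim, "vector": vector,
                "reflectors": len(g["reflectors"]),
                "bytes": g["bytes"], "bytes_per_packet": round(bpp),
            })
    return sorted(findings, key=lambda x: x["bytes"], reverse=True)


# Constructed sample using RFC 5737 documentation ranges, not observed traffic.
VICTIM = "203.0.113.10"
SAMPLE_FLOWS: List[Flow] = (
    # NTP monlist-style responses from five reflectors, 440 bytes per packet
    [Flow(f"198.51.100.{i}", 123, VICTIM, 80, 17, 100, 44_000) for i in range(1, 6)]
    # DNS ANY-style responses from four open resolvers, 1200 bytes per packet
    + [Flow(f"192.0.2.{i}", 53, VICTIM, 443, 17, 200, 240_000) for i in range(1, 5)]
    # Benign: one recursive resolver answering a client with small replies
    + [Flow("192.0.2.53", 53, "203.0.113.20", 40123, 17, 10, 1_000)]
    # Benign: one NTP server sending normal 76-byte replies
    + [Flow("198.51.100.99", 123, "203.0.113.21", 123, 17, 10, 760)]
    # TCP from port 53 (a zone transfer) is not a reflection vector
    + [Flow("192.0.2.7", 53, VICTIM, 50000, 6, 500, 700_000)]
)


def sample_findings() -> List[dict]:
    """Run the detector over the constructed sample."""
    return reflection_findings(SAMPLE_FLOWS)


if __name__ == "__main__":
    for hit in sample_findings():
        print(hit)
```

Running the block reports two suspected attacks against the victim, DNS first (largest by bytes) and NTP second. The single-resolver and single-NTP-server flows never appear, because one legitimate server answering a client is not a reflection attack, and the TCP flow from port 53 is ignored because the detector only considers UDP.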
Figure 15 Attack Frequency Per Month: less than 1: 8%; 1–10: 33%; 11–20: 14%; 21–50: 13%; 51–100: 4%; 101–500: 11%; 500+: 17%.

The distribution of attacks experienced per month by service providers shifted somewhat (Figure 15). While 53 percent experienced more than 21 attacks per month in 2016, that fell to 45 percent in 2017. Conversely, those experiencing over 500 attacks per month increased to 17 percent from 15 percent in 2016.

Attack durations increased in 2017 (Figure 16). Approximately 29 percent of service providers indicated their longest monitored attack was over 12 hours. This is up slightly from 2016, when one quarter reported that their longest attack was over 12 hours, but still below the 37 percent reported in 2015. This trend is corroborated by ATLAS data and anecdotal feedback from NETSCOUT Arbor customers indicating longer duration attacks in 2017.

Figure 16 Longest Attack Duration: less than 1 hour 23%; 1–6 hours 38%; 7–12 hours 10%; 13–24 hours 4%; 1–3 days 13%; 4–7 days 4%; 1–4 weeks 4%; more than 1 month 4%.
DDoS Threat Motivations

As in previous years, we asked service providers to indicate the most common motivations behind the DDoS attacks they monitored on their networks. In 2016, the top motivation was online gaming. Ideological hacktivism was in second place, with criminals demonstrating attack capabilities following closely in third.

However, the top motivations shifted in 2017 (Figure 17). Online gaming was still viewed as the leading impetus, but only 50 percent saw this as a common motivation, down from 63 percent in 2016. In a near tie with gaming, criminals demonstrating attack capabilities returned to prominence in second place, with extortion rounding out the top three motivations.

While nihilism/vandalism made a return to the top five in 2017, ideological hacktivism followed closely, nearly tied for fourth place. The rise of criminals demonstrating their capabilities is indicative of the continuing weaponization of DDoS attacks via easy-to-procure services. The ubiquitous availability of booter/stresser services remains a serious problem.

Figure 17 Service Provider DDoS Attack Motivation
Online gaming-related 50.5%
Criminals demonstrating DDoS attack capabilities to potential customers 49.1%
Criminal extortion attempt 44.4%
Nihilism/vandalism 35.1%
Political/ideological disputes 34.5%
Inter-personal/inter-group rivalries 34.2%
Online gambling-related 31.3%
Social networking-related 25.0%
Diversion to cover compromise/data exfiltration 24.4%
Misconfiguration/accidental 21.7%
Competitive rivalry between business organizations 20.0%
National/state sponsored 17.1%
Financial market manipulation 14.0%
Intra-criminal disputes 11.6%

For the first time, we asked survey respondents where IoT-based botnet attacks originated (Figure 18). Nearly half indicated the attacks come from compromised devices outside of their networks, as one might expect. Surprisingly, 22 percent said the traffic originated either fully or partially from inside their own networks.

Figure 18 IoT-Botnet Attack Source: offnet (outside your network) 48%; combination 16%; onnet (inside your network) 6%; not applicable 29%. Source: Arbor Networks, Inc.
Service providers continued to improve their capability to mitigate DDoS attacks, and the 2017 results were very encouraging (Figure 19). IDMS usage increased again to reach a record high of 88 percent, up from 83 percent in 2016. The use of access control lists (ACLs) moved up to second place from third last year. The use of FlowSpec also increased dramatically, nearly doubling from 15 percent in 2016 to 27 percent. Collectively, these statistics indicate a very positive trend in the application of surgical and stateless mitigation technologies.

Figure 19 Attack Mitigation Techniques: intelligent DDoS mitigation systems (IDMS) 88%; access control lists (ACLs) 58%; destination-based remote triggered blackhole (D/RTBH) 52%; FlowSpec 27%; the remaining options (firewall, source-based remote triggered blackhole (S/RTBH), load-balancer, IPS, content delivery network (CDN), MSSP cloud DDoS mitigation service, none, other) each below 30%. Source: Arbor Networks, Inc.

Once again, the number of service providers that could mitigate attacks in less than 20 minutes increased, reaching 80 percent, up from 77 percent in 2016 and 74 percent in 2015 (Figure 20). Furthermore, the use of automatic mitigation rose dramatically to 36 percent, compared with only 27 percent last year. This demonstrates a continued increase in the use of integrated tools and automation within the customer environment. Average attack duration remained relatively short, so service providers have only a brief time to act when protecting their customers. Overall, mitigation reaction times are continuing to improve.

Figure 20 Time to Mitigate: automatically through scripts/tools 36%; less than 10 minutes 31%; more than 10 but less than 20 minutes 13%; more than 20 but less than 30 minutes 7%; more than 30 minutes 9%; we do not mitigate attacks 4%. Source: Arbor Networks, Inc.
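The layered defense described under Multi-Vector DDoS Attacks, the tools in Figure 19 and the growth of script-driven mitigation in Figure 20 together raise an obvious automation question: which tool should a script reach for first? The following is an added illustration, not NETSCOUT Arbor's logic or product behaviour; the attack descriptions, the capacity figures and the rule that D/RTBH is reserved for single-host targets are this example's own assumptions:

```python
"""Choosing among mitigation layers for a detected attack.

Added illustration, not NETSCOUT Arbor's logic. It encodes the layered
defense the report describes: stateless, surgical filters upstream for
reflection vectors; an IDMS close to the target for stateful and
application-layer vectors; and D/RTBH only as a last resort when the residual
volume would saturate the upstream links anyway. Capacities are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Vector:
    name: str                        # e.g. "NTP reflection", "HTTPS GET flood"
    kind: str                        # "volumetric" | "state_exhaustion" | "application"
    proto: str                       # "udp" | "tcp"
    gbps: float
    src_port: Optional[int] = None   # fixed reflector service port, if any


@dataclass
class Attack:
    target: str                      # victim prefix, e.g. "203.0.113.10/32"
    vectors: List[Vector] = field(default_factory=list)


@dataclass
class Capacity:
    upstream_gbps: float             # what the links into the scrubbing point carry
    idms_gbps: float                 # what the on-premise IDMS can clean


def plan_mitigation(attack: Attack, cap: Capacity) -> List[dict]:
    """Return an ordered list of mitigation actions for one attack."""
    actions: List[dict] = []
    filtered = 0.0

    # Layer 1: reflection traffic always arrives from a fixed service port, so
    # a stateless FlowSpec/ACL match on (dst, proto, src_port) removes it
    # upstream without touching legitimate traffic to the same host.
    for v in attack.vectors:
        if v.kind == "volumetric" and v.src_port is not None:
            actions.append({"layer": "upstream", "tool": "flowspec", "vector": v.name,
                            "match": {"dst": attack.target, "proto": v.proto,
                                      "src_port": v.src_port},
                            "action": "rate-limit"})
            filtered += v.gbps

    residual = sum(v.gbps for v in attack.vectors) - filtered

    # Last resort: if what is left would still saturate the upstream links,
    # D/RTBH discards all traffic to the single victim host so the attack does
    # not take down the aggregation router and every other customer behind it.
    # That completes the attacker's goal against that one host, so this
    # example allows it only for /32 (or /128) targets.
    if residual > cap.upstream_gbps and attack.target.endswith(("/32", "/128")):
        actions.append({"layer": "upstream", "tool": "d_rtbh",
                        "match": {"dst": attack.target}, "action": "discard"})
        return actions

    # Layer 2: stateful and application-layer vectors need packet-level
    # inspection near the target; overflow goes to a cloud scrubbing service.
    stateful = any(v.kind in ("state_exhaustion", "application") for v in attack.vectors)
    if stateful or residual > 0:
        actions.append({"layer": "near_target", "tool": "idms",
                        "match": {"dst": attack.target}, "action": "divert",
                        "load_gbps": residual})
        if residual > cap.idms_gbps:
            actions.append({"layer": "cloud", "tool": "mssp_cloud",
                            "match": {"dst": attack.target},
                            "action": "divert_overflow"})
    return actions


# Constructed scenarios (RFC 5737 documentation addresses).
CAP = Capacity(upstream_gbps=100.0, idms_gbps=10.0)

MULTI_VECTOR = Attack("203.0.113.10/32", [
    Vector("NTP reflection", "volumetric", "udp", 40.0, src_port=123),
    Vector("HTTPS GET flood", "application", "tcp", 0.5),
])
OVERWHELMING = Attack("203.0.113.10/32", [
    Vector("UDP flood, random source ports", "volumetric", "udp", 300.0),
])
BIG_SYN = Attack("203.0.113.0/24", [
    Vector("SYN flood", "state_exhaustion", "tcp", 50.0),
])


def tools_for(attack: Attack) -> List[str]:
    """The sequence of tools the plan selects, for quick inspection."""
    return [a["tool"] for a in plan_mitigation(attack, CAP)]


if __name__ == "__main__":
    for scenario in (MULTI_VECTOR, OVERWHELMING, BIG_SYN):
        print(scenario.target, tools_for(scenario))
```

The ordering is the point: a FlowSpec match on the reflector's source port removes the bulk of the multi-vector attack without blackholing the victim, so the IDMS only has to absorb the 0.5 Gbps application-layer component; the 300 Gbps random-port flood has no surgical match and exceeds the upstream links, so it ends in a blackhole of the one host; and the SYN flood is diverted to the IDMS with the overflow sent to a cloud scrubbing service.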
Among organizations that monitored outbound and cross-bound attacks, the majority indicated these attacks were less than 10 percent of all attacks they see (Figure 21). However, some operators identified as much as 50 percent of all attacks as outbound or cross-bound in nature. Nearly identical to last year, 46 percent did not detect outbound or cross-bound attacks at all. This continues to indicate a general lack of visibility in this area. This is a concern, as these attacks can still impact customer aggregation routers and customer experience. Ideally, organizations should detect and deal with outbound and cross-bound attacks in the same way as inbound attacks.

Figure 21 Proportion of Outbound/Cross-Bound Attacks Observed: less than 10%: 35%; 10–20%: 12%; 21–50%: 5%; more than 50%: 3%; not monitored: 48% (the text gives 46 percent).

Interest in DDoS detection and mitigation services remained strong across all business segments (Figure 22). Virtually no service providers indicated a reduced demand for their DDoS services. Instead, they indicated the strongest growth in demand was by far from large enterprise customers, at 70 percent.

Figure 22 Demand for DDoS Detection/Mitigation Services: large enterprise increased 70%, same 29%; medium enterprise increased 54%, same 45%; small and medium business increased 41%, same 59%.

The survey drilled into the demand for managed DDoS services in more detail to establish which verticals are driving the increase (Figure 23). Financial services dominated with 60 percent, while government followed closely at 55 percent. Cloud/hosting companies rebounded from 44 percent in 2016 to round out third place at 51 percent. Overall, we saw an increase in demand across virtually all verticals again in 2017. This indicates that organizations, regardless of their business focus, are now very aware of the DDoS threat and are looking to reduce the risk of becoming victims of a successful attack.

Figure 23 Business Verticals for DDoS Services: financial 60%; government 55%; cloud/hosting 51%; eCommerce 38%; education 31%; gaming 24%; small business 22%; healthcare 21%; utilities 19%; retail 17%; media 17%; gambling 16%; law enforcement 15%; social networking 7%.
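Detecting outbound and cross-bound attacks, as the passage on Figure 21 recommends, needs nothing beyond the flow telemetry a provider already collects for inbound detection plus a list of its own prefixes. The following is an added example, not code from the report; the prefixes and flow records are constructed sample data, and the aggregation keys are this example's design choice:

```python
"""Classify attack traffic as inbound, outbound or cross-bound.

Added example, not from the report. Direction is relative to the provider's
own address space: destination ours = inbound, source ours = outbound, both
ours = cross-bound. The aggregation key differs by direction: an inbound
attack is tracked by its victim, an outbound one by the sending host, because
that host is the compromised 'packet cannon' that has to be cleaned up.
Prefixes and flows are constructed (RFC 5737 / RFC 3849 documentation ranges).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, NamedTuple, Tuple

OWN_PREFIXES = [ip_network(p) for p in ("203.0.113.0/24", "2001:db8:abcd::/48")]


class Flow(NamedTuple):
    src: str
    dst: str
    bytes: int


def is_own(addr: str) -> bool:
    """True if addr falls inside any of our prefixes; v4 and v6 both work,
    since membership across address families is simply False."""
    a = ip_address(addr)
    return any(a in net for net in OWN_PREFIXES)


def direction(src: str, dst: str) -> str:
    s, d = is_own(src), is_own(dst)
    if s and d:
        return "cross-bound"
    if d:
        return "inbound"
    if s:
        return "outbound"
    return "transit"            # neither end is ours: not our attack to mitigate


def attack_summary(flows: Iterable[Flow], min_bytes: int) -> List[Tuple[Tuple, int]]:
    """Aggregate bytes per (direction, responsible address[es]) and return the
    entries at or above min_bytes, largest first."""
    totals: Dict[Tuple, int] = defaultdict(int)
    for f in flows:
        d = direction(f.src, f.dst)
        if d == "inbound":
            key = (d, f.dst)            # victim is our customer
        elif d == "outbound":
            key = (d, f.src)            # attacker is our host
        elif d == "cross-bound":
            key = (d, f.src, f.dst)     # both ends ours; hits our aggregation routers
        else:
            continue
        totals[key] += f.bytes
    return sorted(((k, b) for k, b in totals.items() if b >= min_bytes),
                  key=lambda kb: kb[1], reverse=True)


SAMPLE_FLOWS: List[Flow] = [
    # Inbound flood toward a customer host
    Flow("198.51.100.1", "203.0.113.10", 1_000_000),
    Flow("198.51.100.2", "203.0.113.10", 1_000_000),
    Flow("198.51.100.3", "203.0.113.10", 1_000_000),
    # Outbound: one of our hosts is being used as a packet cannon
    Flow("203.0.113.77", "192.0.2.5", 5_000_000),
    Flow("203.0.113.77", "192.0.2.6", 5_000_000),
    # Cross-bound: the same compromised host hitting another of our customers
    Flow("203.0.113.77", "203.0.113.10", 1_000_000),
    # IPv6 inbound, to cover the dual-stack case
    Flow("2001:db8:ffff::1", "2001:db8:abcd::10", 4_000_000),
    # Transit traffic, neither end ours
    Flow("198.51.100.9", "192.0.2.9", 9_000_000),
]


def sample_summary() -> List[Tuple[Tuple, int]]:
    return attack_summary(SAMPLE_FLOWS, min_bytes=500_000)


if __name__ == "__main__":
    for key, total in sample_summary():
        print(total, key)
```

The largest entry in the sample is the outbound one, even though each of its flows is destined for a different external address, because outbound events are keyed on the source host; a detector keyed only on destination, as inbound detection usually is, would split it into two small events and miss it. The transit flow is the largest single record and is ignored entirely.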


SDN/NFV

NETSCOUT Arbor has been tracking SDN and NFV development in annual reports over the last three years. It is helpful to analyze how service provider interest and adoption rates have changed over time.

Figure 24 SDN/NFV Deployment: no 41%; we are investigating now 21%; we are in production 18%; plan to implement next year 11%; plan to implement in 2+ years 9%.

Compared to last year, the proportion of service providers having SDN or NFV in production has doubled (Figure 24). In 2017, 18 percent of respondents confirmed they had NFV deployed. Twenty-one percent were investigating these technologies or running trials, compared to 27 percent in the previous year. The percentage of those not looking into SDN and NF V was also similar to last year (41 percent versus 38 percent).

We asked service providers to identify the barriers to deploying these technologies (Figure 25). Operational concerns were the number one barrier at 56 percent, followed by cost at 52 percent and interoperability at 46 percent. These results were similar to last year, which leads us to conclude that SDN and NFV, even though they are being adopted, did not make a breakthrough in overcoming the concerns of service providers.

Figure 25 SDN/NFV Key Barriers: operational concerns 56%; cost 52%; interoperability 46%; security concerns 39%; performance concerns 36%; stability 36%; vendor support 36%; scalability 34%; business support system (BSS) integration 30%; telemetry acquisition 7%; other 5%.
Regarding network locations where SDN technologies are seeing the most interest, the data center was the most common at 63 percent (Figure 26). Quite surprisingly, in second place was IP backbone infrastructure, where service providers usually demonstrate a very conservative approach to technology; 54 percent of respondents indicated they planned to implement SDN technologies there. Overlay networks, including SD-WAN services, were also becoming an attractive spot for SDN, according to 36 percent of the providers.

Figure 26 SDN Network Domains: data center infrastructure 63%; IP backbone infrastructure 54%; overlay networks spanning multiple domains 36%; fixed line access network and mobile network infrastructure lower. Source: Arbor Networks, Inc.

When it comes to a functional domain for NFV, data center security functions were in first place at 58 percent (Figure 27). However, CPE routers and CPE value-added functions were close behind at 48 percent and 46 percent respectively. This clearly indicates that the (virtual) customer premise domain is where the industry wants to apply NFV.

Figure 27 NFV Network Domains: data center security functions 58%; CPE (routers) 48%; customer premise security and load-balancers 46%; mobile core infrastructure and IP backbone infrastructure lower. Source: Arbor Networks, Inc.
IPv6

Similar to last year, nearly 70 percent of service providers have deployed or will deploy IPv6 within their networks in the coming year (Figure 28). It appears the surge in IPv6 adoption is leveling off this year.

Figure 28 IPv6 Operation (planning to operate IPv6 within network?): yes 68%; no 32%.

Again, in line with last year, 73 percent of providers indicated they offer IPv6 services to end-users (Figure 29). However, looking more closely at the results, we are now seeing higher adoption rates within those organizations that do offer the service. Specifically, 15 percent now indicate more than half of their end-users utilize IPv6 services, compared to only eight percent last year.

Figure 29 Subscriber IPv6 Usage (percentage of end-users using IPv6): we do not offer IPv6 service to end-users 27%; 1–25: 44%; 26–50: 13%; 51–75: 11%; 76–100: 4%.

Nearly identical to last year, 83 percent of service providers offer IPv6 services to business customers (Figure 30). Adoption rates are also broadly similar to last year, with one notable exception: service providers reporting adoption rates above 75 percent doubled to six percent from just three percent the previous year.

Figure 30 Business Customer IPv6 Service Usage (percentage of business customers using IPv6): we do not offer IPv6 service to business customers 17%; 1–25: 65%; 26–50: 10%; 51–75: 2%; 76–100: 6%.
IPv6 Flow Telemetry

Figure 31 IPv6 Flow Telemetry (vendor support): yes, fully supported today 58%; partial, some vendors support IPv6 flow telemetry today, some do not 22%; will soon, support for IPv6 flow telemetry in the next 12 months 8%; no, support is on a long-term roadmap (greater than 1 year) 5%; no, will not support 5%; supported, but on new hardware only 3%. Source: Arbor Networks, Inc.

Nearly 60 percent of service providers now indicate full IPv6 flow telemetry support from their vendors (Figure 31). An additional 22 percent cite at least partial support for IPv6 flow telemetry, showing further improvement in vendor support this year. This is good news for the customers leveraging these networks and shows steady effort on the part of providers to satisfy growth commitments to IPv6.

IPv6 traffic visibility, which is the key to detection and protection, has increased to 70 percent this year from just 60 percent last year (Figure 32). This is a positive indication that service providers are keeping pace with the growth of IPv6 and are focused on telemetry/visibility to help keep the networks healthy and current.

Figure 32 IPv6 Traffic Visibility (have a visibility solution in place to monitor IPv6 traffic?): yes 70%; no 30%.
Generally, service providers expressed concern over IPv6 attacks against dual-stack devices having an impact on IPv4 services (Figure 33). While 44 percent expressed minor concern, nearly one third indicated moderate concern and 11 percent indicated major concern over this issue.

Figure 33 IPv6 Impact on IPv4 Services (Dual-Stack Devices): no concern 11%; minor concern 44%; moderate concern 34%; major concern 11%.

Overall, 57 percent of service providers projected some level of IPv6 traffic growth in the coming year (Figure 34). Further, only six percent projected no IPv6 traffic growth, compared to 14 percent last year. However, 37 percent were unable to predict future growth this year, compared to only 18 percent last year.

Figure 34 Anticipated IPv6 Traffic Growth: none, no growth expected 6%; 20% growth expected 37%; 40% growth expected 10%; 60% growth expected 4%; 80% growth expected 2%; 100% growth expected 4%; do not know 37%.
When asked about the security concerns of operating IPv6-enabled networks, DDoS and botnets are once again top of mind among respondents (Figure 35). Seventy-five percent are concerned with IPv6 DDoS attacks and 44 percent are concerned about botnets, both up slightly from last year.

Figure 35 IPv6 Security Concerns: traffic floods/DDoS 75%; botnets 44%; misconfiguration 42%; stack implementation flaws 39%; inadequate IPv4/IPv6 feature parity 36%; visibility, cannot see the data today 35%; host scanning 24%; subscribers using IPv6 to bypass application rate limiting 21%; other 5%.

At 81 percent, intelligent DDoS mitigation systems (IDMS) remain the first choice in DDoS mitigation solutions deployed by service providers against IPv6 attacks (Figure 36). This percentage has increased from 76 percent last year and 67 percent the year before. Destination-based remote-triggered blackhole (D/RTBH) has held at 56 percent. Access control lists (ACLs) are a close third, rising from fifth place last year. In addition, the use of FlowSpec as a mitigation measure has also increased, to 44 percent from 37 percent last year. Overall there is a very welcome trend of increased DDoS mitigation capabilities for IPv6 traffic.

Figure 36 IPv6 Mitigation Capabilities: intelligent DDoS mitigation systems (IDMS) 81%; destination-based remote triggered blackhole (D/RTBH) 56%; access control lists (ACLs) 51%; FlowSpec 44%; source-based remote triggered blackhole (S/RTBH) 24%; no plans to mitigate IPv6 8%; other 1%. Source: Arbor Networks, Inc.
Organizational Security

Security Operations Center Resources

Sixty percent of service providers have their own internal security operations center (SOC) team (Figure 37). However, the percentage of service providers without any SOC capabilities fell from 29 to 21 percent. This is positive news, and is likely due to the increased use of third-party and third-party-augmented SOC capabilities. Service providers are relying more on outsourcing to enhance their internal security teams. This highlights the global challenges organizations face in building and maintaining an internal security team of skilled practitioners.

Figure 37 Security Operations Center Resources: internal SOC team 60%; no SOC resources 21%; internal SOC with supplemental third party 12%; third party SOC 6%. Source: Arbor Networks, Inc.

Eighty-seven percent of service providers reported that they had some dedicated security personnel (Figure 38), an identical result to the previous year. Also, as in 2016, about a quarter had security teams of 30 or more people, compared to only 14 percent for enterprise, government and education (EGE) respondents.

Figure 38 Dedicated Security Personnel: 0: 13%; 1–5: 36%; 6–10: 12%; 11–15: 8%; 16–20: 4%; 21–30: 4%; 30+: 23%.
Looking at the challenges of building and maintaining operational security teams, the worldwide shortage of security analysts and incident responders was still a key issue in 2017. Lack of resources, along with the difficulty of hiring and retaining skilled personnel, were again the two main concerns for building an effective operational security (OPSEC) team (Figure 39).

Figure 39 OPSEC Team Challenges: lack of headcount or resources and difficulty of hiring and retaining skilled personnel lead the chart at 61% and 48%; the remaining bars (operational expenditure (OPEX) funding, capital expenditure (CAPEX) funding, lack of management support, lack of internal stakeholder support, other) are 48%, 42%, 29%, 22% and 3%. Source: Arbor Networks, Inc.

The percentage of service providers carrying out DDoS defense simulations was similar to last year (Figure 40). However, the proportion of service providers that do not practice simulations and have no plans to do so increased from 29 to 34 percent. This is discouraging, as dealing effectively with DDoS attacks is not just about technology, but about the people using the technology and the processes supporting it.

Thirty percent made time for incident response rehearsals at least quarterly, a decline from 38 percent in the previous year. However, based on anecdotal information, this reduction could be due to some service providers relying more on automation in their battle against DDoS attacks.

Figure 40 DDoS Simulations: never 34%; the remaining categories (we do not do this today but plan to implement next year; yearly; quarterly; monthly; weekly; daily) share the balance, with quarterly or more frequent rehearsals totaling 30%.
For the second consecutive year the survey showed an overall decline in service providers implementing security infrastructure best practices (Figure 41). However, both of the top two methodologies, authentication for BGP and explicitly filtering routes announced by customers, slightly increased, from 62 to 68 percent and from 58 to 59 percent respectively.

Surprisingly, given the popularity of reflection attacks over the last five years, the adoption of anti-spoofing filters decreased from 48 to 43 percent this year. The use of access control lists at the network edge also declined sharply this year, from 54 to 47 percent.

On a more positive note, the adoption of the historically lesser-used methodologies increased. There was greater use of maintaining up-to-date peer contact information, route hijacking monitoring, IRR route registration, blocking of known attack servers and the generalized TTL security mechanism than in the previous year.

Figure 41 Security Best Practices: authentication for BGP, IGPs 68%; explicitly filter routes announced by customers 59%; separate out-of-band (OOB) management network or data communication network (DCN) 54%; explicitly filter routes announced by BGP peers 48%; iACLs at network edge 47%; maintain up-to-date contacts for your peer, transit and/or customer OpSec teams 46%; BCP38/BCP84 anti-spoofing at network edge and/or within data center 43%; monitor routes for hijacking 40%; IRR route registration of customer prefixes 36%; block known botnet command-and-control servers, malware drop servers, etc. 25%; generalized TTL security mechanism 24%; other 4%. Source: Arbor Networks, Inc.

OPSEC Participation

Another disappointing result in 2017 was the fact that less than a quarter of service providers participated in global operational security communities, or shared or distributed observed cyber-security threats and gathered intelligence (Figure 42). The OPSEC communities have proven themselves very useful during high profile attacks in the last five years. We can only suspect that this downward trend, which started two years ago, is due to the challenges service providers face in building and maintaining an OPSEC team. From 41 percent in 2015 to 26 percent last year, service providers' participation is down to 24 percent today.

Figure 42 OPSEC Participation (participate in global OPSEC community groups?): no 76%; yes 24%. Source: Arbor Networks, Inc.
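Anti-spoofing at the customer edge is what the BCP38/BCP84 line in Figure 41 measures, and it is the control that denies attackers the spoofed source addresses every reflection/amplification attack depends on. The following is an added example, not code from the report; it implements the strict and loose unicast reverse-path forwarding checks of RFC 3704 over a constructed forwarding table, and the interface names, prefixes and packets are this example's sample data:

```python
"""BCP38/BCP84 anti-spoofing as a unicast RPF (uRPF) check.

Added example, not from the report. Strict mode (RFC 3704) accepts a packet
only if the best route to its source address points back out the interface it
arrived on; loose mode only requires that some non-default route to the
source exist. The FIB and packets are constructed sample data using RFC 5737
and RFC 3849 documentation ranges.
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


class FIB:
    """Minimal forwarding table with longest-prefix match."""

    def __init__(self, routes: List[Tuple[str, str]]):
        self.routes = [(ip_network(prefix), iface) for prefix, iface in routes]

    def lookup(self, addr: str) -> Optional[Tuple[object, str]]:
        """Return (network, interface) of the most specific matching route."""
        a = ip_address(addr)
        best = None
        for net, iface in self.routes:
            # Membership across address families is False, so v4 and v6 mix safely.
            if a in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best


def urpf_permits(fib: FIB, src: str, ingress: str, mode: str = "strict") -> bool:
    """Decide whether a packet with source src arriving on ingress may pass."""
    route = fib.lookup(src)
    if route is None:
        return False                  # unroutable source: drop in any mode
    net, iface = route
    if net.prefixlen == 0:
        return False                  # a default route vouches for nothing
    if mode == "loose":
        return True                   # some real route exists; good enough
    return iface == ingress           # strict: must arrive where we would route it


SAMPLE_FIB = FIB([
    ("203.0.113.0/24",   "cust-A"),
    ("203.0.113.128/25", "cust-B"),   # more specific, delegated to another customer
    ("198.51.100.0/24",  "cust-C"),
    ("2001:db8:a::/48",  "cust-A"),
    ("0.0.0.0/0",        "upstream"),
])

# Packets as (source address, ingress interface), all arriving from cust-A.
SAMPLE_PACKETS = [
    ("203.0.113.5",   "cust-A"),   # cust-A's own space: permit
    ("203.0.113.200", "cust-A"),   # inside cust-B's /25: spoofed, strict drops it
    ("198.51.100.7",  "cust-A"),   # cust-C's space: spoofed
    ("192.0.2.1",     "cust-A"),   # only the default route matches: drop
    ("2001:db8:a::1", "cust-A"),   # IPv6 is checked the same way
]


def verdicts(mode: str) -> List[Tuple[str, bool]]:
    """Apply the check to every sample packet in the given mode."""
    return [(src, urpf_permits(SAMPLE_FIB, src, iface, mode))
            for src, iface in SAMPLE_PACKETS]


if __name__ == "__main__":
    for mode in ("strict", "loose"):
        print(mode, verdicts(mode))
```

Strict mode drops the packet sourced from cust-B's more-specific /25 even though the covering /24 is routed to cust-A, which is exactly the case longest-prefix match exists for. Loose mode lets both spoofed packets through and only stops the unroutable source, which is why RFC 3704 reserves it for links where asymmetric routing makes strict mode impossible rather than for single-homed customer ports.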
Data Center Operators

To better understand the resources that need protection in data centers, we asked respondents to identify what services their organizations offer (Figure 43). It comes as no surprise that managed hosting was the most common service offered. However, it was surprising to see public or private cloud services ranked second, pushing co-location services into third.

Figure 43 Data Center Services: managed hosting 76%; private/public/hybrid cloud 69%; co-location 63%. Source: Arbor Networks, Inc.

Unexpectedly, a lower proportion of data center operators saw DDoS attacks targeting their environments (Figure 44), yet the financial impact of attacks grew significantly (Figure 47). Only 40 percent indicated they observed DDoS incidents in 2017, a significant decrease from 60 percent the previous year. The frequency of attacks also decreased sharply, with only 36 percent seeing more than 10 DDoS attacks monthly, as compared to 57 percent in 2016 (Figure 45).

Figure 44 Data Center Experienced DDoS Attacks: yes 40%; no 60%. Source: Arbor Networks, Inc.

Figure 45 Data Center DDoS Attack Frequency: 1–10 attacks per month 64%; 11–20: 18%; 21–50: 5%; 50+: 14%.
Despite less frequent DDoS attacks, the survey highlights the growing impact of incidents. Of those who had DDoS attacks, 91 percent observed at least one incident that affected their ability to deliver service. Seventy-eight percent experienced between 1 and 20 service-affecting attacks, a slight increase over 2016 (Figure 46).

Figure 46 Data Center Service Affecting Attacks: 0: 9%; 1–10: 73%; 11–20: 5%; 21–50 and 51–100 together 14%. Source: Arbor Networks, Inc.

The average cost of a successful DDoS attack to a data center operator changed significantly in 2017. In 2016, 45 percent of the operators reported an attack cost them less than $10,000 on average. In comparison, 45 percent indicated the average total cost of major attacks was between $10,000 and $50,000 per incident in 2017 (Figure 47). In fact, more than half of respondents experienced a financial impact between $10,000 and $100,000, almost twice as many as in 2016.

Figure 47 Data Center DDoS Cost: less than $10,000: 39%; $10,000 to $25,000: 33%; $25,000 to $50,000: 11%; $50,000 to $100,000: 11%; $100,000 to $100,000,000: 6%. Source: Arbor Networks, Inc.

Looking at the cost break-out, respondents continue to see operational expenses as having the biggest impact on their business as a direct result of a DDoS attack (Figure 48). However, customer churn is now second at 48 percent. This demonstrates how sensitive customers are when it comes to the availability of their services and the DDoS protection provided by a data center operator. Putting this data into perspective, we believe that wide adoption of DDoS mitigation services made it harder for attackers to affect business processes, making them more conscious about the size and complexity of the attacks they launched. Consequently, attacks were more advanced, and once they passed through defenses there was a greater impact on data center operations.

Figure 48 Data Center DDoS Business Impact: increased operational expense 71%; customer churn 48%; revenue loss 38%; employee turnover 19%. Source: Arbor Networks, Inc.
The targets of DDoS attacks within data centers are similar to those in the previous year, with customers the most likely target (Figure 49). However, the percentage of data centers reporting outbound attacks generated by servers grew from 28 to 36 percent. Anecdotally, we have been aware for many years that compromised or rented data center servers are used as ‘packet cannons.’ It seems that data center operators are increasingly aware of this problem as well.

We asked data center operators if they experienced attacks exceeding the total bandwidth available to the data center. Historically we observed a growing trend of attacks saturating data centers: 33 percent in 2014, 50 percent in 2015 and 61 percent in 2016, falling to 45 percent in 2017. This is a positive result which may be due to improved upstream volumetric DDoS protection.

Figure 49 Data Center DDoS Targets: inbound attack on a data center management, hosting, cloud or co-location customer 68%; inbound attack on data center service infrastructure (portal, management) 50%; inbound attack on data center infrastructure (routers, firewalls, load balancers) 36%; outbound attack generated from server(s) within the data center to an external host 36%; cross-bound attack, customer to customer 9%.

As in previous years, we asked data center operators what level and type of visibility they have in place. When it comes to visibility levels, there was mixed news. The percentage with Layer 3 and 4 visibility dropped from 77 percent in 2016 to 65 in 2017. However, there were more data centers with Layer 7 visibility, up to 25 percent from 21. It is also encouraging to see that one third of the respondents now have service assurance monitoring, and the proportion with no visibility has dropped from 12 to 10 percent (Figure 50).

Figure 50 Data Center Internal Visibility: yes, at Layers 3/4 only 65%; yes, we monitor for service assurance 35%; yes, at Layer 7 25%; no 10%.
On a more positive note, approximately two thirds of data centers perform baselining of normal operations for intra data center traffic, and the percentage of those actively looking for compromised devices grew from seven to 39 percent (Figure 51). Also, those with no visibility decreased from 20 to 14 percent.

Figure 51 Data Center Outbound and Cross-Bound Visibility: baseline of normal operations 65%; detection of compromised devices 39%; service assurance 37%; none 14%.

When it comes to the technologies used to protect data centers at their perimeter, the increased frequency of DDoS attacks seen in 2016 resulted in a wider adoption of Intelligent DDoS Mitigation Systems (IDMS) in 2017. About half of respondents indicated that an IDMS was now a part of perimeter protection, a sharp increase from the previous year’s 29 percent. While IDMS shared third place with application firewalls, the most popular technologies remained firewalls and IDS/IPS (Figure 52).

Figure 52 Data Center Perimeter Security Technologies: firewalls 96%; IDS/IPS 73%; application firewalls and intelligent DDoS mitigation systems 49% each; UTM 33%; iACL 25%; sandboxing 18%.
Looking at perimeter security, it is also worth noting what technologies were utilized for DDoS protection in 2017 (Figure 53). It is good to see that infrastructure ACLs (iACLs), perimeter IDMS and layered IDMS were in the top five of technology choices. The less positive news is that IDS/IPS was still considered a key element of a DDoS protection strategy by more than half of the respondents. Finally, a significant data point is that firewalls made a jump from last to first place, with 62 percent using them for DDoS defense.

This is especially disappointing if we take another data point into account. Forty-eight percent of data center respondents experienced firewalls, IDS/IPS devices and load-balancers contributing to an outage during a DDoS attack — an increase from 43 percent in 2016. We encourage organizations to review their DDoS mitigation architecture and move away, as much as possible, from stateful inspection methods to predominantly stateless architectures optimized for high packet load.

As to the types of DDoS protection offered by data center operators, it is encouraging that one quarter now include some capability within their base offering and 40 percent offer it as an add-on service. Further, an additional 15 percent plan to offer DDoS protection in the coming year. As data center customers demand availability and look for tighter service-level agreements (SLAs), a DDoS mitigation strategy becomes one of the most important factors in choosing a data center service.

Figure 53 Data Center DDoS Protection Technologies (firewalls 62%; the other technologies surveyed, with responses ranging from 24% to 57%: interface ACLs (iACLs); IPS/IDS; data center backbone/perimeter intelligent DDoS mitigation systems (IDMS); layered intelligent DDoS mitigation systems (IDMS); cloud-based DDoS mitigation system or service; destination-based remote triggered blackhole (D/RTBH); source-based remote triggered blackhole (S/RTBH); unicast reverse path forwarding (uRPF) and/or anti-spoofing mechanisms on network edge; FlowSpec on gateway or access routers; separate production and out-of-band (OOB) management network). Source: Arbor Networks, Inc.
Mobile Network Operators

In 2017, 60 percent of mobile operator respondents had more than one million subscribers, down from 70 percent the previous year (Figure 54).

Figure 54 Mobile Subscribers (less than 1 million; 1–10 million; 11–25 million; 26–50 million; 51–100 million; more than 100 million subscribers). Source: Arbor Networks, Inc.

We asked mobile operators if they had experienced any security incidents on their networks that led to a customer-visible outage, and only a fifth reported such an incident, down from a third in 2016, a very positive trend (Figure 55).

Figure 55 Customer-Visible Outage (security incidents that led to a customer-visible outage? yes 20%; no 65%; do not know 15%).

In 2017, only 25 percent of mobile operators had the capability to detect compromised devices from their subscriber networks, down from 37 percent the previous year (Figure 56). This significant decrease in the ability to detect compromised devices is worrisome, as gaining better visibility of user devices is key for proactive and effective security incident handling.

Figure 56 Compromised Subscribers Detection (detect a compromised subscriber? yes 25%; no 75%).
Over half of mobile network operator respondents don’t have visibility into their subscribers’ botnet participation, which is not surprising considering they reported being less capable of detecting compromised devices (Figure 57). Among those having visibility, 42 percent reported that five percent or less of their subscribers were compromised. Similar to last year, 16 percent reported that none of their subscribers have been compromised, which, considering IoT botnet trends, is more likely due to a lack of visibility.

Figure 57 Compromised Subscribers (none 16%; 1–5% of subscribers 26%; 6–10% of subscribers 5%; do not know 53%). Source: Arbor Networks, Inc.

Fifty-eight percent of operators once again did not see DDoS attacks originating from their mobile user base (Figure 58). Of the remaining, one half noticed DDoS attacks from their subscriber network, while the other didn’t know if attacks were generated by their mobile users.

Figure 58 DDoS Attacks from Mobile Users (no 58%; yes 21%; do not know 21%). Source: Arbor Networks, Inc.

The percentage of mobile network operators mitigating outbound attacks again increased substantially, from over one quarter in 2016 to 37 percent in 2017 (Figure 59). With over a quarter planning to mitigate outbound DDoS attacks in 2018, this is very positive news.

Figure 59 DDoS Attacks Mitigation from Mobile Users (yes 37%; no plans 37%; no, planning to in the next 12 months 26%). Source: Arbor Networks, Inc.
This year a much lower proportion of network operators observed DDoS attacks targeting their mobile infrastructure/users, from 74 percent in 2016 to 58 in 2017 (Figure 60). However, for those seeing attacks, there was an increase in those noticing between one and 10 attacks per month, at 32 percent up from 21 percent the previous year. The percentage of mobile network operators experiencing over 10 attacks per month fell to 26 percent from 55 percent last year.

Figure 60 DDoS Attacks Per Month (number of DDoS attacks: 0 42%; 1–10 32%; 11–20 16%; 21–50 5%; 51–100 5%).

The proportion of mobile network operators reporting DDoS attacks targeting their Gi/SGi interface decreased sharply this year, from 72 percent previously to only 47 percent (Figure 61). Overall, there was also a noticeable reduction in the number of attacks seen per month. Only the number of respondents noticing between one and 10 attacks per month increased slightly, from 22 percent to 26 percent.

Figure 61 DDoS Attacks Per Month Targeting IP (Gi/SGi) Infrastructure (number of DDoS attacks: 0 53%; 1–10 26%; 11–20 5%; 21–50 11%; 51–100 5%).

We have stressed in the previous surveys how the Gi/SGi interface is a critical part of any mobile operator’s network, and we were pleased to see a large increase in operators with visibility at Layers 3 and 4, up from 47 percent in 2016 to an impressive 68 percent in 2017 (Figure 62). Even though visibility at Layer 7 decreased from 35 to 26 percent, the overall improvement in visibility is a very positive sign.

Figure 62 Visibility at IP (Gi/SGi) Backbone (yes, Layers 3/4 68%; yes, Layer 7 26%; no 21%).
ATLAS Special Report

NETSCOUT Arbor’s Active Threat Level Analysis System (ATLAS®) gathers statistics from NETSCOUT Arbor SP deployments around the world.

ATLAS delivers insight into approximately one third of global internet traffic. There are currently more than 400 networks participating in the ATLAS initiative. Statistics are shared hourly and include DDoS attack details, along with other traffic information. NETSCOUT Arbor’s team collates and analyzes this unique data set to determine key trends in DDoS attack activity.

EDITOR’S NOTE
In early 2017, the NETSCOUT Arbor ATLAS team introduced a new data processing engine for the ATLAS system; this new approach has improved Arbor’s ability to more accurately identify DDoS events. As a result, some of the ATLAS DDoS attack figures for 2016 are different from the values used in last year’s report. For the sake of consistency, we have run the data collected in 2016 through the new engine, and that resulted in new figures.
Attack Size

Without question, 2016 was a dramatic year for DDoS attacks, with the emergence of IoT botnets driving the peak attack size to 841 Gbps. In 2017, the largest attack observed by ATLAS was a 641 Gbps attack (Figure AT1) directed at a target in Brazil. The 641 Gbps number from ATLAS aligns closely with the largest attack reported by the WISR survey respondents this year.

Figure AT1 ATLAS Peak Monitored Attack Size (Gbps), 2016 vs. 2017 (monthly peaks, January to December; 2016 peak 841 Gbps, 2017 peak 641 Gbps). Source: NETSCOUT Arbor

One significant difference between 2017 and 2016 (Figure AT2) was a significant decrease in the number of massive attacks over 100 Gbps (444 versus 1087) and 200 Gbps (40 versus 125). This year-over-year decline was due primarily to a major sporting event in Brazil over the summer of 2016 that experienced a high level of targeting.

Figure AT2 Growth in Large Attacks 2016 vs. 2017 (100+ Gbps: 1,087 in 2016, 444 in 2017; 200+ Gbps: 125 in 2016, 40 in 2017). Source: NETSCOUT Arbor
Although the number of attacks over 100 Gbps in 2017 is down from last year, the overall mix of attack sizes is still shifting up. This year, the percentage of attacks over 1 Gbps has increased to 22 percent, growing three years in a row. The vast majority of attacks, 87 percent, are still smaller than 2 Gbps (Figure AT3).

Figure AT3 Attack Size Breakout (Source: NETSCOUT Arbor)
Less than 500 Mbps: 67.09040%
500 Mbps–1 Gbps: 10.81670%
1 Gbps–2 Gbps: 8.98951%
2 Gbps–5 Gbps: 8.97777%
5 Gbps–10 Gbps: 3.02474%
10 Gbps–20 Gbps: 0.80118%
20 Gbps–50 Gbps: 0.26095%
50 Gbps–100 Gbps: 0.03330%
100 Gbps–200 Gbps: 0.00497%
200 Gbps–500 Gbps: 0.00046%
500 Gbps–1 Tbps: 0.00004%

Average attack size in 2017 was 990 Mbps, a slight decrease from last year’s 1,133 Mbps. Looking at the monthly trend over 2017, we see that the average attack size was over 1 Gbps in the second half of the year (Figure AT4). On the surface, this appears to be a simple linear reduction in average attack size. However, in terms of attack frequency, we see an increase in the number of attacks in 2017 versus 2016 (Figure AT5). This higher number of attacks in 2017 contributed to a lower average attack size.

Figure AT4 ATLAS Average Attack Size (Mbps) 2016–2017 (weekly, January 2016 to December 2017). Source: NETSCOUT Arbor

Figure AT5 Number of DDoS Attacks 2016 vs. 2017 (monthly, January to December). Source: NETSCOUT Arbor
While the number of very large attacks decreased in 2017, the number of attacks between 2 Gbps and 5 Gbps is growing steadily (Figure AT6). Again, this may be due to the fact that there were major international events in 2016 which led to a spike in large volume attacks compared to 2017. We believe this is also an indication of attacker innovation as they develop new attack vectors and utilize new tools such as the Mirai botnet’s ability to launch application-layer as well as volumetric attacks.

Figure AT6 Average Attack Frequency 2016–2017 (three panels with linear trend lines, weekly from January 2016 to December 2017: 2–10 Gbps, split into 2–5 Gbps and 5–10 Gbps; 10–50 Gbps, split into 10–20 Gbps and 20–50 Gbps; 50–200 Gbps, split into 50–100 Gbps and 100–200 Gbps).
This year, we have extended our analysis to include different geographical regions:
• North America
• Latin America
• Europe
• Middle East
• Africa
• Asia-Pacific

Using the same metrics — number of DDoS attacks, peak attack sizes and average attack sizes — the regions were compared.

Looking at the number of DDoS events observed in the different regions (Figure AT7), Latin America has a lower number of attacks compared to the other regions. We also noticed that starting in August 2017, there is a trend of more attacks seen in Europe than North America and Asia-Pacific.

Figure AT7 Number of Attacks by Regions (weekly counts for Global, APAC, EMEA, NA and LATAM, January to December 2017).
Although the number of attacks is lower in the Latin America region, the largest attack monitored in 2017 targeted Brazil. Overall, the difference in terms of peak attack size is not that significant between the four regions (Figure AT8).

Comparison of average attack size between the regions reveals an interesting fact — the averages in North America and Europe are actually higher than the worldwide average (Figure AT9). In contrast, the Latin America and Asia-Pacific regions both show slightly lower attack sizes than the global number; this indicates a higher proportion of smaller attacks in the Asia-Pacific and Latin America regions compared to the others.

Figure AT8 Peak Attack Sizes by Regions (Gbps) (weekly, for Global, APAC, EMEA, LATAM and NA). Source: NETSCOUT Arbor

Figure AT9 Average Attack Sizes by Regions (Mbps) (weekly, for Global, APAC, EMEA, LATAM and NA). Source: NETSCOUT Arbor

Attack Duration

Similar to the previous two years, 92 percent of attacks last less than one hour (Figure AT10). The average duration of an attack in 2017 was around 46 minutes, down from 55 minutes last year.

As we stated last year, attackers usually start/stop an attack sporadically over an extended period of time. As a result, the average duration of an attack is less than an hour but a typical attack campaign lasts much longer than that.

Figure AT10 Attack Duration (less than 30 minutes 85.4%; 30 minutes – 1 hour 6.5%; the remaining buckets, 1 hour – 3 hours, 3 hours – 6 hours, 6 hours – 12 hours, 12 hours – 1 day and more than 1 day, share the rest). Source: Arbor Networks, Inc.
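To make the distinction between short attack events and the longer campaigns they belong to concrete, here is an added example; it is not ATLAS code and not from the report. It buckets constructed attack events into the Figure AT10 duration bands, then chains events against the same target into a campaign whenever the idle time between them is at most a gap threshold (the threshold and the event format are assumptions of the example).

```python
"""Attack events vs. attack campaigns: an added example, not ATLAS code."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean

# Duration bands of Figure AT10; the number is the band's exclusive upper bound in minutes.
DURATION_BANDS = [
    ("Less than 30 minutes", 30),
    ("30 minutes - 1 hour", 60),
    ("1 hour - 3 hours", 180),
    ("3 hours - 6 hours", 360),
    ("6 hours - 12 hours", 720),
    ("12 hours - 1 day", 1440),
    ("More than 1 day", float("inf")),
]

# Constructed sample of detected attack events, one per line: target,start,end (ISO 8601).
# Targets are RFC 5737 documentation addresses, not real hosts.
SAMPLE_EVENTS = """\
198.51.100.10,2017-08-01T10:00:00,2017-08-01T10:25:00
198.51.100.10,2017-08-01T12:10:00,2017-08-01T12:40:00
198.51.100.10,2017-08-01T15:05:00,2017-08-01T15:20:00
198.51.100.10,2017-08-02T09:00:00,2017-08-02T09:50:00
198.51.100.10,2017-08-02T11:30:00,2017-08-02T11:45:00
203.0.113.7,2017-08-03T02:00:00,2017-08-03T04:00:00
"""


@dataclass
class Attack:
    target: str
    start: datetime
    end: datetime

    @property
    def minutes(self) -> float:
        return (self.end - self.start).total_seconds() / 60


def parse_attacks(text: str) -> list:
    """Parse the event list, rejecting events whose end does not follow their start."""
    attacks = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        target, start, end = line.split(",")
        event = Attack(target, datetime.fromisoformat(start), datetime.fromisoformat(end))
        if event.end <= event.start:
            raise ValueError(f"event ends before it starts: {line}")
        attacks.append(event)
    return attacks


def duration_histogram(attacks: list) -> dict:
    """Count events per Figure AT10 duration band (every band is present, even when zero)."""
    counts = Counter()
    for a in attacks:
        for label, upper in DURATION_BANDS:
            if a.minutes < upper:
                counts[label] += 1
                break
    return {label: counts[label] for label, _ in DURATION_BANDS}


def group_campaigns(attacks: list, gap: timedelta) -> list:
    """Chain events against the same target into one campaign while the idle time between
    the latest end seen so far and the next start is at most `gap` (the example's assumption)."""
    by_target = {}
    for a in sorted(attacks, key=lambda x: (x.target, x.start)):
        by_target.setdefault(a.target, []).append(a)
    campaigns = []
    for events in by_target.values():
        current = [events[0]]
        for a in events[1:]:
            if a.start - max(e.end for e in current) <= gap:
                current.append(a)
            else:
                campaigns.append(current)
                current = [a]
        campaigns.append(current)
    return [
        {
            "target": c[0].target,
            "attacks": len(c),
            "span_minutes": (max(a.end for a in c) - c[0].start).total_seconds() / 60,
        }
        for c in campaigns
    ]


def summarize(attacks: list, gap_hours: float = 6.0) -> dict:
    """Per-event statistics (the report's 'average duration') next to per-campaign spans."""
    minutes = [a.minutes for a in attacks]
    return {
        "mean_attack_minutes": mean(minutes),
        "share_under_one_hour": sum(m < 60 for m in minutes) / len(minutes),
        "histogram": duration_histogram(attacks),
        "campaigns": group_campaigns(attacks, timedelta(hours=gap_hours)),
    }


if __name__ == "__main__":
    summary = summarize(parse_attacks(SAMPLE_EVENTS))
    print(f"mean attack duration: {summary['mean_attack_minutes']:.1f} min")
    for campaign in summary["campaigns"]:
        print(f"{campaign['target']}: {campaign['attacks']} attacks over {campaign['span_minutes']:.0f} min")
```

With the sample events the mean event lasts 42.5 minutes while the longest campaign spans 320 minutes; raising the gap to 24 hours merges the first target's two days of bursts into a single campaign.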
Target Countries

Looking at the top 10 countries attacked in 2017, it is very interesting that the top four spots are exactly the same as last year, with similar percentages as well (Figure AT11). The top targets for attacks greater than 10 Gbps were the United States and Hong Kong. While the other countries in the top ten are nearly identical to last year, the positions vary quite a bit (Figure AT12).

It should be noted that mapping DDoS source/destination IP addresses to geographical locations is challenging due to various reasons, including source address spoofing by attackers and widely deployed CGNAT and CDN technologies.

Figure AT11 Top Targeted Countries for DDoS Attacks by Percentage
United States 24.0%
South Korea 10.3%
China 8.7%
France 4.6%
Brazil 3.7%
United Kingdom 2.9%
Malaysia 2.7%
South Africa 2.7%
Turkey 2.1%
Australia 1.9%

Figure AT12 Top Targeted Countries for DDoS Attacks Greater Than 10 Gbps by Percentage
United States 32.5%
Hong Kong 10.2%
South Africa 8.8%
Canada 5.5%
United Kingdom 4.9%
South Korea 4.4%
Poland 3.8%
Brazil 3.4%
Australia 2.8%
France 2.2%
Reflections

In 2016, we observed a resurgence of DNS as the dominant protocol used for reflection/amplification attacks. This year, DNS continued to be the most common reflection/amplification attack vector. In fact, the number of DNS reflection/amplification attacks is greater than all the other attack vectors combined. The number of DNS attacks is nearly double the number of NTP reflection/amplification attacks, which came in second (Figure AT13).

Figure AT13 Reflection/Amplification Attacks, Count Per Week (DNS, NTP, SSDP, Chargen, C-LDAP, SNMP, Portmap and MSSQL; weekly, January to December 2017). Source: NETSCOUT Arbor

Attackers always look for new exploits and this year we observed massive growth in the use of C-LDAP for reflection/amplification attacks during the second half of the year (Figure AT14). C-LDAP reflection/amplification attacks doubled in the last six months to a peak of 5,464 attacks per week.

Figure AT14 Number of Reflection/Amplification Attacks (Chargen, C-LDAP, SNMP, Portmap and MSSQL; weekly, January to December 2017; C-LDAP peak 5,464 attacks per week). Source: NETSCOUT Arbor
Looking at the whole of 2017, once again DNS, NTP, Chargen and SSDP represent the top reflection/amplification attack vectors (Figure AT15). While the percentages of DNS and NTP attacks remain almost the same as last year, the number of attacks from Chargen and SSDP reflection/amplification has dropped from a combined total of more than 400,000 attacks in 2016 to around 330,000 attacks in 2017. On the other hand, C-LDAP reflection/amplification is definitely on the rise.

Figure AT15 Reflection/Amplification Attacks by Percentage (DNS amplification 47.9%; NTP amplification 29.4%; Chargen, SSDP, C-LDAP, SNMP, Portmap and MSSQL amplification account for the rest, none above 8.0%). Source: Arbor Networks, Inc.

It is also worth mentioning that a lot of the attacks observed are multi-vector attacks, which are attacks where more than one type of vector is deployed simultaneously. For example, in 2017, 10 percent of all reflection/amplification attacks included more than one attack vector (Figure AT16). As many as 5,000 attacks each week were comprised of more than one type of reflection/amplification attack.

Figure AT16 Multi-Vector Reflection/Amplification Attacks (weekly counts of DNS amplification and multi-vector attacks, January to December 2017; multi-vector peak 5,095 attacks per week). Source: NETSCOUT Arbor
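The per-vector weekly counts of Figures AT13 and AT14, the vector shares of Figure AT15 and the multi-vector share of Figure AT16 can all be derived from flow records on the victim side; the following is an added example, not ATLAS or NETSCOUT Arbor code. It labels reflected UDP traffic by the amplifier's well-known source port and, as a simplification of this example only, treats each (ISO week, victim) pair as one attack; the flow records are constructed.

```python
"""Classify reflection/amplification attacks from flow records: an added example, not ATLAS code."""
from collections import Counter, defaultdict
from datetime import datetime

UDP = 17

# Well-known UDP service ports of the amplifier types tracked in Figures AT13-AT16.
# Reflected traffic reaches the victim with one of these as its *source* port.
AMPLIFIER_PORTS = {
    53: "DNS", 123: "NTP", 1900: "SSDP", 19: "Chargen",
    389: "C-LDAP", 161: "SNMP", 111: "Portmap", 1434: "MSSQL",
}

# Constructed flow records: time,src_ip,src_port,dst_ip,dst_port,proto,bytes
# (RFC 5737 documentation addresses; '#' starts a comment).
SAMPLE_FLOWS = """\
2017-07-03T10:00:00,192.0.2.10,53,198.51.100.5,44321,17,3000
2017-07-03T10:00:01,192.0.2.11,123,198.51.100.5,44321,17,4000
2017-07-03T10:00:02,192.0.2.12,53,198.51.100.5,44322,17,3100
2017-07-05T01:00:00,192.0.2.20,53,198.51.100.9,5000,17,2800
2017-07-05T01:00:00,192.0.2.21,443,198.51.100.9,5000,17,900   # UDP/443 is not an amplifier port
2017-07-12T08:00:00,192.0.2.30,389,198.51.100.5,6000,17,5000
2017-07-12T08:00:00,192.0.2.31,80,198.51.100.5,6000,6,1500    # TCP is ignored entirely
2017-07-12T09:00:00,192.0.2.40,53,203.0.113.4,7000,17,2600
"""


def parse_flows(text: str) -> list:
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, sport, dst, dport, proto, nbytes = line.split(",")
        flows.append({
            "time": datetime.fromisoformat(ts), "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": int(proto), "bytes": int(nbytes),
        })
    return flows


def vector_for(flow: dict):
    """Amplification vector name for a flow, or None if it is not UDP from a known amplifier port."""
    if flow["proto"] != UDP:
        return None
    return AMPLIFIER_PORTS.get(flow["sport"])


def attacks_by_week(flows: list) -> dict:
    """Simplification used by this example: one attack per (ISO year, ISO week, victim).
    Returns {(year, week, victim): Counter(vector -> reflected bytes)}."""
    attacks = defaultdict(Counter)
    for f in flows:
        vec = vector_for(f)
        if vec is None:
            continue
        year, week, _weekday = f["time"].isocalendar()
        attacks[(year, week, f["dst"])][vec] += f["bytes"]
    return dict(attacks)


def weekly_vector_counts(attacks: dict) -> dict:
    """Figure AT13/AT14 view: attacks per week per vector (a multi-vector attack counts once per vector)."""
    counts = defaultdict(Counter)
    for (year, week, _victim), vectors in attacks.items():
        for vec in vectors:
            counts[(year, week)][vec] += 1
    return {wk: dict(c) for wk, c in counts.items()}


def multi_vector_share(attacks: dict) -> float:
    """Figure AT16 view: fraction of attacks that used more than one vector at the same time."""
    if not attacks:
        return 0.0
    return sum(len(vectors) > 1 for vectors in attacks.values()) / len(attacks)


def vector_percentages(attacks: dict) -> dict:
    """Figure AT15 view: each vector's share of all (attack, vector) pairs, in percent."""
    pairs = Counter(vec for vectors in attacks.values() for vec in vectors)
    total = sum(pairs.values())
    return {vec: round(100 * n / total, 1) for vec, n in pairs.most_common()}


if __name__ == "__main__":
    found = attacks_by_week(parse_flows(SAMPLE_FLOWS))
    for week, counts in sorted(weekly_vector_counts(found).items()):
        print(f"ISO week {week}: {counts}")
    print(f"multi-vector share: {multi_vector_share(found):.0%}")
    print(f"vector shares: {vector_percentages(found)}")
```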
The average attack size for reflection/amplification is typically higher, as these attacks are designed to be volumetric in nature with the goal of saturating internet bandwidth. Compared to last year, the average attack sizes of reflection/amplification attack vectors decreased slightly (Figure AT17).

Figure AT17 Reflection/Amplification Attacks, Average Attack Sizes (Mbps) (C-LDAP 3,080 Mbps, Chargen 2,007 Mbps and SSDP 1,740 Mbps; the other vectors, Portmap, SNMP, NTP, MSSQL and DNS, average between 1,246 and 2,580 Mbps). Source: NETSCOUT Arbor

The average attack sizes of the reflection/amplification attacks are slightly lower than 2016. Looking at the 2017 timeline graph (Figure AT18), the average attack sizes of most reflection/amplification attacks increased slightly throughout the year, except for Chargen and SSDP attacks.

Figure AT18 Reflection/Amplification Attacks, Average Size Trend (weekly average size in Mbps for C-LDAP, SNMP, Portmap, DNS, MSSQL, NTP, SSDP and Chargen, January to December 2017). Source: NETSCOUT Arbor
The largest reflection/amplification attack monitored this year was a 641 Gbps DNS reflection/amplification attack. In second place was a 622 Gbps NTP attack, a 30 percent increase from last year. In general, peak attack sizes of all reflection/amplification attacks have decreased from last year, except for NTP, C-LDAP and SNMP (Figure AT19).

Figure AT19 Reflection/Amplification Attacks, Peak Attack Sizes (Gbps) (DNS 641 Gbps; NTP 622 Gbps; SSDP, C-LDAP, SNMP, Portmap, Chargen and MSSQL peaked between 104 and 271 Gbps). Source: NETSCOUT Arbor

As mentioned before, DNS and NTP reflection/amplification attacks are the dominant attack vectors. In fact, both DNS and NTP have seen peak attack sizes greater than 600 Gbps. Looking at the peak attack size timeline graph (Figure AT20), attackers are varying the attack vectors, with different protocols being chosen to be the ‘weapon’ used. C-LDAP reflection/amplification became a popular choice during the second half of 2017, growing in size as well as frequency.

Figure AT20 Reflection/Amplification Attacks, Peak Size Trend (Gbps) (weekly peak size for NTP, SSDP, DNS, MSSQL, Portmap, Chargen, C-LDAP and SNMP, January to December 2017). Source: NETSCOUT Arbor
Reflection/Amplification Attacks Source Countries

The following diagram (Figure AT21) shows the source countries where the reflection/amplification attacks originated. This provides us with a rough idea, from the geographical perspective, of where DDoS amplifiers such as open DNS resolvers are being exploited by the attackers.

Figure AT21 Reflection/Amplification Attacks Source Countries

Top five source countries: United States 82.09%; China 69.04%; United Kingdom 66.18%; Germany 64.23%; Canada 63.16%.

Remaining source countries: Russia 61.68%; Brazil 60.90%; Netherlands 60.80%; France 60.66%; Italy 60.03%; Poland 60.03%; Ukraine 58.86%; Romania 58.82%; Spain 58.69%; Turkey 58.23%; Czech Republic 57.80%; Mexico 57.33%; Hong Kong 57.30%; India 57.20%; Sweden 57.18%; Japan 56.60%; Taiwan 55.88%; Vietnam 55.36%; Colombia 54.64%; Australia 53.53%; Indonesia 53.45%; Argentina 53.21%; South Africa 53.11%; Thailand 52.37%; Hungary 52.37%; Bulgaria 52.35%; Chile 51.69%; Singapore 50.43%; Philippines 48.60%; Iran 48.15%; Malaysia 47.30%; Ireland 46.38%; Austria 45.94%; Switzerland 45.88%; Kazakhstan 45.74%; Latvia 45.20%; South Korea 45.14%; Slovakia 45.03%; Denmark 45.03%; Norway 43.93%; Portugal 43.89%; Ecuador 43.87%; Bangladesh 43.73%; Israel 43.44%.

ASERT Special Report
APPLICATION-LAYER ATTACKS
A special report from the NETSCOUT Arbor Security Engineering & Response Team (ASERT)

As DDoS defenses become more effective, it is more difficult to take down well-protected targets. Attackers have responded by using large IoT botnets to launch more sophisticated application-layer DDoS attacks.

In 2016, a sustained attack against security journalist Brian Krebs resulted in Akamai Technologies discontinuing its gratis protection of his website. The attacks had consumed a large part of Akamai’s DDoS defenses, negatively impacting the company’s ability to fulfill its contractual obligations to paying customers. Google’s Project Shield promptly took over and managed to mitigate the attacks until the attacking botnet was taken down in a concerted worldwide effort by major service providers and security organizations.

Building a large IoT botnet takes time and effort. When botnets are used to launch large, highly visible DDoS attacks, there is a risk for the attacker that the compromised IoT devices will be identified and blocked by service providers. This reduces the effectiveness of the botnet. To avoid this, attackers have now started to focus more on application-layer attacks because they can achieve successes using smaller botnets that produce lower levels of traffic. Application-layer attacks are also effective because they are small in size and will, in most cases, not be picked up proactively by cloud-based managed DDoS protection services. This leaves the task of defending against the attack to the target itself.
The Anatomy of Application-Layer Attacks

Delivery of internet content typically utilizes a number of services, applications and infrastructure components.

1 Domain Name Services (DNS): Convert fully qualified domain names (FQDNs) to IP addresses. The response is often based on the user’s location and the state of the services which the user is attempting to reach.

2 Load Balancers: Use a combination of the URL contents and the state of the application servers to redirect the user to an appropriate destination.

3 Application Servers: Examine the URL and retrieve the content which the user is requesting from other services, including database servers. Modern service oriented architectures (SOAs) use a hierarchy of fine-grained, lightweight microservices, each optimized to deliver its part of the response in the most efficient manner possible.

4 Database Servers: Used by the application servers for retrieving and storing content which is then presented to the user.

As IoT devices are now the preferred weapon of choice for launching DDoS attacks, it has become easy to use those devices to launch advanced application-layer attacks. IoT devices are online 24x7 and have enough capabilities to launch complex attacks.

Attacks Against DNS Infrastructures

On October 21, 2016, a series of large DDoS attacks using IoT devices was launched against the managed DNS server provider Dyn, resulting in the outage of major brand name services. In fact, these services were perfectly okay and had no issues. However, Dyn’s DNS service was not working, resulting in users being unable to resolve domain names to IP addresses.

The attack used against Dyn was a Pseudo Random DNS Query application-layer DDoS attack which attaches a pseudo random label, such as “4asg7vds6tsct.www.netflix.com,” to the DNS name of the victim. These queries are unlikely to be in cache for a recursive DNS service, so they will be forwarded to the Authoritative DNS server for the domain. The Authoritative DNS server will respond with a NXDOMAIN message, which in turn will be returned by the Recursive DNS server back to the original client.

If the client now sends another query with a different random label, the same process will be repeated. If the attacker now instructs thousands of clients to send these random queries as fast as they can, the Recursive server and the Authoritative server will very quickly start to run out of resources and be unable to answer queries from legitimate clients. When using shared DNS services, there is a risk that the attack will cause collateral damage, resulting in the outage of all customers using that service. This is what happened in the Dyn attack.
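The pseudo-random label attack described above leaves a distinctive trace in a resolver's query log: a zone whose answers are mostly NXDOMAIN, where every failing query carries a fresh high-entropy leftmost label, spread across many client addresses. The following detector, added here as an illustration and not code from the report or from ASERT, scores each zone on exactly those three signals. The log format, the sample log lines and the idea that the victim zone is the last two labels of the query name are all constructed assumptions for this example; a production detector would split on the real zone cut and work on a sliding window of queries.

```python
import math
from collections import defaultdict

# Constructed resolver query log (not data from the report), one query per line:
# "<unix_ts> <client_ip> <qname> <qtype> <rcode>". The six queries from
# 198.51.100.x carry random leftmost labels under www.example.test.
SAMPLE_LOG = """\
1510000001 10.0.0.5 www.example.test A NOERROR
1510000001 10.0.0.6 mail.example.test A NOERROR
1510000002 198.51.100.10 k3j9dls0aq2.www.example.test A NXDOMAIN
1510000002 198.51.100.11 zx81qwe7p0m.www.example.test A NXDOMAIN
1510000002 198.51.100.12 0pl9km3nb7v.www.example.test A NXDOMAIN
1510000003 198.51.100.13 q2w3e4r5t6y.www.example.test A NXDOMAIN
1510000003 198.51.100.14 a9s8d7f6g5h.www.example.test A NXDOMAIN
1510000003 198.51.100.15 m1n2b3v4c5x.www.example.test A NXDOMAIN
1510000004 10.0.0.7 www.example.test AAAA NOERROR
1510000004 10.0.0.8 shop.other.test A NOERROR
1510000004 10.0.0.9 blog.other.test A NOERROR
1510000005 10.0.0.9 typo.other.test A NXDOMAIN
"""


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; pseudo-random labels score high,
    dictionary-like labels such as 'www' or 'typo' score low."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label.lower():
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> list:
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, rcode = parts
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.rstrip(".").lower(),
                        "qtype": qtype, "rcode": rcode.upper()})
    return records


def zone_of(qname: str) -> str:
    """Assumption for this example: the victim zone is the last two labels.
    A real deployment would use the public suffix list or the actual zone cut."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def zone_stats(records: list) -> dict:
    """Per-zone counters: total queries, NXDOMAIN answers, distinct leftmost
    labels and distinct clients behind the NXDOMAINs, and summed label entropy."""
    stats = {}
    for r in records:
        z = zone_of(r["qname"])
        s = stats.setdefault(z, {"total": 0, "nxdomain": 0, "nx_labels": set(),
                                 "nx_clients": set(), "entropy_sum": 0.0})
        s["total"] += 1
        if r["rcode"] == "NXDOMAIN":
            leftmost = r["qname"].split(".")[0]
            s["nxdomain"] += 1
            s["nx_labels"].add(leftmost)
            s["nx_clients"].add(r["client"])
            s["entropy_sum"] += label_entropy(leftmost)
    return stats


def flag_random_label_attack(records: list, min_queries: int = 5,
                             nx_ratio: float = 0.5, min_entropy: float = 3.0,
                             min_clients: int = 3) -> list:
    """Return (zone, nxdomain_ratio, mean_entropy, client_count) for zones whose
    traffic looks like a pseudo-random label flood: mostly NXDOMAIN, each failing
    query carrying a fresh high-entropy label, spread over many clients. Zones
    with too few queries are skipped so a single typo never fires the rule."""
    flagged = []
    for z, s in zone_stats(records).items():
        if s["total"] < min_queries or s["nxdomain"] == 0:
            continue
        ratio = s["nxdomain"] / s["total"]
        mean_entropy = s["entropy_sum"] / s["nxdomain"]
        unique_ratio = len(s["nx_labels"]) / s["nxdomain"]
        if (ratio >= nx_ratio and mean_entropy >= min_entropy
                and unique_ratio >= 0.9 and len(s["nx_clients"]) >= min_clients):
            flagged.append((z, round(ratio, 2), round(mean_entropy, 2),
                            len(s["nx_clients"])))
    return sorted(flagged)


if __name__ == "__main__":
    for zone, ratio, ent, clients in flag_random_label_attack(parse_log(SAMPLE_LOG)):
        print(f"{zone}: NXDOMAIN ratio {ratio}, mean label entropy {ent}, "
              f"{clients} clients")
```

On the sample log only example.test is flagged: two thirds of its queries are NXDOMAIN, the failing labels are all distinct with about 3.46 bits per character, and they come from six different clients, while the single mistyped name under other.test never reaches the query minimum. The three thresholds are the tuning knobs a resolver operator would adjust against a baseline of normal NXDOMAIN rates before acting on the output, for example by rate-limiting queries for the flagged zone rather than for the whole resolver.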
Attacks Against Application Servers

Application-layer attacks have been around for many years but in 2017 there was a significant increase in attacks focused on application servers.

Traditionally attackers used attacks like Slowloris, which opens multiple HTTP connections and then keeps them open. Attackers also used SSL-based attacks, which start the establishment of SSL sessions but never complete them. The goal of both of these attacks is to fill up connection tables and block legitimate users from connecting. In 2017, a new type of application-layer attack focused on attacking modern service oriented architectures (SOA) was discovered by Netflix.

Microservices are becoming popular and are often implemented using Docker and other lightweight application frameworks that are designed to be modular to develop and deploy. An application based on such an architecture will often consist of hundreds of microservices, all of which are heavily interconnected and use API calls to interact with each other. Some of these microservices will require more CPU resources than others. A clever attacker can map out which microservices are more CPU intensive than others and then focus an attack on those. This can result in high CPU load on the application server.

Mitigating Application-Layer Attacks

All of the attacks mentioned previously do not require high bandwidth and will, in most cases, not be picked up by volumetric DDoS defenses offered by managed DDoS providers. To detect and mitigate these attacks, it is usually necessary to have an application-centric DDoS mitigation device monitoring traffic destined to these servers. This kind of device can identify and then either mitigate the attack itself or automatically invoke cloud-based DDoS mitigation solutions to filter away the attack traffic.
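Both connection-table attacks described above (held-open HTTP connections and never-completed SSL sessions) are invisible to volumetric defenses because they cost almost no bandwidth; what they do consume is slots in the server's connection table. The check below, added here as an illustration and not code from the report, runs over a constructed snapshot of such a table and picks out the sources holding many connections that have gone quiet without ever completing a handshake or a request. The connection record format, the sample snapshot and the thresholds are assumptions for this example; on a real host the same fields can be read from the server's connection accounting or from socket statistics.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    """One entry of a server's connection table (constructed for this example)."""
    src: str        # client address
    state: str      # "ESTABLISHED" (TCP up, HTTP request pending) or "TLS_HANDSHAKE"
    idle_s: float   # seconds since the client last sent a byte
    bytes_in: int   # bytes received from the client on this connection


# Constructed snapshot, not data from the report: one source holds six
# connections that each sent a few header bytes and went quiet (Slowloris
# pattern), another holds five TLS handshakes it never completes, and the
# rest are ordinary clients, including an idle keep-alive after a full request.
SAMPLE_TABLE = (
    [Conn("203.0.113.7", "ESTABLISHED", 90.0 + i, 41) for i in range(6)]
    + [Conn("203.0.113.9", "TLS_HANDSHAKE", 60.0 + i, 0) for i in range(5)]
    + [Conn("198.51.100.20", "ESTABLISHED", 0.4, 812),
       Conn("198.51.100.21", "ESTABLISHED", 1.2, 1304),
       Conn("198.51.100.22", "ESTABLISHED", 45.0, 2950),   # keep-alive, request done
       Conn("198.51.100.23", "TLS_HANDSHAKE", 0.1, 0)]     # handshake just started
)


def is_held_open(c: Conn, idle_threshold_s: float, partial_request_bytes: int) -> bool:
    """A connection counts as 'held open' when the client has gone quiet for
    idle_threshold_s without finishing what it started: either the TLS
    handshake is still pending, or fewer than partial_request_bytes arrived
    (a complete request would be larger). An idle keep-alive that already
    carried a full request is not flagged, which is the case a plain idle
    timer gets wrong."""
    if c.idle_s < idle_threshold_s:
        return False
    if c.state == "TLS_HANDSHAKE":
        return True
    return c.state == "ESTABLISHED" and c.bytes_in < partial_request_bytes


def find_connection_holders(table, idle_threshold_s=30.0,
                            partial_request_bytes=512, per_source_limit=4) -> dict:
    """Map source -> number of held-open connections, for sources at or above
    per_source_limit. These are the sources to rate-limit or reset first."""
    held = defaultdict(int)
    for c in table:
        if is_held_open(c, idle_threshold_s, partial_request_bytes):
            held[c.src] += 1
    return {src: n for src, n in held.items() if n >= per_source_limit}


def table_pressure(table, capacity: int, **kw) -> float:
    """Fraction of the connection table capacity consumed by held-open
    connections from flagged sources; the closer to 1.0, the closer legitimate
    clients are to being refused. Keyword arguments go to find_connection_holders."""
    held = sum(find_connection_holders(table, **kw).values())
    return held / capacity if capacity > 0 else 0.0


if __name__ == "__main__":
    for src, n in sorted(find_connection_holders(SAMPLE_TABLE).items()):
        print(f"{src}: {n} connections held open")
    print(f"table pressure: {table_pressure(SAMPLE_TABLE, capacity=20):.2f}")
```

On the sample snapshot the two attacking sources are reported with six and five held-open connections, and with a table capacity of 20 they occupy 55 percent of it, while the keep-alive connection from 198.51.100.22 stays unflagged because it already delivered a complete request. The per-source limit is the lever that keeps the rule from penalising a busy NAT gateway; raising it trades sensitivity for fewer false positives.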

Attacks Against SQL Servers

SQL injection attacks have existed for many years but they have primarily been used for infiltrating websites and for exfiltration of valuable data.

In 2017, there was a major increase in specially crafted SQL injection attacks which use benchmarking tools within the database to cause the database server to consume as much CPU as possible. This attack forces the SQL server to consume a massive amount of CPU resources for each query. This leaves no resources for the application server and results in the website being unable to respond to legitimate queries. One example of such an attack tool is the #RefRef DDoS tool which uses the MySQL Benchmark command to inject CPU-intensive SQL commands.

Summary

As volumetric DDoS defenses become more effective, attackers have increasingly turned to application DDoS attacks which focus on specific implementation of protocol weaknesses. Applications like DNS, HTTP and HTTPS, the latter often used for API access as well as user interaction, must be protected using layered DDoS defenses.
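The CPU-exhaustion SQL injection described above only works because user input reaches the database as statement text, where it can introduce function calls such as a benchmarking routine. The example below, added here as an illustration and not code from the report, shows the defective string-spliced query beside its parameterized form, plus a per-statement execution budget that bounds the damage of any expensive query that does reach the database. It is written against Python's sqlite3 so it runs anywhere; the table, its rows, the probe input and the deliberately heavy query are constructed for the example, and the budget uses SQLite's progress handler as a stand-in for a server-side statement timeout such as MySQL's max_execution_time.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows (not data from the report)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn, name: str) -> list:
    """The defect: user input is spliced into the statement text, so whatever
    the caller supplies is parsed as SQL, including clauses and function calls."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name: str) -> list:
    """Parameterized form: the input is bound as a value after parsing and can
    never add clauses or function calls to the statement."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# A deliberately expensive statement standing in for any CPU-heavy query that
# reaches the database (constructed; SQLite has no BENCHMARK() function).
HEAVY_QUERY = ("WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c "
               "WHERE x < 5000000) SELECT count(*) FROM c")


def run_with_budget(conn, sql: str, max_ticks: int, params=()) -> tuple:
    """Execute sql but abort it once SQLite's progress handler has fired
    max_ticks times (it is invoked every 1000 VM instructions). This is the
    per-statement execution budget behind server-side statement timeouts,
    expressed with the sqlite3 API so it runs here.
    Returns ("ok", rows) or ("aborted", None)."""
    ticks = {"n": 0}

    def handler():
        ticks["n"] += 1
        return 1 if ticks["n"] > max_ticks else 0   # non-zero interrupts the query

    conn.set_progress_handler(handler, 1000)
    try:
        return ("ok", conn.execute(sql, params).fetchall())
    except sqlite3.DatabaseError:   # raised as "interrupted" when the budget is hit
        return ("aborted", None)
    finally:
        conn.set_progress_handler(None, 0)


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"            # tautology input used only for the comparison
    print("vulnerable:", find_user_vulnerable(conn, probe))   # returns every row
    print("safe:      ", find_user_safe(conn, probe))         # returns no rows
    print("budgeted heavy query:", run_with_budget(conn, HEAVY_QUERY, 50)[0])
```

With the tautology probe the spliced query returns all three rows while the parameterized one returns none, because the bound value is compared literally against the name column. The budgeted run of the heavy query is cut off after roughly 50,000 VM instructions and the connection stays usable afterwards, which is the property a web tier needs: a single expensive statement, injected or not, cannot monopolise the database for longer than the budget allows. Parameterization removes the injection path; the budget is the second layer for queries that are legitimately expensive.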
ENTERPRISE, GOVERNMENT + EDUCATION (EGE)

Network Security

With three major attacks in 2017, WannaCry, Petya and Bad Rabbit, it is not surprising to see “ransomware” appearing right at the top of the list of threats experienced by enterprise, government and education (EGE) organizations at 35 percent (Figure 63). DDoS dropped to second place, with a slight decrease in the proportion of respondents experiencing attacks. However, with DDoS and ransomware both being experienced by over 30 percent, a significant number of organizations experienced one or both of these threats within the last 12 months.

Looking to the future, ransomware is top of mind as a key threat, with nearly two thirds concerned about this risk (Figure 63). Advanced persistent threats (APT) are also still an important concern for 57 percent, slightly down from 61 percent last year. It is notable that for the last couple of years, APTs ranked as a high concern, yet only a small segment (15 percent in 2017 and 28 percent in 2016) actually experienced these threats. The percentage of EGE respondents concerned about DDoS has increased slightly to 54 percent.

Figure 63 EGE Threats vs. Concerns (percentage of respondents: EGE threat experienced / EGE concern)
Ransomware                                                            35% / 64%
Internet connectivity congestion due to DDoS attack                   32% / 54%
Internet connectivity congestion due to genuine traffic growth/spike  30% / 29%
Accidental major service outage                                       27% / 38%
Accidental data loss                                                  26% / 49%
Extortion for DDoS threat/attack                                      17% / 41%
Botted or otherwise compromised hosts on your corporate network       17% / 36%
Advanced persistent threat (APT) on corporate network                 15% / 57%
Malicious insider                                                     13% / 46%
Exposure of sensitive, but non-regulated data                         12% / 37%
Exposure of regulated data                                             6% / 38%
Industrial espionage or data exfiltration                              5% / 31%
None of the above                                                     14% /  2%
Other                                                                  4% /  4%
For the third consecutive year, firewalls, IPS/IDS and SIEM were the top three most utilized tools to detect threats on EGE networks (Figure 64), all of which saw an increase in their use. The use of inline DDoS detection/mitigation systems dropped by nine percent this year to 40 percent, even though DDoS attacks were still a top threat and hybrid/layered DDoS defense is an established best practice.

This year, respondents chose SNMP-based tools and customer calls/helpdesk tickets more often than NetFlow-based analyzers for threat detection, indicating a concerning reduction in threat visibility.

Figure 64 Threat Detection (chart; tools listed: Firewall logs, IDS/IPS, Security information and event management (SIEM) platforms, SNMP-based tools, Customer call/help desk ticket, NetFlow based analyzers (Arbor SP), In-house developed scripts/tools, Inline DDoS detection/mitigation system (Arbor APS), Service assurance/monitoring solutions, Routing analysis and anomaly detection tools, MSSP/cloud-based third-party services, Other; values shown: 83%, 72%, 57%, 48%, 44%, 43%, 40%, 39%, 37%, 36%, 27%, 3%; the text gives 40% for inline DDoS detection/mitigation)
DDoS Attacks

Forty-one percent of enterprise, government and education (EGE) organizations experienced DDoS attacks in the past year. DDoS continues to be used as a diversion within advanced threat campaigns and other malicious activity. The percentage of respondents that observed more than 100 DDoS attacks during 2017 (Figure 65) more than doubled over the previous year. This sharp increase was expected because of the proliferation of IoT-based DDoS-for-hire services and anecdotal feedback from customers.

Figure 65 DDoS Attack Frequency (attacks in last 12 months)
1–10 attacks      60%
11–20 attacks     10%
21–50 attacks     12%
51–100 attacks     4%
100+ attacks      13%
Source: Arbor Networks, Inc.

Nearly half of all respondents that were attacked reported seeing 1 to 10 DDoS attacks over the past year: 44 percent in Europe, 50 percent in APAC and 68 percent in North America.

Of those that experienced DDoS attacks, 57 percent saw their internet bandwidth saturated due to an attack, up from 42 percent in the previous year. This is unfortunate but clearly illustrates the need for upstream or cloud-based mitigation services that can handle large volumetric attacks.

Up slightly from last year, 68 percent reported that customer-facing services and applications were the most common targets of DDoS attacks on EGE networks (Figure 66). Networking infrastructure, which was first last year, came in second at 61 percent. DDoS attacks increasingly targeted the application layer, a trend that we have been observing in recent years. This once again highlights the need for a layered-defense strategy.

Figure 66 Targets of DDoS Attacks
Customer facing services + applications    68%
Infrastructure                             61%
Third-party data center or cloud service   13%
SaaS services                              11%

Over half of EGE respondents had firewalls or IPS devices that experienced a failure or contributed to an outage during a DDoS attack (Figure 67). While stateful security devices can play a useful role, they are especially vulnerable to state-exhaustion attacks. Even the latest firewalls are susceptible to DDoS attacks, so these issues remain consistent year-on-year.

Figure 67 Firewall + IPS Failure
Yes                                                   51.6%
No                                                    46.8%
These devices are not deployed in our infrastructure   1.6%

Looking at the longest DDoS attack duration (Figure 68), 84 percent experienced DDoS attacks lasting less than one day, a decrease from 89 percent in the previous year. Further, there was a significant decline in attacks of less than seven hours, falling from 72 percent down to 59. This is surprising given the general trend of shorter duration attacks we’ve observed in the wild.

Figure 68 DDoS Attack Duration
Less than 7 hours   59%
7–12 hours           8%
13–24 hours         17%
1–3 days            11%
4–7 days             3%
1–4 weeks            2%
Source: Arbor Networks, Inc.

DDoS attacks are traditionally broken down into three main categories:
1. Volumetric
2. State-Exhaustion
3. Application-Layer

For the second consecutive year, there was a decrease in volumetric attacks, from 60 percent last year to 52 percent in 2017 (Figure 69). This was mirrored by an increase in application-layer attacks from 25 percent to 32 percent. This is not surprising as large volumetric attacks are typically mitigated upstream and EGE network operators have better visibility of their own applications than service providers.

These percentages are starkly different than those reported by our service provider respondents, who saw a far lower number of application-layer attacks (12 percent) and more volumetric attacks (76 percent). This further illustrates why a layered-defense strategy is key in the fight against DDoS attacks; a more focused view of traffic at the enterprise or data center level is needed to identify and block stealthy attacks.

Figure 69 DDoS Attack Types
Volumetric          52%
Application-Layer   32%
State-Exhaustion    16%
Source: Arbor Networks, Inc.

Figure 70 Targets of Application-Layer Attacks
HTTP       73%
DNS        69%
HTTPS      68%
Email      37%
SIP/VoIP   19%
Other      12%

EGE organizations also saw more DDoS attacks targeting their email and VoIP services, suggesting the focus of DDoS attackers has shifted to exploiting more vulnerable services.

HTTP remained the most targeted application-layer service for DDoS attacks, but there was a decrease in the percentage of respondents seeing these attacks, from 85 to 73 (Figure 70). In contrast, DNS jumped from the third spot last year to second place, with 69 percent seeing this service targeted, up from 59 percent. HTTPS was also targeted more, at 68 percent up from 63 in the previous year.

The above application services were also the top three targeted as reported by service providers. However, DNS was the top target at 82 percent, followed by HTTP at 80 percent and HTTPS at 61 percent.

DDoS attacks targeting encrypted web services have become increasingly common in recent years (Figure 71). While there was a small decrease in the number of detected attacks targeting the encrypted service at the application layer (from 57 percent last year to 53 currently), the overall results remained mostly unchanged. A higher proportion of EGE respondents witnessed attacks targeting the SSL/TLS protocol than service providers (42 percent compared to 29 percent). The variation in results between EGE and service provider respondents is, as noted above, likely due to the higher granularity of visibility available when the monitoring solution is closer to the services being attacked. The ability to look inside encrypted traffic may also be a factor.

Figure 71 Encrypted Application-Layer Attacks (chart; categories: Targeting the service at the application layer 53%, Targeting the SSL/TLS protocol 42%, Targeting the TCP/UDP port, Not applicable; the two remaining values shown are 54% and 15%)

EGE respondents reported a clear increase in multi-vector DDoS attacks, up from 40 percent in the previous year to 48 percent (Figure 72). These incidents utilize multiple, simultaneous vectors to maximize the attackers’ ability to disrupt service availability. This was expected given the increased sophistication of weaponized DDoS services seen in our research. The positive news is that EGE respondents now have better visibility to mitigate such threats.

Figure 72 Multi-Vector Attacks (Observed multi-vector DDoS attacks?)
Yes           48%
No            32%
Do not know   20%

The motives behind the DDoS attacks were extremely varied again in 2017 (Figure 73). There was a substantial increase in criminals showcasing their capabilities to potential victims, with 49 percent seeing this as a common motivation compared to 27 percent the previous year. This, combined with a slight increase in respondents seeing criminal extortion as a motivation, can possibly be attributed to high-profile ransomware campaigns such as WannaCry, Petya, and Bad Rabbit.

One other interesting statistic is the increase in nihilism/vandalism as a common motivation, which was up from 26 to 37 percent. Based on anecdotal evidence, this is likely the result of collateral damage due to the rise of DDoS for hire services and attacks casting a wider, more random net of targets.

Figure 73 DDoS Attack Motivations (chart; motivations listed: Criminals demonstrating DDoS attack capabilities to potential customers 49%, Nihilism/vandalism 37%, Political/ideological disputes, Criminal extortion attempt, Diversion to cover compromise/data exfiltration, Misconfiguration/accidental, Financial market manipulation, Inter-personal/inter-group rivalries, Competitive rivalry between business organizations; the remaining values shown are 34%, 33%, 27%, 24%, 22%, 16% and 15%)

Unfortunately, some of the most popular DDoS mitigation tools (firewalls, IPS and load-balancers) are also the least effective.

As in previous years, firewalls, IPS, WAF and access control lists (ACLs) remained the most common DDoS mitigation mechanisms for more than half of the respondents (Figure 74). The use of firewalls, IPS and WAF remains a concern as those devices are susceptible to state-exhaustion attacks, which were experienced by over a half of respondents.

Of equal concern was the sharp increase in the use of firewalls for mitigating DDoS attacks, at 62 percent up from 49 percent previously. There were only slight changes in the deployment of Intelligent DDoS Mitigation Systems (IDMS) at 43 percent, and the utilization of both hybrid and pure cloud-based DDoS mitigation services, each at 33 percent.

As in previous years, we also asked our EGE respondents to rank the effectiveness of the mitigation techniques they are currently using. Intelligent, cloud-based and layered/hybrid DDoS mitigation systems were reported as the most effective techniques by nearly three quarters of respondents (Figure 74). Layered/hybrid systems took the first spot at 30 percent, followed closely by IDMS at 25 percent. Not surprisingly, while the majority used firewalls, IPS and WAF for DDoS mitigation, very few found them to be the most effective solution.

Figure 74 DDoS Mitigation Techniques vs. Most Effective DDoS Mitigation Techniques (chart; techniques listed: Firewall, Access control lists (ACLs), IPS/WAF, Intelligent DDoS mitigation systems (IDMS) at network perimeter (Arbor APS), Load-balancer, Cloud-based DDoS mitigation service, Layered/hybrid DDoS protection system (integrated network perimeter and cloud), Source-based remote triggered blackhole (S/RTBH), Destination-based remote triggered blackhole (D/RTBH), Content delivery network (CDN), FlowSpec, Quarantine system, Other; values confirmed in the text: Firewall 62%, IDMS 43%, Layered/hybrid 33% and Cloud-based 33% in use; Layered/hybrid 30% and IDMS 25% rated most effective)

The faster DDoS attacks are successfully mitigated, the more the operational, financial and customer impact is limited. Seventy-five percent of organizations indicated that they could mitigate a DDoS attack in less than one hour (Figure 75), a very similar and encouraging result to last year.

Approximately a quarter of the respondents reported immediate mitigation capabilities via on-premise devices or “always-on” cloud services last year. In 2017, the number increased to nearly a third, which is also a good sign.

Figure 75 DDoS Attack Mitigation Time
Immediate mitigation via on-premise device or “always-on” cloud service   30%
Less than 15 minutes                                                       21%
Less than 30 minutes                                                       11%
Less than 1 hour                                                           13%
1–3 hours                                                                  21%
We do not mitigate attacks                                                  3%

Business impacts due to DDoS attacks continued to vary greatly (Figure 76). Reputation/brand damage and operational expense were still the two main business impacts, the former cited by 57 percent, an increase from 48 percent last year. There was also a big jump in respondents reporting revenue loss as a business impact, up to 32 percent from just 17 percent previously.

Figure 76 Business Impacts of DDoS Attacks (chart; impacts listed: Reputation/brand damage 57%, Increased operational expense, Revenue loss 32%, Loss of customers, Specialized IT security remediation and investigation services, Extortion payments, Increase in cybersecurity insurance premium, Regulatory penalties and/or fines, Loss of executive or senior management, Stock price fluctuation; the other values shown are 42%, 30%, 25%, 11% and 9%)

We asked respondents to estimate the average total cost of a major DDoS attack on their business (Figure 77). Like last year, the vast majority reported a total cost below $10,000. However, over ten percent estimated a cost greater than $100,000, five times greater than previously seen. This indicates either that the cost of a DDoS attack has increased significantly, or that more organizations are now aware of the true impact to their business.

Figure 77 Cost of DDoS Attacks (chart; bins: Less than $10,000 55%, $10,000 to $25,000, $25,000 to $50,000, $50,000 to $100,000, $100,000 to $100,000,000, More than $100,000,000; the other values shown are 14%, 9%, 9% and 3%)
Source: Arbor Networks, Inc.

To provide greater insight into the above, we asked whether DDoS was part of their recurring risk analysis (Figure 78). Seventy-seven percent reported that it was either a part of their business or IT risk assessments, up from 70 percent last year. This is an encouraging trend that we expect to become more prevalent.

Figure 78 DDoS Risk Analysis
Yes, part of business risk assessment   39%
Yes, part of IT risk assessment         38%
No                                      16%
Do not know                              7%
Source: Arbor Networks, Inc.

As in previous years, we also asked a more general question about the cost of internet downtime. The majority of our respondents could not quantify this, even though more than half of them had experienced a DDoS attack that exceeded the total bandwidth available to their organization, which would have resulted in downtime.

For those that could quantify their downtime, 38 percent reported the cost at $501 to $1,000 per minute, up significantly from 23 percent in the previous year (Figure 79). This again highlights the need for proactive defenses, as organizations become more dependent on the internet for their daily business needs.

Figure 79 Cost of Internet Downtime (chart; bins: Under $500 per minute 35%, $501 to $1,000 per minute 38%, $1,001 to $5,000 per minute, $5,001 to $10,000 per minute, $10,001 to $20,000 per minute, Over $20,001 per minute; the other values shown are 12%, 8%, 4% and 4%)
Source: Arbor Networks, Inc.

SDN/NFV

Again in 2017, enterprise, government and education (EGE) respondents had fewer plans to utilize SDN/NFV than their service provider counterparts. Nineteen percent had plans to deploy SDN/NFV technologies, while just under a quarter were investigating or testing solutions, a slight increase from last year (Figure 80).

Figure 80 EGE SDN/NFV Deployment
No                                      59%
We are investigating/trialing now       23%
We are implementing now                  6%
Plan to implement in next year           5%
Plan to implement in next 2+ years       8%

As with service providers, the number one barrier to SDN/NFV deployment within EGE network infrastructures was operational concerns at 56 percent, followed by interoperability and cost (Figure 81). This highlights a shift in the perception, as last year, cost was the main barrier. However, as the industry and market evolves, cost has become less of a concern and operational concerns are coming to the forefront.

Figure 81 EGE SDN/NFV Key Barriers
Operational Concerns                        56%
Interoperability                            53%
Cost                                        46%
Performance Concerns                        46%
Vendor Support                              36%
Stability                                   29%
Scalability                                 27%
Security Concerns                           25%
Telemetry Acquisition                       22%
Business Support System (BSS) Integration    7%

Figure 82 EGE SDN Network Domains
Data center infrastructure                          73%
Data center security                                47%
Wide area networks (WAN, including SD-WAN)          46%
Local area networks (LAN)                           41%

The data center is the domain where most EGE respondents would like to utilize SDN (Figure 82). Here, infrastructure and security were the most common areas with 73 percent and 47 percent respectively. This aligns with service providers, where data center infrastructure was also an area of focus. Both EGE and service provider customers are looking at applying SDN to build global overlay networks, including SD-WAN. As the domain for SDN, WAN was in third place for EGE, with 46 percent looking at this technology area.

NFV use within the EGE infrastructure seems to be moving forward. Firewalls were the most common NFV application, with 25 percent using this virtual functionality (Figure 83). Nineteen percent indicated they were using NFV for router and CPE functions, which correlates with service providers’ intent.

Figure 83 EGE NFV Network Domains (chart; functions listed: Firewall 25%, Routers/CPE 19%, Access/VPN, DDoS, Sandbox, WAF, IPS/IDS, Load Balancing, Not Applicable, Other; the other values shown are 19%, 14%, 5%, 5%, 2% and 2%)
Source: Arbor Networks, Inc.
IPv6 Service Availability

WORLDWIDE
INFRASTRUCTURE
SECURITY REPORT IPv6 Sixty percent of the EGE respondents provide internet-facing
services with IPv6 support (Figure 85) and 65 percent have
deployed IPv6 on their private networks (Figure 86), both down
slightly from 2016. The percentage of organizations with no
60% plans to implement IPv6 also appears to have leveled off.
TABLE OF
CONTENTS
In 2017, just over a third of On a positive note, even though the rollout of IPv6 services
enterprise, government and appears to have stalled within EGE respondents, the already
30%
INTRODUCTION education (EGE) organizations high proportion with IPv6 deployed indicates that any new
were operating IPv6 in their apps requiring IPv6 will be supported. The tools and telemetry
environments or planning to to monitor and protect the apps are mostly in place.
KEY FINDINGS in the coming year (Figure 84).
10% In 2016, 27 percent of EGE networks fully supported IPv6
This is down a few points from
SERVICE PROVIDER 2016, but a higher percentage telemetry and we are happy to report that 45 percent of
than 2015. respondents indicated this was the case in 2017 (Figure 87).
Yes
This increase is encouraging and shows the need for IPv6
ATLAS SPECIAL No, no plans monitoring as it becomes more important to business functions.
REPORT IPv6 Flow Telemetry
OP E R AT I N G I P v 6 OR No, but we are planning for this
P L ANN I NG T O D E P LOY ?
ASERT SPECIAL
InternalFigure
IPv685Deployment
IPv6 Service Availability
45%
REPORT: PART 1
Source: Arbor Networks, Inc.
YES 27%
ENTERPRISE,

34%
GOVERNMENT +
12%
EDUCATION (EGE)

6%
ASERT SPECIAL
65%
REPORT: PART 2 6%
22%
DNS OPERATORS 4%
NO
0% 10% 20% 30% 40% 50%

66%
CONCLUSION
14%
Yes, fully supported today New hardware, supported
ABOUT THE but on new hardware only
Partial, some vendors support
AUTHORS IPv6 flow telemetry today, No, support is on a long-term
Figure 84 IPv6 Operation Yes some do not roadmap (greater than 1 year)

No, no plans Will soon, they will support No, will not support
GLOSSARY
flow telemetry for IPv6 in
No, but we are planning for this the next 12 months

Figure 86 Internal IPv6 Deployment Figure 87 IPv6 Flow Telemetry

Source: Arbor Networks, Inc.

PREVIOUS 69 NEXT
More than 60 percent of EGE respondents deployed visibility solutions for IPv6 traffic, up from 57 percent last year (Figure 88). This increase is smaller than anticipated given the growth in the number of respondents who can now gather telemetry from their networks as mentioned previously.

Figure 88 IPv6 Operation (Have a visibility solution in place to monitor IPv6 traffic? Yes 61%, No 39%).

EGE organizations had very similar opinions to those of service providers when it came to the shared risk of IPv4 and IPv6 dual stack services (Figure 89). EGE respondents were more likely to be concerned at some level than their service provider counterparts, but the results were broadly similar.

Figure 89 IPv6 Impact on IPv4 Services (Dual-Stack Devices): No concern 4%, Minor concern 47%, Moderate concern 37%, Major concern 12%.

In 2017, the biggest security concern for EGE respondents remained DDoS, with an almost identical result to the previous year (Figure 90). Botnets, which were in second position in 2016, were pushed down to fourth place despite a similar proportion reporting that this still was a concern. Misconfiguration and inadequate feature parity each increased by more than 10 percent.

Among all of the EGE respondents, only eight percent observed IPv6 DDoS attacks compared to 25 percent in 2016. We have been waiting for a steady growth trend to emerge in this area for a number of years, but the widespread use of IPv6 for mission critical applications is still not an actuality, as most attacks are still directed toward IPv4 services.

Figure 90 IPv6 Security Concerns: Traffic floods/DDoS 70%, Misconfiguration 64%, Inadequate IPv4/IPv6 feature parity 62%, Botnets 55%, Host scanning 45%, Visibility (cannot see the data today) 43%, Stack implementation flaws 43%, Subscribers using IPv6 to bypass application rate limiting 32%.
Organizational Security

EGE SOC Resources

Forty-eight percent of EGE respondents had an internal security operations center (SOC) team in place in 2017, a slight increase from 46 percent the previous year (Figure 91). In contrast, around 60 percent of the service providers indicated they had internal SOC teams, highlighting the ongoing struggle EGE organizations face in building and maintaining an internal security team of skilled practitioners.

Because of this, 37 percent relied on third-party and outsourced services, a jump from 28 percent the previous year. Fully outsourced SOC teams accounted for 16 percent, a significant increase from nine percent the previous year. This reliance on outsourcing in EGE organizations exceeded service providers by a factor of two, a trend that we expect to continue in the future. The use of external resources reduced the percentage with no SOC capabilities from 26 percent in 2016 to 15 percent, a very positive result.

Figure 91 EGE Security Operations Center Resources: Internal SOC team 48%, Internal SOC with supplemental third-party (hybrid) 21%, Third-party SOC (outsourced) 16%, No SOC resources 15%. Source: Arbor Networks, Inc.

Ninety percent of EGE organizations had some dedicated security personnel in 2017 (Figure 92), a slight decrease from 93 percent in 2016, but still a higher percentage than service providers. Only 14 percent of EGE respondents, compared with about a quarter of the service providers, had 30 or more dedicated security staff internally. The smaller security teams may be a result of the reliance on outsourcing for SOC capabilities.

Figure 92 EGE Dedicated Security Personnel: 0 security personnel 10%, 1–5 security personnel 41%, 6–10 security personnel 15%, 11–15 security personnel 9%, 16–20 security personnel 6%, 21–30 security personnel 6%, 30+ security personnel 14%.
Looking at the challenges faced in building out operational security (OPSEC) teams, the EGE responses aligned with those of the service providers. Lack of resources and difficulty of hiring and retaining skilled personnel were again the two main concerns (Figure 93). All the other challenges observed showed increases in 2017, a fact that was most likely compounded by the increasing worldwide shortage of security analysts and incident response personnel.

Figure 93 EGE OPSEC Team Challenges: Difficulty of hiring and retaining skilled personnel 54%, Lack of headcount or resources 46%, Operational expenditure (OPEX) funding 44%, Capital expenditure (CAPEX) funding 34%, Lack of management support 27%, Lack of internal stakeholder support 25%, Other 6%. Source: Arbor Networks, Inc.
Security Best Practices

The implementation of best-practice security measures was not only lower across the board in 2017 when compared to service providers, but also vastly reduced in comparison to 2016 (Figure 94). Since EGE networks are often smaller and less complex than those of service providers, the security best practices they follow differ, with more than half predictably blocking known botnet Command-and-Control and malware drop servers. Surprisingly, the monitoring of route hijacking claimed the fourth position on the list, an increase to 37 percent from 28 percent the previous year. And, equally surprising, the use of ACLs at network edges was down from 37 to 32 percent.

Figure 94 Security Best Practices: Block known botnet command-and-control servers, malware drop servers, etc. 57%; Authentication for BGP, IGP (MD5, SHA-1) 54%; Maintain up-to-date contacts for your peer, transit, and/or customer OPSEC teams 41%; Monitor for route hijacking 37%; Separate out-of-band (OOB) management network or data communication network (DCN) 35%; Explicitly filter routes announced by BGP peers 33%; iACLs at network edges 32%; BCP38/BCP84 anti-spoofing at network edge and/or within data center 28%; Explicitly filter routes announced by customers 24%; Generalized TTL security mechanism (GTSM) for eBGP peers 22%; IRR route registration of customer prefixes 10%; Not applicable/Do not know 2%. Source: Arbor Networks, Inc.

All EGE respondents indicated that security training and incident response exercises greatly improved the effectiveness of dealing with and mitigating DDoS attacks (Figure 95). There was a disappointing decrease from 55 to 50 percent running DDoS defense simulations in 2017. Similarly, the number of respondents carrying out DDoS simulations at least every quarter fell from 40 to 32 percent, which was similar to what we observed with service providers. Though EGE organizations tend to believe they are targeted less frequently, not being prepared to respond to a DDoS attack could result in substantial financial and reputational loss in the event of a successful incident. As in 2016, there is obviously plenty of room for improvement.

Figure 95 DDoS Simulations: Daily 6%, Weekly 6%, Monthly 8%, Quarterly 12%, Yearly 17%, We do not do this today but plan to implement within the next year 50%.
ASERT SPECIAL REPORT: PART 2

THE RISE OF THE IoT BOTS

A special report from the NETSCOUT Arbor Security Engineering & Response Team (ASERT)

The year 2017 was one in which IoT botnets became the preferred weapon of choice for launching DDoS attacks.

The number of unsecured Internet of Things (IoT) devices connected to the internet continues to increase dramatically. As the number of IoT devices increases, so do the security vulnerabilities. Attackers have invented new ways to detect, infect and compromise IoT devices, even those thought to be secure behind corporate firewalls.

IHS Markit predicts the number of IoT devices will rise from 27 billion connected devices in 2017 to 125 billion connected devices in 2030 (IHS press release 10/24/17).
The Attackers Economy + Attack Cycles

The motivations for launching DDoS attacks are many and varied. As DDoS defenses become more effective, it is more difficult for the attackers to take down their targets using standard DDoS attack methods. Modern desktop computers are more secure, both from a technology point of view and because of automated patching mechanisms. Consequently, attackers are seeing traditional DDoS attack vectors become less effective, and they are finding fewer vulnerable computers to subsume into botnets.

This is forcing attackers to look at new ways of launching DDoS attacks. Taking advantage of the masses of unsecured IoT devices connected to the open internet has proved popular, but using cross-platform infection vectors to gain access to IoT devices behind corporate firewalls is also becoming a reality.

The skills and technical understanding required to do this are in most cases far beyond that of a normal hacker, resulting in the need for the professional malware arms dealer.

The malware arms dealer researches new attack vectors that take advantage of either existing security vulnerabilities or new zero-day vulnerabilities. The arms dealer develops attack tool kits, and as part of a quality assurance (QA) cycle, often does live field testing. The goal of these dealers is to sell developed attack tools to the Booter/Stresser community, or in some cases, directly to the attackers themselves.

Diagram: 1. Malware arms dealers sell to DDoS mercenaries; 2. DDoS mercenaries sell to attackers; 3. Attackers launch attacks.

1. Malware arms dealers are either individuals or organizations which research and develop attack tools that take advantage of security vulnerabilities. As part of their QA, they often do live field testing.

2. The DDoS mercenaries offer DDoS services (Booters/Stressers) for hire to the attackers.

3. The attackers mostly use Booter/Stresser services to launch their attacks, though there are some exceptions.
Looking at the number of DDoS incidents, and the appearance of new IoT malware in the 2016–2017 time frame, it becomes apparent that the attacker/incident economy is cyclical in nature.

In 2016, there was a visible spike of attacks concluding with the unprecedented attacks against the websites of Brian Krebs, a journalist and security researcher, and Dyn, a DNS company. These attacks led to a reduction in IoT attack capability due to the alleged BrickerBot and because of service providers blocking IoT devices from infection and remote control. DDoS defenses also became more efficient in blocking some of the new IoT attacks, reducing their potential impact.

After the 2016 incidents, attackers responded by developing new attack tools. First, they created the Windows Mirai Trojan, which allowed them to infect and subsume vulnerable IoT devices behind corporate firewalls into botnets. Then, attackers started to take advantage of security vulnerabilities in IoT operating systems, with known vulnerabilities like those targeted by IoT Reaper, and zero-day vulnerabilities like the one on Huawei customer premise equipment (CPE) devices used by Satori Mirai.

Interestingly enough, all of the above mentioned attack tools weren't used in anger, but as mentioned before, they were most probably used for field testing on the internet. The attacks were active for short time periods, with quick multiple new releases, and then the Command-and-Control servers were taken offline. Based on the results, they either continued internal development or sold the finalized attack tool to either the Booter/Stresser community or to dedicated attackers with enough funding to pay for such advanced malware.

In 2017, there were two highly visible cases of field testing taking place.

1. The Windows Mirai Trojan: only active for five days but received multiple new updates in that time period.

2. The IoT Reaper: had the potential to infect millions of IoT devices but was deliberately blocked from doing so by its authors. In addition, it was released without any DDoS capabilities but had all necessary hooks in place.

Diagram: the attack/incident cycle plotted over time, with the stages Incidents (lots of attacks), Survive, Resolve the problem, Post mortem, Prepare, Miscreant R&D and New criminal revenue opportunities.
Malware Innovation

Almost all of the IoT devices targeted in the DDoS attacks in late 2016 were directly connected to the internet, which made it easy for the attackers to detect and subsequently infect the devices with botnet code.

95% of all IoT devices are located behind some kind of internet gateway or firewall, making them invisible to internet scans and protected from IoT malware.

Attackers realize the DDoS effectiveness of IoT devices. They begin to look at how to take advantage of the remaining devices.

In early February 2017, a multi-stage Windows Trojan containing code to scan for vulnerable IoT devices and inject them with the Mirai bot code was detected in the wild.

This weaponization of a Windows Trojan to deliver IoT bot code reveals an evolution in the threat landscape that most organizations are completely unprepared to deal with: DDoS attacks from within.

Windows machines infected by the Mirai Trojan can actively scan for IoT devices whenever they establish a network connection. For example, if a laptop gets compromised by the Windows Mirai Seeder on a public wireless network, it will start scanning for vulnerable IoT devices as soon as it makes a network connection. It could be any network connection — one to an internal corporate network via VPN, a wireless network or a physical one.

Almost all networks, from a small SoHo business to the largest enterprise, have a large number of IoT devices connected to them, from the smart TV in a home to intelligent network-enabled thermostats in a large company. These devices are, in most cases, protected by network firewalls, making them unreachable by scans from malicious devices on the internet.

The Windows Mirai Seeder is a game changer, however, because compromised Windows computers can now scan for vulnerable IoT devices whenever they connect to an internal network via VPN, wireless or physical connections.

Unless proper care is taken to segment internal networks, any device with an IP stack is a potential target for compromise. Currently the Mirai bot infects devices like web cameras and DVR recorders but it can easily be modified to attack other devices like printers, scanners and HVAC controllers. Any device, once compromised, can start scanning for other vulnerable IoT devices and infect them if detected.

The Internally Facing DDoS Extortion Attack

A clever attacker could use the multi-stage Trojan mentioned above to get inside a network, subsuming vulnerable IoT devices into a botnet. The attacker could then scan the internal network to identify vulnerable network devices and critical services.

The attacker could use this information to direct the compromised IoT devices inside the network to launch a devastating attack against the network itself or critical services inside of the network. This kind of attack could be used either to deny service for an extended period, or as a proof-of-capability for an extortion demand.

If the network is not designed to withstand these kinds of internal attacks, it could be a time-consuming, costly and complex task to redesign and secure the network. In the worst case, the network security posture would have to be rethought from scratch, beginning by shutting down all communication on all links, including any internet connections.

A DDoS attack launched using IoT devices located on the inside of an enterprise network can cause very high traffic levels, in terms of both volume and packets-per-second. Even if the attack is destined towards external targets, the attack traffic must first traverse the internal network. This can result in network link congestion on WAN and LAN segments and a high CPU load on network devices, all potentially leading to network outages.
To mitigate the impact of such attacks, the following should be implemented:

1. Flow telemetry (such as NetFlow or IPFIX) export, collection, and analysis, along with the collection and analysis of recursive DNS queries and responses. This provides comprehensive visibility into network traffic and allows for the rapid detection of any abnormalities and internally launched DDoS attacks.

2. Control plane policing on all network devices. This allows the network devices to withstand both direct attacks against the network elements and traversing traffic attacks.

3. Secure routing protocols against attacks and overload. Without routing, no traffic can traverse the network.

4. Management plane protection to secure and protect management traffic. In addition, add reserve bandwidth and capacity on WAN and LAN links for management plane traffic. If unable to communicate with the network elements, the attack cannot be mitigated.

5. Data plane protection to filter and control what traffic should be allowed through the network. For instance, a DNS server farm should only receive DNS traffic. And client computers should only communicate with specific services on specific ports, not each other. In addition, data plane protection should be implemented using non-stateful controls like iACLs, as stateful controls have a tendency to crash and burn during heavy attacks.

6. A quarantine system to isolate compromised devices. This allows for the utilization of flow telemetry collection and analysis, recursive DNS collection and analysis, and other forms of detection and classification. These make use of recursive DNS poisoning to implement a universal 'soft' quarantine, as well as VLAN- and WiFi channel-based 'hard' quarantine mechanisms, to isolate botted devices.

7. Do not trust any quality-of-service tags made by clients. Downgrade those such that management plane traffic has highest priority.

Conclusion

Typical IoT devices are less secure than any desktop computer, making them the attacker's choice for compromise. Attackers are busy inventing new attack methods and vectors, aiming to bypass current countermeasures. They are also looking to take advantage of IoT devices which were previously thought to be secure behind corporate firewalls.

With the introduction of the Windows Mirai Trojan, a new threat scenario has emerged which has the potential to cause a myriad of issues.

As stated earlier, a network designed and secured using best current practices (BCPs) described herein will be highly resistant to such compromise and the ramifications thereof. In addition, the network will be more resistant to new attack vectors.
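As an added example, not code from the report or from NETSCOUT Arbor, the following Python sketch applies the first mitigation item above: it analyses NetFlow/IPFIX-style flow records, as a collector would already hold them, to flag the two internal behaviours the special report describes, a host fanning out small probes to many internal addresses on the ports Mirai-class bots target, and many internal sources flooding one destination. The flow records, address ranges, port list and thresholds are all constructed for the demonstration; a deployment would replace them with its own exporter feed and baseline-derived thresholds.

```python
"""Flow-telemetry analysis for internally launched IoT botnet activity.

Added example (not from the NETSCOUT Arbor report). Models NetFlow/IPFIX
records and runs two detections over a fixed time window: internal scanning
fan-out and an internal packet flood. All addresses, ports and thresholds
below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One exported flow record (fields a NetFlow v9/IPFIX template commonly carries)."""
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    packets: int
    octets: int
    start: float    # seconds from the start of the analysis window
    end: float


# Internal address space of the constructed network (assumption).
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# TCP ports IoT-targeting bots are publicly documented to probe (Telnet, alternate Telnet, HTTP, TR-069).
IOT_PROBE_PORTS = {23, 2323, 80, 8080, 7547}
# Detection thresholds: assumptions to be tuned from the site's own baseline.
SCAN_FANOUT_THRESHOLD = 20     # distinct internal destinations from one source
FLOOD_PPS_THRESHOLD = 50_000   # packets per second aimed at one destination
WINDOW_SECONDS = 60.0


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def detect_internal_scanners(flows):
    """Map source -> number of distinct internal hosts it probed on IoT ports.

    A scanner leaves many tiny flows (a SYN or two) to many different hosts,
    so only flows of at most three packets count towards the fan-out."""
    fanout = defaultdict(set)
    for f in flows:
        if (f.proto == "tcp" and f.dport in IOT_PROBE_PORTS and f.packets <= 3
                and is_internal(f.src) and is_internal(f.dst)):
            fanout[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in fanout.items()
            if len(dsts) >= SCAN_FANOUT_THRESHOLD}


def detect_internal_floods(flows):
    """Map destination -> (packets per second, distinct internal sources) for
    destinations whose inbound rate from internal sources exceeds the threshold.
    Catches attacks on an internal service as well as outbound attacks that
    must cross the LAN/WAN towards the gateway."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        if is_internal(f.src):
            packets[f.dst] += f.packets
            sources[f.dst].add(f.src)
    return {dst: (count / WINDOW_SECONDS, len(sources[dst]))
            for dst, count in packets.items()
            if count / WINDOW_SECONDS >= FLOOD_PPS_THRESHOLD}


def sample_flows():
    """Constructed records: normal web traffic, one laptop probing Telnet on 25
    hosts, and 40 cameras each sending 100,000 packets to the WAN gateway."""
    flows = [Flow("10.1.1.5", "10.9.9.9", 443, "tcp", 120, 90_000, 0.0, 30.0)]
    for i in range(25):
        flows.append(Flow("10.1.1.77", f"10.2.0.{i + 1}", 23, "tcp", 2, 120,
                          1.0 + i * 0.1, 1.2 + i * 0.1))
    for i in range(40):
        flows.append(Flow(f"10.3.0.{i + 1}", "10.0.0.1", 53, "udp", 100_000,
                          6_400_000, 5.0, 60.0))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    for src, n in detect_internal_scanners(flows).items():
        print(f"ALERT scan: {src} probed {n} internal hosts on IoT ports")
    for dst, (pps, n) in detect_internal_floods(flows).items():
        print(f"ALERT flood: {dst} receives {pps:,.0f} pps from {n} internal sources")
```

The two detections deliberately look at different dimensions of the same telemetry: the scanner is visible in the count of distinct destinations per source, not in volume, while the flood is visible in aggregate packet rate per destination, which is why item 1 above pairs flow collection with analysis rather than storage alone.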
DNS OPERATORS
DNS Operators

Sixty-eight percent of all respondents indicated that they operate a DNS infrastructure, slightly down from 74 percent in 2016, but in line with 2015 (Figure 96).

Figure 96 DNS Operators (Operate DNS servers in the network? Yes 68%, No 32%).

Most of the DNS operators are in the United States, Canada and Europe (Figure 97), although their network operations cover all parts of the globe (Figure 98). This shows that operating a DNS infrastructure is more common in North America and Europe than in Latin America or in the Middle East, Africa and Asia-Pacific regions.

Figure 97 DNS Operators (Per Region HQ): bars for North America; Western, Central + Eastern Europe; Asia Pacific + Oceania; Latin America; Middle East + Africa.

Figure 98 DNS Operators (Per Region Operations): bars for North America; Western, Central + Eastern Europe; Asia Pacific + Oceania; Latin America; Middle East + Africa.

Looking at respondent types, 79 percent of enterprise, government and education (EGE) organizations are running DNS servers, slightly up from 75 percent in 2016. Like in the previous year, we observed that EGE respondents are taking control of critical infrastructures like DNS, rather than outsourcing their management.
In 2017, we again asked all respondents if DNS security was managed by a special dedicated group, a primary security team or if there was no assigned responsibility (Figure 99). The results once again showed a small improvement over the previous year, as the percentage with a dedicated DNS security team increased from 22 to 25 percent, and those with no specific responsible group fell from 20 to 16 percent.

Figure 99 DNS Security Responsibility (All Respondents): Same security group 60%, Special security group for DNS 25%, No security group is responsible for securing DNS infrastructure and services 16%. Source: Arbor Networks, Inc.

Looking at the breakout between EGE organizations and service providers, there was a substantial increase of EGE organizations with a dedicated DNS security team, at 24 percent in 2017 up from 16 in the previous year (Figure 100). As for service providers, it is disappointing to see that those with a special security group for DNS have decreased slightly, from 27 percent to 25, considering the criticality of DNS to these organizations. On a more positive note, in 2017, the percentage of both EGE organizations and service providers with no security group decreased, from 18 percent to 15 for EGEs and from 23 percent to 16 for service providers.

Figure 100 DNS Security Responsibility (Per Operator Type): Enterprise, Government + Education: Same security group 61%, Special security group for DNS 24%, No security group 15%; Service Provider: Same security group 59%, Special security group for DNS 25%, No security group 16%.
Visibility of DNS traffic in 2017 was similar to the previous year, with 73 percent of all respondents having visibility at Layers 3 and 4, and 43 percent at Layer 7 (Figure 101). Only 33 percent of service providers have visibility of their DNS traffic at Layer 7, which is down from 42 percent in 2016 (Figure 102). In contrast, 49 percent of EGE organizations reported having visibility of their DNS traffic at Layer 7, an increase from 35 percent in 2016.

Figure 101 DNS Visibility: Yes, at Layers 3 and 4 73%; Yes, at Layer 7 43%; No visibility 13%.

It is a positive sign that more EGE organizations are taking control of their DNS infrastructure and visibility at Layer 7, as effective mitigation of DDoS attacks targeting DNS requires application-layer visibility.

Figure 102 DNS Visibility (Per Operator Type): Enterprise, Government + Education: Yes, at Layers 3 and 4 73%, Yes, at Layer 7 49%; Service Provider: Yes, at Layers 3 and 4 74%, Yes, at Layer 7 33%; No visibility shown as 11% and 15%.
As stated in previous reports, DNS is critical to maintaining the availability of services. Unfortunately, DNS servers are popular both as direct targets of DDoS attacks and as unwilling amplification and reflection actors. As a result, it is disappointing again to note that 19 percent of respondents still did not restrict access to their recursive DNS servers in 2017 (Figure 103).

Figure 103 Recursive DNS Restrictions (Restrict recursive DNS lookups to your customers and networks? Yes 81%, No 19%).

The percentage of DDoS attacks that target DNS infrastructures and affect service did not change from 2016 for all our respondents (Figure 104). While we can see organizations are making progress in protecting their DNS infrastructure, this shows that DDoS attacks targeting DNS servers remain a constant threat.

Figure 104 DNS Service Affecting DDoS Attacks (DDoS attacks against DNS infrastructure that led to a visible outage? Yes 25%, No 57%, Do not know 18%).

Among EGE organizations, the percentage that experienced publicly visible service outages increased to 22 percent in 2017, up from 13 percent in the previous year (Figure 105). Conversely, the proportion of service providers suffering these attacks dropped to 31 percent in 2017 from 39 the previous year.

Figure 105 DNS Service Affecting DDoS Attacks (Per Organization Type): Enterprise, Government + Education: Yes 22%; Service Provider: Yes 31%; No and Do not know shares also shown for each type.
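The following Python check is an added example rather than code from the report: it audits the condition behind Figure 103 from a resolver's own query logs instead of from the outside. It assumes BIND-style query log lines (constructed below) and an allowed-client list standing in for the resolver's recursion ACL, both assumptions of the example, and reports recursion-desired queries arriving from outside that list, which on a resolver believed to be restricted indicates that the restriction is missing or not taking effect.

```python
"""Auditing recursive DNS exposure from resolver query logs.

Added example (not from the NETSCOUT Arbor report). Parses BIND-style query
log lines, constructed here for the demonstration, and reports
recursion-desired queries from clients outside the networks the resolver is
meant to serve. The allowed-network list mirrors an allow-recursion ACL and
is an assumption of the example.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Clients this resolver is supposed to recurse for (constructed).
ALLOWED_RECURSION = [
    ip_network("10.0.0.0/8"),
    ip_network("192.168.0.0/16"),
    ip_network("2001:db8::/32"),
]

# BIND query log shape: "client [@0x...] ADDR#PORT (QNAME): query: QNAME CLASS TYPE FLAGS (SERVER)".
# The first flag character is '+' when the client asked for recursion (RD set), '-' when it did not.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname>[^)]*)\): query: (?P<name>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-]\S*)"
)


def parse_query(line: str):
    """Return a dict with client, qtype and a boolean 'rd', or None for non-query lines."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    q = m.groupdict()
    q["rd"] = q["flags"].startswith("+")
    return q


def is_allowed_client(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in ALLOWED_RECURSION)


def audit_recursion(lines):
    """Count recursion-desired queries per off-net client, and separately the
    ANY queries among them (the type chosen when a large response is wanted).
    Non-zero counts on a resolver that believes it restricts recursion point
    to a missing or ineffective ACL."""
    offnet = Counter()
    offnet_any = Counter()
    for line in lines:
        q = parse_query(line)
        if q is None or not q["rd"] or is_allowed_client(q["client"]):
            continue
        offnet[q["client"]] += 1
        if q["qtype"] == "ANY":
            offnet_any[q["client"]] += 1
    return offnet, offnet_any


# Constructed log lines; addresses are documentation ranges (RFC 5737 / RFC 3849).
SAMPLE_LOG = [
    "client @0x7f3a1c003e60 10.1.2.3#51022 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.53)",
    "client @0x7f3a1c003e60 2001:db8::5#40100 (example.com): query: example.com IN AAAA + (10.0.0.53)",
    "client @0x7f3a1c004a10 203.0.113.9#40321 (example.org): query: example.org IN ANY +E(0) (10.0.0.53)",
    "client @0x7f3a1c004a10 203.0.113.9#40322 (example.org): query: example.org IN ANY +E(0) (10.0.0.53)",
    "client @0x7f3a1c004a10 203.0.113.9#40323 (example.org): query: example.org IN ANY +E(0) (10.0.0.53)",
    "client @0x7f3a1c004a10 203.0.113.9#40324 (example.org): query: example.org IN ANY +E(0) (10.0.0.53)",
    "client @0x7f3a1c005b20 198.51.100.20#53 (example.net): query: example.net IN A -E(0) (10.0.0.53)",
    "client @0x7f3a1c005b20 198.51.100.21#33001 (example.net): query: example.net IN A + (10.0.0.53)",
    "client @0x7f3a1c005b20 198.51.100.21#33002 (example.net): query: example.net IN MX + (10.0.0.53)",
    "client @0x7f3a1c005b20 198.51.100.22#53 (example.net): query: example.net IN TXT -E(0) (10.0.0.53)",
]

if __name__ == "__main__":
    offnet, offnet_any = audit_recursion(SAMPLE_LOG)
    for client, n in offnet.most_common():
        print(f"{client}: {n} recursive queries from outside the served networks, "
              f"{offnet_any[client]} of them ANY")
```

Queries with the RD bit clear (the '-' lines above) are skipped on purpose: a server that is also authoritative legitimately receives those from anywhere, and counting them would hide the recursion problem in noise. Run against a day of real logs, a non-empty result is the log-side counterpart of answering "No" to the Figure 103 question.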
DDoS attacks are still targeting Authoritative DNS servers (Figure 106) more frequently than Recursive servers (Figure 107). However, there was an overall reduction in attacks for both EGE organizations and service providers. The percentage of respondents seeing attacks against Recursive servers went down from 30 percent in 2016 to 24 in 2017, while the proportion of respondents seeing DDoS attacks targeting Authoritative DNS servers decreased slightly to 32 percent.

Figure 106 DDoS Attacks Against Authoritative DNS Servers (Experienced DDoS attacks against Authoritative DNS servers? Yes 32%, No 50%, Do not know 18%).

Figure 107 DDoS Attacks Against Recursive DNS Servers (Experienced DDoS attacks against Recursive DNS servers? Yes 24%, No 52%, Do not know 24%).

As expected, service providers saw more attacks against both Recursive and Authoritative DNS servers (Figure 108). Forty-four percent of providers reported attacks against their Authoritative DNS servers compared to 23 percent for EGE organizations, an increase for EGE respondents from 16 percent in 2016.

Thirty-four percent of providers saw attacks against their Recursive DNS servers (Figure 109), down from 44 percent in 2016, while 18 percent of EGEs experienced these attacks, down from 24 percent in 2016.

Figure 108 DDoS Attacks Against Authoritative DNS Servers (Per Organization Type): Enterprise, Government + Education: Yes 23%; Service Provider: Yes 44%; No and Do not know shares also shown for each type.

Figure 109 DDoS Attacks Against Recursive DNS Servers (Per Organization Type): Enterprise, Government + Education: Yes 18%; Service Provider: Yes 34%; No and Do not know shares also shown for each type.
NETSCOUT Arbor Special Report

Figure 110 DNS Security Measures (By Organization Type) (bar chart, Enterprise, Government + Education vs. Service Provider, percentage of respondents deploying each measure: Intelligent DDoS mitigation system (IDMS); Separate production and out-of-band (OOB) management networks; Interface ACLs on network edge; Unicast reverse-path forwarding (uRPF) and/or other anti-spoofing mechanisms; Source-based remote triggered blackhole (S/RTBH); Destination-based remote triggered blackhole (D/RTBH); FlowSpec on gateway or access routers; DNS response rate limiting (RRLs); Firewalls; IPS/IDS)

The security measures put in place to protect DNS infrastructures vary greatly once again between service providers and EGE organizations. For service providers, Intelligent DDoS Mitigation Systems (IDMS) were again the most popular defense mechanism, with 66 percent of respondents having them deployed, up slightly from 64 in 2016 (Figure 110). Following in second and third place are firewalls and ACLs, respectively at 61 and 54 percent. Seeing firewalls as the second most reported option is disappointing, as these devices do not protect adequately against DDoS attacks due to their nature and the ease with which a state-based attack can overwhelm them.

In EGE organizations, firewalls were the most popular choice, at 82 percent up from 79 percent in 2016, which again is disappointing. In second place were IPS/IDS at 57 percent, another piece of bad news considering that they are similarly vulnerable to DDoS attacks.
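DNS response rate limiting (RRL), one of the least-deployed measures in Figure 110, is worth a closer look because it addresses both of the DNS problems the report raises: an authoritative server being flooded with repeated queries, and the same server being abused as a reflector that answers spoofed queries with large responses. The simulation below is an added example, not code from the report or from NETSCOUT Arbor. It is modelled on the RRL scheme used by authoritative servers such as BIND: would-be responses are bucketed by client prefix, query name and query type, capped at a number of identical responses per second, and excess responses are dropped except that every Nth one is answered with a truncated (TC=1) "slip" reply so a genuine client retries over TCP while a spoofed reflection victim receives almost nothing. The query-log lines, the thresholds and the addresses are all constructed for illustration.

```python
"""Simulated DNS Response Rate Limiting (RRL) over constructed query-log lines.

Added example (not from the WISR or NETSCOUT Arbor), modelled on the RRL design
of authoritative servers such as BIND. Sample log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed BIND-style query-log lines (not captured traffic). The
# 198.51.100.0/24 sources repeat ANY queries for one name, the classic
# reflection/amplification pattern; 203.0.113.5 behaves like a normal resolver.
SAMPLE_LOG = [
    f"21-Nov-2017 10:00:00.{i:03d} client 198.51.100.7#5{i:04d} (example.com): "
    f"query: example.com IN ANY +E (203.0.113.1)"
    for i in range(12)
] + [
    "21-Nov-2017 10:00:00.300 client 198.51.100.9#44001 (example.com): "
    "query: example.com IN ANY +E (203.0.113.1)",
    "21-Nov-2017 10:00:00.301 client 198.51.100.9#44002 (example.com): "
    "query: EXAMPLE.COM IN any +E (203.0.113.1)",
    "21-Nov-2017 10:00:00.500 client 203.0.113.5#53 (www.example.com): "
    "query: www.example.com IN A -E (203.0.113.1)",
    "21-Nov-2017 10:00:01.100 client 203.0.113.5#53 (www.example.com): "
    "query: www.example.com IN AAAA -E (203.0.113.1)",
    # Not a query record; the parser skips it.
    "21-Nov-2017 10:00:01.200 zone example.com/IN: loaded serial 2017112101",
]

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d{3} client (?:@\S+ )?"
    r"(?P<ip>[0-9A-Fa-f.:]+)#\d+ \(\S+\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query(line):
    """Return (second, client_ip, qname, qtype) or None for non-query lines."""
    m = QUERY_RE.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("qname"), m.group("qtype")


@dataclass(frozen=True)
class RRLConfig:
    responses_per_second: int = 5  # identical responses allowed per bucket per second
    slip: int = 2                  # every 2nd excess response becomes a TC=1 slip; 0 = none
    ipv4_prefix_len: int = 24      # clients aggregated per /24 (BIND's default)
    ipv6_prefix_len: int = 56


@dataclass
class RRLStats:
    answered: int = 0
    slipped: int = 0
    dropped: int = 0


class ResponseRateLimiter:
    def __init__(self, cfg):
        self.cfg = cfg
        self.stats = RRLStats()
        self._sent = defaultdict(int)    # (second, bucket) -> responses already sent
        self._excess = defaultdict(int)  # bucket -> excess responses seen, for slip

    def _bucket(self, client_ip, qname, qtype):
        addr = ipaddress.ip_address(client_ip)
        plen = self.cfg.ipv4_prefix_len if addr.version == 4 else self.cfg.ipv6_prefix_len
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        # Case-insensitive qname/qtype so spelling variants share one bucket.
        return str(net), qname.rstrip(".").lower(), qtype.upper()

    def decide(self, second, client_ip, qname, qtype):
        """Return 'answer', 'slip' or 'drop' for one would-be response."""
        bucket = self._bucket(client_ip, qname, qtype)
        key = (second, bucket)
        self._sent[key] += 1
        if self._sent[key] <= self.cfg.responses_per_second:
            self.stats.answered += 1
            return "answer"
        self._excess[bucket] += 1
        if self.cfg.slip and self._excess[bucket] % self.cfg.slip == 0:
            self.stats.slipped += 1
            return "slip"
        self.stats.dropped += 1
        return "drop"


def apply_rrl(lines, cfg=None):
    """Run the limiter over log lines; returns (stats, per-query decisions, skipped)."""
    rrl = ResponseRateLimiter(cfg or RRLConfig())
    decisions, skipped = [], 0
    for line in lines:
        parsed = parse_query(line)
        if parsed is None:
            skipped += 1
            continue
        second, ip, qname, qtype = parsed
        decisions.append((ip, qname, qtype, rrl.decide(second, ip, qname, qtype)))
    return rrl.stats, decisions, skipped


if __name__ == "__main__":
    stats, decisions, skipped = apply_rrl(SAMPLE_LOG)
    for ip, qname, qtype, verdict in decisions:
        print(f"{ip:<14} {qname:<16} {qtype:<5} -> {verdict}")
    print(f"answered={stats.answered} slipped={stats.slipped} "
          f"dropped={stats.dropped} skipped={skipped}")
```

On the constructed input the 14 ANY queries from the 198.51.100.0/24 block share one bucket, so only the first five are answered in full; of the nine excess queries, four receive a slip reply and five are silently dropped, while the two ordinary A/AAAA lookups from 203.0.113.5 are unaffected. Aggregating by prefix rather than by individual address is what stops an attacker from evading the limit by rotating spoofed source addresses within one network, and the slip mechanism is what keeps the limiter from becoming its own denial of service for legitimate clients that happen to share that prefix.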

CONCLUSION

Following the introduction of electronic computers in the 1950s, early concepts of wide area networking originated in the United States, United Kingdom and France. The U.S. Department of Defense awarded contracts in the 1960s, which eventually led to the ARPANET project. The first message was sent over the ARPANET in 1969.

The concept of the transmission control protocol/internet protocol (TCP/IP) suite was presented in a paper in 1974 by authors Vinton Cerf and Robert Kahn, who also came up with the term internet, which was short for “inter-networking of networks.” Commercial internet service providers (ISPs) began to emerge in the late 1980s.

“We had no idea that this would turn into a global and public infrastructure.”
VINT CERF
Since the mid-1990s, the internet has had a revolutionary impact on culture, commerce and technology, including the rise of near-instant communication.

While it transported only one percent of the information flowing through two-way telecommunications networks in 1993, the internet grew rapidly. It carried 51 percent of two-way traffic by 2000 and more than 97 percent by 2007. The internet continues to grow today, driven by ever greater amounts of information, commerce, entertainment and social networking.

Proportion of global two-way telecommunications traversing the internet: 1993, 1%; 2000, 51%; 2007, 97%.

Now, more than ever, business and commerce simply cannot exist without robust internet infrastructure that is continuously available. Even recreation and socialization depend on the internet to deliver information, goods and services. It is this environment that simultaneously enables our modern lifestyle and work routines while also putting them at risk from those who would exploit this ubiquitous availability for nefarious purposes.

As we have seen in this year’s report, attackers continue to build and weaponize massive IoT botnets of unprecedented size and capability. Volumetric DDoS attacks have scaled back a bit in sheer size, but continue to increase in frequency. In last year’s report, we highlighted the use of reflection/amplification DDoS attacks as equally effective to IoT botnets for generation of very large scale volumetric DDoS attacks.

This year, we’ve seen increasing sophistication of IoT-based botnet attack capabilities. These modern botnets are capable of delivering attacks that include application-layer, volumetric and complex multi-vector DDoS attacks. Further, easy-to-use DDoS for hire services have helped make more sophisticated multi-vector DDoS attacks increasingly common.

On a positive note, both service providers and enterprises share an increased appreciation of the impact a successful DDoS attack can have. This is leading to the adoption of more effective defenses. In service provider networks, it is now widely accepted that purpose-built Intelligent DDoS Mitigation Systems serving as part of a layered defense are the only effective option for mitigating DDoS attacks. Enterprise, government and education organizations also indicated that they have an increasing understanding of this reality. While many still deployed traditional security technologies for DDoS defense, there is increased acceptance of the shortcomings of these solutions.

While online gaming is seen as the top motivation behind DDoS attacks this year, criminal activity and especially extortion remain major drivers of malicious activity. The motivations behind attacks are many and varied, but the ease with which anyone can launch attacks is a growing problem. DNS continues to be one of the most targeted internet services. DNS servers are popular both as direct targets of DDoS attacks and as unwilling amplification and reflection actors. It is a positive sign that more organizations are taking control of their DNS infrastructure and ensuring visibility of DNS traffic at Layer 7, as effective mitigation of DDoS attacks targeting DNS requires application-layer visibility.

“The internet is becoming the town square for the global village of tomorrow.”
BILL GATES

“It is the obvious which is so difficult to see most of the time. People say ‘It’s as plain as the nose on your face.’ But how much of the nose on your face can you see, unless someone holds a mirror up to you?”
ISAAC ASIMOV

The global shortage of security professionals continues to worsen with no end in sight. While many organizations pursue outsourcing, machine learning or automation strategies to help fill the gap, increased efficiency and organic growth of internal teams are still vital strategies. This is the second consecutive year the survey shows an overall decline in service providers implementing security infrastructure best practices. Surprisingly, given the popularity of reflection attacks over the last five years, the adoption of anti-spoofing filters decreased.

Reputation/brand damage and operational expense are still the top business impacts of DDoS attacks. There was also a big jump in revenue loss. Survey responses broadly indicate that the cost of a major DDoS attack is increasingly significant. Over three quarters of enterprise, government and education network operators reported that DDoS mitigation was a part of either their business or IT risk assessments. And, more service providers are now offering DDoS protection services, given the continued increasing interest in these services among customers across a broad range of verticals.

NETSCOUT Arbor is proud to release the 13th annual Worldwide Infrastructure Security Report. This report is designed to help network operators understand the breadth of the threats that they face, gain insight into what their peers are doing to address these threats, and comprehend both new and continuing trends. This year’s report features responses from service provider, enterprise, government and education organizations.

A good global distribution of respondents rounds out what has been our broadest representation of the internet community ever. We hope that you find the information useful in protecting your business for the coming year.

ABOUT THE AUTHORS

Philippe Alcoy
PRINCIPAL SECURITY TECHNOLOGIST, NETSCOUT ARBOR
palcoy@arbor.net

Philippe has more than 20 years of experience in Cybersecurity Defense & Attack. He started his career with AvantGo in the city of London, securing and mobilizing web applications on early smartphones and PDAs for banks and insurances. After the first IT bubble burst, he joined vulnerability assessment pioneers eEye Digital Security and started a 15-year stint in technical leadership, consulting and management roles in the IT security, risk and compliance management market. Philippe relocated to Asia 10 years ago to manage Qualys APAC operation, looking after large enterprises and managed security service providers. He recently joined the office of the CTO at NETSCOUT Arbor focusing on advanced threat and research.

Steinthor Bjarnason
SENIOR NETWORK SECURITY ANALYST, NETSCOUT ARBOR
sbjarnason@arbor.net

Steinthor Bjarnason is a Senior Network Security Analyst on the NETSCOUT Arbor ASERT team, performing applied research on new technologies and solutions to defend against DDoS attacks. He has more than 18 years of experience working on internet security, IoT security, cloud security, SDN security, core network security and DDoS attack mitigation. Steinthor is an inventor and principal of the Cisco Autonomic Networking Initiative, with a specific focus on security automation where he holds a number of related patents.

Paul Bowen
PRINCIPAL SECURITY TECHNOLOGIST, NETSCOUT ARBOR
pbowen@arbor.net

Paul Bowen brings over 22 years of experience to his role at NETSCOUT Arbor where his primary focus is on advanced threats. Previously he was an architect for advanced threat solutions at Fortinet. He also was the architect for Mandiant cloud-based SIEM, called TAP. Paul spent two years as a security and compliance conference speaker for Hewlett-Packard as a member of Office for Advanced Solutions, seven years as a principal Engineer for Arcsight and 10 years as a manager of global security for Estée Lauder.

C.F. Chui
PRINCIPAL SECURITY TECHNOLOGIST, NETSCOUT ARBOR
cfchui@arbor.net

With more than 20 years of experience in the networking industry, C.F. Chui is a veteran in designing, implementing and supporting highly available network systems and solutions. In his current role with NETSCOUT Arbor, C.F. works closely with customers in the Asia-Pacific region to develop and optimize approaches for their network security solutions to ensure the most effective deployment and highest customer satisfaction. He is also actively involved in NETSCOUT Arbor’s global research projects. Before joining NETSCOUT Arbor, C.F. held different regional positions in pre- and post-sales for various large core routing and switching vendors. His expertise lies mainly in the areas of internet routing technology, network threat detection and network visibility solutions.

Kirill Kasavchenko
PRINCIPAL SECURITY TECHNOLOGIST, NETSCOUT ARBOR
kkasavchenko@arbor.net

Kirill has more than 14 years of experience in various post- and pre-sales roles dealing with telecom and large enterprises in more than 30 countries in Europe, Middle East, Russia and CIS. His areas of interest are network design and network security at a large scale. On the CTO team at NETSCOUT Arbor, Kirill focuses on emerging technologies and global research projects, applying his expertise in routing and protocol analysis to find new ways to protect customers’ networks.

Kirill holds B.S. and M.S. with honors in Computer Sciences from the Saint Petersburg University of IT, Mechanics and Optics as well as a number of industry certifications including Cisco CCIE. Prior to joining Arbor in 2011 he spent seven years on different positions ranging from network technician to chief engineer at systems integrators and network infrastructure vendors.

Gary Sockrider
PRINCIPAL SECURITY TECHNOLOGIST, NETSCOUT ARBOR
gsockrider@arbor.net

Gary Sockrider is an industry veteran bringing over 25 years of broad technology experience including routing and switching, mobility, collaboration and cloud but always with an eye on security. His previous roles include security SME, consultancy, customer support, IT and product management. He seeks to understand and convey the constantly evolving threat landscape, as well as the techniques and solutions that address the challenges they present. Prior to joining NETSCOUT Arbor in 2012, he spent 12 years at Cisco Systems and held previous positions with Avaya and Cable & Wireless.

ABOUT THE EDITOR

Darren Anstee
CHIEF TECHNICAL OFFICER, NETSCOUT ARBOR
danstee@arbor.net

Darren serves as the Chief Technical Officer for NETSCOUT Arbor, developing the technology strategy of NETSCOUT Arbor products and services. His efforts help customers see and understand network traffic in order to tackle their most complex security challenges. He works closely with NETSCOUT Arbor’s Security Engineering & Response Team (ASERT), product management, sales and engineering organizations to drive alignment on the next generation capabilities that will help NETSCOUT Arbor’s customers across enterprise and service provider markets. Darren has over twenty years of experience in networking and security, the last 14 years spent with NETSCOUT Arbor.

GLOSSARY

A
ACL Access Control List
APT Advanced Persistent Threat
ASERT Arbor Security Engineering & Response Team
AT Advanced Threat
ATLAS Active Threat Level Analysis System
AV Anti-Virus

B
BCP Best Current Practice
BYOD Bring Your Own Device

C
CDN Content Delivery Network
C&C Command-and-Control

D
DCN Data Communication Network
DNS Domain Name System
DDoS Distributed Denial of Service
D-RTBH Destination-Based Remotely Triggered Blackholing
S-RTBH Source-Based Remotely Triggered Blackholing

E
EGE Enterprise, Government & Education

G
Gbps Gigabits-per-second
Gi Global Internet
GTP-C General Packet Radio Service (GPRS) tunneling protocol (GTP)
GTP-U GPRS Tunneling Protocol User Plane
GTSM Generalized TTL Security Mechanism

H
HTTP Hypertext Transfer Protocol
HTTP/S HTTP Secure

I
iACL Infrastructure ACL
ICMP Internet Control Message Protocol
IDMS Intelligent DDoS Mitigation System
IDS Intrusion Detection System
IGP Interior Gateway Protocol
IoT Internet of Things
IPS Intrusion Prevention System
IPv4 Internet Protocol Version 4
IPv6 Internet Protocol Version 6
IR Incident Response
IRC Internet Relay Chat
ISP Internet Service Provider

K
KPI Key Performance Indicator

L
LTE Long Term Evolution

M
Mbps Megabits-per-second
MDM Mobile Device Management
MITM Man in the Middle
MNO Mobile Network Operator
MPC Mobile Packet Core
MSSP Managed Security Service Provider

N
NAT Network Address Translation
NFV Network Functions Virtualization
NGFW Next Generation Firewall
NMS Network Management System
NTP Network Time Protocol

O
OOB Out of band
OPSEC Operational Security
OTT Over the Top

P
PAT Port Address Translation
PCAP Packet Capture

Q
QoE Quality of Experience

R
RAN Radio Access Network

S
SDN Software-defined networking
SEG Security Gateways
SIEM Security Information Event Management
SIP Session Initiation Protocol
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SOC Security Operations Center
S/RTBH Source-based Remotely Triggered Blackholing
SSDP Simple Service Discovery Protocol
SSL Secure Socket Layer
SYN Synchronize

T
TLD Top Level Domain
TLS Transport Layer Security
Tbps Terabits per second

U
UDP User Datagram Protocol
uRPF Unicast Reverse Path Forwarding
UTM Unified Threat Management

V
VoIP Voice Over Internet Protocol

W
WAF Web Application Firewall
WiMAX Worldwide Interoperability for Microwave Access
CORPORATE HEADQUARTERS
76 Blanchard Road
Burlington, MA 01803 USA
Toll Free +1 866 212 7267
T +1 781 362 4300

NORTH AMERICA SALES


Toll Free +1 855 773 9200

EUROPE
T +44 207 127 8147

ASIA-PACIFIC
T +65 6664 3140

LATIN + CENTRAL AMERICA


T +52 55 4624 4842

arbornetworks.com

ABOUT NETSCOUT


NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) assures digital business services against disruptions in availability, performance,
and security. Our market and technology leadership stems from combining our patented smart data technology with smart analytics.
We provide real-time, pervasive visibility, and insights customers need to accelerate, and secure their digital transformation. Our
approach transforms the way organizations plan, deliver, integrate, test, and deploy services and applications. Our nGenius service
assurance solutions provide real-time, contextual analysis of service, network, and application performance. Arbor security solutions
protect against DDoS attacks that threaten availability, and advanced threats that infiltrate networks to steal critical business assets.
To learn more about improving service, network, and application performance in physical or virtual data centers, or in the cloud, and
how NETSCOUT’s performance and security solutions, powered by service intelligence can help you move forward with confidence,
visit www.netscout.com or follow @NETSCOUT and @ArborNetworks on Twitter, Facebook, or LinkedIn.

© 2018 NETSCOUT SYSTEMS, INC. All rights reserved. NETSCOUT, the NETSCOUT logo, Guardians of the Connected World, Adaptive Service Intelligence, Arbor Networks,
the Arbor Networks logo, ATLAS, InfiniStream, InfiniStreamNG, nGenius, and nGeniusONE are registered trademarks or trademarks of NETSCOUT SYSTEMS, INC., and/or
its subsidiaries and/or affiliates in the USA and/or other countries. Third-party trademarks mentioned are the property of their respective owners.