[121464] in North American Network Operators' Group
RE: 2009 Worldwide Infrastructure Security Report available for
daemon@ATHENA.MIT.EDU (Stefan Fouant)
Wed Jan 20 10:33:23 2010
From: "Stefan Fouant" <sfouant@shortestpathfirst.net>
To: "'Dobbins, Roland'" <rdobbins@arbor.net>, "'NANOG list'" <nanog@nanog.org>
In-Reply-To: <FD7A3DA9-1D61-4B39-9965-494A44867411@arbor.net>
Date: Wed, 20 Jan 2010 10:32:25 -0500
> -----Original Message-----
> From: Dobbins, Roland [mailto:rdobbins@arbor.net]
> Sent: Wednesday, January 20, 2010 9:17 AM
> To: NANOG list
> Subject: 2009 Worldwide Infrastructure Security Report available for
> download.
> 
> 
> [Apologies for any duplication if you've seen this notification on
> other lists.]
> 
> We've just posted the 2009 Worldwide Infrastructure Security Report for
> download at this URL:
> 
> <http://www.arbornetworks.com/report>
> 
> This year's WWISR is based upon the broadest set of survey data
> collected by Arbor to date, with the number of respondents doubling
> from 66 to 132, and much greater input from non-USA/non-EMEA, regional
> providers.  The WWISR is based upon input from the global operational
> community, and as such, is unique in its focus on the operational
> security aspects of public-facing networks.
> 
> Many of you contributed to the survey which forms the foundation of the
> report; as always, we're grateful for your insight and participation,
> and welcome your feedback and comments.

Thanks Roland.

I'm wondering if you can clarify why 'Figure 1' only goes up to 2008 and
states in key findings "This year, providers reported a peak rate of only 49
Gbps".  I happen to personally recall looking at ATLAS sometime last year
and seeing an ongoing attack that was orders of magnitude larger than
that.

It was interesting to see the observation that DDoS attack scale growth has
slowed over the past 12 months, including the authors' belief that this is a
result of "the upper bounds of IP backbone network capacity (e.g., Nx10 Gbps
backbone link rates, awaiting upgrades to 100 Gbps rather than 40 Gbps
deployment)".  It is expected that 100 Gbps will be quickly adopted this
year in order to remove the inefficiencies of Nx10 Gbps LAG bundles, and 10
Gbps is likely to start being adopted at the server level.  Also there is
already talk about Terabit Ethernet sometime in 2015.  All of this leads me
to believe that attack size will likely increase again as these technologies
become more widely deployed.

An interesting observation was the decrease in the use of flow-based tools,
and the corresponding increase in the use of things like SNMP tools, DPI,
and customer calls for attack detection.  Surely this must have been a
factor of a larger respondent pool... I'd really like to think people aren't
opting not to use flow-based tools in favor of receiving customer calls :(

Completely agree on the disturbing observation of the increase in
rate-limiting as a primary mitigation mechanism for dealing with DDoS.  I've
seen more and more people using this as a mitigation strategy, against my
advice.  For anyone interested in more information on the topic, and why
rate-limiting is akin to cutting your foot off, I highly recommend you take
a look at the paper "Effectiveness of Rate-Limiting in Mitigating Flooding
DoS Attacks" presented by Jarmo Molsa at the Third IASTED International
conference.

It's nice that the report includes respondent organization types, but what
I'd really like to see is number of attacks broken down by industry.  I
think this would go a long way towards allowing companies to better quantify
their risk-score and associated spend based on their associated industry.

Otherwise, really good stuff.  Thanks for sharing!

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D