Distributed denial of service attacks aren't getting bigger, but they are getting smarter, and more enterprises are experiencing financial consequences as a result, according to Netscout Arbor's 13th Annual Worldwide Infrastructure Security Report (WISR). The answers, the security vendor proposes, involve greater automation to detect and mitigate attacks more quickly, and a multi-layered approach that combines upstream, network-based mitigation with on-premises protection close to the application.
The NetScout Systems Inc. (Nasdaq: NTCT) Arbor WISR is based on a survey of 390 respondents globally: service providers of all sizes and types (55% of respondents) and enterprise, government and education organizations (45% of respondents). It is, in many ways, the granddaddy of annual security reports, dating back to when Arbor Networks was a standalone provider trying to convince network operators that security was a major issue in the Internet era. The need for that kind of persuasion has obviously passed, and other annual reports, some from operators themselves, now tackle similar issues.
One interesting tidbit from this year's report is that the use of virtualization technologies -- network functions virtualization and software-defined networking -- is growing significantly, particularly in the data center, as shown in the chart below.
"What we have seen is while deployment has doubled, it is still a small percentage," comments Gary Sockrider, Arbor's principal security technologist. "Everybody wants to get there but there are a lot of barriers including operational concerns, interoperability and costs. They want to get there but they are being cautious."
Some of the operational concerns relate to security, he notes: there is worry that handing control of hardware to a third party raises new risks, and that the technology is not yet mature enough. "I have no doubt we will continue this march into SDN and NFV deployments," he says. "One of the things I found is that enterprises are catching up, more of them are looking at SDN."
What the Arbor WISR continues to do is track the year-to-year shifts in attack types, and this year the report focuses on what it calls "innovation at the edge" of the network. That is where the growth in attacks is taking place, targeting applications, services and infrastructure devices such as firewalls, says Sockrider.
"What we are seeing is an increased complexity of attacks, and the consequences of those attacks and what people are doing about it," he tells Light Reading in an interview. "Fifty-seven percent of enterprises and 45% of data center operators saw their Internet bandwidth saturated due to a DDoS attack, up from 42% last year."
The consequences of the smarter attacks were also on the rise: almost double the number of companies (56%) reported a financial impact of attacks between $10,000 and $100,000, and five times as many enterprises reported a financial impact of an attack greater than $100,000, he says. Even so, financial losses were not the primary concern: 57% of those surveyed cited reputation or brand damage as the main impact on their business, and 48% said customer churn was a key problem following an attack.
That doesn't mean attacks are getting bigger -- in fact the largest attack reported this year was smaller, he notes, down to 600 Gbit/s. "People talk a lot and focus on the giant volumetric attacks, but that's not really the issue this year," Sockrider says. "It's not like 600-gig is a small attack, but it is enough to get the job done. And that is what attackers are doing -- just enough to get the job done."
More complex, multi-vector attacks are on the rise: 59% of service providers and 48% of enterprises experienced them, up 20% from 2016. Such an attack combines a volumetric flood of traffic with state-exhaustion attacks against stateful devices such as firewalls and application-layer attacks, creating a sustained offensive against an enterprise in which a defense tuned for any single vector leaves the others unmitigated.
Combating those multi-vector attacks requires a multi-layer solution, combining upstream services -- such as cloud-based DDoS mitigation services -- with inline clients located much closer to the application itself, Sockrider says. Arbor, of course, provides both service provider and enterprise security products.
"When you are talking about volumetric attacks, it's a no-brainer you have to deal with that upstream," he says. "There is no gear you can put on a 10-gig pipe to stop a 100-gig attack; you need a cloud-based DDoS mitigation or a solution from your upstream provider."
A state-exhaustion attack is meant to fly under the radar: it targets the connection-state tables of firewalls, load balancers and servers rather than link capacity, so it never exceeds Internet bandwidth and can go undetected by an upstream provider, "since they are looking at data from millions of different companies and it's hard to drill down to identify an application-level attack," Sockrider says. "Those need to be dealt with much closer to the application or service itself. That is where we recommend an inline always-on type of client that looks at every packet, understanding what applications are behind it and specifically looking at that app's traffic."
The ideal situation is one in which the cloud-based service and the on-premises inline client communicate with each other in a combined multi-layer approach that can be automated to address multi-vector attacks as they evolve, he says.
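The following is an added example, not code from the report, from Arbor or from this article, showing the signal-to-layer logic the multi-layer approach implies: a volumetric flood is recognised by link utilisation and can only be handled upstream, while state exhaustion and application-layer floods stay well below link capacity and are recognised from handshake completion, connection-table fill and request rate, which is what an inline, always-on device can see. The telemetry fields, thresholds, the 10 Gbit/s uplink and the one-second samples are all constructed for illustration.

```python
"""Map observed DDoS vectors to the mitigation layer that can actually stop them.

Added example, not from the Arbor WISR or Light Reading. The Sample/Baseline
fields, thresholds and layer names are assumptions; all telemetry is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed limits of the protected site (this example's own choices).
LINK_CAPACITY_BPS = 10_000_000_000   # 10 Gbit/s uplink, the "10-gig pipe" in the text
STATE_TABLE_LIMIT = 1_000_000        # firewall connection-table entries


@dataclass(frozen=True)
class Sample:
    """One-second traffic summary as an edge exporter might report it (constructed)."""
    bps: int          # bits per second arriving on the uplink
    syn: int          # TCP SYNs received
    handshakes: int   # three-way handshakes that completed
    half_open: int    # connection-table entries still waiting for the final ACK
    requests: int     # HTTP requests reaching the application tier


@dataclass(frozen=True)
class Baseline:
    """Normal-hour averages the detector compares against (constructed)."""
    bps: int
    syn: int
    requests: int


def detect_vectors(s: Sample, b: Baseline) -> List[str]:
    """Return the attack vectors present in one sample, in a fixed order."""
    vectors: List[str] = []
    # Volumetric: the uplink itself is the bottleneck. No on-premises device
    # can recover capacity once the pipe is full, so this is an upstream problem.
    if s.bps >= 0.8 * LINK_CAPACITY_BPS or s.bps >= 5 * b.bps:
        vectors.append("volumetric")
    # State exhaustion: SYN rate far above baseline but almost no handshakes
    # complete, or the state table is half full. Bandwidth can stay modest.
    completion = s.handshakes / s.syn if s.syn else 1.0
    if s.syn >= 10 * b.syn and (completion < 0.2 or s.half_open >= 0.5 * STATE_TABLE_LIMIT):
        vectors.append("state_exhaustion")
    # Application layer: well-formed requests far above baseline; invisible to
    # a bandwidth-only view, visible to a device that understands the app.
    if s.requests >= 5 * b.requests:
        vectors.append("application")
    return vectors


def mitigation_plan(vectors: List[str]) -> Dict[str, List[str]]:
    """Assign each detected vector to the layer (upstream or inline) that can handle it."""
    plan: Dict[str, List[str]] = {"upstream": [], "inline": []}
    if "volumetric" in vectors:
        plan["upstream"].append("divert the prefix to cloud scrubbing or ask the upstream to filter")
    if "state_exhaustion" in vectors:
        plan["inline"] += ["enable SYN cookies / SYN proxy", "shorten half-open timeouts"]
    if "application" in vectors:
        plan["inline"] += ["per-source request rate limiting", "challenge suspicious clients"]
    if len(vectors) > 1:
        # Multi-vector: scrubbing upstream does not clear the low-bandwidth
        # vectors, so both layers must stay engaged at the same time.
        plan["note"] = ["multi-vector: keep inline mitigation active while traffic is scrubbed upstream"]
    return plan


# Constructed telemetry: a quiet second, a SYN flood, and a multi-vector attack.
BASELINE = Baseline(bps=1_200_000_000, syn=2_000, requests=15_000)
NORMAL = Sample(bps=1_300_000_000, syn=2_100, handshakes=2_050, half_open=1_500, requests=16_000)
SYN_FLOOD = Sample(bps=1_600_000_000, syn=400_000, handshakes=2_000, half_open=620_000, requests=15_500)
MULTI = Sample(bps=9_500_000_000, syn=300_000, handshakes=1_900, half_open=550_000, requests=120_000)

if __name__ == "__main__":
    for name, sample in (("normal", NORMAL), ("syn_flood", SYN_FLOOD), ("multi", MULTI)):
        vectors = detect_vectors(sample, BASELINE)
        print(name, vectors, mitigation_plan(vectors))
```

The SYN flood sample runs at about 1.6 Gbit/s on a 10 Gbit/s link, so an upstream provider watching bandwidth sees nothing unusual; the detector flags it only because 400,000 SYNs per second produce 2,000 completed handshakes and fill most of the state table. The multi-vector sample trips all three rules, and the plan keeps the inline actions in place even though the volumetric component is sent upstream.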
— Carol Wilson, Editor-at-Large, Light Reading