Perfect Storm Threatens Telecom Networks
The survey of 132 ISPs from around the world found, in part, that they are suffering from a "general pessimism" because of concerns over new types of attacks, including DNS poisoning, route hijacking, and service-level attacks.
The ISPs are also worried that three significant technology changes -- the shift to IP version 6 (IPv6), the adoption of DNSSEC (a new security scheme for domain name servers), and the use of 4-byte Autonomous System Numbers -- will render their networks vulnerable.
"There are a number of changes all happening at once that, in the short term, are adding additional new complexity to the network. At the same time, operators are struggling with issues they've always struggled with," says Craig Labovitz, chief scientist at Arbor, which makes security gear for carriers. (See Arbor Intros 40-Gig DDoS Defense.)
"To have so many things happening at once is somewhat unique. Any time you introduce one of these changes, there is concern, but three at once exacerbates the challenge," adds Labovitz.
While the move to IPv6 is necessary, because ISPs will soon run out of IPv4 addresses, a number of back-office systems are not prepared to recognize IPv6 addresses, according to Jennifer Pigg, vice president of the Anywhere Network research program at Yankee Group Research Inc. DNSSEC will improve DNS security in the long term, but it can be difficult to implement, she says.
"If not implemented correctly, DNSSEC could actually make a system more vulnerable," Pigg warns.
One possible bright spot, says Arbor's Labovitz, is that the growth in the magnitude of denial of service (DoS) attacks has slowed: This year’s largest reported distributed DoS (DDoS) attack was 49 Gbit/s, while attacks of 60 Gbit/s or more had been expected.
But the attacks themselves are involving more sophisticated techniques. "Starting two to three years ago, we saw much more of a focus on service-level attacks," says Labovitz. "They consume smaller amounts of bandwidth but have more bang for the buck," attacking strategic systems such as DNS servers or load balancers.
Because cloud-based services involve a number of distributed network resources, there is potential for increased vulnerability, since the failure of any component in a cloud-based service could threaten the service, notes Labovitz.
"As attacks shift, it's no longer a question of adding bandwidth or capacity, but a service provider’s ability to protect [itself] from much more crafted, surgical attacks."
As a result, service providers need to implement security best practices more carefully and be much more aware of how they are providing cloud services.
Labovitz also believes the telecom industry is not ready for widespread deployment of IPv6 and needs to do much more to prepare. While core network equipment may be all set to support the shift to IPv6, network edge gear, including firewalls and aggregation routers, must also be upgraded, he notes.
— Carol Wilson, Chief Editor, Events, Light Reading