Anti-Spoofing Decline 'Bad News' for Security

The past year has seen a huge spike in the number of large cyber attacks and many organizations look poorly equipped to cope with an incident, according to the latest Worldwide Infrastructure Security Report from Arbor Networks.

Discussing the report's major findings with Light Reading, Darren Anstee, Arbor Networks' director of Solution Architects, says there has been a return to the use of "big volumetrics" among cyber criminals previously focused on much stealthier application-layer attacks.

"Before 2013 you would have seen only a handful of these attacks, but there were 39 at the 100 Gbit/s level or higher in 2013 and 159 such attacks last year," he says.

The largest reported attack was 400 Gbit/s, but other organizations surveyed by Arbor for the security report reported attacks of 300 Gbit/s, 200 Gbit/s and 170 Gbit/s, with several reporting events that exceeded the 100 Gbit/s threshold.

Source: Arbor Networks

Anstee says cyber criminals have been taking advantage of the fact that many networks do not make use of anti-spoofing filters, which prevent hackers from faking IP addresses to carry out attacks using so-called reflection/amplification techniques.

Indeed, the biggest surprise from this year's findings was a decrease in the proportion of survey respondents using anti-spoofing filters -- down from about one half in recent years to just one third in 2014.

"Given media coverage around these attacks, I would have thought more operators would use anti-spoofing, because you can only do reflection/amplification by faking your IP address," says Anstee.

One possible explanation could be the growth in the number and variety of survey respondents: Arbor asked questions of 287 respondents last year -- up from 220 in 2013 -- with 60% drawn from the communications service provider (CSP) community and the rest from the enterprise, government and education (EGE) sectors.

"We're seeing that best practices aren't as widely deployed as we might have previously thought," says Anstee. Arbor's report describes the finding as "bad news".
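An added illustration, not taken from the Arbor report or the original article, of the check an anti-spoofing (ingress) filter performs at a provider edge: a packet is forwarded only if its source address lies within a prefix assigned to the interface it arrived on. The interface names, prefixes and packets are constructed and use documentation address ranges.

```python
import ipaddress

# Constructed example data: prefixes assigned to each customer-facing interface.
# All addresses are from documentation ranges, not real networks.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

def build_filters(assigned):
    """Parse the per-interface prefix lists once, as at configuration time."""
    return {ifname: [ipaddress.ip_network(p) for p in prefixes]
            for ifname, prefixes in assigned.items()}

def permits(filters, ifname, src):
    """True only if src lies inside a prefix assigned to the ingress interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False                      # unparsable source address: drop
    nets = filters.get(ifname, [])        # unknown interface: permit nothing
    return any(addr.version == n.version and addr in n for n in nets)

def apply_ingress_filter(filters, packets):
    """Split packets into (forwarded, dropped) by source-address validation."""
    forwarded, dropped = [], []
    for pkt in packets:
        ok = permits(filters, pkt["in_if"], pkt["src"])
        (forwarded if ok else dropped).append(pkt)
    return forwarded, dropped

# Constructed packets as seen on the provider edge (in_if = arrival interface).
PACKETS = [
    {"in_if": "cust-a", "src": "192.0.2.10"},      # inside cust-a's /25
    {"in_if": "cust-a", "src": "192.0.2.200"},     # same /24, outside the /25
    {"in_if": "cust-a", "src": "198.51.100.7"},    # cust-b's address on cust-a's port
    {"in_if": "cust-b", "src": "198.51.100.7"},    # same address, correct port
    {"in_if": "cust-a", "src": "2001:db8:a::1"},   # IPv6, inside cust-a's /48
    {"in_if": "cust-b", "src": "2001:db8:a::1"},   # cust-b has no IPv6 prefix
]

if __name__ == "__main__":
    fwd, drp = apply_ingress_filter(build_filters(ASSIGNED), PACKETS)
    for p in fwd:
        print("forward", p["in_if"], p["src"])
    for p in drp:
        print("drop   ", p["in_if"], p["src"])
```

The same address is forwarded on one interface and dropped on another, which is why the filter has to be applied per interface at the network edge rather than as a single global list.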

Interestingly, EGE respondents are still seeing a higher proportion of application-layer attacks than CSPs. Some 29% of attacks fell into this category, according to EGE respondents, compared with just 17% of the attacks on service providers.

Anstee says that application-layer attacks can be relatively hard to detect and that EGE organizations tend to have more in-depth visibility of the traffic on their networks than large service providers.

Despite the fall in the proportion of respondents using anti-spoofing filters, Anstee refutes the suggestion that organizations are not taking the security threats seriously enough. As he notes, when it comes to defending against distributed denial-of-service (DDoS) attacks, intelligent DDoS mitigation systems (IDMS) have now overtaken more old-fashioned access control lists (ACLs) as the most popular safeguard. Around 70% of respondents claim now to be using IDMS, while 63% employ ACLs. (See Cloud Providers: Beware DDoS Domino Effect.)

Clearly, as a vendor of IDMS, Arbor has a vested interest in popularizing them as a security measure, but the findings do appear to confirm that interest in DDoS protection services is rising.

"Service providers are taking the threat seriously and putting specialist solutions in place to deal with DDoS," says Anstee. (That CSPs are taking security very seriously was clear from the results of a Heavy Reading survey conducted in late 2014 -- see Security Suffers From 'Not My Job' Mentality.)

Arbor also flags an encouraging increase in the proportion of respondents able to respond to an attack in less than 20 minutes -- up from 60% in 2013 to 68% last year.

Meanwhile, with 29% of respondents reporting attacks on cloud services, compared with just 19% in 2013, demand for DDoS detection and mitigation services among cloud and hosting organizations has risen sharply. Some 59% of cloud and hosting providers expressed interest in DDoS services, a higher proportion than in any other vertical market.

"The cloud is becoming pervasive but if you can't reach cloud services across the Internet they are not much use," says Anstee. "Service providers are being driven to put protection in place."

As for the impact of cybercrime, survey respondents cited operational expense and reputational damage as the chief concerns, but there was also a jump in the proportion seeing revenue losses as a result of DDoS attacks. Among data center operators, specifically, 44% of respondents reported revenue losses in 2014, up from 27% in 2013.

— Iain Morris, News Editor, Light Reading

kq4ym 1/27/2015 | 3:00:10 PM
Re: Hacker motivations
That's an interesting observation: distraction for other means. I wonder if there's enough data to really see what's going on though. With only 200 some respondents, it may be that the results are not as accurate as could be with the latest survey.

DHagar 1/27/2015 | 2:51:33 PM
Re: Hacker motivations
Iainmorris, interesting discovery of the motivations and the "bait-and-switch" to divert for other crimes. I am thinking because it is becoming more prevalent that they are lulling companies into the idea that it is not so bad or unusual.

I am wondering how much is also corporate espionage and/or market disruption.

Great info.

iainmorris 1/27/2015 | 12:15:54 PM
Hacker motivations
Interesting insights from Arbor on the motivations behind attacks, as well. Pure vandalism now the number one motivation, ahead of "ideological hacktivism", but there also seems to be growth in cybercrime as a way of distracting attention from other crimes such as stealing data and money. "You distract the security team while you do something else," says Arbor's Anstee.