Arbor Networks' Worldwide Infrastructure Security Report shows that denial of service attacks using sheer musclepower are slowing down. Traditionally, DDoS attacks bombarded targets with as much traffic as possible to tie up bandwidth and system resources.
This year, the largest single attack on an ISP saw traffic bombard a target at 49 Gbits/sec. Although that is 22% up on last year, it compares with a 67% increase from 2007–2008 and substantial yearly increases before that, Arbor Networks said.
Respondents to the Arbor survey said that attacks were becoming more sophisticated. Attackers are hitting firewalls, load-balancers, back-end database infrastructure and associated transaction capacity, the report said, along with cached data serving algorithms.
"This increasing sophistication is a disconcerting trend that has been captured in previous editions of the survey as well, and one that continues to worry network operators," said Danny McPherson, CSO at Arbor Networks. "With observable consolidation of content sources and migration to multi-tenant cloud or hosted infrastructure and services (e.g., DNS), the risk of attacks that impact multiple entities and more commonly induce collateral damage is heightened."
Almost 35% of respondents said that they were most worried about attacks on services and applications that make up cloud resources over the next twelve months. Last year's major concern, large-scale botnet-based attacks, slipped to second place, with 21% of providers citing that as their biggest concern.
Suspicions that brains continue to replace brawn have been bolstered by a reduction in large bandwidth-focused attacks on network providers. The report found that only one in five network providers experienced attacks in the one-to-four Gbit/sec range, compared to 30% a year ago. More attacks were reported that used less than a Gbit/sec of bandwidth. These attacks target service weaknesses such as back-end queries, Arbor Networks said.
The report also spoke of a 'perfect storm' for network providers. The implementation of the DNSSEC secure DNS protocol poses a major challenge, which has been compounded by the coming need to move to IPv6 as IPv4 numbers become exhausted.