In addition, more than 70% operating data centers reported DDoS attacks over the last year, up dramatically from the year before.
According to Arbor Networks’ 9th Annual Worldwide Infrastructure Security Report (WISR), more than a third of responding data centers experienced attacks that exceeded total available internet connectivity, nearly double from the previous year. Staggeringly, about 10% saw more than 100 attacks per month.
The report also found that DNS infrastructure remains vulnerable. Just over one-third experienced customer-impacting DDoS attacks on DNS infrastructure – an increase of a quarter over the previous year.
“Despite a really high-profile year for DNS amplification attacks, including the largest attack ever monitored (Spamhaus), there are still a significant number of open DNS resolvers out there within the survey base,” said Andrew Cockburn, consulting engineer for Arbor’s carrier group, in a blog. “Fully 20% of our respondents do not restrict recursive lookups, which when extrapolated to the entire base of DNS resolvers, makes for rich pickings among those that are interested in launching this kind of attack.”
He added that after the Spamhaus attack, which was very well-publicized, Arbor saw a large number of copycat attacks in the months following. “And despite this, the number of open resolvers stayed pretty consistent with last year’s survey,” he said. “I think that the increase in lack of internal organizations with specific responsibility for DNS infrastructure is partly to blame. Without a targeted and holistic approach to security, such organizations have no way to connect the dots between their decisions to leave a resolver open, and the associated security risks.”
The report found that more than a quarter of respondents indicated that there is no security group within their organizations with formal responsibility for DNS security, up 19% from the previous report.
Also, there’s been a dramatic rise in DDoS attack size in general. In all previous years of the survey, the largest reported attack was 100Gbps. This year, attacks peaked at 309Gbps, and multiple respondents reported attacks larger than 100Gbps.
“Last year we saw eight times the number of attacks over 20Gbps when compared to 2012,” said Darren Anstee, solutions architect for EMEA at Arbor. “In short, attackers seem to have re-focused on utilizing large volumetric attacks to achieve their goals and this illustrates why layered DDoS defense is such an important message. “
Meanwhile, internal network, advanced persistent threats (APTs) and ubiquitous application-layer attacks continue to be everyday reality for IT departments too. The proportion of respondents seeing APTs on their networks has increased from 22% to 30% year over year – and respondents ranked botted hosts as their No. 1 concern.
“The other key aspect of the results this year, from my perspective, relates to internal network threats,” Anstee said. “Over half of respondents this year indicated that they had seen botted/compromised hosts and or APTs on their internal networks during the survey period. This clearly shows that threats are getting inside networks, either around or through perimeter defenses. Organizations need to augment their security postures so that they can identify suspicious or malicious activities wherever they might occur on their networks.”
The report also found that application-layer attacks are now common, with nearly all respondents indicating they have seen them during this survey period. There has also been continued strong growth in application-layer attacks targeting encrypted web services (HTTPS): these are up 17% over the previous year's report.