-----Original Message-----
From: Dobbins, Roland [mailto:rdobbins@arbor.net]
Sent: Wednesday, January 20, 2010 9:17 AM
To: NANOG list
Subject: 2009 Worldwide Infrastructure Security Report available for download.

[Apologies for any duplication if you've seen this notification on other lists.]
We've just posted the 2009 Worldwide Infrastructure Security Report for download at this URL:
<http://www.arbornetworks.com/report>
This year's WWISR is based upon the broadest set of survey data collected by Arbor to date, with the number of respondents doubling from 66 to 132, and much greater input from non-USA/non-EMEA, regional providers. The WWISR is based upon input from the global operational community, and as such, is unique in its focus on the operational security aspects of public-facing networks.
Many of you contributed to the survey which forms the foundation of the report; as always, we're grateful for your insight and participation, and welcome your feedback and comments.

Thanks Roland. I'm wondering if you can clarify why 'Figure 1' only goes up to 2008 and states in key findings "This year, providers reported a peak rate of only 49 Gbps". I happen to personally recall looking at ATLAS sometime last year and seeing an ongoing attack that was orders of magnitude larger than that.

It was interesting to see the observation that DDoS attack scale growth has slowed over the past 12 months, including the author's belief that this is a result of "the upper bounds of IP backbone network capacity (e.g., Nx10 Gbps backbone link rates, awaiting upgrades to 100 Gbps rather than 40 Gbps deployment)". It is expected that 100 Gbps will be quickly adopted this year in order to remove the inefficiencies of Nx10 Gbps LAG bundles, and 10 Gbps is likely to start being adopted at the server level. Also there is already talk about Terabit Ethernet sometime in 2015. All of this leads me to believe that attack size will likely increase again as these technologies become more widely deployed.

An interesting observation was the decrease in the use of flow-based tools, and the corresponding increase in the use of things like SNMP tools, DPI, and customer calls for attack detection. Surely this must have been a factor of a larger respondent pool... I'd really like to think people aren't opting not to use flow-based tools in favor of receiving customer calls :(

Completely agree on the disturbing observation of the increase in rate-limiting as a primary mitigation mechanism for dealing with DDoS. I've seen more and more people using this as a mitigation strategy, against my advice. For anyone interested in more information on the topic, and why rate-limiting is akin to cutting your foot off, I highly recommend you take a look at the paper "Effectiveness of Rate-Limiting in Mitigating Flooding DoS Attacks" presented by Jarmo Molsa at the Third IASTED International conference.

It's nice that the report includes respondent organization types, but what I'd really like to see is number of attacks broken down by industry. I think this would go a long way towards allowing companies to better quantify their risk-score and associated spend based on their associated industry.

Otherwise, really good stuff. Thanks for sharing!

Stefan Fouant, CISSP, JNCIE-M/T
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D