It's no fun being a telecom security specialist these days. Distributed denial of service (DDoS) and botnet attacks on service providers’ services, infrastructure and customers are more frequent and ferocious than ever. Even worse, cyber criminals have learned how to turn some of the very devices designed for telecom security into attack vectors, according to a recent global survey of service providers.
About half (49%) of service providers that operate data centers reported a firewall or intrusion prevention system (IPS) outage due to a DDoS attack. Those systems, which are designed to prevent unauthorized access by carefully inspecting every request, can easily be overwhelmed by even a moderately-sized DDoS attack, said Carlos Morales, vice president of global sales engineering and consulting at Arbor Networks.
The transition to next-generation protocols IPv6 and DNS Security Extensions (DNSSEC) may also open service providers to DDoS vulnerabilities. Both contain features intended to increase security, but these features also slow down how quickly devices can process requests, making them attractive targets for hackers to create bottlenecks, Morales said.
"Unfortunately, what we're seeing is [that] the threat-to-defense gap is really the widest it's been since the inception of DDoS, when there really were no defenses against it," he said. "There are certain pockets of operators that do a lot more and invest a lot more, but there are also pockets that are woefully behind."
Last year saw the first report of a 100 Gbps DDoS attack, more than a hundredfold increase in attack size from 2009, as reported by telecom security vendor Arbor Networks in its sixth annual Network Infrastructure Security Report. The dubious milestone marks a thousand-fold increase in attack size since Arbor began the survey in 2005.
"How many networks really do have 100 Gbps of access? There are a select few … and [that capacity] is typically not in one place, so what we're talking about here is an attack that could take out 99% of the content in the world," Morales said.
Telecom security threats call for new defenses
Service providers must learn "to defend in a different way" in order to fight these new threats, Morales said. A purely local view of telecom security threats is deadly; instead, telecom security specialists should take a broader view of where attacks originate and what tools cyber criminals have at their disposal.
Stateful firewalls and IPS are poor DDoS barriers, Morales said. Intelligent DDoS mitigation systems can provide more protection. Other best practices include the use of access control lists (ACLs) on hardware-based routers, flow specification, source- and destination-based remote-triggered blackhole lists, server hardening and unicast reverse path forwarding (RPF), he said.
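To make two of the listed practices concrete, the following added example (not from the article or from Arbor Networks) models how unicast RPF decides to drop a spoofed-source packet in strict versus loose mode, and how a source-based remote-triggered blackhole route (a discard next hop) turns loose-mode uRPF into a network-wide drop. The forwarding table, interface names and sample packets are all constructed for illustration.

```python
import ipaddress

# Constructed FIB for a small provider edge router: prefix -> egress interface.
# Sample data only; not taken from any real network.
FIB = {
    "10.0.0.0/8":   "ge-0/0/1",  # customer aggregate
    "10.1.0.0/16":  "ge-0/0/2",  # more-specific route to a second customer port
    "192.0.2.0/24": "ge-0/0/3",  # provider-hosted content subnet
    "0.0.0.0/0":    "ge-0/0/0",  # default route toward the upstream transit link
}
DISCARD = "discard"  # next hop used by remote-triggered blackhole routes

def lookup(src, allow_default=False):
    """Longest-prefix match for src. Returns (network, next_hop) or None.
    The default route is ignored unless allow_default is set, mirroring the
    common vendor option that keeps loose-mode uRPF meaningful."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, nh in FIB.items():
        net = ipaddress.ip_network(prefix)
        if net.prefixlen == 0 and not allow_default:
            continue
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def urpf_verdict(src, ingress, mode="strict"):
    """'forward' or 'drop' for a packet with source src arriving on ingress.
    strict: the reverse path to src must lead back out the ingress interface
            (right for single-homed customer ports; breaks on asymmetric paths).
    loose:  src only needs some route that is not a discard route."""
    route = lookup(src)
    if route is None or route[1] == DISCARD:
        return "drop"
    if mode == "strict" and route[1] != ingress:
        return "drop"
    return "forward"

def blackhole_source(prefix):
    """Source-based RTBH: install a discard route so loose uRPF drops the
    source at every edge router instead of relying on per-router ACLs."""
    FIB[prefix] = DISCARD

def filter_packets(packets, mode):
    """Apply uRPF in the given mode to (src, ingress) tuples; return verdicts."""
    return [(src, ingress, urpf_verdict(src, ingress, mode)) for src, ingress in packets]

# Constructed sample traffic: legitimate customer, customer address spoofed on the
# wrong port, hosting subnet spoofed from upstream, and an unrouted source.
SAMPLE = [("10.1.5.5", "ge-0/0/2"), ("10.1.5.5", "ge-0/0/1"),
          ("192.0.2.10", "ge-0/0/0"), ("203.0.113.9", "ge-0/0/1")]
```

Running `filter_packets(SAMPLE, "strict")` drops the three spoofed packets, while loose mode drops only the unrouted source until a blackhole route is installed for the offending prefix.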
"There's no silver bullet," Morales said. "It's like [asking], how do you eliminate robbery?"
Wireless operators lack visibility into telecom security threats
Mobile network operators may be the ripest targets of telecom security threats. More than half (55%) of mobile operator respondents reported outages in 2010 due to security incidents, and most said they had limited or no visibility into various parts of their wireless networks.
In the packet core, 59% indicated they had limited or no visibility into security threats, while 57% said they do not know the percentage of wireless subscriber nodes participating in botnets. Meanwhile, 80% of respondents said they experienced no DDoS attacks last year, a figure that likely contains a large portion of false positives given the lack of visibility most carriers have, Morales said.
"Mobile providers have found themselves as accidental ISPs," he said. "They're about 10 years behind their wireline colleagues in terms of security … [and] just because they carry the same name [as a wireline operator] doesn't mean they have the same defenses."
DDoS remains a threat to telecom security, bottom line
While DDoS attacks are somewhat passé today in enterprise IT security circles -- where security specialists defend against organized cybercrime that targets financial or information theft -- they remain a large and growing threat to telecom network security.
DDoS-related outages and DDoS attacks on telecom infrastructure and services rank high on service providers' list of security concerns in 2011, but many respondents said their worst fear is having their networks hijacked by hackers to execute DDoS attacks on end customers.
"You don't directly make money off of distributed denial of service attacks … [but] clearly, it can be used as a weapon of extortion or blackmail," said Graham Titterington, principal analyst at Ovum. "They're also used to distract attention. People will be so busy with a DDoS attack that they're not monitoring everything else at the same time -- just like the best way to rob a building is when it's on fire."
Attacks are now politically motivated as well, Titterington said. The flurry of DDoS attacks against WikiLeaks as well as its opponents may be the most prominent examples, but Titterington said telecom networks have also been caught in the DDoS and botnet crossfire during recent disputes between China and Japan or Russia and Georgia.
In addition to the burden of carrying junk traffic or suffering downtime, DDoS attacks are also bad for business, especially for operators that have a hosting or managed service business, according to Amy Larsen DeCarlo, principal analyst at Current Analysis. Attacks sometimes bring down more than one site, which won't inspire customer confidence in a carrier's ability to mitigate and prevent such threats.
Let us know what you think about the story; email: Jessica Scarpati, News Writer.