Security architects who monitor and manage many of the underlying systems that ensure smooth data flow across the Internet are growing anxious over the deployments of some of the latest technologies designed to improve Internet security and reliability.
While domain name system security extension (DNSSEC) deployments and IPv6 offer a number of benefits, a lack of support and expertise could prompt an emerging wave of new botnet attacks, according to several security architects responding to a new survey from Arbor Networks Inc., a vendor that sells appliances that defend against botnet attacks.
The survey, in its fifth year, posed questions to 132 security professionals, many of them lead security architects at ISPs and large telecommunications firms. It is designed to highlight the security threats facing service providers.
Nearly 35% of those surveyed said sophisticated service and application-layer attacks represent the largest operational threat over the next 12 months, displacing large scale botnet-enabled attacks, which came in second this year at 21%.
"When Web services were located in single data centers in some aspects they were easier to defend, but now we're dealing with more distributed environments," said Craig Labovitz, chief scientist at Lexington Mass.-based Arbor Networks. "There are many more components today, and as Web services are evolving, so are the attacks."
Distributed denial-of-service (DDoS) attacks, driven by botnets, have doubled in bandwidth since the attack was first identified in 2001. But according to the survey, botnet operators appear to be changing their tactics to make some DDoS attacks more difficult to detect and more focused on specific systems running a network.
DDoS attacks have risen from 400 Mbps in 2001 to more than 40 Gbps, but the survey found the attack scale growth slowing in 2009. Botnet operators also may be reaching the threshold for sustained malicious DDoS traffic, Labovitz said. In 2009, the highest sustained attack peaked at 49 Gbps.
"The lower bandwidth attacks are focused not so much on flooding the pipes and routers, but disabling and disrupting certain aspects of the distributed Web service," Labovitz said.
And while high-profile volume attacks such as the DDoS attacks that brought down some South Korean and U.S. government websites are not sophisticated, the attacks are designed to remain undetected, which is what worries security architects the most, Labovitz said.
IPv6 security issues, DNSSEC concerns
Arbor said missing IPv6 security features in routers, firewalls and critical network infrastructure lacking support for IPv6 are a cause for concern. A lack of skilled professionals to test and deploy IPv6 supporting equipment may also result in more Internet-wide security vulnerabilities. Labovitz said most providers don't believe all their routers can support IPv6 and provide the level of security necessary to sustain network up-time.
"The concern is that we've had issues with a string of availabilities of vanilla IPv4 and now we're going to be introducing more things into the network," Labovitz said. "They're concerned it could tax technology operations and support, and cause significant challenges."
The survey found network operators concerned about an increase in attacks targeting DNS infrastructure, load balancers and large-scale SQL server back-end infrastructures.
The same concerns ring true for infrastructures that support DNSSEC. While the technology upgrade to DNS is expected to result in improved authentication and data integrity, deployments have been slow, but network security experts expect most top-level domains to be fully supporting DNSSEC by 2011.
Labovitz said the technology resolves many types of DNS injection attacks, but other underlying threats exist.
"There are many more moving parts," he said. "It makes DNS messages bigger and more complicated."