Security architects fear savvy botnet attacks, IPv6 security issues

By Robert Westervelt, News Editor 20 Jan 2010 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Security architects who monitor and manage many of the underlying systems that ensure smooth data flow across the Internet are growing anxious over the deployments of some of the latest technologies designed to improve Internet security and reliability.

While domain name system security extension (DNSSEC) deployments and IPv6 offer a number of benefits, a lack of support and expertise could prompt an emerging wave of new botnet attacks, according to several security architects responding to a new survey from Arbor Networks Inc., a vendor that sells appliances that defend against botnet attacks.

The survey, in its fifth year, posed questions to 132 security professionals, many of them lead security architects at ISPs and large telecommunications firms. It is designed to highlight the security threats facing service providers.

Nearly 35% of those surveyed said sophisticated serv...

Tags: Security Industry Market Trends, Predictions and Forecasts,  Network Protocols and Security,  Denial of Service (DoS) Attack Prevention,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security Industry Market Trends, Predictions and Forecasts Verizon data breach report 2010: Insider breaches on the rise Security Wire Weekly podcast: Black Hat 2010 preview Gartner: IT security spending to remain steady, but not a top CIO priority SMS two-factor authentication for electronic identity verification Bruce Schneier on security for cloud computing Bruce Schneier on cryptography and government information security Outsourced security extends to wealth of services, study finds Estonia defense minister talks about 2007 cyberattacks Robert Maley dismissal, in retrospect, not surprising RSA Conference 2010 in review Security Industry Market Trends, Predictions and Forecasts Research Network Protocols and Security ICANN announces DNSSEC deployment to root Internet servers Black Hat: Researchers poke holes in HTTPS, SSL Web browser security Black Hat 2010: Study tests SSL protocol use, finds SSL errors Smart grid system protection: SCADA security will challenge Feds Free port scan: How to use Angry IP scanner Experts see DNSSEC deployments gaining traction VeriSign on DNSSEC support VeriSign on DNSSEC support Joining security information management systems with identity management systems boosts security Can secure FTP services protect sensitive data from hackers? Denial of Service (DoS) Attack Prevention Frustration growing over limited ability to shut down botnets New tool enables botnet command and control via Twitter Assessing the botnet threat Schneier-Ranum Face-Off: Should we ban anonymity on the Internet? Server Message Block Version 2 security in question: Disable or patch? SCADA system, critical infrastructure security lacking, survey finds Web application attacks security guide: Preventing attacks and flaws DDoS attack strikes UltraDNS, affects Amazon, Wal-Mart VeriSign extends DDoS attack protection service Conficker authors prepping for next stage, researcher says Denial of Service (DoS) Attack Prevention Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary backscatter body scanning  (SearchSecurity.com) marketecture  (SearchSecurity.com) NCSA  (SearchSecurity.com) Palladium  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

ice and application-layer attacks represent the largest operational threat over the next 12 months, displacing large scale botnet-enabled attacks, which came in second this year at 21%.

"When Web services were located in single data centers in some aspects they were easier to defend, but now we're dealing with more distributed environments," said Craig Labovitz, chief scientist at Lexington Mass.-based Arbor Networks. "There are many more components today, and as Web services are evolving, so are the attacks."

Distributed denial-of-service (DDoS) attacks, driven by botnets, have doubled in bandwidth since the attack was first identified in 2001. But according to the survey, botnet operators appear to be changing their tactics to make some DDoS attacks more difficult to detect and more focused on specific systems running a network.

DDoS attacks have risen from 400 Mbps in 2001 to more than 40 Gbps, but the survey found the attack scale growth slowing in 2009. Botnet operators also may be reaching the threshold for sustained malicious DDoS traffic, Labovitz said. In 2009, the highest sustained attack peaked at 49 Gbps.

"The lower bandwidth attacks are focused not so much on flooding the pipes and routers, but disabling and disrupting certain aspects of the distributed Web service," Labovitz said.

And while high-profile volume attacks such as the DDoS attacks that brought down some South Korean and U.S. government websites are not sophisticated, the attacks are designed to remain undetected, which is what worries security architects the most, Labovitz said.

IPv6 security issues, DNSSEC concerns
Arbor said missing IPv6 security features in routers, firewalls and critical network infrastructure lacking support for IPv6 are a cause for concern. A lack of skilled professionals to test and deploy IPv6 supporting equipment may also result in more Internet-wide security vulnerabilities. Labovitz said most providers don't believe all their routers can support IPv6 and provide the level of security necessary to sustain network up-time.

"The concern is that we've had issues with a string of availabilities of vanilla IPv4 and now we're going to be introducing more things into the network," Labovitz said. "They're concerned it could tax technology operations and support, and cause significant challenges."

The survey found network operators concerned about an increase in attacks targeting DNS infrastructure, load balancers and large-scale SQL server back-end infrastructures.

The same concerns ring true for infrastructures that support DNSSEC. While the technology upgrade to DNS is expected to result in improved authentication and data integrity, deployments have been slow, but network security experts expect most top-level domains to be fully supporting DNSSEC by 2011.

Labovitz said the technology resolves many types of DNS injection attacks, but other underlying threats exist.

"There are many more moving parts," he said. "It makes DNS messages bigger and more complicated."