Cyber warfare against enterprises grows more brutal by the year, but now carriers are getting caught in the crossfire as more organizations move sensitive data into operators' clouds, according to a survey sponsored by telecom network security vendor Arbor Networks. Cloud security is a telecom issue as much as it is an enterprise issue.
It's imperative that we not only anticipate the next threat but identify and develop mitigation techniques.
Product Director of Managed Security Services, AT&T
"The attacks are following the engineering. It's a continual war of escalation. Bandwidth used to be more of an issue when everything was localized -- when everything was in one data center behind one firewall," said Craig Labovitz, chief scientist at Arbor Networks. "Now that more and more enterprises and Fortune 500s are distributing everything to the cloud, it's less about bandwidth and more about picking off cloud services."
The cloud security trend was one of five key findings in Arbor's fifth annual Worldwide Infrastructure Security Report, which surveyed 132 telecom network security professionals at Tier 1, Tier 2 and other IP network operators across the globe about attacks on their Internet backbones in 2009.
By attacking carrier infrastructure in the service layer -- such as DNS servers, load balancers and caches -- hackers can achieve much more "distributed" attacks across enterprises and applications, Labovitz said.
"It's not [against] a single target anymore," he said. "If you can't resolve a DNS server, it doesn't matter if you can't reach [one] HTTP address."
Cloud security can lead to privacy worries
Combating attacks against cloud-based infrastructure presents tricky privacy challenges, according to Steve Hurst, product director of managed security services at AT&T. Carriers walk a fine line when it comes to cloud security, he said, balancing the policies of one customer with carrier's duty to protect thousands of others.
"You don't necessarily want your carrier, without explicit permission, looking at packets," Hurst said. "[But] we do feel it's a responsibility of ours to protect the infrastructure and protect the applications so all users have access to them as needed."
AT&T's cloud security experts spend time with customers discussing proactive steps, such as content filtering and application controls, to protect their data or applications against attacks on the AT&T cloud, he said.
"There is a lot of education that goes on," Hurst said. "[People in general] are very good at protecting [themselves] against the threats that we have seen, and we as people are very poor at anticipating the next threat. However, from our perspective, it's imperative that we not only anticipate the next threat but identify and develop mitigation techniques."
To guard its Internet backbone, AT&T has found even analyzing packets at the header level can tip off operations engineers about a budding attack, Hurst said.
"We can pick up the precursors of events -- it's a code writer testing his codes, it's someone checking to see if something is going to work," he said. "When events are being directed against us as a corporation, we can then investigate those instances further ... to protect both our corporate and commercial networks."
Although application-level attacks were not the largest attacks in terms of traffic volume, they represented "some of the most sophisticated and operationally significant attacks" operators observed over the past year, according to the Arbor Networks survey.
"Several respondents indicated that infrastructure-impacting attacks they observe are not generally expressly targeting their infrastructure but, instead, are simply the result of collateral damage," the survey's authors wrote.
Flood-based attacks remained the most predominant attack vector (45%) in 2009, but more carriers said they fear service, host or link distributed denial-of-service (DDoS) attacks (35%) than bots and botnet-enabled attacks (21%) over the next year.
"The bad guys are beating us," wrote one anonymous respondent.
Telecom network security faces 'perfect storm' of routing changes
Meanwhile, a "perfect storm" of converging network engineering changes threatens to saddle carriers with "the greatest and potentially most disruptive set of circumstances in the history of the Internet," the survey stated.
Carriers have been hearing for years about looming IPv4 address exhaustion and the dangers of being ill-equipped for IPv6 migration, but Labovitz said operators are unprepared for other major routing migrations -- namely, 4-byte autonomous system numbers and DNS Security Extensions.
"There are a lot of things that have been bubbling for a while…. They've been more white papers than reality, but I think that might change," he said. "Not just one of those is coming true, but all three or four are coming true at once."
AT&T owns less than 10% of the IPv4s left, Hurst said, but he noted that security experts there are confident in migrating to IPv6 after having been involved in its development.
"We have been implementing changes in our infrastructure to allow us to operate in IPv6 or a dual-stack environment," Hurst said. "We focus on a dual-stack environment because we feel all companies are not going to immediately move to IPv6 … and we feel it's our responsibility to protect customer traffic whether it's traveling in IPv4 or IPv6."
Let us know what you think about the story; email: Jessica Scarpati, News Writer