The 12th Annual Worldwide Infrastructure Security Report (WISR) by Arbor Networks Inc., the security division of NETSCOUT (NASDAQ: NTCT), shows the stakes have changed for network and security teams. The threat landscape has been transformed by the emergence of Internet of Things (IoT) botnets. As IoT devices proliferate across networks, bringing tremendous benefits to businesses and consumers, attackers are able to weaponise them due to inherent security vulnerabilities.

This year’s report goes in-depth, covering how attackers exploit and recruit IoT devices, how IoT botnets enabled by Mirai source code operate and offers practical advice on how to defend against them.

The largest distributed denial-of-service (DDoS) attack reported this year was 800 Gbps, a 60% increase over 2015’s largest attack of 500 Gbps. Not only are DDoS attacks getting larger, but they are also becoming more frequent and complex. This increased scale and complexity has led more businesses to deploy purpose-built DDoS protection solutions, implement best practice hybrid defences and increase time for incident response practice – all positive developments in an otherwise gloomy threat environment.

“The survey respondents have grown accustomed to a constantly evolving threat environment with steady increases in attack size and complexity over the past decade,” said Darren Anstee, Arbor Networks Chief Security Technologist. “However, IoT botnets are a game changer because of the numbers involved. There are billions of these devices deployed, and they are being easily weaponised to launch massive attacks. Increasing concern over the threat environment is reflected in the survey results, which show significant improvements in the deployment of best practice technologies and response processes.”

Survey Methodology
The 2016 Worldwide Infrastructure Security Report (WISR) is based on a survey comprised of 133 free-form and multiple choice questions. This is a significant decrease from 172 last year.

Beyond the reduction in the number of questions, this year’s survey has specific logic flows that enable service providers and enterprise/government/education respondents to see a different set of questions depending upon their self-classification. The questions diverge depending upon the nature of the respondent.

Arbor distributes the WISR survey by specifically targeting individuals within the operational security community to get as accurate a picture as possible. Survey participation remains strong despite additional efforts to encourage recusal of respondents without direct network or security operational experience. The number of responses this year was 356 as compared to 354 for the previous survey.


Innovation and Exploitation Fuel DDoS Attack Landscape: The emergence of botnets that exploit inherent security weaknesses in IoT devices and the release of the Mirai botnet source code have increased attackers’ abilities to launch extremely large attacks.

Scale: The massive growth in attack size has been driven by increased attack activity on all reflection/amplification protocols, and by the weaponisation of IoT devices and the emergence of IoT botnets.
Since Arbor began the WISR in 2005, DDoS attack size has grown 7,900%, for a compound annual growth rate (CAGR) of 44%
In the past five years alone, DDoS attack size has grown 1,233%, for a CAGR of 68%

Frequency: The chances of being hit by a DDoS attack have never been higher, with respondents showing increased rates of attack.

  • 53% of service providers indicated they are seeing more than 21 attacks per month – up from 44% last year
  • 21% of data-centre respondents saw more than 50 attacks per month, versus only 8% last year
  • 45% of enterprise, government and education respondents experienced more than 10 attacks per month – a 17% year over year increase

Complexity: Multiple simultaneous attack vectors are increasingly being used to target different aspects of a victim’s infrastructure at the same time. These multi-vector attacks are popular because they can be difficult to defend against and are often highly effective, driving home the need for an agile, multi-layer defence.
67% of service providers and 40% of Enterprise, Government and Education (EGE) reported seeing multi-vector attacks on their networks

Consequences of DDoS Attacks Are Becoming Clear: DDoS attacks have successfully made many leading web properties unreachable – costing thousands, sometimes millions, of dollars in revenue. This has led the C-suite and company boards to make DDoS defence a top priority.

  • 61% of data centre operators reported attacks totally saturating data centre bandwidth
  • 25% of data centre and cloud providers saw the cost of a major DDoS attack rise above $100,000, and 5% cited costs of over $1 million
  • 41% of EGE organisations reported DDoS attacks exceeding their total internet capacity. Nearly 60% of EGE respondents estimate downtime costs above $500/minute

More Appreciation of Risk Leads to Better Behaviour: This year’s survey results indicate a better understanding of the brand damage and operational expense of successful DDoS attacks, driving focus on best-practice defensive strategies. Across the board, in every industry, there has been an increase in the use of purpose-built DDoS protection solutions and best practice methods.

  • 77% of service provider respondents are capable of mitigating attacks in less than 20 minutes
  • Nearly 55% of EGE respondents now carry out DDoS defence simulations, with approximately 40% carrying them out at least quarterly
  • The proportion of data centre and cloud provider respondents that are using firewalls for DDoS defence has fallen from 71% to 40%

Demographics of Survey Respondents
Service providers represent the majority of respondents at 64 percent (Figure 1) — a 12 percent increase over last year. The remaining 36 percent come from enterprise, government and education (EGE) network operators.

Breaking down the EGE segment, 61 percent are enterprise respondents, with 35 percent and 14 percent representing education and government respectively.
Within the service provider category, tier 2/3 and tier 1 operators are the main groupings, as in previous iterations of this report (Figure 2).

Looking closer at the EGE respondents, we identified a broad representation of verticals (Figure 3). The largest proportion of enterprise respondents are from banking/finance at 32 percent, a significant increase from 18 percent last year. Technology, automotive/transportation and manufacturing are also well represented, rounding out the top four verticals.

Two-thirds of all respondents identify as security, network or operations professionals (Figure 4), a similar result to last year. Security professionals are the highest represented demographic, with 40 percent having this background.

The survey garnered wide participation from all regions (Figure 5). The United States and Canada represent the lead region for participation, with Western, Central and Eastern Europe following closely in second place. Participation from Asia Pacific and Oceana increased significantly this year, with small decreases proportionally for Latin America, the Middle East and Africa.