IPv6 and DNSSEC security concerns

Security administrators are anxious, perhaps with good reason.

Security architects who monitor and manage many of the underlying systems that ensure smooth data flow across the Internet are growing anxious over the deployments of some of the latest technologies designed to improve Internet security and reliability.

While domain name system security extension (DNSSEC) deployments and IPv6 offer a number of benefits, a lack of support and expertise could prompt an emerging wave of new botnet attacks, according to several security architects responding to a new survey from Arbor Networks Inc., a vendor that sells appliances that defend against botnet attacks.

The survey, in its fifth year, posed questions to 132 security professionals, many of them lead security architects at ISPs and large telecommunications firms. It is designed to highlight the security threats facing service providers.

Nearly 35% of those surveyed said sophisticated service and application-layer attacks represent the largest operational threat over the next 12 months, displacing large scale botnet-enabled attacks, which came in second this year at 21%.

“When Web services were located in single data centers in some aspects they were easier to defend, but now we’re dealing with more distributed environments,” said Craig Labovitz, chief scientist at Lexington Mass.-based Arbor Networks. “There are many more components today, and as Web services are evolving, so are the attacks.”

The big concern DDoS attacks which are becoming difficult to detect.

Distributed denial-of-service (DDoS) attacks, driven by botnets, have doubled in bandwidth since the attack was first identified in 2001. But according to the survey, botnet operators appear to be changing their tactics to make some DDoS attacks more difficult to detect and more focused on specific systems running a network.

DDoS attacks have risen from 400 Mbps in 2001 to more than 40 Gbps, but the survey found the attack scale growth slowing in 2009. Botnet operators also may be reaching the threshold for sustained malicious DDoS traffic, Labovitz said. In 2009, the highest sustained attack peaked at 49 Gbps.

“The lower bandwidth attacks are focused not so much on flooding the pipes and routers, but disabling and disrupting certain aspects of the distributed Web service,” Labovitz said.

And while high-profile volume attacks such as the DDoS attacks that brought down some South Korean and U.S. government websites are not sophisticated, the attacks are designed to remain undetected, which is what worries security architects the most, Labovitz said.

Another major concern: the lack of IPv6 security features.

Arbor said missing IPv6 security features in routers, firewalls and critical network infrastructure lacking support for IPv6 are a cause for concern. A lack of skilled professionals to test and deploy IPv6 supporting equipment may also result in more Internet-wide security vulnerabilities. Labovitz said most providers don’t believe all their routers can support IPv6 and provide the level of security necessary to sustain network up-time.

“The concern is that we’ve had issues with a string of availabilities of vanilla IPv4 and now we’re going to be introducing more things into the network,” Labovitz said. “They’re concerned it could tax technology operations and support, and cause significant challenges.”

Similar concerns exit for DNSSEC.

The survey found network operators concerned about an increase in attacks targeting DNS infrastructure, load balancers and large-scale SQL server back-end infrastructures.

The same concerns ring true for infrastructures that support DNSSEC. While the technology upgrade to DNS is expected to result in improved authentication and data integrity, deployments have been slow, but network security experts expect most top-level domains to be fully supporting DNSSEC by 2011.

Labovitz said the technology resolves many types of DNS injection attacks, but other underlying threats exist.

“There are many more moving parts,” he said. “It makes DNS messages bigger and more complicated.” (Source: SearchSecurity.com)

Reblog this post [with Zemanta]

About brvanlanen

Just a thirty-something guy currently hanging it up in the greater Green Bay area. My post-high school educational background is mainly in the Information Technology field. Specifically I have an A.A.S. in Computer Network Systems and a B.S. in Information Systems Security, both from ITT Technical Institute, in addition to A and MCDST certifications. In my free time I enjoy spending time with my family, cooking and sports. My Christian faith is also important to me as a Missouri-Synod Lutheran and all my children attend a Lutheran grade school. When it comes to political leanings I am a conservative first and foremost which you will discover rather quickly. As for sports I am a huge fan of the Green Bay Packers.

Posted on January 22, 2010, in attacks, Cybersecurity, IT Support, Network Administration, Security, Technology News and tagged , , , , , , , , . Bookmark the permalink. Comments Off on IPv6 and DNSSEC security concerns.

Comments are closed.

%d bloggers like this: