One great initiative that Microsoft has taken on is the Microsoft Active Protections Program (MAPP). MAPP is a forum for software providers to share and access vulnerability information to help them update their software faster in response to new vulnerabilities. MAPP is an example of how sharing security information between companies can be beneficial to the whole industry.
Akamai State of the Internet Report
Akamai has been producing their State of the Internet Report for many years now. Akamai's extremely large cloud and Content Distribution Network (CDN) gives them access to a large amount of data about Internet threats targeting them and their customers. This year, Akamai acquired Prolexic, a network security company that provides services that help companies avoid damaging DDoS attacks. Akamai is leveraging the Prolexic services to help Akamai's CDN and cloud customers mitigate the effects of service-affecting attacks. Prolexic used to publish their own Quarterly Global DDoS Attack Report, but that research has now been brought into the quarterly State of the Internet Report.
Their Q3 2014 State of the Internet Report is available for download now. This report talks a lot about the increase in bandwidth of DDoS attacks due to increasing Internet access speeds, whereby subscriber devices are used as bots to generate the traffic. The report mentions that reflection attacks using DNS and NTP are starting to wane, but new reflection attacks using different protocols like SSDP and UPnP and leveraging vulnerable mobile, CPE and IoT devices may become pervasive. This report also mentioned that the U.S. was the primary source of DDoS attacks.
Arbor Networks Worldwide Infrastructure Security Report (WISR)
Arbor Networks has also been publishing annual security reports since about 2004. Their ninth Worldwide Infrastructure Security Report (WISR) covers data gathered from late 2012 to late 2013. This report is based on data that their DDoS products gather and on survey results from their user base, covering over 220 service providers and large enterprises worldwide. The data also draws on information gathered by their Active Threat Level Analysis System (ATLAS) global threat intelligence system from their Peakflow SP customers. Arbor Networks also publishes threat information from their Arbor Security Engineering & Response Team (ASERT) group based on ATLAS information.
The current WISR indicated that the largest DDoS attacks are now well over 100Gbps, where just a few years ago they were peaking at 40Gbps. DDoS attacks also typically last less than an hour. This report also confirmed a rise in the number of IPv6-enabled service provider networks and that IPv6 transport was used in some DDoS attacks. However, IPv6 traffic visibility trails IPv4 traffic visibility. This report confirmed the use of DNS and NTP as packet amplification techniques used by attackers. One interesting set of statistics was on the size of the OPSEC teams. A few organizations had large OPSEC teams, while the majority of companies have extremely small teams or no team to speak of. Lack of headcount or resources was listed as the largest OPSEC team challenge. This report also shows that most organizations are using ACLs, firewalls, IPSs and Intelligent DDoS Mitigation Systems (IDMS) to defend against DDoS attacks.