Increasingly-intense distributed denial-of-service (DDOS) attacks on ISP backbones are surpassing providers' capacity and knocking customers offline, according to a new survey of service providers by Arbor Networks.

While most large ISPs have upgraded their backbones to 10-Gbit/s speeds over the past two years, three respondents said they have experienced sustained attacks from 20- to 22 Gbit/s, and one hosting services provider in the survey reported a 24-Gbit/s DNS-targeted attack. The most powerful sustained attack previously was 17 Gbit/s, which was reported in last year's survey by Arbor.

Thirty-six percent of the ISPs that responded to the survey -- which covers activity from July 2006 through June 2007 -- had suffered from sustained attacks of 1 Gbit/s or more over the past 12 months.

"There's been pretty significant growth in sustained attack size over a six-year period," says Danny McPherson, chief research officer for Arbor Networks. "Going from a 400-Mbit/s attack on Yahoo and Amazon in '01 to 24 Gbit/s [in one attack] in the last year."

McPherson says attacks that are two times the capacity of the ISP's backbone can hit enterprises and other customers hard. "That can cause a lot of collateral damage to the network. There are lots of other [organizations] upstream and on the same POP."

"Most enterprises have a less than 1-Gbit/s connection to the Internet, so this would overwhelm them," he says.

Nearly 60 percent of the ISPs in the survey said less than 10 attacks on their infrastructure per month actually affect their customers, and nearly 20 percent say anywhere from 10- to 100 of attacks do. Arbor expects that number to increase as more ISPs offer managed DDOS mitigation services, where ISPs more actively track attacks that affect their customers rather than relying on them to report problems.

And the number of ISPs surveyed who offer managed security services jumped from six last year to 40 this year, McPherson notes. Most of these services basically filter attack traffic and "clean" pipes, he says.

Not surprisingly, ISPs say botnets are the number one threat to their networks, and that these malicious networks are growing in size and sophistication. Botnets are used for DOS attacks (71 percent), sending spam (64 percent), as open proxies (34 percent), for storing ID theft information (16 percent), and as part of phishing systems (37 percent), according to respondents.

DDOS attacks fell from number one to a close second, according to the survey. Around 65 percent said DDOS attacks went after commercial services their customers offer on the Net, including Web server, portal, and email services. Nearly 35 percent said DDOSes were aimed at their network services such as DNS and NTP.

ISPs said the main vulnerability used for attacking their infrastructures were external password attacks (41 percent), host compromise (31 percent), and insider threat (21 percent). "The insider threat number was high," Arbor's McPherson says. "But also included there are [employee] mobile devices that are infected."

There are a couple of vulnerable hotspots on service provider backbones: More than half said they had no way to detect or mitigate DNS attacks, and nearly 90 percent don't have the ability to protect VOIP.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.