Mobile providers, IPv6 prompt DDoS worries

The design of mobile data networks and gradual transition to internet protocol version 6 (IPv6) have created easy targets for distributed denial of service (DDoS) attacks, according to security vendor Arbor Networks.

Arbor's Asia Pacific solutions architect, Roland Dobbins, labelled mobile providers "accidental ISPs" and likened their network design principles with poorly designed enterprise networks.

"Most mobile wireless networks were designed with minutes in mind, the TCP/IP part was an afterthought," Dobbins told attendees at the Australian Network Operators Group (AusNOG) conference in Sydney last week.

"With the rise and popularity of iOS devices, mobile providers worldwide have essentially become accidental ISPs - the data side is more important than the voice side."

DDoS attacks had spiked 102 percent over 2010, according to a survey of providers by Arbor.

Despite their expertise in wireless communications, mobile providers have not proved up to task when it comes to provisioning protected data for smartphones, according to Dobbins.

The widespread installation of carrier-grade network address translation (NAT) devices and stateful firewalls across the networks had harmed the network's integrity and allowed for greater chance of DDoS attacks from a botnet of smartphones or wireless-enabled devices, he said.

Despite having the past several years to regain expertise in the field, he found the same mistakes replicated across newer deployments of WiMAX and LTE networks.

The network design had allowed connected devices to deliberately or inadvertently trigger DDoS attacks by continuously pinging a carrier for hosts or open ports.

"Now you have a big data outage for many, many users who are served by the stateful firewall," he said.

The proliferation of NAT devices across carrier and enterprise networks was unlikely to be abated soon, too, as both attempted to transition toward IPv6 in coming years.

"We're actually going to see more NAT with IPv6," he said, likening carriers and enterprises with making the same mistakes as their mobile counterparts.

To minimise risk of DDoS, Dobbins recommended companies drop deployments of unnecessary hardware providing more points of failure on a network, while providing sufficient protection to those hardware devices that did remain.

Even on growing mobile carrier networks, providers needed to control their users.

"You need to have enough visibility in your network traffic to understand when this malicious, harmful traffic is being generated by botted hosts on your wireless networks and have the ability to mitigate that traffic and potentially quarantine those users," he said.