The combination of strained budgets and the growing sophistication of cyber attacks has Internet service provider security executives more concerned now than in the recent past, according to Arbor Networks’ annual Worldwide Infrastructure Security Report. The security solutions vendor talked with 66 of its service provider customers globally to compile the data, which shows that the size of some “brute-force” attacks is also approaching alarming proportions.

The study also revealed a need for ISPs to work together more closely on security issues and for the industry to include service providers in on the process of identifying vulnerabilities and patches.

“In the past, we found customers spent most of their resources addressing denial-of-service (DoS) attacks,” said Craig Labovitz, chief scientist at Arbor Networks and co-author of the study. “But this year, one trend has continued to accelerate, and that is application-specific attacks. As a result, we have seen some prolonged outages reported by ISPs.”

These more sophisticated attacks target specific resources, with the intent to exhaust and bring down a service, Labovitz said.

“I think it is a continued evolution,” he said. “ISPs have deployed gear to deal with flooding attacks, so the attackers have raised the bar, they have responded by finding new avenues of attack. The services that they are deploying today are getting pretty sophisticated. They are using different types of media, Web 2.0, online, in-the-cloud services. Before an attacker could try to flood a Web server; now there are different database components, distributed components, that they can target. Things are growing more complex, providing more avenues of attack.”

At the same time, the brute-force attacks are growing in size. The Arbor study found the largest distributed DoS (DDoS) attacks broke the 40-gigabit threshold this year, meaning the size of these attacks is outpacing the growth in underlying transmission speed and infrastructure investment.

The combination of more sophisticated and larger attacks and constrained budgets has ISP security executives in something like a funk, Labovitz said.