Arbor Networks ATLAS DDoS attack data for Q2 2013

This presentation details DDoS attack data for Q2 2013. The data was gathered from Arbor Networks' ATLAS portal, which is a truly innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 270+ service providers who have agreed to share anonymous traffic data on an hourly basis, together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. The network and security intelligence delivered via ATLAS gives Arbor customers a considerable competitive advantage because of the powerful combination of the micro view of their own network (via Arbor products) together with the macro view of global Internet traffic (via ATLAS).

The data for Q2 2013 shows that DDoS continues to be a global threat, with a clear increase in attack size, speed and complexity.

Published in: News & Politics, Technology

  1. ATLAS Q2 2013 Update, July 2013
  2. The Arbor ATLAS Initiative: Internet Trends
     • 275+ ISPs sharing real-time data -> ATLAS Internet Trends
       - Automated hourly export of XML file to Arbor server (HTTPS)
       - File is anonymous, only tagged with:
         - User Specified Region, e.g. Europe
         - Provider Type (self categorized), e.g. Tier 1
     • Data derived from Flow / BGP / SNMP correlation
       - Arbor Peakflow SP product
       - Correlates Sampled Flow / BGP in real-time
       - Distributed in nature
       - Network / Router / Interface etc. Traffic Reporting
       - Threat Detection (DDoS / infected sub)
       - Multiple detection mechanisms
     • ATLAS currently monitoring a peak of 47Tbps of IPv4 traffic (peak) across all respondents.
       - A significant proportion of Internet traffic
  3. The Arbor ATLAS Initiative: Internet Trends 1H 2013
     • Key Findings (comparing 1H 2013 to 2012):
       - PPS attack sizes seem to be trending downward, reversing the strong growth trend seen in late 2011 and through 2012.
       - BPS attack sizes trending upwards, 46.5% now over 1Gb/sec, a jump of 13.5% from 2012.
       - Average attack sizes illustrate the above. Average BPS attack size is up 43% so far this year, average PPS size down 35%.
       - Proportion of attacks in the 2-10Gbps range more than doubles, from 14.78% to 29.8%.
       - In the first half of 2013 we have seen more than double the TOTAL number of attacks over 20Gb/sec we saw in the whole of 2012!
       - 3.26% of attacks now over 10Gb/sec; proportionally this is an increase of 41.6% over 2012.
  4. The Arbor ATLAS Initiative: Internet Trends 1H 2013
     • Key Findings (comparing 1H 2013 to 2012):
       - Massive increase in proportion of attacks involving fragments. 24.5% so far this year, up from 10.2% last year.
       - Proportion of attacks targeting port 443 up slightly from last year, 1.8% vs 1.45%.
       - Proportion of attacks targeting port 80 drops slightly from 36.8% last year to 31% so far this year.
       - Attack durations are trending shorter, 86% now last less than 1 hour.
       - Top attack sources in 1H are US (13.1%), China (12.5%) and France (3.3%). Note: 52.4% of attack sources anonymised by ATLAS.
       - Top attack destinations in 1H: US (29.7%), China (14.7%) and France (5.1%). Note: 24% of attack destinations anonymised by ATLAS.
  5. 2013 ATLAS Initiative: Anonymous Stats, World-Wide - Q1 Trend of Higher BPS Attack Rates Continues
     • Proportion of attacks over 1Gb/sec continues to rise
       - Upward trend over last four years from 21% -> 29.5% -> 33.1% -> 46.5%
     • Proportion of attacks less than 1Mpps increases, reversing recent trends
       - Reverses downward trend over last four years from 87% -> 65.07% -> 62.2% -> 77%
     • Average size of attacks increases year on year
       - 2013 Q1/Q2: 2.12Gb/sec (+43% from 2012), 967.8Kpps (-34.6% from 2012)
       - 2012: 1.48Gb/sec (+20% from 2011), 1.48Mpps (+11% from 2011)
     [Charts: World 2011 / 2012 / 2013 Size Break-Out, BPS. Legend: <1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps, >20Gbps]
  6. 2013 ATLAS Initiative: Anonymous Stats, World-Wide - BPS is Focus, as PPS Rates Shift Down
     • Reverses trend toward higher PPS attacks seen since late 2011.
     • Proportion of attacks over 10Mpps drops from 1.96% (2012) to 0.7% so far this year
     • Proportion of attacks above 1Mpps falls back across the range:
       - 2-5Mpps: 12.7% in 2012, to 7.8% so far this year.
       - 5-10Mpps: 4% in 2012, to 1.77% so far this year
     [Charts: World 2011 / 2012 / 2013 Size Break-Out, PPS. Legend: <1Mpps, >1<2Mpps, >2<5Mpps, >5<10Mpps, >10<20Mpps, >20Mpps]
  7. 2013 ATLAS Initiative: Anonymous Stats, World-Wide - Growth in Proportion of Attacks Using High BPS Rate
     • Already seen more than double the number of attacks over 20Gbps seen in whole of 2012!
     • Growth in proportion of attacks in 2-10Gbps range:
       - 9.3% in 2011, 14.78% in 2012, 29.8% in 2013 so far
     • Continued growth in proportion of attacks over 10Gbps, up 69.4% from 2011 -> 2012, up 41.6% so far in 2013. 3.26% of attacks now over 10Gbps
     • Average attack size over 10Gbps = 18.94Gbps
     [Charts: World 2012 / 2013 Size Break-Out, BPS. Legend: <1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps, >20Gbps]
  8. 2013 ATLAS Initiative: Anonymous Stats, World-Wide - Short Sharp Attacks More Common
     • Majority of attacks short-lived, approx 86% less than 1 hour
       - Big rise from 2012, +9%.
     • Average attack duration 2 hours 43 minutes (a decrease of 51 mins from 2012).
     • Average duration of attacks over 10G is 2 hours.
     • Proportion of attacks lasting longer than 12 hours continues to drop
       - 1.7% / 3.5% / 3.7% / 4.75% (2013 / 2012 / 2011 / 2010)
     [Charts: World 2012 / 2013 Break-Out Duration. Legend: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours, >24 Hours]
  9. 2013 ATLAS Initiative: Anonymous Stats, World-Wide - Massive Increase in Attacks Using Fragments
     • 31% of attacks targeting port 80, down from 36.8% in 2012
     • Percentage of attacks reported against port 0 (fragment) sees massive increase: 10.2% in 2012, 24.5% in 2013 (so far)
     • 51% of attacks over 10Gb reported against port 0 (fragment)
     • Attacks targeting port 443 continue to increase, 1.8% (up from 1.45%)
     • Percentage of attacks targeting port 53 falls to 6.4%, from 10% last year
     [Charts: World 2012 / 2013 Break-Out Ports. Legend: 80, 22, 443, 20480, 6005, 0, 53, Other]
  10. 2013 ATLAS Initiative: Anonymous Stats - Monitored Attack Sources
     • 52.4% of monitored attacks cannot be attributed due to data anonymisation / distribution
     • Of the remaining 47.6%, the top 3 sources are:
       - US: 13.1% (9.6% in 2012)
       - China: 12.5% (21% in 2012)
       - France: 3.3% (1.6% in 2012)
     • Ranking of sources for attacks larger than 10Gbps differs:
       - China: 10.6% (10% in 2012)
       - US: 9% (10.4% in 2012)
       - Germany: 2.3% (not in top 10 in 2012)
     • Key Changes:
       - France moves up to 3rd overall
       - Germany now 3rd source of attacks over 10Gb/sec
     [Charts: World 2012 Attack Sources (CA, TW, FR, BR, CH, DE, US, CN, KR, Unknown, Other); World 2013 Attack Sources (IR, ES, GB, CA, DE, KR, FR, CN, US, Unknown, Other)]
  11. 2013 ATLAS Initiative: Anonymous Stats - Monitored Attack Destinations
     • 24% of monitored attacks cannot be attributed due to data anonymisation / distribution
     • Of the remaining 76%, the top 3 destinations are:
       - US: 29.7% (19% in 2012)
       - China: 14.7% (6% in 2012)
       - France: 5.1% (1% in 2012)
     • Ranking of destinations for attacks larger than 10Gbps differs:
       - US: 30% (25% in 2012)
       - China: 17.7% (10.3% in 2012)
       - France: 5% (2.3% in 2012)
     • Key Changes:
       - France moves up to 3rd overall
       - Brazil and GB at 4 and 5 as destination of attacks over 10Gb/sec
     [Charts: World 2012 Attack Destinations (DE, CA, SE, FR, TR, KR, US, CN, GB, Unknown, Other); World 2013 Attack Destinations (CA, TR, GB, SE, BR, KR, FR, CN, US, Unknown, Other)]
  12. 2013 ATLAS Initiative: Anonymous Stats, World-Wide - Average Attack Growth trend in Mbps
     • Average attack is 2.7Gbps, June 2013
     • Average attack size now significantly over 2Gb/sec
     • Rapid growth in average attack size (Mbps) in 2013
     [Chart: Average Monthly Mbps of Attacks; data label: 2716]
  13. 2013 ATLAS Initiative: Anonymous Stats, World-Wide - Average Attack trend in Kpps
     • Average attack is 822Kpps, June 2013
     • Attack PPS rates seem to be waning in 2013 (so far)
     [Chart: Average Monthly Kpps of Attacks; data label: 822]
  14. 2013 ATLAS Initiative: Anonymous Stats, World-Wide - Peak Attack Growth trend in Gbps
     • Peak attack in June 2013 is 95.4Gbps
     • Continued spikes at 100Gbps+
     [Chart: Peak Monthly Gbps of Attacks; data label: 95.4]
  15. Spamhaus DDoS Attack March 2013
     • Largest DDoS attack seen to date
     • Traffic levels verified by service provider community.
     • ATLAS stats not provided by involved operators
     • DNS Reflection/Amplification Attack
     • Not a new attack vector
     • Responsible for other large (100Gb/sec) attacks in the past
     • Emphasizes the need to restrict open DNS Resolvers and implement BCP 38/84 at network edges.
     • Key concern is that other groups will start generating larger attacks, given the media focus on the Spamhaus attacks.
  16. 2013 ATLAS Initiative: Anonymous Stats, World-Wide - Peak Attack Growth trend in Mpps
     • Peak attack in June 2013 is 65.28Mpps
     • Peak monthly attack sizes broadly similar to 2012
     [Chart: Peak Monthly Mpps of Attacks; data label: 65.28]
  17. Thank You
