ATLAS Q2 2014 Update
July 2014

This presentation provides details into DDoS attack data for Q2 2014. It was gathered from Arbor Networks' ATLAS portal which is a truly innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 290+ service providers who have agreed to share anonymous traffic data on an hourly basis, together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. The network and security intelligence delivered via ATLAS gives Arbor customers a considerable competitive advantage because of the powerful combination of the micro view of their own network (via Arbor products) together with the macro view of global Internet traffic (via ATLAS).

Published in: Technology, News & Politics

ATLAS Q2 2014 Update

  1. ATLAS Q2 2014 Update, July 2014
  2. The Arbor ATLAS Initiative: Internet Trends
     § 290+ ISPs sharing real-time data -> ATLAS Internet Trends
       – Automated hourly export of XML file to Arbor server (HTTPS)
       – File is anonymous, only tagged with
         – User Specified Region e.g. Europe
         – Provider Type (self categorized) e.g. Tier 1
     § Data derived from Flow / BGP / SNMP correlation
       – Arbor Peakflow SP product
       – Correlates Sampled Flow / BGP in real-time
       – Distributed in nature
       – Network / Router / Interface etc. Traffic Reporting
       – Threat Detection (DDoS / infected sub)
       – Multiple detection mechanisms
     § ATLAS currently monitoring a peak of around 90Tbps of IPv4 traffic (peak) across all respondents.
       – A significant proportion of Internet traffic
  3. The Arbor ATLAS Initiative: Internet Trends 2014
     § Key Findings:
       § Q1 2014 saw probably the most concentrated burst of large volumetric DDoS attacks ever, things have calmed down again in Q2.
       § NTP reflection attacks still significant, but reduced numbers / size compared to Q1. NTP traffic volumes falling globally, but still not back to ‘normal’.
       § Largest attack in Q2 is NTP reflection, but ‘ONLY’ 154Gbps, target in Spain.
       § Already seen more than 2x the number of events over 20Gbps compared to 2013.
       § Already seen more than 100 events over 100Gb/sec this year.
       § Non Initial Fragment attacks still the most common, but big increase in proportion of attacks targeting DNS (53) in Q2.
  4. § Second quarter of new ATLAS data-set
     § Focus on providing baseline data for future comparisons
     § Comparisons to Q1 2014
     § 2014 Q2 Summary :
     2014 ATLAS Initiative : Anonymous Stats, Worldwide
     § 2014 Q2 Average:
       § 759.83 Mb/sec (- 47% from Q1)
       § 199.85 Kpps (- 36% from Q1)
     § 2014 Q2 Peak:
       § 154.69 Gb/sec (-101% from Q1)
       § 80 Mpps (-18% from Q1)
     [Charts: World 2014 Q1 Size Break-Out, BPS; World 2014 Q2 Size Break-Out, BPS. Categories: <500Mbps, >500Mbps<1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps]
  5. Large Attacks Drop Back in Q2
     § Only half the number of events over 20Gb/sec in Q2, as compared to Q1 (still 1800+)
     § And 39 over 100Gb/sec, down from 72 in Q1.
     § Large attacks way up on last year, but Q2 was not as busy as Q1.
     2014 ATLAS Initiative : Anonymous Stats, Worldwide
     § Why? NTP reflection attacks still significant, but reduced:
       § 6% of events overall (down from 14% in Q1)
       § 34% of events over 10Gbps (down from 56%)
       § 48.7% of events over 100Gbps (down 84.7%)
     [Charts: 2014 Large Event Break-Out. Number of Events >50Gbps and >100Gbps, Jan to June; Number of Events >10Gbps and >20Gbps, Jan to June]
  6. 2014 ATLAS Initiative : Anonymous Stats, Worldwide
     NTP Reflection / Amplification
     § NTP attacks clearly shown in ATLAS traffic data.
     § Average of 1.29 Gbps NTP traffic globally in November 2013
     § Average of 351.64 Gbps in February 2014
     § Average of 32.3 Gbps in June 2014
     § NTP cooling off through the end of March and into Q2
     § Still significantly above 2013 levels
     [Charts: Proportion of Events with Source Port 123 (series: All, >10G, >100G), Dec to June; NTP (Gbps), 11/01/2013 to 06/29/2014]
  7. 2014 ATLAS Initiative : Anonymous Stats, Worldwide
     Other Protocols for Amplification
     § Given the huge storm of NTP reflection activity, there has been some focus (in the media) on other protocols that can be used in this way.
     § Only two protocols show any significant activity
     § Virtually nothing on QOTD, SSDP, Quake3.
     § NOTE: Some of these attacks make use of non-initial-fragments which are not accounted for below.

     Protocol   UDP Port   Percentage of Attacks in Q2   Max Size    Average Size
     SNMP       161        0.1%                          18.61Gbps   765.6Mbps
     Chargen    19         1.4%                          54.4Gbps    1.18Gbps
  8. Duration Break-Out
     § Majority of attacks short-lived, approx 90.6% less than 1 hour, consistent with Q1.
     § Average attack duration 72 mins, up from 60 mins in Q1
     2014 ATLAS Initiative : Anonymous Stats, Worldwide
     [Charts: World 2014 Q1 Break-Out Duration; World 2014 Q2 Break-Out Duration. Categories: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours]
     § Average duration of attacks over 10G is 1 hour 38 minutes, up significantly from 54 minutes in Q1.
     § Proportion of attacks lasting longer than 12 hours is 1.38%, roughly consistent with Q1
  9. 2014 ATLAS Initiative : Anonymous Stats, Worldwide
     Dest Port Break-Out
     § NIF stays at number 1, with 23.8% of events, ports 80 and 53 in second and third place.
     § Jump in proportion of attacks hitting port 53:
       § Up from 8% to 13.3%
     [Charts: World 2014 Q2 Break-Out Ports (NIF, 80, 53, 443, 3074, 25565, 4500, Other); World 2014 Q1 Break-Out Ports (NIF, 80, 53, 443, 123, 25, 3074, Other)]
     § Port 443 (HTTPS) is the target in 2.25% of events, down from 2.7% in Q1.
     § 123 (NTP) drops out of top target ports
       § But still being used a lot for reflection
  10. Event Source Break-Out
     § 33.9% of monitored events cannot be attributed due to data anonymisation / distribution
     § Of the remaining 56.1%, the top 3 sources are:
       § South Korea : 15.1% (up from 12.5% in Q1)
       § US : 14.8% (up from 11% in Q1)
       § China : 6.7% (up from 3.9% in Q1)
     2014 ATLAS Initiative : Anonymous Stats, Worldwide
     § Much higher proportion of events cannot be attributed over 10G
     § Ranking of sources for events larger than 10Gbps differs:
       § US : 7.6% (up from 4.6% in Q1)
       § China : 6.6% (up from 2% in Q1)
       § South Korea : 1.26% (up from 0.22% in Q1)
     [Charts: World 2014 Q1 Attack Sources (FR, GB, NL, DE, MY, BR, CN, US, KR, Unknown); World 2014 Q2 Attack Sources (RU, BR, NL, MY, DE, GB, CN, US, KR, Unknown)]
  11. Event Destination Break-Out
     § 7% of monitored events cannot be attributed due to data anonymisation.
     § Of the remaining 93%, the top 3 destinations are:
       § US : 18% (down from 21.2%)
       § China : 15.9% (up from 8.5% in Q1)
       § South Korea : 13.4% (up from 13% in Q1)
     2014 ATLAS Initiative : Anonymous Stats
     § France drops from 6.4% of attacks in Q1 to 3.8% in Q2.
     § Ranking of destinations for events larger than 10Gbps differs:
       § US : 15.5% (down from 21.7% in Q1)
       § France : 8.2% (down from 15.7% in Q1)
       § China : 7.18% (down from 9.4% in Q1)
     [Charts: World 2014 Q1 Attack Destinations (AU, BR, GB, MY, FR, TW, CN, KR, US, Unknown); World 2014 Q2 Attack Destinations (CA, TW, GB, BR, FR, MY, KR, CN, US, Unknown)]
  12. 2014 ATLAS Initiative : Anonymous Stats, Worldwide
     Largest Monitored Attack Sizes Year on Year
     2012
       BPS: 100.84Gb/sec, destination unknown; lasted 20 mins
       PPS: 82.36Mpps, destination unknown; lasted 24 mins
     2013
       BPS: 245Gb/sec (TCP SYN); lasted 16 mins
       PPS: 202Mpps (UDP/9656); lasted 8 mins
     2014 (so far)
       BPS: 325Gb/sec (NTP), France; lasted 4 h 22 mins
       PPS: 94.42Mpps, port 80, US; lasted 7 mins
  13. § 100Gbps+ becoming increasingly common
     § Largest ATLAS monitored attack in Q2:
       § 154.69Gb/sec, 25 mins, NTP Reflection -> port 80, target in Spain.
     2014 ATLAS Initiative : Anonymous Stats, Worldwide
     [Chart: Peak Attack Growth trend in Gbps; axis: Peak Monthly Gbps of Attacks; labelled value: 325.05]
  14. § Peak sizes have been over 50Mpps for last few months
     § Largest attack in Q2:
       § 80Mpps, 11 minutes, SYN Flood -> port 20480, unknown dest.
     2014 ATLAS Initiative : Anonymous Stats, Worldwide
     [Chart: Peak Attack Growth trend in Mpps; axis: Peak Monthly Mpps of Attacks]
  15. Thank You
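
Slides 6, 7 and 9 attribute events by UDP source port (123 for NTP, 161 for SNMP, 19 for Chargen) and note that non-initial fragments cannot be counted that way. The following Python example is added here and is not Arbor's code: it labels sampled flow records the same way and bins each destination's traffic using the slide 4 size break-out. The record fields, the 1-in-1000 sampling rate and the addresses are constructed assumptions.

```python
from collections import defaultdict

# UDP source ports of the reflection protocols named on slides 6 and 7.
REFLECTION_PORTS = {123: "NTP", 161: "SNMP", 19: "Chargen"}
# Size bins from the slide 4 break-out, as (upper bound in bit/s, label).
SIZE_BINS = [(500e6, "<500Mbps"), (1e9, ">500Mbps<1Gbps"), (2e9, ">1<2Gbps"),
             (5e9, ">2<5Gbps"), (10e9, ">5<10Gbps"), (20e9, ">10<20Gbps")]

def vector_of(flow):
    """Label one flow record with the reflection vector it suggests."""
    if flow["frag_offset"] > 0:
        # A non-initial fragment carries no UDP header, so there is no
        # source port to attribute it to a protocol: count it as NIF.
        return "NIF"
    if flow["proto"] == 17 and flow["src_port"] in REFLECTION_PORTS:
        return REFLECTION_PORTS[flow["src_port"]]
    return "other"

def size_bin(bps):
    """Map a bit rate onto the slide 4 size categories."""
    for upper, label in SIZE_BINS:
        if bps < upper:
            return label
    return ">20Gbps"

def summarize(flows, window_s, sampling_rate):
    """Per destination: total bit/s, size bin and dominant vector."""
    per_dst = defaultdict(lambda: defaultdict(float))
    for f in flows:
        # Scale sampled bytes back up to an estimated on-the-wire rate.
        bps = f["bytes"] * 8 * sampling_rate / window_s
        per_dst[f["dst"]][vector_of(f)] += bps
    report = {}
    for dst, vectors in per_dst.items():
        total = sum(vectors.values())
        top = max(vectors, key=vectors.get)
        report[dst] = {"total_bps": total, "bin": size_bin(total),
                       "top_vector": top, "share": vectors[top] / total}
    return report

# Constructed sample: 60 s of sampled flow toward two documentation addresses.
SAMPLE = [
    {"dst": "192.0.2.10", "proto": 17, "src_port": 123, "frag_offset": 0, "bytes": 6_000_000},
    {"dst": "192.0.2.10", "proto": 17, "src_port": 0, "frag_offset": 185, "bytes": 3_000_000},
    {"dst": "192.0.2.10", "proto": 6, "src_port": 51514, "frag_offset": 0, "bytes": 1_000_000},
    {"dst": "198.51.100.7", "proto": 17, "src_port": 19, "frag_offset": 0, "bytes": 300_000},
]
REPORT = summarize(SAMPLE, window_s=60, sampling_rate=1000)
```

In the sample, the fragmented traffic toward 192.0.2.10 lands in the NIF bucket rather than under NTP, which is the undercount the slide 7 note describes for port-based figures.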