Arbor Networks ATLAS Q1 2014 DDoS Attack Data
This presentation provides details into DDoS attack data for Q1 2014. It was gathered from Arbor Networks' ATLAS portal which is a truly innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 280+ service providers who have agreed to share anonymous traffic data on an hourly basis, together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. The network and security intelligence delivered via ATLAS gives Arbor customers a considerable competitive advantage because of the powerful combination of the micro view of their own network (via Arbor products) together with the macro view of global Internet traffic (via ATLAS).

Published in: Technology, News & Politics


Transcript

  • 1. ATLAS Q1 2014 Update April 2014
  • 2. The Arbor ATLAS Initiative: Internet Trends
      • 280+ ISPs sharing real-time data -> ATLAS Internet Trends
          – Automated hourly export of XML file to Arbor server (HTTPS)
          – File is anonymous, only tagged with:
              – User Specified Region, e.g. Europe
              – Provider Type (self categorized), e.g. Tier 1
      • Data derived from Flow / BGP / SNMP correlation
          – Arbor Peakflow SP product
          – Correlates Sampled Flow / BGP in real-time
          – Distributed in nature
          – Network / Router / Interface etc. Traffic Reporting
          – Threat Detection (DDoS / infected sub)
          – Multiple detection mechanisms
      • ATLAS currently monitoring a peak of around 80Tbps of IPv4 traffic across all respondents.
          – A significant proportion of Internet traffic
  • 3. The Arbor ATLAS Initiative: Internet Trends 2014Q1
      • ATLAS Update:
          – Arbor ATLAS reports have moved to using a new DDoS collection back-end as of 1/1/2014
          – This update was brought about by the need for ATLAS to gather data on shorter duration / smaller size events (as well as large events). This required an order of magnitude jump in scale for processing capability.
          – The new infrastructure has been collecting data since mid 2013, and is also supplying data to the Google Digital Attack Map.
          – Peak event sizes can be correlated across old and new ATLAS data, but average sizes cannot (given the much larger dataset being used by the new system)
          – Analysis still focusing on Misuse events from participant Peakflow SP systems
  • 4. The Arbor ATLAS Initiative: Internet Trends 2014Q1
      • Key Findings:
          – Q1 2014 saw probably the most concentrated burst of large volumetric DDoS attacks ever.
          – Already seen nearly 1.5x the number of events over 20Gb/sec as in the whole of 2013
          – 72 events over 100Gb/sec were tracked by ATLAS in Q1.
          – A new largest event, 325Gb/sec, was tracked by ATLAS in Q1.
          – NTP reflection / amplification attacks were the main culprit - http://www.arbornetworks.com/asert/2014/03/ntp-attacks-continue-a-quick-look-at-traffic-over-the-past-few-months/
          – Targets in the USA and France saw the most large attacks
  • 5. 2014 Q1 Summary (2014 ATLAS Initiative : Anonymous Stats, World-Wide)
      • First quarter of new ATLAS data-set
      • Focus on providing baseline data for future comparisons
      • Some interesting stats though…
      • 2014 Q1 Average:
          – 1.12 Gb/sec
          – 272.45 Kpps
      • 2014 Q1 Peak:
          – 325.06 Gb/sec
          – 94.42 Mpps
      [Chart: World 2014 Q1 Size Break-Out, BPS; categories: <1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps, >20Gbps]
      [Chart: World 2014 Q1 Size Break-Out, PPS; categories: <1Mpps, >1<2Mpps, >2<5Mpps, >5<10Mpps, >10<20Mpps, >20Mpps]
  • 6. Large Attacks Multiply (2014 ATLAS Initiative : Anonymous Stats, World-Wide)
      • Already seen nearly 1.5 times the number of events over 20Gbps as seen in the whole of 2013!
      • And 72 over 100Gb/sec!
      • Numbers of events are staggering, see below.
      • Predominantly down to proliferation of NTP reflection attacks
          – 14% of events overall
          – 56% of events over 10Gbps
          – 84.7% of events over 100Gbps
      • Average event size over 10Gbps = 20.42 Gbps
      [Charts: Q1 Cumulative Large Event Break-Out; number of events for Jan, Feb and March, one chart for >10Gbps and >20Gbps, one for >50Gbps and >100Gbps]
  • 7. NTP Reflection / Amplification (2014 ATLAS Initiative : Anonymous Stats, World-Wide)
      • Growth of NTP attacks clearly shown in ATLAS traffic data.
      • Average of 1.29 Gbps NTP traffic globally in November 2013
      • Average of 351.64 Gbps in February 2014
      • Cooling off through the end of March
      • Still significantly above 2013 levels
      [Chart: World-Wide NTP Aggregate Traffic Level (Gbps), 11/01/2013 to 03/28/2014]
      [Chart: Proportion of Events with Source Port 123, Dec to March; series: All, >10G, >100G]
  • 8. NTP Attack Destinations (2014 ATLAS Initiative : Anonymous Stats, World-Wide)
      • US, France and Australia the most common targets overall.
      • US and France the most common targets of large attacks.
      [Chart: World 2014 Q1 NTP Attack Destinations; legend: CA, PL, SE, DE, GB, DK, AU, FR, US, Unknown]
      [Chart: World 2014 Q1 NTP Attack Destinations, > 10Gb/sec; legend: PL, AU, SE, RU, GB, DK, DE, FR, US, Unknown]
      [Chart: World 2014 Q1 NTP Attack Destinations, > 100Gb/sec; legend: RU, TR, NL, EU, SE, DK, CH, US, FR, Unknown]
  • 9. Duration Break-Out / Dest Port Break-Out (2014 ATLAS Initiative : Anonymous Stats, World-Wide)
      • Duration Break-Out
          – Majority of attacks short-lived, approx 90.1% less than 1 hour
          – Average attack duration 60 minutes.
          – Average duration of attacks over 10G is 54 minutes.
          – Proportion of attacks lasting longer than 12 hours is 1.48%
      • Dest Port Break-Out
          – NIF at number 1, with 22% of events, ports 80 and 53 in second and third place.
          – Port 443 (HTTPS) the target in 2.7% of events
      [Chart: World 2014 Q1 Break-Out Duration; categories: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours]
      [Chart: World 2014 Q1 Break-Out Ports; legend: Non Initial Fragment, 80, 53, 443, 123, 25]
  • 10. Event Source Break-Out (2014 ATLAS Initiative : Anonymous Stats)
      • 50.8% of monitored events cannot be attributed due to data anonymisation / distribution
      • Of the remaining 49.2%, the top 3 sources are:
          – South Korea : 12.5%
          – US : 11%
          – China : 3.9%
      • Much higher proportion of events cannot be attributed over 10G
      • Ranking of sources for events larger than 10Gbps differs:
          – US : 4.6%
          – China : 2%
          – Netherlands : 1.1%
      [Chart: World 2014 Q1 Attack Sources; legend: FR, GB, NL, DE, MY, BR, CN, US, KR, Unknown]
      [Chart: World 2014 Q1 Attack Sources, > 10Gbps; legend: KR, TH, GB, AU, FR, DE, NL, CN, US, Unknown]
  • 11. Event Destination Break-Out (2014 ATLAS Initiative : Anonymous Stats)
      • 12.5% of monitored events cannot be attributed due to data anonymisation.
      • Of the remaining 87.5%, the top 3 destinations are:
          – US : 21.2%
          – South Korea : 13%
          – China : 8.5%
      • Ranking of destinations for events larger than 10Gbps differs:
          – US : 21.7%
          – France : 15.7%
          – China : 9.4%
      [Chart: World 2014 Attack Destinations, > 10Gbps; legend: RO, SE, RU, GB, DK, DE, CN, FR, US, Unknown]
      [Chart: World 2014 Q1 Attack Destinations; legend: AU, BR, GB, MY, FR, TW, CN, KR, US, Unknown]
  • 12. Largest Monitored Attack Sizes Year on Year (2014 ATLAS Initiative : Anonymous Stats, World-Wide)
      • 2012
          – BPS: 100.84Gb/sec, destination unknown; lasted 20 mins
          – PPS: 82.36Mpps, destination unknown; lasted 24 mins
      • 2013
          – BPS: 245Gb/sec (TCP SYN); lasted 16 mins
          – PPS: 202Mpps (UDP/9656); lasted 8 mins
      • 2014 (so far)
          – BPS: 325Gb/sec (NTP), France; lasted 4 h 22 mins
          – PPS: 94.42Mpps, port 80, US; lasted 7 mins
  • 13. Peak Attack Growth trend in Gbps (2014 ATLAS Initiative : Anonymous Stats, World-Wide)
      • 100Gbps+ becoming increasingly common
      • New largest ATLAS monitored attack – 325Gbps in February
      [Chart: Peak Monthly Gbps of Attacks; highest point labelled 325.05]
  • 14. Peak Attack Growth trend in Mpps (2014 ATLAS Initiative : Anonymous Stats, World-Wide)
      • Peak sizes have been over 50Mpps for last few months
      • Trending down from peaks in November and December 2013
      [Chart: Peak Monthly Mpps of Attacks]
  • 15. Thank You