ATLAS Q2 2013 Update July 2013
The Arbor ATLAS Initiative: Internet Trends
§ 275+ ISPs sharing real-‐3me data -‐ > ATLAS Internet Trends – Automated hourly export of XML file to Arbor server (HTTPS) – File is anonymous, only tagged with
– User Specified Region e.g. Europe – Provider Type (self categorized) e.g. Tier 1
§ Data derived from Flow / BGP / SNMP correla3on – Arbor Peakflow SP product
– Correlates Sampled Flow / BGP in real-‐3me – Distributed in nature – Network / Router / Interface etc. Traffic Repor3ng – Threat Detec3on (DDoS / infected sub)
– Mul3ple detec3on mechanisms
§ ATLAS currently monitoring a peak of 47Tbps of IPv4 traffic (peak) across all respondents. - A significant proportion of Internet traffic
The Arbor ATLAS Initiative: Internet Trends 1H 2013
§ Key Findings (comparing 1H 2013 to 2012):
§ PPS a`acks sizes seem to be trending downward, reversing the strong growth trend seen in late 2011 and through 2012.
§ BPS a`ack sizes trending upwards, 46.5% now over 1Gb/sec, a jump of 13.5% from 2012.
§ Average a`ack sizes illustrate the above. Average BPS a`ack size is up 43% so far this year, average PPS size down 35%
§ Propor3on of a`acks in the 2 – 10Gbps range more than doubles, from 14.78% to 29.8%
§ In the first half or 2013 we have seen more than double the TOTAL number of a`acks over 20Gb/sec we saw in the whole of 2012!
§ 3.26% of a`acks now over 10Gb/sec, propor3onally this is an increase of 41.6% over 2012.
The Arbor ATLAS Initiative: Internet Trends 1H 2013
§ Key Findings (comparing 1H 2013 to 2012):
§ Massive increase in propor3on of a`acks involving fragments. 24.5% so far this year, up from 10.2% last year.
§ Propor3on of a`acks targe3ng port 443 up slightly from last year, 1.8% vs 1.45%
§ Propor3on of a`acks targe3ng port 80 drops slightly from 36.8% last year to 31% so far this year.
§ A`ack dura3ons are trending shorter, 86% now last less than 1 hour.
§ Top a`ack sources in 1H are US (13.1%), China (12.5%) and France (3.3%) Note: 52.4% of a`ack sources anonymised by ATLAS.
§ Top a`ack des3na3ons in 1H US (29.7%), China (14.7%) and France (5.1%) Note: 24% of a`ack des3na3ons anonymised by ATLAS.
§ Proportion of attacks over 1Gb/sec continues to rise § Upward trend over last four years from 21%> 29.5% -> 33.1%-> 46.5%
§ Proportion of attacks less than 1Mpps increases, reversing recent trends § Reverses downward trend over last four years from 87% -> 65.07% -> 62.2% -> 77%
§ Average size of attacks increases year on year
2013 ATLAS Initiative : Anonymous Stats, World-Wide
§ 2013 Q1/Q2: § 2.12 Gb/sec (+43% from 2012) § 967.8Kpps (-34.6% from 2012)
§ 2012: § 1.48Gb/sec (+20% from 2011) § 1.48Mpps (+11% from 2011)
World 2012 Size Break-‐Out,BPS World 2011 Size Break-‐Out,BPS World 2013 Size Break-‐Out,BPS
<1Gbps
>1<2Gbps
>2<5Gbps
>5<10Gbps
>10<20Gbps
>20Gbps
Q1 Trend of Higher BPS Attack Rates Continues
2013 ATLAS Initiative : Anonymous Stats, World-Wide
BPS is Focus, as PPS Rates Shift Down § Reverses trend toward higher
PPS attacks seen since late 2011. § Proportion of attacks over
10Mpps drops from 1.96% (2012) to 0.7% so far this year
World 2012 Size Break-‐Out, PPS World 2011 Size Break-‐Out, PPS World 2013 Size Break-‐Out, PPS
<1Mpps
>1<2Mpps
>2<5Mpps
>5<10Mpps
>10<20Mpps
>20Mpps
§ Proportion of attacks above 1Mpps falls back across the range: § 2 – 5Mpps – 12.7% in 2012,
to 7.8% so far this year. § 5 – 10Mpps – 4% in 2012, to
1.77% so far this year
§ Already seen more than double the number of attacks over 20Gbps seen in whole of 2012!
§ Growth in proportion of attacks in 2-10 Gbps range :
§ 9.3% in 2011, 14.78% in 2012, 29.8% in 2013 so far
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Growth in Proportions Attacks Using High BPS Rate
§ Continued growth in proportion of attacks over 10Gbps, up 69.4% from 2011 -> 2012, up 41.6% so far in 2013. 3.26% of attacks now over 10Gbps
§ Average attack size over 10Gbps = 18.94Gbps
World 2012 Size Break-‐Out,BPS
<1Gbps
>1<2Gbps
>2<5Gbps
>5<10Gbps
>10<20Gbps
>20Gbps
World 2013 Size Break-‐Out,BPS
<1Gbps
>1<2Gbps
>2<5Gbps
>5<10Gbps
>10<20Gbps
>20Gbps
§ Majority of attacks short-lived, approx 86% less than 1 hour § Big rise from 2012, +9%.
§ Average attack duration 2 hours 43 minutes (a decrease of 51 mins from 2012).
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Short Sharp Attacks More Common
§ Average duration of attacks over 10G is 2 hours.
§ Proportion of attacks lasting longer than 12 hours continues to drop § 1.7% / 3.5% / 3.7% / 4.75% (2013 /
2012 / 2011 / 2010)
World 2012 Break-‐Out Dura9on
<30 Mins
>30<60 Mins
>1<3 Hours
>3<6 Hours
>6<12 Hours
>12<24 Hours
>24 Hours
World 2013 Break-‐Out Dura9on
<30 Mins
>30<60 Mins
>1<3 Hours
>3<6 Hours
>6<12 Hours
>12<24 Hours
>24 Hours
§ 31% of attacks targeting port 80, down from 36.8% in 2012
§ Percentage of attacks reported against port 0 (fragment) see massive increase - 10.2% in 2012, 24.5% in 2013 (so far)
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Massive Increase in Attacks Using Fragments § 51% of attacks over 10Gb reported
against port 0 (fragment) § Attacks targeting port 443 continue to
increase, 1.8% (up from 1.45%) § Percentage of attacks targeting port 53
falls to 6.4%, from 10% last year World 2012 Break-‐Out Ports
80
22
443
20480
6005
0
53
Other
World 2013 Break-‐Out Ports
6005
22
443
20480
53
0
80
Other
§ 52.4% of monitored attacks cannot be attributed due to data anonymisation / distribution
§ Of the remaining 47.6%, the top 3 sources are:
§ US : 13.1% (9.6% in 2012) § China : 12.5% (21% in 2012) § France : 3.3% (1.6% in 2012)
2013 ATLAS Initiative : Anonymous Stats
Monitored Attack Sources § Ranking of sources for attacks larger
than 10Gbps differs: § China : 10.6% (10% in 2012) § US : 9% (10.4% in 2012) § Germany : 2.3% (not in top 10 in 2012)
§ Key Changes: § France moves up to 3rd overall § Germany now 3rd source of attacks over
10Gb/sec World 2012 A=ack Sources
CA TW FR BR CH DE US CN KR Uknown Other
World 2013 A=ack Sources
IR ES GB CA DE KR FR CN US Uknown Other
§ 24% of monitored attacks cannot be attributed due to data anonymisation / distribution
§ Of the remaining 76%, the top 3 destinations are:
§ US : 29.7% (19% in 2012) § China : 14.7% (6% in 2012) § France : 5.1% (1% in 2012)
2013 ATLAS Initiative : Anonymous Stats
Monitored Attack Destinations
§ Ranking of destinations for attacks larger than 10Gbps differs:
§ US : 30% (25% in 2012) § China : 17.7% (10.3% n 2012) § France: 5% (2.3% in 2012)
§ Key Changes: § France moves up to 3rd overall § Brazil and GB at 4 and 5 as destination of
attacks over 10Gb/sec World 2012 A=ack Des9na9ons
DE CA SE FR TR KR US CN GB Uknown Other
World 2013 A=ack Des9na9ons CA TR GB SE BR KR FR CN US Uknown Other
§ Average attack is 2.7Gbps, June 2013 § Average attack size now significantly over 2Gb/sec § Rapid growth in average attack size (Mbps) in 2013
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Average Attack Growth trend in Mbps
2716
0
500
1000
1500
2000
2500
3000 Average Monthly Mbps of A=acks
§ Average attack is 822Kpps, June 2013 § Attack PPS rates seem to be waning in 2013 (so far)
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Average Attack trend in Kpps
822
0
500
1000
1500
2000
2500
Average Monthly Kpps of A=acks
§ Peak attack in June 2013 is 95.4Gbps § Continued spikes at 100Gbps+
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Peak Attack Growth trend in Gbps
95.4
0 20 40 60 80 100 120 140
Peak Monthly Gbps of A=acks
Spamhaus DDoS Attack March 2013
• Largest DDoS a`ack seen to date • Traffic levels verified by service
provider community. • ATLAS stats not provided by
involved operators
• DNS Reflec3on/Amplifica3on A`ack • Not a new a`ack vector • Responsible for other large (100Gb/
sec) a`acks in the past
• Emphasizes the need to restrict open DNS Resolvers and implement BCP 38/84 at network edges.
• Key concern is that other groups will start genera3ng larger a`acks, given the media focus on the Spamhaus a`acks.
§ Peak attack in June 2013 is 65.28Mpps
§ Peak monthly attack sizes broadly similar to 2012
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Peak Attack Growth trend in Mpps
65.28
0
20
40
60
80
100
120
Peak Monthly Mpps of A=acks
Thank You