Download pdf - Arbor Networks ATLAS DDoS attack data for Q2 2013

ATLAS Q2 2013 Update July 2013

The Arbor ATLAS Initiative: Internet Trends

§  275+ ISPs sharing real-‐3me data -‐ > ATLAS Internet Trends –  Automated hourly export of XML file to Arbor server (HTTPS) –  File is anonymous, only tagged with

–  User Specified Region e.g. Europe –  Provider Type (self categorized) e.g. Tier 1

§  Data derived from Flow / BGP / SNMP correla3on –  Arbor Peakflow SP product

–  Correlates Sampled Flow / BGP in real-‐3me –  Distributed in nature –  Network / Router / Interface etc. Traffic Repor3ng –  Threat Detec3on (DDoS / infected sub)

–  Mul3ple detec3on mechanisms

§  ATLAS currently monitoring a peak of 47Tbps of IPv4 traffic (peak) across all respondents. -  A significant proportion of Internet traffic

The Arbor ATLAS Initiative: Internet Trends 1H 2013

§  Key Findings (comparing 1H 2013 to 2012):

§  PPS aàcks sizes seem to be trending downward, reversing the strong growth trend seen in late 2011 and through 2012.

§  BPS aàck sizes trending upwards, 46.5% now over 1Gb/sec, a jump of 13.5% from 2012.

§  Average aàck sizes illustrate the above. Average BPS aàck size is up 43% so far this year, average PPS size down 35%

§  Propor3on of aàcks in the 2 – 10Gbps range more than doubles, from 14.78% to 29.8%

§  In the first half or 2013 we have seen more than double the TOTAL number of aàcks over 20Gb/sec we saw in the whole of 2012!

§  3.26% of aàcks now over 10Gb/sec, propor3onally this is an increase of 41.6% over 2012.

The Arbor ATLAS Initiative: Internet Trends 1H 2013

§  Key Findings (comparing 1H 2013 to 2012):

§  Massive increase in propor3on of aàcks involving fragments. 24.5% so far this year, up from 10.2% last year.

§  Propor3on of aàcks targe3ng port 443 up slightly from last year, 1.8% vs 1.45%

§  Propor3on of aàcks targe3ng port 80 drops slightly from 36.8% last year to 31% so far this year.

§  Aàck dura3ons are trending shorter, 86% now last less than 1 hour.

§  Top aàck sources in 1H are US (13.1%), China (12.5%) and France (3.3%) Note: 52.4% of aàck sources anonymised by ATLAS.

§  Top aàck des3na3ons in 1H US (29.7%), China (14.7%) and France (5.1%) Note: 24% of aàck des3na3ons anonymised by ATLAS.

§  Proportion of attacks over 1Gb/sec continues to rise §  Upward trend over last four years from 21%> 29.5% -> 33.1%-> 46.5%

§  Proportion of attacks less than 1Mpps increases, reversing recent trends §  Reverses downward trend over last four years from 87% -> 65.07% -> 62.2% -> 77%

§  Average size of attacks increases year on year

2013 ATLAS Initiative : Anonymous Stats, World-Wide

§  2013 Q1/Q2: §  2.12 Gb/sec (+43% from 2012) §  967.8Kpps (-34.6% from 2012)

§  2012: §  1.48Gb/sec (+20% from 2011) §  1.48Mpps (+11% from 2011)

World 2012 Size Break-‐Out,BPS World 2011 Size Break-‐Out,BPS World 2013 Size Break-‐Out,BPS

<1Gbps

>1<2Gbps

>2<5Gbps

>5<10Gbps

>10<20Gbps

>20Gbps

Q1 Trend of Higher BPS Attack Rates Continues


BPS is Focus, as PPS Rates Shift Down §  Reverses trend toward higher

PPS attacks seen since late 2011. §  Proportion of attacks over

10Mpps drops from 1.96% (2012) to 0.7% so far this year

World 2012 Size Break-‐Out, PPS World 2011 Size Break-‐Out, PPS World 2013 Size Break-‐Out, PPS

<1Mpps

>1<2Mpps

>2<5Mpps

>5<10Mpps

>10<20Mpps

>20Mpps

§  Proportion of attacks above 1Mpps falls back across the range: §  2 – 5Mpps – 12.7% in 2012,

to 7.8% so far this year. §  5 – 10Mpps – 4% in 2012, to

1.77% so far this year

§  Already seen more than double the number of attacks over 20Gbps seen in whole of 2012!

§  Growth in proportion of attacks in 2-10 Gbps range :

§  9.3% in 2011, 14.78% in 2012, 29.8% in 2013 so far


Growth in Proportions Attacks Using High BPS Rate

§  Continued growth in proportion of attacks over 10Gbps, up 69.4% from 2011 -> 2012, up 41.6% so far in 2013. 3.26% of attacks now over 10Gbps

§  Average attack size over 10Gbps = 18.94Gbps

World 2012 Size Break-‐Out,BPS

<1Gbps

>1<2Gbps

>2<5Gbps

>5<10Gbps

>10<20Gbps

>20Gbps

World 2013 Size Break-‐Out,BPS

<1Gbps

>1<2Gbps

>2<5Gbps

>5<10Gbps

>10<20Gbps

>20Gbps

§  Majority of attacks short-lived, approx 86% less than 1 hour §  Big rise from 2012, +9%.

§  Average attack duration 2 hours 43 minutes (a decrease of 51 mins from 2012).


Short Sharp Attacks More Common

§  Average duration of attacks over 10G is 2 hours.

§  Proportion of attacks lasting longer than 12 hours continues to drop §  1.7% / 3.5% / 3.7% / 4.75% (2013 /

2012 / 2011 / 2010)

World 2012 Break-‐Out Dura9on

<30 Mins

>30<60 Mins

>1<3 Hours

>3<6 Hours

>6<12 Hours

>12<24 Hours

>24 Hours

World 2013 Break-‐Out Dura9on

<30 Mins

>30<60 Mins

>1<3 Hours

>3<6 Hours

>6<12 Hours

>12<24 Hours

>24 Hours

§  31% of attacks targeting port 80, down from 36.8% in 2012

§  Percentage of attacks reported against port 0 (fragment) see massive increase - 10.2% in 2012, 24.5% in 2013 (so far)


Massive Increase in Attacks Using Fragments §  51% of attacks over 10Gb reported

against port 0 (fragment) §  Attacks targeting port 443 continue to

increase, 1.8% (up from 1.45%) §  Percentage of attacks targeting port 53

falls to 6.4%, from 10% last year World 2012 Break-‐Out Ports

80

22

443

20480

6005

0

53

Other

World 2013 Break-‐Out Ports

6005

22

443

20480

53

0

80

Other

§  52.4% of monitored attacks cannot be attributed due to data anonymisation / distribution

§  Of the remaining 47.6%, the top 3 sources are:

§  US : 13.1% (9.6% in 2012) §  China : 12.5% (21% in 2012) §  France : 3.3% (1.6% in 2012)

2013 ATLAS Initiative : Anonymous Stats

Monitored Attack Sources §  Ranking of sources for attacks larger

than 10Gbps differs: §  China : 10.6% (10% in 2012) §  US : 9% (10.4% in 2012) §  Germany : 2.3% (not in top 10 in 2012)

§  Key Changes: §  France moves up to 3rd overall §  Germany now 3rd source of attacks over

10Gb/sec World 2012 A=ack Sources

CA TW FR BR CH DE US CN KR Uknown Other

World 2013 A=ack Sources

IR ES GB CA DE KR FR CN US Uknown Other

§  24% of monitored attacks cannot be attributed due to data anonymisation / distribution

§  Of the remaining 76%, the top 3 destinations are:

§  US : 29.7% (19% in 2012) §  China : 14.7% (6% in 2012) §  France : 5.1% (1% in 2012)

2013 ATLAS Initiative : Anonymous Stats

Monitored Attack Destinations

§  Ranking of destinations for attacks larger than 10Gbps differs:

§  US : 30% (25% in 2012) §  China : 17.7% (10.3% n 2012) §  France: 5% (2.3% in 2012)

§  Key Changes: §  France moves up to 3rd overall §  Brazil and GB at 4 and 5 as destination of

attacks over 10Gb/sec World 2012 A=ack Des9na9ons

DE CA SE FR TR KR US CN GB Uknown Other

World 2013 A=ack Des9na9ons CA TR GB SE BR KR FR CN US Uknown Other

§  Average attack is 2.7Gbps, June 2013 §  Average attack size now significantly over 2Gb/sec §  Rapid growth in average attack size (Mbps) in 2013


Average Attack Growth trend in Mbps

2716

0

500

1000

1500

2000

2500

3000 Average Monthly Mbps of A=acks

§  Average attack is 822Kpps, June 2013 §  Attack PPS rates seem to be waning in 2013 (so far)


Average Attack trend in Kpps

822

0

500

1000

1500

2000

2500

Average Monthly Kpps of A=acks

§  Peak attack in June 2013 is 95.4Gbps §  Continued spikes at 100Gbps+


Peak Attack Growth trend in Gbps

95.4

0 20 40 60 80 100 120 140

Peak Monthly Gbps of A=acks

Spamhaus DDoS Attack March 2013

•  Largest DDoS aàck seen to date •  Traffic levels verified by service

provider community. •  ATLAS stats not provided by

involved operators

•  DNS Reflec3on/Amplifica3on Aàck •  Not a new aàck vector •  Responsible for other large (100Gb/

sec) aàcks in the past

•  Emphasizes the need to restrict open DNS Resolvers and implement BCP 38/84 at network edges.

•  Key concern is that other groups will start genera3ng larger aàcks, given the media focus on the Spamhaus aàcks.

§  Peak attack in June 2013 is 65.28Mpps

§  Peak monthly attack sizes broadly similar to 2012


Peak Attack Growth trend in Mpps

65.28

0

20

40

60

80

100

120

Peak Monthly Mpps of A=acks

Thank You