Transcript
Page 1: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

ATLAS Q1 2014 Update April 2014

Page 2: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

The Arbor ATLAS Initiative: Internet Trends

§ 280+ ISPs sharing real-time data -> ATLAS Internet Trends

– Automated hourly export of XML file to Arbor server (HTTPS)

– File is anonymous, only tagged with:

  – User Specified Region, e.g. Europe

  – Provider Type (self categorized), e.g. Tier 1

§ Data derived from Flow / BGP / SNMP correlation

– Arbor Peakflow SP product

– Correlates Sampled Flow / BGP in real-time

– Distributed in nature

– Network / Router / Interface etc. Traffic Reporting

– Threat Detection (DDoS / infected sub)

– Multiple detection mechanisms

§ ATLAS currently monitoring a peak of around 80Tbps of IPv4 traffic across all respondents.

– A significant proportion of Internet traffic

Page 3: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

The Arbor ATLAS Initiative: Internet Trends 2014Q1

§ ATLAS Update:

§ Arbor ATLAS reports have moved to using a new DDoS collection back-end as of 1/1/2014

§ This update was brought about by the need for ATLAS to gather data on shorter duration / smaller size events (as well as large events). This required an order of magnitude jump in scale for processing capability.

§ The new infrastructure has been collecting data since mid 2013, and is also supplying data to the Google Digital Attack Map.

§ Peak event sizes can be correlated across old and new ATLAS data, but average sizes cannot (given the much larger dataset being used by the new system)

§ Analysis still focusing on Misuse events from participant Peakflow SP systems

 

Page 4: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

The Arbor ATLAS Initiative: Internet Trends 2014Q1

§ Key Findings:

§ Q1 2014 saw probably the most concentrated burst of large volumetric DDoS attacks ever.

§ Already seen nearly 1.5x the number of events over 20Gb/sec as in the whole of 2013

§ 72 events over 100Gb/sec were tracked by ATLAS in Q1.

§ A new largest event, 325Gb/sec, was tracked by ATLAS in Q1.

§ NTP reflection / amplification attacks were the main culprit - http://www.arbornetworks.com/asert/2014/03/ntp-attacks-continue-a-quick-look-at-traffic-over-the-past-few-months/

§ Targets in the USA and France saw the most large attacks

 

Page 5: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

§  First quarter of new ATLAS data-set

§ Focus on providing baseline data for future comparisons

§ Some interesting stats though…

§  2014 Q1 Summary :

2014 ATLAS Initiative : Anonymous Stats, World-Wide

§ 2014 Q1 Average:

  § 1.12 Gb/sec

  § 272.45 Kpps

§ 2014 Q1 Peak:

  § 325.06 Gb/sec

  § 94.42 Mpps

[Chart: World 2014 Q1 Size Break-Out, BPS. Categories: <1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps, >20Gbps]

[Chart: World 2014 Q1 Size Break-Out, PPS. Categories: <1Mpps, >1<2Mpps, >2<5Mpps, >5<10Mpps, >10<20Mpps, >20Mpps]

Page 6: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

Large Attacks Multiply

§ Already seen nearly 1.5 times the number of events over 20Gbps as seen in the whole of 2013!

§  And 72 over 100Gb/sec!

§  Numbers of events are staggering, see below.

2014 ATLAS Initiative : Anonymous Stats, World-Wide

§  Predominantly down to proliferation of NTP reflection attacks

  § 14% of events overall

  § 56% of events over 10Gbps

  § 84.7% of events over 100Gbps

§  Average event size over 10Gbps = 20.42 Gbps

[Chart: Q1 Cumulative Large Event Break-Out, Jan to March. Series: Number of Events >10Gbps, Number of Events >20Gbps]

[Chart: Q1 Cumulative Large Event Break-Out, Jan to March. Series: Number of Events >50Gbps, >100Gbps]

Page 7: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

2014 ATLAS Initiative : Anonymous Stats, World-Wide

NTP Reflection / Amplification

§ Growth of NTP attacks clearly shown in ATLAS traffic data.

§ Average of 1.29 Gbps NTP traffic globally in November 2013

§ Average of 351.64 Gbps in February 2014

[Chart: World-Wide NTP Aggregate Traffic Level (Gbps), 11/01/2013 to 03/28/2014]

§ Cooling off through the end of March

§ Still significantly above 2013 levels

[Chart: Proportion of Events with Source Port 123, Dec to March. Series: All, >10G, >100G]

Page 8: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

NTP Attack Destinations

§ US, France and Australia the most common targets overall.

§ US and France the most common targets of large attacks.

2014 ATLAS Initiative : Anonymous Stats, World-Wide

[Chart: World 2014 Q1 NTP Attack Destinations. Legend: CA, PL, SE, DE, GB, DK, AU, FR, US, Unknown]

[Chart: World 2014 Q1 NTP Attack Destinations, > 10Gb/sec. Legend: PL, AU, SE, RU, GB, DK, DE, FR, US, Unknown]

[Chart: World 2014 Q1 NTP Attack Destinations, > 100Gb/sec. Legend: RU, TR, NL, EU, SE, DK, CH, US, FR, Unknown]

Page 9: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

Duration Break-Out

§ Majority of attacks short-lived, approx 90.1% less than 1 hour

§ Average attack duration 60 minutes.

§ Average duration of attacks over 10G is 54 minutes.

§ Proportion of attacks lasting longer than 12 hours is 1.48%

2014 ATLAS Initiative : Anonymous Stats, World-Wide

Dest Port Break-Out

§ NIF (Non Initial Fragment) at number 1, with 22% of events, ports 80 and 53 in second and third place.

§ Port 443 (HTTPS) the target in 2.7% of events

[Chart: World 2014 Q1 Break-Out Duration. Categories: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours]

[Chart: World 2014 Q1 Break-Out Ports. Categories: Non Initial Fragment, 80, 53, 443, 123, 25]

Page 10: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

Event Source Break-Out

§ 50.8% of monitored events cannot be attributed due to data anonymisation / distribution

§ Of the remaining 49.2%, the top 3 sources are:

  § South Korea : 12.5%

  § US : 11%

  § China : 3.9%

2014 ATLAS Initiative : Anonymous Stats

§ Much higher proportion of events cannot be attributed over 10G

§ Ranking of sources for events larger than 10Gbps differs:

  § US : 4.6%

  § China : 2%

  § Netherlands : 1.1%

[Chart: World 2014 Q1 Attack Sources. Legend: FR, GB, NL, DE, MY, BR, CN, US, KR, Unknown]

[Chart: World 2014 Q1 Attack Sources, > 10Gbps. Legend: KR, TH, GB, AU, FR, DE, NL, CN, US, Unknown]

Page 11: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

Event Destination Break-Out

§ 12.5% of monitored events cannot be attributed due to data anonymisation.

§ Of the remaining 87.5%, the top 3 destinations are:

  § US : 21.2%

  § South Korea : 13%

  § China : 8.5%

2014 ATLAS Initiative : Anonymous Stats

§ Ranking of destinations for events larger than 10Gbps differs:

  § US : 21.7%

  § France : 15.7%

  § China : 9.4%

[Chart: World 2014 Attack Destinations, > 10Gbps. Legend: RO, SE, RU, GB, DK, DE, CN, FR, US, Unknown]

[Chart: World 2014 Q1 Attack Destinations. Legend: AU, BR, GB, MY, FR, TW, CN, KR, US, Unknown]

Page 12: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

2014 ATLAS Initiative : Anonymous Stats, World-Wide

Largest Monitored Attack Sizes Year on Year

2012

• BPS: 100.84Gb/sec, destination unknown. Lasted 20 mins

• PPS: 82.36Mpps, destination unknown. Lasted 24 mins

2013

• BPS: 245Gb/sec (TCP SYN). Lasted 16 mins

• PPS: 202Mpps (UDP/9656). Lasted 8 mins

2014 (so far)

• BPS: 325Gb/sec (NTP), France. Lasted 4 h 22 mins

• PPS: 94.42Mpps, port 80, US. Lasted 7 mins

Page 13: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

§ 100Gbps+ becoming increasingly common

§ New largest ATLAS monitored attack – 325Gbps in February

2014 ATLAS Initiative : Anonymous Stats, World-Wide

Peak Attack Growth trend in Gbps

[Chart: Peak Monthly Gbps of Attacks. Labelled peak: 325.05]

Page 14: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

§  Peak sizes have been over 50Mpps for last few months

§  Trending down from peaks in November and December 2013

2014 ATLAS Initiative : Anonymous Stats, World-Wide

Peak Attack Growth trend in Mpps

[Chart: Peak Monthly Mpps of Attacks]

Page 15: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

Thank You

