ATLAS Q1 2014 Update April 2014
The Arbor ATLAS Initiative: Internet Trends
§ 280+ ISPs sharing real-time data -> ATLAS Internet Trends
– Automated hourly export of XML file to Arbor server (HTTPS)
– File is anonymous, only tagged with
– User Specified Region e.g. Europe
– Provider Type (self categorized) e.g. Tier 1
§ Data derived from Flow / BGP / SNMP correlation
– Arbor Peakflow SP product
– Correlates Sampled Flow / BGP in real-time
– Distributed in nature
– Network / Router / Interface etc. Traffic Reporting
– Threat Detection (DDoS / infected sub)
– Multiple detection mechanisms
§ ATLAS currently monitoring a peak of around 80Tbps of IPv4 traffic (peak) across all respondents.
– A significant proportion of Internet traffic
The Arbor ATLAS Initiative: Internet Trends 2014Q1
§ ATLAS Update:
§ Arbor ATLAS reports have moved to using a new DDoS collection back-end as of 1/1/2014
§ This update was brought about by the need for ATLAS to gather data on shorter duration / smaller size events (as well as large events). This required an order of magnitude jump in scale for processing capability.
§ The new infrastructure has been collecting data since mid 2013, and is also supplying data to the Google Digital Attack Map.
§ Peak event sizes can be correlated across old and new ATLAS data, but average sizes cannot (given the much larger dataset being used by the new system)
§ Analysis still focusing on Misuse events from participant Peakflow SP systems
§ Key Findings:
§ Q1 2014 saw probably the most concentrated burst of large volumetric DDoS attacks ever.
§ Already seen nearly 1.5x the number of events over 20Gb/sec as in the whole of 2013
§ 72 events over 100Gb/sec were tracked by ATLAS in Q1.
§ A new largest event, 325Gb/sec, was tracked by ATLAS in Q1.
§ NTP reflection / amplification attacks were the main culprit - http://www.arbornetworks.com/asert/2014/03/ntp-attacks-continue-a-quick-look-at-traffic-over-the-past-few-months/
§ Targets in the USA and France saw the most large attacks
§ First quarter of new ATLAS data-set
§ Focus on providing baseline data for future comparisons
§ Some interesting stats though...
§ 2014 Q1 Summary :
2014 ATLAS Initiative : Anonymous Stats, World-Wide
§ 2014 Q1 Average:
– 1.12 Gb/sec
– 272.45 Kpps
§ 2014 Q1 Peak:
– 325.06 Gb/sec
– 94.42 Mpps
[Chart: World 2014 Q1 Size Break-Out, BPS; categories: <1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps, >20Gbps]
[Chart: World 2014 Q1 Size Break-Out, PPS; categories: <1Mpps, >1<2Mpps, >2<5Mpps, >5<10Mpps, >10<20Mpps, >20Mpps]
Large Attacks Multiply
§ Already seen nearly 1.5 times the number of events over 20Gbps as seen in the whole of 2013!
§ And 72 over 100Gb/sec!
§ Numbers of events are staggering, see below.
§ Predominantly down to proliferation of NTP reflection attacks
– 14% of events overall
– 56% of events over 10Gbps
– 84.7% of events over 100Gbps
§ Average event size over 10Gbps = 20.42 Gbps
[Chart: Q1 Cumulative Large Event Break-Out, Jan to March; series: Number of Events >10Gbps, Number of Events >20Gbps]
[Chart: Q1 Cumulative Large Event Break-Out, Jan to March; series: Number of Events >50Gbps, >100Gbps]
NTP Reflection / Amplification
§ Growth of NTP attacks clearly shown in ATLAS traffic data.
§ Average of 1.29 Gbps NTP traffic globally in November 2013
§ Average of 351.64 Gbps in February 2014
[Chart: World-Wide NTP Aggregate Traffic Level (Gbps), 11/01/2013 to 03/28/2014]
§ Cooling off through the end of March
§ Still significantly above 2013 levels
[Chart: Proportion of Events with Source Port 123, Dec to March; series: All, >10G, >100G]
NTP Attack Destinations
§ US, France and Australia the most common targets overall.
§ US and France the most common targets of large attacks.
[Chart: World 2014 Q1 NTP Attack Destinations; legend: CA, PL, SE, DE, GB, DK, AU, FR, US, Unknown]
[Chart: World 2014 Q1 NTP Attack Destinations, > 10Gb/sec; legend: PL, AU, SE, RU, GB, DK, DE, FR, US, Unknown]
[Chart: World 2014 Q1 NTP Attack Destinations, > 100Gb/sec; legend: RU, TR, NL, EU, SE, DK, CH, US, FR, Unknown]
Duration Break-Out
§ Majority of attacks short-lived, approx 90.1% less than 1 hour
§ Average attack duration 60 minutes.
§ Average duration of attacks over 10G is 54 minutes.
§ Proportion of attacks lasting longer than 12 hours is 1.48%
Dest Port Break-Out
§ Non Initial Fragment (NIF) at number 1, with 22% of events, ports 80 and 53 in second and third place.
§ Port 443 (HTTPS) the target in 2.7% of events
[Chart: World 2014 Q1 Break-Out Duration; categories: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours]
[Chart: World 2014 Q1 Break-Out Ports; categories: Non Initial Fragment, 80, 53, 443, 123, 25]
Event Source Break-Out
§ 50.8% of monitored events cannot be attributed due to data anonymisation / distribution
§ Of the remaining 49.2%, the top 3 sources are:
– South Korea : 12.5%
– US : 11%
– China : 3.9%
§ Much higher proportion of events cannot be attributed over 10G
§ Ranking of sources for events larger than 10Gbps differs:
– US : 4.6%
– China : 2%
– Netherlands : 1.1%
[Chart: World 2014 Q1 Attack Sources; legend: FR, GB, NL, DE, MY, BR, CN, US, KR, Unknown]
[Chart: World 2014 Q1 Attack Sources, > 10Gbps; legend: KR, TH, GB, AU, FR, DE, NL, CN, US, Unknown]
Event Destination Break-Out
§ 12.5% of monitored events cannot be attributed due to data anonymisation.
§ Of the remaining 87.5%, the top 3 destinations are:
– US : 21.2%
– South Korea : 13%
– China : 8.5%
§ Ranking of destinations for events larger than 10Gbps differs:
– US : 21.7%
– France : 15.7%
– China : 9.4%
[Chart: World 2014 Attack Destinations, > 10Gbps; legend: RO, SE, RU, GB, DK, DE, CN, FR, US, Unknown]
[Chart: World 2014 Q1 Attack Destinations; legend: AU, BR, GB, MY, FR, TW, CN, KR, US, Unknown]
Largest Monitored Attack Sizes Year on Year
Year | BPS | PPS
2012 | 100.84Gb/sec, destination unknown; lasted 20 mins | 82.36Mpps, destination unknown; lasted 24 mins
2013 | 245Gb/sec (TCP SYN); lasted 16 mins | 202Mpps (UDP/9656); lasted 8 mins
2014 (so far) | 325Gb/sec (NTP), France; lasted 4 h 22 mins | 94.42Mpps, port 80, US; lasted 7 mins
§ 100Gbps+ becoming increasingly common
§ New largest ATLAS monitored attack – 325Gbps in February
Peak Attack Growth trend in Gbps
[Chart: Peak Monthly Gbps of Attacks; labelled peak value 325.05]
§ Peak sizes have been over 50Mpps for last few months
§ Trending down from peaks in November and December 2013
Peak Attack Growth trend in Mpps
[Chart: Peak Monthly Mpps of Attacks]
Thank You