ATLAS Q2 2013 Update July 2013

Arbor Networks ATLAS DDoS attack data for Q2 2013

DESCRIPTION

This presentation provides details on DDoS attack data for Q2 2013. The data was gathered from Arbor Networks' ATLAS portal, which is a truly innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 270+ service providers who have agreed to share anonymous traffic data on an hourly basis, together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. The network and security intelligence delivered via ATLAS gives Arbor customers a considerable competitive advantage because of the powerful combination of the micro view of their own network (via Arbor products) together with the macro view of global Internet traffic (via ATLAS). The data for Q2 2013 shows that DDoS continues to be a global threat, with a clear increase in attack size, speed and complexity.

Page 1: Arbor Networks ATLAS DDoS attack data for Q2 2013

ATLAS Q2 2013 Update July 2013

Page 2: Arbor Networks ATLAS DDoS attack data for Q2 2013

The Arbor ATLAS Initiative: Internet Trends

§ 275+ ISPs sharing real-time data -> ATLAS Internet Trends
  – Automated hourly export of XML file to Arbor server (HTTPS)
  – File is anonymous, only tagged with
    – User Specified Region e.g. Europe
    – Provider Type (self categorized) e.g. Tier 1

§ Data derived from Flow / BGP / SNMP correlation
  – Arbor Peakflow SP product
    – Correlates Sampled Flow / BGP in real-time
    – Distributed in nature
    – Network / Router / Interface etc. Traffic Reporting
    – Threat Detection (DDoS / infected sub)
    – Multiple detection mechanisms

§ ATLAS currently monitoring a peak of 47Tbps of IPv4 traffic (peak) across all respondents.
  - A significant proportion of Internet traffic

Page 3: Arbor Networks ATLAS DDoS attack data for Q2 2013

The Arbor ATLAS Initiative: Internet Trends 1H 2013

§ Key Findings (comparing 1H 2013 to 2012):

§ PPS attack sizes seem to be trending downward, reversing the strong growth trend seen in late 2011 and through 2012.

§ BPS attack sizes trending upwards, 46.5% now over 1Gb/sec, a jump of 13.5% from 2012.

§ Average attack sizes illustrate the above. Average BPS attack size is up 43% so far this year, average PPS size down 35%

§ Proportion of attacks in the 2 – 10Gbps range more than doubles, from 14.78% to 29.8%

§ In the first half of 2013 we have seen more than double the TOTAL number of attacks over 20Gb/sec we saw in the whole of 2012!

§ 3.26% of attacks now over 10Gb/sec, proportionally this is an increase of 41.6% over 2012.

Page 4: Arbor Networks ATLAS DDoS attack data for Q2 2013

The Arbor ATLAS Initiative: Internet Trends 1H 2013

§ Key Findings (comparing 1H 2013 to 2012):

§ Massive increase in proportion of attacks involving fragments. 24.5% so far this year, up from 10.2% last year.

§ Proportion of attacks targeting port 443 up slightly from last year, 1.8% vs 1.45%

§ Proportion of attacks targeting port 80 drops slightly from 36.8% last year to 31% so far this year.

§ Attack durations are trending shorter, 86% now last less than 1 hour.

§ Top attack sources in 1H are US (13.1%), China (12.5%) and France (3.3%). Note: 52.4% of attack sources anonymised by ATLAS.

§ Top attack destinations in 1H US (29.7%), China (14.7%) and France (5.1%). Note: 24% of attack destinations anonymised by ATLAS.

Page 5: Arbor Networks ATLAS DDoS attack data for Q2 2013

2013 ATLAS Initiative : Anonymous Stats, World-Wide

Q1 Trend of Higher BPS Attack Rates Continues

§ Proportion of attacks over 1Gb/sec continues to rise
  § Upward trend over last four years from 21% -> 29.5% -> 33.1% -> 46.5%

§ Proportion of attacks less than 1Mpps increases, reversing recent trends
  § Reverses downward trend over last four years from 87% -> 65.07% -> 62.2% -> 77%

§ Average size of attacks increases year on year
  § 2013 Q1/Q2:
    § 2.12 Gb/sec (+43% from 2012)
    § 967.8Kpps (-34.6% from 2012)
  § 2012:
    § 1.48Gb/sec (+20% from 2011)
    § 1.48Mpps (+11% from 2011)

[Figure: charts "World 2011 Size Break-Out, BPS", "World 2012 Size Break-Out, BPS" and "World 2013 Size Break-Out, BPS"; categories: <1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps, >20Gbps]

Page 6: Arbor Networks ATLAS DDoS attack data for Q2 2013

2013 ATLAS Initiative : Anonymous Stats, World-Wide

BPS is Focus, as PPS Rates Shift Down

§ Reverses trend toward higher PPS attacks seen since late 2011.

§ Proportion of attacks over 10Mpps drops from 1.96% (2012) to 0.7% so far this year

§ Proportion of attacks above 1Mpps falls back across the range:
  § 2 – 5Mpps – 12.7% in 2012, to 7.8% so far this year.
  § 5 – 10Mpps – 4% in 2012, to 1.77% so far this year

[Figure: charts "World 2011 Size Break-Out, PPS", "World 2012 Size Break-Out, PPS" and "World 2013 Size Break-Out, PPS"; categories: <1Mpps, >1<2Mpps, >2<5Mpps, >5<10Mpps, >10<20Mpps, >20Mpps]

Page 7: Arbor Networks ATLAS DDoS attack data for Q2 2013

2013 ATLAS Initiative : Anonymous Stats, World-Wide

Growth in Proportion of Attacks Using High BPS Rate

§ Already seen more than double the number of attacks over 20Gbps seen in whole of 2012!

§ Growth in proportion of attacks in 2-10 Gbps range:
  § 9.3% in 2011, 14.78% in 2012, 29.8% in 2013 so far

§ Continued growth in proportion of attacks over 10Gbps, up 69.4% from 2011 -> 2012, up 41.6% so far in 2013. 3.26% of attacks now over 10Gbps

§ Average attack size over 10Gbps = 18.94Gbps

[Figure: charts "World 2012 Size Break-Out, BPS" and "World 2013 Size Break-Out, BPS"; categories: <1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps, >20Gbps]

Page 8: Arbor Networks ATLAS DDoS attack data for Q2 2013

2013 ATLAS Initiative : Anonymous Stats, World-Wide

Short Sharp Attacks More Common

§ Majority of attacks short-lived, approx 86% less than 1 hour
  § Big rise from 2012, +9%.

§ Average attack duration 2 hours 43 minutes (a decrease of 51 mins from 2012).

§ Average duration of attacks over 10G is 2 hours.

§ Proportion of attacks lasting longer than 12 hours continues to drop
  § 1.7% / 3.5% / 3.7% / 4.75% (2013 / 2012 / 2011 / 2010)

[Figure: charts "World 2012 Break-Out Duration" and "World 2013 Break-Out Duration"; categories: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours, >24 Hours]

Page 9: Arbor Networks ATLAS DDoS attack data for Q2 2013

2013 ATLAS Initiative : Anonymous Stats, World-Wide

Massive Increase in Attacks Using Fragments

§ 31% of attacks targeting port 80, down from 36.8% in 2012

§ Percentage of attacks reported against port 0 (fragment) sees a massive increase - 10.2% in 2012, 24.5% in 2013 (so far)

§ 51% of attacks over 10Gb reported against port 0 (fragment)

§ Attacks targeting port 443 continue to increase, 1.8% (up from 1.45%)

§ Percentage of attacks targeting port 53 falls to 6.4%, from 10% last year

[Figure: charts "World 2012 Break-Out Ports" and "World 2013 Break-Out Ports"; categories: 80, 22, 443, 20480, 6005, 0, 53, Other]

Page 10: Arbor Networks ATLAS DDoS attack data for Q2 2013

2013 ATLAS Initiative : Anonymous Stats

Monitored Attack Sources

§ 52.4% of monitored attacks cannot be attributed due to data anonymisation / distribution

§ Of the remaining 47.6%, the top 3 sources are:
  § US : 13.1% (9.6% in 2012)
  § China : 12.5% (21% in 2012)
  § France : 3.3% (1.6% in 2012)

§ Ranking of sources for attacks larger than 10Gbps differs:
  § China : 10.6% (10% in 2012)
  § US : 9% (10.4% in 2012)
  § Germany : 2.3% (not in top 10 in 2012)

§ Key Changes:
  § France moves up to 3rd overall
  § Germany now 3rd source of attacks over 10Gb/sec

[Figure: charts "World 2012 Attack Sources" (legend: CA, TW, FR, BR, CH, DE, US, CN, KR, Unknown, Other) and "World 2013 Attack Sources" (legend: IR, ES, GB, CA, DE, KR, FR, CN, US, Unknown, Other)]

Page 11: Arbor Networks ATLAS DDoS attack data for Q2 2013

2013 ATLAS Initiative : Anonymous Stats

Monitored Attack Destinations

§ 24% of monitored attacks cannot be attributed due to data anonymisation / distribution

§ Of the remaining 76%, the top 3 destinations are:
  § US : 29.7% (19% in 2012)
  § China : 14.7% (6% in 2012)
  § France : 5.1% (1% in 2012)

§ Ranking of destinations for attacks larger than 10Gbps differs:
  § US : 30% (25% in 2012)
  § China : 17.7% (10.3% in 2012)
  § France : 5% (2.3% in 2012)

§ Key Changes:
  § France moves up to 3rd overall
  § Brazil and GB at 4 and 5 as destination of attacks over 10Gb/sec

[Figure: charts "World 2012 Attack Destinations" (legend: DE, CA, SE, FR, TR, KR, US, CN, GB, Unknown, Other) and "World 2013 Attack Destinations" (legend: CA, TR, GB, SE, BR, KR, FR, CN, US, Unknown, Other)]

Page 12: Arbor Networks ATLAS DDoS attack data for Q2 2013

2013 ATLAS Initiative : Anonymous Stats, World-Wide

Average Attack Growth trend in Mbps

§ Average attack is 2.7Gbps, June 2013
§ Average attack size now significantly over 2Gb/sec
§ Rapid growth in average attack size (Mbps) in 2013

[Figure: chart "Average Monthly Mbps of Attacks"; data label: 2716]

Page 13: Arbor Networks ATLAS DDoS attack data for Q2 2013

2013 ATLAS Initiative : Anonymous Stats, World-Wide

Average Attack trend in Kpps

§ Average attack is 822Kpps, June 2013
§ Attack PPS rates seem to be waning in 2013 (so far)

[Figure: chart "Average Monthly Kpps of Attacks"; data label: 822]

Page 14: Arbor Networks ATLAS DDoS attack data for Q2 2013

2013 ATLAS Initiative : Anonymous Stats, World-Wide

Peak Attack Growth trend in Gbps

§ Peak attack in June 2013 is 95.4Gbps
§ Continued spikes at 100Gbps+

[Figure: chart "Peak Monthly Gbps of Attacks"; data label: 95.4]

Page 15: Arbor Networks ATLAS DDoS attack data for Q2 2013

Spamhaus DDoS Attack March 2013

• Largest DDoS attack seen to date
  • Traffic levels verified by service provider community.
  • ATLAS stats not provided by involved operators

• DNS Reflection/Amplification Attack
  • Not a new attack vector
  • Responsible for other large (100Gb/sec) attacks in the past

• Emphasizes the need to restrict open DNS Resolvers and implement BCP 38/84 at network edges.

• Key concern is that other groups will start generating larger attacks, given the media focus on the Spamhaus attacks.
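
The BCP 38 recommendation on this slide comes down to source-address validation at the network edge: a packet is forwarded only if its source address belongs to a prefix assigned behind the interface it arrived on, which removes the spoofed sources that DNS reflection depends on. The Python below is an added example, not part of the Arbor presentation; the interface names, prefixes and flow records are constructed for illustration (documentation address ranges only).

```python
import ipaddress

# Constructed edge configuration (assumption): prefixes assigned behind each
# customer-facing interface, using documentation ranges only.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

# Constructed flow samples: (ingress interface, source address, dest port).
FLOWS = [
    ("cust-a", "192.0.2.10", 53),        # legitimate
    ("cust-a", "203.0.113.7", 53),       # source outside cust-a's prefixes
    ("cust-b", "198.51.100.200", 443),   # legitimate
    ("cust-b", "192.0.2.10", 53),        # cust-a's address arriving via cust-b
    ("cust-a", "2001:db8:a:1::5", 53),   # legitimate IPv6
    ("cust-a", "not-an-ip", 53),         # malformed record, fail closed
    ("cust-c", "198.51.100.9", 53),      # interface with no assignment
]


def build_table(assigned):
    """Parse prefix strings once; strict=True rejects host bits in a prefix."""
    return {
        ifname: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for ifname, prefixes in assigned.items()
    }


def source_is_valid(table, ifname, src):
    """True only if src parses and falls inside a prefix assigned to ifname."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(
        addr.version == net.version and addr in net
        for net in table.get(ifname, [])
    )


def filter_flows(table, flows):
    """Split flows into (forwarded, dropped) as an ingress filter would."""
    forwarded, dropped = [], []
    for flow in flows:
        ifname, src, _port = flow
        (forwarded if source_is_valid(table, ifname, src) else dropped).append(flow)
    return forwarded, dropped


if __name__ == "__main__":
    fwd, drop = filter_flows(build_table(ASSIGNED), FLOWS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
```

The check fails closed: unparseable sources and interfaces with no assigned prefixes are dropped rather than forwarded.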

Page 16: Arbor Networks ATLAS DDoS attack data for Q2 2013

2013 ATLAS Initiative : Anonymous Stats, World-Wide

Peak Attack Growth trend in Mpps

§ Peak attack in June 2013 is 65.28Mpps

§ Peak monthly attack sizes broadly similar to 2012

[Figure: chart "Peak Monthly Mpps of Attacks"; data label: 65.28]

Page 17: Arbor Networks ATLAS DDoS attack data for Q2 2013

Thank You