This presentation provides details into DDoS attack data for Q2 2013. It was gathered from Arbor Networks' ATLAS portal which is a truly innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 270+ service providers who have agreed to share anonymous traffic data on an hourly basis, together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. The network and security intelligence delivered via ATLAS gives Arbor customers a considerable competitive advantage because of the powerful combination of the micro view of their own network (via Arbor products) together with the macro view of global Internet traffic (via ATLAS). The data for Q2 2013 shows that DDoS continues to be a global threat, with a clear increase in attack size, speed and complexity.
ATLAS Q2 2013 Update July 2013
The Arbor ATLAS Initiative: Internet Trends
§ 275+ ISPs sharing real-time data -> ATLAS Internet Trends
– Automated hourly export of XML file to Arbor server (HTTPS)
– File is anonymous, only tagged with
– User Specified Region e.g. Europe
– Provider Type (self categorized) e.g. Tier 1
§ Data derived from Flow / BGP / SNMP correlation
– Arbor Peakflow SP product
– Correlates Sampled Flow / BGP in real-time
– Distributed in nature
– Network / Router / Interface etc. Traffic Reporting
– Threat Detection (DDoS / infected sub)
– Multiple detection mechanisms
§ ATLAS is currently monitoring a peak of 47Tbps of IPv4 traffic across all respondents
– A significant proportion of Internet traffic
The Arbor ATLAS Initiative: Internet Trends 1H 2013
§ Key Findings (comparing 1H 2013 to 2012):
§ PPS attack sizes seem to be trending downward, reversing the strong growth trend seen in late 2011 and through 2012.
§ BPS attack sizes trending upwards, 46.5% now over 1Gb/sec, a jump of 13.5% from 2012.
§ Average attack sizes illustrate the above. Average BPS attack size is up 43% so far this year, average PPS size down 35%
§ Proportion of attacks in the 2 – 10Gbps range more than doubles, from 14.78% to 29.8%
§ In the first half of 2013 we have seen more than double the TOTAL number of attacks over 20Gb/sec we saw in the whole of 2012!
§ 3.26% of attacks now over 10Gb/sec, proportionally this is an increase of 41.6% over 2012.
The Arbor ATLAS Initiative: Internet Trends 1H 2013
§ Key Findings (comparing 1H 2013 to 2012):
§ Massive increase in proportion of attacks involving fragments. 24.5% so far this year, up from 10.2% last year.
§ Proportion of attacks targeting port 443 up slightly from last year, 1.8% vs 1.45%
§ Proportion of attacks targeting port 80 drops slightly from 36.8% last year to 31% so far this year.
§ Attack durations are trending shorter, 86% now last less than 1 hour.
§ Top attack sources in 1H are US (13.1%), China (12.5%) and France (3.3%)
Note: 52.4% of attack sources anonymised by ATLAS.
§ Top attack destinations in 1H are US (29.7%), China (14.7%) and France (5.1%)
Note: 24% of attack destinations anonymised by ATLAS.
§ Proportion of attacks over 1Gb/sec continues to rise
§ Upward trend over last four years from 21% -> 29.5% -> 33.1% -> 46.5%
§ Proportion of attacks less than 1Mpps increases, reversing recent trends
§ Reverses downward trend over last four years from 87% -> 65.07% -> 62.2% -> 77%
§ Average size of attacks increases year on year
2013 ATLAS Initiative : Anonymous Stats, World-Wide
§ 2013 Q1/Q2:
§ 2.12 Gb/sec (+43% from 2012)
§ 967.8Kpps (-34.6% from 2012)
§ 2012:
§ 1.48Gb/sec (+20% from 2011)
§ 1.48Mpps (+11% from 2011)
[Charts: World 2011, 2012 and 2013 Size Break-Out, BPS. Categories: <1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps, >20Gbps]
Q1 Trend of Higher BPS Attack Rates Continues
2013 ATLAS Initiative : Anonymous Stats, World-Wide
BPS is Focus, as PPS Rates Shift Down
§ Reverses trend toward higher PPS attacks seen since late 2011.
§ Proportion of attacks over 10Mpps drops from 1.96% (2012) to 0.7% so far this year
[Charts: World 2011, 2012 and 2013 Size Break-Out, PPS. Categories: <1Mpps, >1<2Mpps, >2<5Mpps, >5<10Mpps, >10<20Mpps, >20Mpps]
§ Proportion of attacks above 1Mpps falls back across the range:
§ 2 – 5Mpps – 12.7% in 2012, to 7.8% so far this year.
§ 5 – 10Mpps – 4% in 2012, to 1.77% so far this year
§ Already seen more than double the number of attacks over 20Gbps seen in whole of 2012!
§ Growth in proportion of attacks in 2-10 Gbps range :
§ 9.3% in 2011, 14.78% in 2012, 29.8% in 2013 so far
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Growth in Proportion of Attacks Using High BPS Rate
§ Continued growth in proportion of attacks over 10Gbps, up 69.4% from 2011 -> 2012, up 41.6% so far in 2013. 3.26% of attacks now over 10Gbps
§ Average attack size over 10Gbps = 18.94Gbps
[Charts: World 2012 and World 2013 Size Break-Out, BPS. Categories: <1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps, >20Gbps]
§ Majority of attacks short-lived, approx 86% less than 1 hour
§ Big rise from 2012, +9%.
§ Average attack duration 2 hours 43 minutes (a decrease of 51 mins from 2012).
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Short Sharp Attacks More Common
§ Average duration of attacks over 10G is 2 hours.
§ Proportion of attacks lasting longer than 12 hours continues to drop
§ 1.7% / 3.5% / 3.7% / 4.75% (2013 / 2012 / 2011 / 2010)
[Charts: World 2012 and World 2013 Break-Out Duration. Categories: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours, >24 Hours]
§ 31% of attacks targeting port 80, down from 36.8% in 2012
§ Percentage of attacks reported against port 0 (fragment) sees a massive increase: 10.2% in 2012, 24.5% in 2013 (so far)
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Massive Increase in Attacks Using Fragments
§ 51% of attacks over 10Gb reported against port 0 (fragment)
§ Attacks targeting port 443 continue to increase, 1.8% (up from 1.45%)
§ Percentage of attacks targeting port 53 falls to 6.4%, from 10% last year
[Charts: World 2012 and World 2013 Break-Out Ports. Legend: 80, 22, 443, 20480, 6005, 0, 53, Other]
§ 52.4% of monitored attacks cannot be attributed due to data anonymisation / distribution
§ Of the remaining 47.6%, the top 3 sources are:
§ US : 13.1% (9.6% in 2012)
§ China : 12.5% (21% in 2012)
§ France : 3.3% (1.6% in 2012)
2013 ATLAS Initiative : Anonymous Stats
Monitored Attack Sources
§ Ranking of sources for attacks larger than 10Gbps differs:
§ China : 10.6% (10% in 2012)
§ US : 9% (10.4% in 2012)
§ Germany : 2.3% (not in top 10 in 2012)
§ Key Changes:
§ France moves up to 3rd overall
§ Germany now 3rd source of attacks over 10Gb/sec
[Charts: World 2012 Attack Sources (CA, TW, FR, BR, CH, DE, US, CN, KR, Unknown, Other); World 2013 Attack Sources (IR, ES, GB, CA, DE, KR, FR, CN, US, Unknown, Other)]
§ 24% of monitored attacks cannot be attributed due to data anonymisation / distribution
§ Of the remaining 76%, the top 3 destinations are:
§ US : 29.7% (19% in 2012)
§ China : 14.7% (6% in 2012)
§ France : 5.1% (1% in 2012)
2013 ATLAS Initiative : Anonymous Stats
Monitored Attack Destinations
§ Ranking of destinations for attacks larger than 10Gbps differs:
§ US : 30% (25% in 2012)
§ China : 17.7% (10.3% in 2012)
§ France : 5% (2.3% in 2012)
§ Key Changes:
§ France moves up to 3rd overall
§ Brazil and GB at 4 and 5 as destination of attacks over 10Gb/sec
[Charts: World 2012 Attack Destinations (DE, CA, SE, FR, TR, KR, US, CN, GB, Unknown, Other); World 2013 Attack Destinations (CA, TR, GB, SE, BR, KR, FR, CN, US, Unknown, Other)]
§ Average attack is 2.7Gbps, June 2013
§ Average attack size now significantly over 2Gb/sec
§ Rapid growth in average attack size (Mbps) in 2013
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Average Attack Growth trend in Mbps
[Chart: Average Monthly Mbps of Attacks. Labelled value: 2716]
§ Average attack is 822Kpps, June 2013
§ Attack PPS rates seem to be waning in 2013 (so far)
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Average Attack trend in Kpps
[Chart: Average Monthly Kpps of Attacks. Labelled value: 822]
§ Peak attack in June 2013 is 95.4Gbps
§ Continued spikes at 100Gbps+
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Peak Attack Growth trend in Gbps
[Chart: Peak Monthly Gbps of Attacks. Labelled value: 95.4]
Spamhaus DDoS Attack March 2013
• Largest DDoS attack seen to date
• Traffic levels verified by service provider community.
• ATLAS stats not provided by involved operators
• DNS Reflection/Amplification Attack
• Not a new attack vector
• Responsible for other large (100Gb/sec) attacks in the past
• Emphasizes the need to restrict open DNS Resolvers and implement BCP 38/84 at network edges.
• Key concern is that other groups will start generating larger attacks, given the media focus on the Spamhaus attacks.
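The BCP 38 ingress filtering recommended above, as an added example that is not part of the Arbor presentation: an edge interface forwards a packet only if its source address belongs to a prefix assigned to that interface, which removes the source spoofing that DNS reflection depends on. Interface names, prefixes and packets are constructed, using documentation address space.

```python
import ipaddress

# Constructed: prefixes assigned to each customer-facing edge interface.
ASSIGNED = {
    "cust-a": ["192.0.2.0/25", "2001:db8:a::/48"],
    "cust-b": ["198.51.100.0/24"],
}

# Constructed packets seen at the edge: (ingress interface, source IP, note).
SAMPLE = [
    ("cust-a", "192.0.2.17", "DNS query, source inside assigned prefix"),
    ("cust-b", "203.0.113.10", "DNS query, source outside cust-b's prefix"),
    ("cust-a", "192.0.2.200", "upper half of the /24, not assigned to cust-a"),
    ("cust-a", "2001:db8:a:1::53", "IPv6 query, source inside assigned prefix"),
    ("cust-x", "198.51.100.5", "interface with no assignment"),
]


def build_filters(assigned):
    """Parse the per-interface prefix strings into network objects."""
    return {
        ifname: [ipaddress.ip_network(p) for p in prefixes]
        for ifname, prefixes in assigned.items()
    }


def ingress_permitted(filters, ifname, src):
    """BCP 38 check: the source must fall in a prefix assigned to ifname.

    Interfaces without an entry get an empty list, so they default to deny.
    """
    addr = ipaddress.ip_address(src)
    return any(
        addr.version == net.version and addr in net
        for net in filters.get(ifname, [])
    )


def filter_packets(filters, packets):
    """Split packets into (forwarded, dropped) lists of (ifname, src)."""
    forwarded, dropped = [], []
    for ifname, src, _note in packets:
        target = forwarded if ingress_permitted(filters, ifname, src) else dropped
        target.append((ifname, src))
    return forwarded, dropped


FILTERS = build_filters(ASSIGNED)
FORWARDED, DROPPED = filter_packets(FILTERS, SAMPLE)
```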
§ Peak attack in June 2013 is 65.28Mpps
§ Peak monthly attack sizes broadly similar to 2012
2013 ATLAS Initiative : Anonymous Stats, World-Wide
Peak Attack Growth trend in Mpps
[Chart: Peak Monthly Mpps of Attacks. Labelled value: 65.28]
Thank You