Arbor Networks ATLAS DDoS attack data for Q2 2013

  • Published on
    15-Jan-2015

DESCRIPTION

This presentation provides details of DDoS attack data for Q2 2013. It was gathered from Arbor Networks' ATLAS portal, which is a truly innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 270+ service providers who have agreed to share anonymous traffic data on an hourly basis, together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. The network and security intelligence delivered via ATLAS gives Arbor customers a considerable competitive advantage because of the powerful combination of the micro view of their own network (via Arbor products) together with the macro view of global Internet traffic (via ATLAS). The data for Q2 2013 shows that DDoS continues to be a global threat, with a clear increase in attack size, speed and complexity.

Transcript

1. ATLAS Q2 2013 Update, July 2013

2. The Arbor ATLAS Initiative: Internet Trends
  • 275+ ISPs sharing real-time data -> ATLAS Internet Trends
  • Automated hourly export of XML file to Arbor server (HTTPS)
  • File is anonymous, only tagged with:
      • User Specified Region, e.g. Europe
      • Provider Type (self categorized), e.g. Tier 1
  • Data derived from Flow / BGP / SNMP correlation
  • Arbor Peakflow SP product:
      • Correlates Sampled Flow / BGP in real-time
      • Distributed in nature
      • Network / Router / Interface etc. Traffic Reporting
      • Threat Detection (DDoS / infected sub)
      • Multiple detection mechanisms
  • ATLAS currently monitoring a peak of 47Tbps of IPv4 traffic (peak) across all respondents: a significant proportion of Internet traffic

3. The Arbor ATLAS Initiative: Internet Trends 1H 2013
Key Findings (comparing 1H 2013 to 2012):
  • PPS attack sizes seem to be trending downward, reversing the strong growth trend seen in late 2011 and through 2012.
  • BPS attack sizes trending upwards, 46.5% now over 1Gb/sec, a jump of 13.5% from 2012.
  • Average attack sizes illustrate the above. Average BPS attack size is up 43% so far this year, average PPS size down 35%.
  • Proportion of attacks in the 2-10Gbps range more than doubles, from 14.78% to 29.8%.
  • In the first half of 2013 we have seen more than double the TOTAL number of attacks over 20Gb/sec we saw in the whole of 2012!
  • 3.26% of attacks now over 10Gb/sec; proportionally this is an increase of 41.6% over 2012.

4. The Arbor ATLAS Initiative: Internet Trends 1H 2013
Key Findings (comparing 1H 2013 to 2012):
  • Massive increase in proportion of attacks involving fragments: 24.5% so far this year, up from 10.2% last year.
  • Proportion of attacks targeting port 443 up slightly from last year, 1.8% vs 1.45%.
  • Proportion of attacks targeting port 80 drops slightly, from 36.8% last year to 31% so far this year.
  • Attack durations are trending shorter, 86% now last less than 1 hour.
  • Top attack sources in 1H are US (13.1%), China (12.5%) and France (3.3%). Note: 52.4% of attack sources anonymised by ATLAS.
  • Top attack destinations in 1H are US (29.7%), China (14.7%) and France (5.1%). Note: 24% of attack destinations anonymised by ATLAS.

5. 2013 ATLAS Initiative: Anonymous Stats, World-Wide
Q1 Trend of Higher BPS Attack Rates Continues
  • Proportion of attacks over 1Gb/sec continues to rise
      • Upward trend over last four years, from 21% -> 29.5% -> 33.1% -> 46.5%
  • Proportion of attacks less than 1Mpps increases, reversing recent trends
      • Reverses downward trend over last four years, from 87% -> 65.07% -> 62.2% -> 77%
  • Average size of attacks increases year on year
      • 2013 Q1/Q2: 2.12Gb/sec (+43% from 2012), 967.8Kpps (-34.6% from 2012)
      • 2012: 1.48Gb/sec (+20% from 2011), 1.48Mpps (+11% from 2011)
[Charts: World 2011, World 2012 and World 2013 Size Break-Out, BPS (Gbps)]

6. 2013 ATLAS Initiative: Anonymous Stats, World-Wide
BPS is Focus, as PPS Rates Shift Down
  • Reverses trend toward higher PPS attacks seen since late 2011.
  • Proportion of attacks over 10Mpps drops from 1.96% (2012) to 0.7% so far this year.
  • Proportion of attacks above 1Mpps falls back across the range:
      • 2-5Mpps: 12.7% in 2012, to 7.8% so far this year
      • 5-10Mpps: 4% in 2012, to 1.77% so far this year
[Charts: World 2011, World 2012 and World 2013 Size Break-Out, PPS (Mpps)]

7. 2013 ATLAS Initiative: Anonymous Stats, World-Wide
Growth in Proportion of Attacks Using High BPS Rate
  • Already seen more than double the number of attacks over 20Gbps seen in whole of 2012!
  • Growth in proportion of attacks in 2-10Gbps range: 9.3% in 2011, 14.78% in 2012, 29.8% in 2013 so far.
  • Continued growth in proportion of attacks over 10Gbps, up 69.4% from 2011 -> 2012, up 41.6% so far in 2013.
      • 3.26% of attacks now over 10Gbps
      • Average attack size over 10Gbps = 18.94Gbps
[Charts: World 2012 and World 2013 Size Break-Out, BPS (Gbps)]

8. 2013 ATLAS Initiative: Anonymous Stats, World-Wide
Short Sharp Attacks More Common
  • Majority of attacks short-lived, approx 86% less than 1 hour
      • Big rise from 2012, +9%.
  • Average attack duration 2 hours 43 minutes (a decrease of 51 mins from 2012).
  • Average duration of attacks over 10G is 2 hours.
  • Proportion of attacks lasting longer than 12 hours continues to drop: 1.7% / 3.5% / 3.7% / 4.75% (2013 / 2012 / 2011 / 2010)
[Charts: World 2012 and World 2013 Break-Out Duration (hours)]

9. 2013 ATLAS Initiative: Anonymous Stats, World-Wide
Massive Increase in Attacks Using Fragments
  • 31% of attacks targeting port 80, down from 36.8% in 2012.
  • Percentage of attacks reported against port 0 (fragment) sees massive increase: 10.2% in 2012, 24.5% in 2013 (so far).
      • 51% of attacks over 10Gb reported against port 0 (fragment)
  • Attacks targeting port 443 continue to increase, 1.8% (up from 1.45%).
  • Percentage of attacks targeting port 53 falls to 6.4%, from 10% last year.
[Charts: World 2012 and World 2013 Break-Out Ports; legend: 0, 22, 53, 80, 443, 6005, 20480, Other]

10. 2013 ATLAS Initiative: Anonymous Stats
Monitored Attack Sources
  • 52.4% of monitored attacks cannot be attributed due to data anonymisation / distribution.
  • Of the remaining 47.6%, the top 3 sources are:
      • US: 13.1% (9.6% in 2012)
      • China: 12.5% (21% in 2012)
      • France: 3.3% (1.6% in 2012)
  • Ranking of sources for attacks larger than 10Gbps differs:
      • China: 10.6% (10% in 2012)
      • US: 9% (10.4% in 2012)
      • Germany: 2.3% (not in top 10 in 2012)
  • Key Changes:
      • France moves up to 3rd overall
      • Germany now 3rd source of attacks over 10Gb/sec
[Charts: World 2012 Attack Sources (CA, TW, FR, BR, CH, DE, US, CN, KR, Unknown, Other); World 2013 Attack Sources (IR, ES, GB, CA, DE, KR, FR, CN, US, Unknown, Other)]

11. 2013 ATLAS Initiative: Anonymous Stats
Monitored Attack Destinations
  • 24% of monitored attacks cannot be attributed due to data anonymisation / distribution.
  • Of the remaining 76%, the top 3 destinations are:
      • US: 29.7% (19% in 2012)
      • China: 14.7% (6% in 2012)
      • France: 5.1% (1% in 2012)
  • Ranking of destinations for attacks larger than 10Gbps differs:
      • US: 30% (25% in 2012)
      • China: 17.7% (10.3% in 2012)
      • France: 5% (2.3% in 2012)
  • Key Changes:
      • France moves up to 3rd overall
      • Brazil and GB at 4 and 5 as destination of attacks over 10Gb/sec
[Charts: World 2012 Attack Destinations (DE, CA, SE, FR, TR, KR, US, CN, GB, Unknown, Other); World 2013 Attack Destinations (CA, TR, GB, SE, BR, KR, FR, CN, US, Unknown, Other)]

12. 2013 ATLAS Initiative: Anonymous Stats, World-Wide
Average Attack Growth trend in Mbps
  • Average attack is 2.7Gbps, June 2013.
  • Average attack size now significantly over 2Gb/sec.
  • Rapid growth in average attack size (Mbps) in 2013.
[Chart: Average Monthly Mbps of Attacks; data label 2716]

13. 2013 ATLAS Initiative: Anonymous Stats, World-Wide
Average Attack trend in Kpps
  • Average attack is 822Kpps, June 2013.
  • Attack PPS rates seem to be waning in 2013 (so far).
[Chart: Average Monthly Kpps of Attacks; data label 822]

14. 2013 ATLAS Initiative: Anonymous Stats, World-Wide
Peak Attack Growth trend in Gbps
  • Peak attack in June 2013 is 95.4Gbps.
  • Continued spikes at 100Gbps+.
[Chart: Peak Monthly Gbps of Attacks; data label 95.4]

15. Spamhaus DDoS Attack March 2013
  • Largest DDoS attack seen to date
      • Traffic levels verified by service provider community.
      • ATLAS stats not provided by involved operators
  • DNS Reflection / Amplification Attack
      • Not a new attack vector
      • Responsible for other large (100Gb/sec) attacks in the past
  • Emphasizes the need to restrict open DNS Resolvers and implement BCP38/84 at network edges.
  • Key concern is that other groups will start generating larger attacks, given the media focus on the Spamhaus attacks.

16. 2013 ATLAS Initiative: Anonymous Stats, World-Wide
Peak Attack Growth trend in Mpps
  • Peak attack in June 2013 is 65.28Mpps.
  • Peak monthly attack sizes broadly similar to 2012.
[Chart: Peak Monthly Mpps of Attacks; data label 65.28]

17. Thank You