ATLAS Q1 2014 Update April 2014

Arbor Networks ATLAS Q1 2014 DDoS Attack Data


DESCRIPTION

This presentation provides details into DDoS attack data for Q1 2014. It was gathered from Arbor Networks' ATLAS portal which is a truly innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 280+ service providers who have agreed to share anonymous traffic data on an hourly basis, together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. The network and security intelligence delivered via ATLAS gives Arbor customers a considerable competitive advantage because of the powerful combination of the micro view of their own network (via Arbor products) together with the macro view of global Internet traffic (via ATLAS).


Page 1: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

ATLAS Q1 2014 Update April 2014

Page 2: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

The Arbor ATLAS Initiative: Internet Trends

§ 280+ ISPs sharing real-time data -> ATLAS Internet Trends
  – Automated hourly export of XML file to Arbor server (HTTPS)
  – File is anonymous, only tagged with
    – User Specified Region e.g. Europe
    – Provider Type (self categorized) e.g. Tier 1

§ Data derived from Flow / BGP / SNMP correlation
  – Arbor Peakflow SP product
    – Correlates Sampled Flow / BGP in real-time
    – Distributed in nature
    – Network / Router / Interface etc. Traffic Reporting
    – Threat Detection (DDoS / infected sub)
      – Multiple detection mechanisms

§ ATLAS currently monitoring a peak of around 80Tbps of IPv4 traffic across all respondents.
  – A significant proportion of Internet traffic

Page 3: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

The Arbor ATLAS Initiative: Internet Trends 2014Q1

§ ATLAS Update:

§ Arbor ATLAS reports have moved to using a new DDoS collection back-end as of 1/1/2014

§ This update was brought about by the need for ATLAS to gather data on shorter duration / smaller size events (as well as large events). This required an order of magnitude jump in scale for processing capability.

§ The new infrastructure has been collecting data since mid 2013, and is also supplying data to the Google Digital Attack Map.

§ Peak event sizes can be correlated across old and new ATLAS data, but average sizes cannot (given the much larger dataset being used by the new system)

§ Analysis still focusing on Misuse events from participant Peakflow SP systems

Page 4: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

The Arbor ATLAS Initiative: Internet Trends 2014Q1

§ Key Findings:

§ Q1 2014 saw probably the most concentrated burst of large volumetric DDoS attacks ever.

§ Already seen nearly 1.5x the number of events over 20Gb/sec as in the whole of 2013

§ 72 events over 100Gb/sec were tracked by ATLAS in Q1.

§ A new largest event, 325Gb/sec, was tracked by ATLAS in Q1.

§ NTP reflection / amplification attacks were the main culprit - http://www.arbornetworks.com/asert/2014/03/ntp-attacks-continue-a-quick-look-at-traffic-over-the-past-few-months/

§ Targets in the USA and France saw the most large attacks

Page 5: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

2014 ATLAS Initiative : Anonymous Stats, World-Wide

§ First quarter of new ATLAS data-set
  § Focus on providing baseline data for future comparisons
  § Some interesting stats though...

§ 2014 Q1 Summary:
  § 2014 Q1 Average:
    § 1.12 Gb/sec
    § 272.45 Kpps
  § 2014 Q1 Peak:
    § 325.06 Gb/sec
    § 94.42 Mpps

[Chart: World 2014 Q1 Size Break-Out, BPS. Categories: <1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps, >20Gbps]

[Chart: World 2014 Q1 Size Break-Out, PPS. Categories: <1Mpps, >1<2Mpps, >2<5Mpps, >5<10Mpps, >10<20Mpps, >20Mpps]

Page 6: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

2014 ATLAS Initiative : Anonymous Stats, World-Wide

Large Attacks Multiply

§ Already seen nearly 1.5 times the number of events over 20Gbps than seen in whole of 2013!

§ And 72 over 100Gb/sec!

§ Numbers of events are staggering, see below.

§ Predominantly down to proliferation of NTP reflection attacks
  § 14% of events overall
  § 56% of events over 10Gbps
  § 84.7% of events over 100Gbps

§ Average event size over 10Gbps = 20.42 Gbps

[Chart: Q1 Cumulative Large Event Break-Out, Jan to March. Series: Number of Events >10Gbps, Number of Events >20Gbps]

[Chart: Q1 Cumulative Large Event Break-Out, Jan to March. Series: Number of Events >50Gbps, >100Gbps]

Page 7: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

2014 ATLAS Initiative : Anonymous Stats, World-Wide

NTP Reflection / Amplification

§ Growth of NTP attacks clearly shown in ATLAS traffic data.
§ Average of 1.29 Gbps NTP traffic globally in November 2013
§ Average of 351.64 Gbps in February 2014
§ Cooling off through the end of March
§ Still significantly above 2013 levels

[Chart: World-Wide NTP Aggregate Traffic Level (Gbps), weekly from 11/01/2013 to 03/28/2014]

[Chart: Proportion of Events with Source Port 123, Dec to March, 0% to 100%. Series: All, >10G, >100G]

Page 8: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

2014 ATLAS Initiative : Anonymous Stats, World-Wide

NTP Attack Destinations

§ US, France and Australia the most common targets overall.
§ US and France the most common targets of large attacks.

[Chart: World 2014 Q1 NTP Attack Destinations. Legend: CA, PL, SE, DE, GB, DK, AU, FR, US, Unknown]

[Chart: World 2014 Q1 NTP Attack Destinations, > 10Gb/sec. Legend: PL, AU, SE, RU, GB, DK, DE, FR, US, Unknown]

[Chart: World 2014 Q1 NTP Attack Destinations, > 100Gb/sec. Legend: RU, TR, NL, EU, SE, DK, CH, US, FR, Unknown]

Page 9: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

2014 ATLAS Initiative : Anonymous Stats, World-Wide

Duration Break-Out

§ Majority of attacks short-lived, approx 90.1% less than 1 hour
§ Average attack duration 60 minutes.
§ Average duration of attacks over 10G is 54 minutes.
§ Proportion of attacks lasting longer than 12 hours is 1.48%

Dest Port Break-Out

§ NIF at number 1, with 22% of events, ports 80 and 53 in second and third place.
§ Port 443 (HTTPS) the target in 2.7% of events

[Chart: World 2014 Q1 Break-Out Duration. Categories: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours]

[Chart: World 2014 Q1 Break-Out Ports. Categories: Non Initial Fragment, 80, 53, 443, 123, 25]

Page 10: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

2014 ATLAS Initiative : Anonymous Stats

Event Source Break-Out

§ 50.8% of monitored events cannot be attributed due to data anonymisation / distribution

§ Of the remaining 49.2%, the top 3 sources are:
  § South Korea : 12.5%
  § US : 11%
  § China : 3.9%

§ Much higher proportion of events cannot be attributed over 10G

§ Ranking of sources for events larger than 10Gbps differs:
  § US : 4.6%
  § China : 2%
  § Netherlands : 1.1%

[Chart: World 2014 Q1 Attack Sources. Legend: FR, GB, NL, DE, MY, BR, CN, US, KR, Unknown]

[Chart: World 2014 Q1 Attack Sources, > 10Gbps. Legend: KR, TH, GB, AU, FR, DE, NL, CN, US, Unknown]

Page 11: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

2014 ATLAS Initiative : Anonymous Stats

Event Destination Break-Out

§ 12.5% of monitored events cannot be attributed due to data anonymisation.

§ Of the remaining 87.5%, the top 3 destinations are:
  § US : 21.2%
  § South Korea : 13%
  § China : 8.5%

§ Ranking of destinations for events larger than 10Gbps differs:
  § US : 21.7%
  § France : 15.7%
  § China : 9.4%

[Chart: World 2014 Q1 Attack Destinations. Legend: AU, BR, GB, MY, FR, TW, CN, KR, US, Unknown]

[Chart: World 2014 Attack Destinations, > 10Gbps. Legend: RO, SE, RU, GB, DK, DE, CN, FR, US, Unknown]

Page 12: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

2014 ATLAS Initiative : Anonymous Stats, World-Wide

Largest Monitored Attack Sizes Year on Year

2012
• BPS: 100.84Gb/sec, destination unknown. Lasted 20 mins
• PPS: 82.36Mpps, destination unknown. Lasted 24 mins

2013
• BPS: 245Gb/sec (TCP SYN). Lasted 16 mins
• PPS: 202Mpps (UDP/9656). Lasted 8 mins

2014 (so far)
• BPS: 325Gb/sec (NTP), France. Lasted 4 h 22 mins
• PPS: 94.42Mpps, port 80, US. Lasted 7 mins

Page 13: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

2014 ATLAS Initiative : Anonymous Stats, World-Wide

Peak Attack Growth trend in Gbps

§ 100Gbps+ becoming increasingly common
§ New largest ATLAS monitored attack – 325Gbps in February

[Chart: Peak Monthly Gbps of Attacks. Labelled peak: 325.05]

Page 14: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

2014 ATLAS Initiative : Anonymous Stats, World-Wide

Peak Attack Growth trend in Mpps

§ Peak sizes have been over 50Mpps for last few months
§ Trending down from peaks in November and December 2013

[Chart: Peak Monthly Mpps of Attacks]

Page 15: Arbor Networks ATLAS Q1 2014 DDoS Attack Data

Thank You