ATLAS Q2 2014 Update July 2014


DESCRIPTION

This presentation provides details into DDoS attack data for Q2 2014. It was gathered from Arbor Networks' ATLAS portal which is a truly innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 290+ service providers who have agreed to share anonymous traffic data on an hourly basis, together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. The network and security intelligence delivered via ATLAS gives Arbor customers a considerable competitive advantage because of the powerful combination of the micro view of their own network (via Arbor products) together with the macro view of global Internet traffic (via ATLAS).


Page 1: ATLAS Q2 2014 Update


Page 2: ATLAS Q2 2014 Update

The Arbor ATLAS Initiative: Internet Trends

§  290+ ISPs sharing real-time data -> ATLAS Internet Trends
  –  Automated hourly export of an XML file to an Arbor server (HTTPS)
  –  File is anonymous, tagged only with:
    –  User-specified region, e.g. Europe
    –  Provider type (self-categorised), e.g. Tier 1

§  Data derived from Flow / BGP / SNMP correlation – Arbor Peakflow SP product
  –  Correlates sampled flow / BGP in real time
  –  Distributed in nature – network / router / interface etc. traffic reporting
  –  Threat detection (DDoS / infected subscriber)
  –  Multiple detection mechanisms

§  ATLAS currently monitors a peak of around 90 Tbps of IPv4 traffic across all respondents – a significant proportion of Internet traffic

Page 3: ATLAS Q2 2014 Update

The Arbor ATLAS Initiative: Internet Trends 2014

§  Key Findings:

§  Q1 2014 saw probably the most concentrated burst of large volumetric DDoS attacks ever; things have calmed down again in Q2.

§  NTP reflection attacks are still significant, but reduced in number and size compared to Q1. NTP traffic volumes are falling globally, but are still not back to 'normal'.

§  The largest attack in Q2 was an NTP reflection attack, but 'only' 154 Gbps, with the target in Spain.

§  Already seen more than 2x the number of events over 20 Gbps compared to all of 2013.

§  Already seen more than 100 events over 100 Gb/sec this year.

§  Non-initial-fragment attacks are still the most common, but there was a big increase in the proportion of attacks targeting DNS (port 53) in Q2.

Page 4: ATLAS Q2 2014 Update

2014 ATLAS Initiative : Anonymous Stats, Worldwide

§  Second quarter of the new ATLAS data-set
§  Focus on providing baseline data for future comparisons
§  Comparisons to Q1 2014

§  2014 Q2 Summary:

§  2014 Q2 Average:
  §  759.83 Mb/sec (-47% from Q1)
  §  199.85 Kpps (-36% from Q1)

§  2014 Q2 Peak:
  §  154.69 Gb/sec (down 52% from the Q1 peak of 325.05 Gb/sec)
  §  80 Mpps (down 15% from the Q1 peak of 94.42 Mpps)

[Pie charts: World 2014 Q1 and Q2 size break-out by bps; bins <500 Mbps, 500 Mbps-1 Gbps, 1-2 Gbps, 2-5 Gbps, 5-10 Gbps, 10-20 Gbps]

Page 5: ATLAS Q2 2014 Update

Large Attacks Drop Back in Q2

§  Only about half the number of events over 20 Gb/sec in Q2 compared to Q1 (still 1800+)

§  And 39 over 100 Gb/sec, down from 72 in Q1.

§  Large attacks are way up on last year, but Q2 was not as busy as Q1.

2014 ATLAS Initiative : Anonymous Stats, Worldwide

§  Why? NTP reflection attacks are still significant, but reduced:

  §  6% of events overall (down from 14% in Q1)

  §  34% of events over 10 Gbps (down from 56%)

  §  48.7% of events over 100 Gbps (down from 84.7%)

[Charts: 2014 large event break-out by month, Jan-June; number of events >50 Gbps and >100 Gbps (0-400 scale), and number of events >10 Gbps and >20 Gbps (0-6000 scale)]

Page 6: ATLAS Q2 2014 Update

[Chart: Proportion of events with source port 123 (NTP), Dec 2013 - June 2014, 0-100%, for all events, events >10G and events >100G]

2014 ATLAS Initiative : Anonymous Stats, Worldwide

NTP Reflection / Amplification

§  NTP attacks are clearly visible in ATLAS traffic data.

§  Average of 1.29 Gbps of NTP traffic globally in November 2013

§  Average of 351.64 Gbps in February 2014

§  Average of 32.3 Gbps in June 2014

§  NTP cooling off through the end of March and into Q2

§  Still significantly above 2013 levels

[Chart: NTP traffic (Gbps) seen across ATLAS, daily, 1 Nov 2013 - 29 June 2014, 0-1400 Gbps scale]
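The NTP volumes above are driven by ntpd servers that answer the unauthenticated mode 7 "monlist" query with a response many times larger than the request, so anyone running ntpd is a potential reflector. The following ntp.conf fragment is an added example written for this page, not configuration from the deck or from Arbor; it assumes the ntp.org reference ntpd and shows a permissive stanza beside the restricted one.

```conf
# WEAK: a bare default restrict line (or none at all) lets any Internet host
# send mode 6/7 control queries, including monlist, and get the large reply.
#restrict default

# HARDENED: serve time only; refuse control/monitor queries, config changes,
# traps and unsolicited peering from everyone except localhost.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

# Switch the monitoring counters off entirely so monlist has nothing to return
# even if a restrict line is later loosened.
disable monitor
```

After reloading, `ntpdc -n -c monlist <server>` run from a host outside the restricted range should time out rather than list recent clients; if it still answers, the restrict line is not the one being applied (check for later, more specific restrict entries).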

Page 7: ATLAS Q2 2014 Update

2014 ATLAS Initiative : Anonymous Stats, Worldwide

Other Protocols for Amplification

§  Given the huge storm of NTP reflection activity, there has been some focus (in the media) on other protocols that can be used in this way.

§  Only two protocols show any significant activity.

§  Virtually nothing on QOTD, SSDP, Quake3.

§  NOTE: Some of these attacks make use of non-initial fragments, which are not accounted for below.

Protocol | UDP Port | Percentage of Attacks in Q2 | Max Size   | Average Size
SNMP     | 161      | 0.1%                        | 18.61 Gbps | 765.6 Mbps
Chargen  | 19       | 1.4%                        | 54.4 Gbps  | 1.18 Gbps
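The vector and size categories used throughout this deck (NTP by source port 123, Chargen/SNMP by their source ports, non-initial fragments as their own class, the bps size bins, peak Gbps and Mpps, duration) can all be derived from sampled flow records of the kind the Peakflow SP correlation on page 2 consumes. The script below is an added example written for this page, not Arbor's or ATLAS's code; the Flow record layout, the 1:1000 sampling rate and every record in SAMPLE_FLOWS are constructed, and it goes slightly beyond the deck by also tagging SYN floods and DNS/SSDP/QOTD/Quake3 reflection, which the deck names but does not tabulate.

```python
# Added example for this page (not Arbor's or ATLAS's own code): classifying
# DDoS events from sampled flow records and sizing them the way the deck does
# (vector by source port / fragment state, peak bps and pps, duration, size bin).
# The Flow layout, the 1:1000 sample rate and every record in SAMPLE_FLOWS are
# constructed for illustration; addresses are from the RFC 5737 documentation ranges.
from collections import Counter, defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, keyed by the source port the
# victim sees. Port numbers are the services' standard ports.
REFLECTOR_SOURCE_PORTS = {
    123: "NTP", 19: "Chargen", 161: "SNMP", 53: "DNS",
    1900: "SSDP", 17: "QOTD", 27960: "Quake3",
}

# Upper bounds (Gbps, exclusive) of the size bins used on the deck's pie charts.
SIZE_BINS_GBPS = [
    (0.5, "<500Mbps"), (1, "500Mbps-1Gbps"), (2, "1-2Gbps"),
    (5, "2-5Gbps"), (10, "5-10Gbps"), (20, "10-20Gbps"),
]


@dataclass(frozen=True)
class Flow:
    ts: int           # start second of the record
    proto: str        # "udp" or "tcp"
    src_port: int     # 0 when unknown (non-initial fragments carry no L4 header)
    dst_port: int
    dst: str          # victim address
    frag_offset: int  # > 0 means a non-initial IP fragment
    tcp_flags: str    # "S" for a SYN-only segment, "" otherwise
    packets: int      # sampled counts; scaled up by the sample rate in summarize()
    bytes: int


def classify(flow: Flow) -> str:
    """Name the attack vector one record belongs to, using the deck's categories."""
    if flow.frag_offset > 0:
        return "NIF"  # non-initial fragment: no ports, so counted as its own class
    if flow.proto == "udp" and flow.src_port in REFLECTOR_SOURCE_PORTS:
        return REFLECTOR_SOURCE_PORTS[flow.src_port] + " reflection"
    if flow.proto == "tcp" and flow.tcp_flags == "S":
        return "TCP SYN"
    return "%s/%d" % (flow.proto.upper(), flow.dst_port)


def size_bin(gbps: float) -> str:
    """Map a peak rate onto the deck's bps size bins."""
    for upper, label in SIZE_BINS_GBPS:
        if gbps < upper:
            return label
    return ">20Gbps"


def summarize(flows, sample_rate=1000):
    """Aggregate records per (victim, vector) into one event with peak Gbps,
    peak Mpps, duration in seconds and the deck's size bin.  Counts are
    multiplied by sample_rate to undo 1:N packet sampling."""
    per_second = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # key -> ts -> [bytes, pkts]
    for f in flows:
        bucket = per_second[(f.dst, classify(f))][f.ts]
        bucket[0] += f.bytes * sample_rate
        bucket[1] += f.packets * sample_rate
    events = {}
    for key, series in per_second.items():
        peak_bytes = max(b for b, _ in series.values())
        peak_pkts = max(p for _, p in series.values())
        gbps = peak_bytes * 8 / 1e9
        events[key] = {
            "peak_gbps": round(gbps, 2),
            "peak_mpps": round(peak_pkts / 1e6, 2),
            "duration_s": max(series) - min(series) + 1,
            "size_bin": size_bin(gbps),
        }
    return events


def vector_share(events, min_gbps=0.0):
    """Fraction of events per vector, optionally only for events over min_gbps
    (the deck's 'x% of events over 10Gbps' style figures)."""
    counts = Counter(vector for (_, vector), e in events.items() if e["peak_gbps"] >= min_gbps)
    total = sum(counts.values())
    return {v: c / total for v, c in counts.items()} if total else {}


# Constructed sample: an NTP reflection flood onto a web server (~480-byte
# responses from source port 123), a non-initial-fragment flood, a small Chargen
# reflection onto a game port, and a SYN flood.  Sampled counts (1:1000).
SAMPLE_FLOWS = [
    Flow(0, "udp", 123, 80, "203.0.113.10", 0, "", 5_000, 2_400_000),
    Flow(1, "udp", 123, 80, "203.0.113.10", 0, "", 5_000, 2_400_000),
    Flow(2, "udp", 123, 80, "203.0.113.10", 0, "", 4_000, 1_920_000),
    Flow(0, "udp", 0, 0, "192.0.2.44", 185, "", 400, 600_000),
    Flow(1, "udp", 0, 0, "192.0.2.44", 185, "", 400, 600_000),
    Flow(5, "udp", 19, 3074, "198.51.100.7", 0, "", 60, 60_000),
    Flow(0, "tcp", 40000, 443, "203.0.113.10", 0, "S", 2_000, 80_000),
]

if __name__ == "__main__":
    for (dst, vector), e in sorted(summarize(SAMPLE_FLOWS).items()):
        print(dst, vector, e)
    print(vector_share(summarize(SAMPLE_FLOWS), min_gbps=10))
```

On the constructed input the NTP flood comes out at 19.2 Gbps / 5.0 Mpps over 3 seconds in the 10-20 Gbps bin, and it is the only event over 10 Gbps, which is exactly the kind of "share of events over 10G by vector" figure the deck reports. Two caveats carry over from the slides: non-initial fragments of a reflection attack land in "NIF" rather than with their protocol, and the sample-rate scaling assumes uniform packet sampling, so a short burst can be under- or over-stated.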

Page 8: ATLAS Q2 2014 Update

Duration Break-Out

§  Majority of attacks are short-lived: approx 90.6% last less than 1 hour, consistent with Q1.

§  Average attack duration 72 mins, up from 60 mins in Q1

2014 ATLAS Initiative : Anonymous Stats, Worldwide

[Pie charts: World 2014 Q1 and Q2 duration break-out; bins <30 mins, 30-60 mins, 1-3 hours, 3-6 hours, 6-12 hours, 12-24 hours]

§  Average duration of attacks over 10G is 1 hour 38 minutes, up significantly from 54 minutes in Q1.

§  Proportion of attacks lasting longer than 12 hours is 1.38%, roughly consistent with Q1

Page 9: ATLAS Q2 2014 Update

2014 ATLAS Initiative : Anonymous Stats, Worldwide

Dest Port Break-Out

§  NIF (non-initial fragments) stays at number 1 with 23.8% of events; ports 80 and 53 are in second and third place.

§  Jump in the proportion of attacks hitting port 53 (DNS): up from 8% to 13.3%

[Pie charts: World 2014 Q2 break-out by destination port: NIF, 80, 53, 443, 3074, 25565, 4500, Other; World 2014 Q1 break-out by destination port: NIF, 80, 53, 443, 123, 25, 3074, Other]

§  Port 443 (HTTPS) is the target in 2.25% of events, down from 2.7% in Q1.

§  123 (NTP) drops out of the top target ports, but is still being used a lot as a reflection source port.

Page 10: ATLAS Q2 2014 Update

Event Source Break-Out

§  33.9% of monitored events cannot be attributed to a source country due to data anonymisation / distribution.

§  Of the remainder (the slide gives 56.1%, which does not reconcile with the 33.9% unattributed figure), the top 3 sources are:

  §  South Korea : 15.1% (up from 12.5% in Q1)
  §  US : 14.8% (up from 11% in Q1)
  §  China : 6.7% (up from 3.9% in Q1)

2014 ATLAS Initiative : Anonymous Stats, Worldwide

§  A much higher proportion of events over 10G cannot be attributed.

§  Ranking of sources for events larger than 10 Gbps differs:

  §  US : 7.6% (up from 4.6% in Q1)
  §  China : 6.6% (up from 2% in Q1)
  §  South Korea : 1.26% (up from 0.22% in Q1)

[Charts: World 2014 Q1 attack sources: FR, GB, NL, DE, MY, BR, CN, US, KR, Unknown; World 2014 Q2 attack sources: RU, BR, NL, MY, DE, GB, CN, US, KR, Unknown]

Page 11: ATLAS Q2 2014 Update

Event Destination Break-Out

§  7% of monitored events cannot be attributed to a destination country due to data anonymisation.

§  Of the remaining 93%, the top 3 destinations are:

  §  US : 18% (down from 21.2% in Q1)
  §  China : 15.9% (up from 8.5% in Q1)
  §  South Korea : 13.4% (up from 13% in Q1)

2014 ATLAS Initiative : Anonymous Stats

§  France drops from 6.4% of attacks in Q1 to 3.8% in Q2.

§  Ranking of destinations for events larger than 10 Gbps differs:

  §  US : 15.5% (down from 21.7% in Q1)
  §  France : 8.2% (down from 15.7% in Q1)
  §  China : 7.18% (down from 9.4% in Q1)

[Charts: World 2014 Q1 attack destinations: AU, BR, GB, MY, FR, TW, CN, KR, US, Unknown; World 2014 Q2 attack destinations: CA, TW, GB, BR, FR, MY, KR, CN, US, Unknown]

Page 12: ATLAS Q2 2014 Update

2014 ATLAS Initiative : Anonymous Stats, Worldwide

Largest Monitored Attack Sizes Year on Year

Year          | BPS                                              | PPS
2012          | 100.84 Gb/sec, destination unknown, lasted 20 mins | 82.36 Mpps, destination unknown, lasted 24 mins
2013          | 245 Gb/sec (TCP SYN), lasted 16 mins             | 202 Mpps (UDP/9656), lasted 8 mins
2014 (so far) | 325 Gb/sec (NTP), France, lasted 4 h 22 mins     | 94.42 Mpps, port 80, US, lasted 7 mins

Page 13: ATLAS Q2 2014 Update

2014 ATLAS Initiative : Anonymous Stats, Worldwide

§  100 Gbps+ attacks are becoming increasingly common

§  Largest ATLAS-monitored attack in Q2:

  §  154.69 Gb/sec, 25 mins, NTP reflection -> port 80, target in Spain.

[Chart: Peak attack growth trend, peak monthly Gbps of attacks, 0-350 Gbps scale; maximum 325.05 Gbps]

Page 14: ATLAS Q2 2014 Update

2014 ATLAS Initiative : Anonymous Stats, Worldwide

§  Peak sizes have been over 50 Mpps for the last few months

§  Largest attack in Q2:

  §  80 Mpps, 11 minutes, SYN flood -> port 20480, unknown destination.

[Chart: Peak attack growth trend, peak monthly Mpps of attacks, 0-250 Mpps scale]

Page 15: ATLAS Q2 2014 Update

Thank You