ATLAS Q3 2014 DDoS Attack Trends
DESCRIPTION
This presentation provides details on DDoS attack data for Q3 2014. It was gathered from Arbor Networks' ATLAS portal, which is a truly innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 290+ service providers who have agreed to share anonymous traffic data on an hourly basis, together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. The network and security intelligence delivered via ATLAS gives Arbor customers a considerable competitive advantage because of the powerful combination of the micro view of their own network (via Arbor products) together with the macro view of global Internet traffic (via ATLAS).
TRANSCRIPT
ATLAS Q3 2014 Update October 2014
The Arbor ATLAS Initiative: Internet Trends
§ 290+ ISPs sharing real-time data -> ATLAS Internet Trends
– Automated hourly export of XML file to Arbor server (HTTPS)
– File is anonymous, only tagged with
– User Specified Region e.g. Europe
– Provider Type (self categorized) e.g. Tier 1
§ Data derived from Flow / BGP / SNMP correlation
– Arbor Peakflow SP product
– Correlates Sampled Flow / BGP in real-time
– Distributed in nature
– Network / Router / Interface etc. Traffic Reporting
– Threat Detection (DDoS / infected sub)
– Multiple detection mechanisms
§ ATLAS currently monitoring a peak of around 90Tbps of IPv4 traffic across all respondents.
– A significant proportion of Internet traffic
The Arbor ATLAS Initiative: Internet Trends 2014
§ Key Findings :
§ Significant growth in use of SSDP for reflection in Q3. 4% of events in Q3, peak attack at 124Gbps.
§ SSDP reflection responsible for 42% of events over 10Gbps in September.
§ NTP reflection attacks still significant, but continuing to decrease proportionally (post the Q1 storm).
§ Already seen 133 events over 100Gb/sec this year. Attacks over 100Gb/sec in every month except one this year.
§ Largest attack in Q3, 264Gbps UDP Flood, unknown destination.
§ Proportion of events lasting less than 1 hour is gradually increasing, now at 91.2%.
§ Jump in proportion of attacks hitting port 53 (DNS) in Q2 reverses in Q3, back to Q1 levels. Proportion of attacks targeting port 443 (HTTPS) resumes growth.
§ Australia 4th most popular attack target in Q3 (not usually in top 10) with 4.4% of attacks.
§ Third quarter of new ATLAS data-set
§ Focus on providing baseline data for future comparisons
§ Comparisons to Q1 and Q2 2014
§ 2014 Summary :
2014 ATLAS Initiative : Anonymous Stats, Worldwide

| Period | Average Attack Size (bps) | % Change | Peak Attack Size (bps) | % Change |
|---|---|---|---|---|
| Q1 | 1.12Gbps | - | 325.06Gbps | - |
| Q2 | 759.83Mbps | -32.2% | 154.69Gbps | -52.4% |
| Q3 | 858.98Mbps | +13.05% | 264.61Gbps | +71.1% |
[Charts: World 2014 Q1, Q2 and Q3 Size Break-Out, BPS. Categories: <500Mbps, >500Mbps<1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps, >20Gbps]
§ Peak Attacks in Q3:
§ BPS / PPS : 264.61Gbps / 98.93Mpps, UDP Flood (all ports), 1 hour 4 mins.
§ 2014 Summary :

| Period | Average Attack Size (pps) | Change (Q / Q) | Peak Attack Size (pps) | Change (Q / Q) |
|---|---|---|---|---|
| Q1 | 272.45Kpps | - | 94.42Mpps | - |
| Q2 | 199.85Kpps | -26.7% | 80Mpps | -15.3% |
| Q3 | 238.35Kpps | +19.3% | 98.93Mpps | +23.7% |
[Charts: World 2014 Q1, Q2 and Q3 Size Break-Out, PPS. Categories: <500Kpps, >500Kpps<1Mpps, >1<2Mpps, >2<5Mpps, >5<10Mpps, >10<20Mpps, >20Mpps]
Large Attacks Analysis
§ 22 events over 100Gb/sec in Q3, this gives 133 year-to-date.
§ Q3 saw numbers of larger events trend up from Q2.
§ 16.5% above 1Gbps, compared to 15.3% in Q2
§ 1.25% above 10Gbps, compared to 0.9% in Q2
§ NTP reflection attacks still trending down over the quarter proportionally
§ 5% of events overall (6% in Q2, 14% in Q1)
§ 28% of events over 10Gbps (34% in Q2 and 56% in Q1)
§ 54.5% of events over 100Gbps (48.7% in Q2 and 84.7% in Q1)
[Charts: 2014 Event Size Break-Out Month-by-Month. Series: Number of Events >10Gbps, >20Gbps, >50Gbps, >100Gbps]
Other Protocols for Amplification
§ Given the huge storm of NTP reflection activity, there has been some focus on other protocols that can be used in this way.
§ Looking at attacks with source-ports of services used for reflection.
§ DNS has been used by attackers for several years.
§ Lower proportion of events for SNMP reflection this quarter compared to last. Chargen grows slightly.
§ Significant growth in attacks with source port 1900 (SSDP)
§ Almost no attacks in Q2
§ 29506 in Q3

| Protocol | UDP Source Port | Percentage of Attacks in Q3 | Max Size Q3 | Average Size Q3 |
|---|---|---|---|---|
| SNMP | 161 | 0.03% | 14.46Gbps | 856Mbps |
| Chargen | 19 | 2% | 24.8Gbps | 1.05Gbps |
| DNS | 53 | 4% | 83.9Gbps | 1.7Gbps |
| SSDP | 1900 | 4% | 124Gbps | 4.04Gbps |
| NTP | 123 | 5% | 156.3Gbps | 2.99Gbps |
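
The source-port method described above, sketched as an added example (not Arbor's code or ATLAS data): events are tagged by the UDP source port of a known reflection service, then summarised as share of events, maximum size and average size, for all events and for events over 10Gbps. The record fields (`proto`, `src_port`, `peak_bps`) and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict

# UDP source ports of the reflection services listed in the table above.
REFLECTION_PORTS = {161: "SNMP", 19: "Chargen", 53: "DNS", 1900: "SSDP", 123: "NTP"}

def classify(event):
    """Return the reflection protocol name for an event, or None.

    Source port alone is a heuristic: it marks traffic that looks like
    replies from a reflection service, so only UDP events are considered.
    """
    if event["proto"] != "udp":
        return None
    return REFLECTION_PORTS.get(event["src_port"])

def breakdown(events, min_bps=0):
    """Per-protocol share of events (%), max size and average size in bps."""
    selected = [e for e in events if e["peak_bps"] > min_bps]
    sizes = defaultdict(list)
    for e in selected:
        name = classify(e)
        if name:
            sizes[name].append(e["peak_bps"])
    return {
        name: {
            "share_pct": round(100.0 * len(v) / len(selected), 1),
            "max_bps": max(v),
            "avg_bps": sum(v) / len(v),
        }
        for name, v in sizes.items()
    }

G = 10**9
# Constructed sample events (hypothetical values, not taken from ATLAS).
EVENTS = [
    {"proto": "udp", "src_port": 1900, "peak_bps": 12 * G},
    {"proto": "udp", "src_port": 1900, "peak_bps": 4 * G},
    {"proto": "udp", "src_port": 123, "peak_bps": 30 * G},
    {"proto": "udp", "src_port": 53, "peak_bps": 2 * G},
    {"proto": "tcp", "src_port": 53, "peak_bps": 1 * G},      # TCP, not counted
    {"proto": "udp", "src_port": 40211, "peak_bps": 15 * G},  # ephemeral port
    {"proto": "udp", "src_port": 19, "peak_bps": 1 * G},
    {"proto": "tcp", "src_port": 51515, "peak_bps": 20 * G},
]

if __name__ == "__main__":
    for label, floor in (("all events", 0), ("events over 10Gbps", 10 * G)):
        print(label)
        for name, s in sorted(breakdown(EVENTS, floor).items()):
            print(f"  {name}: {s['share_pct']}% max={s['max_bps'] / G:.1f}G "
                  f"avg={s['avg_bps'] / G:.1f}G")
```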
SSDP Reflection
§ Attacks with source port 1900 (SSDP) appear to be growing rapidly.
§ Only 3 events tracked in the whole of Q2, 29506 tracked in Q3.
§ Top Target countries are:
§ US : 19.3%
§ France : 10%
§ Denmark : 7.4%
§ Most popular target ports:
§ 80 (HTTP) : 58.7%
§ 53 (DNS) : 4.1%
§ 27015 (Steam) : 3.4%
§ 3 events over 100Gb/sec so far, one in combination with NTP reflection.
§ Two of which target port 1337 (Leet, hacker term)
[Chart: Percentage of events, Source Port 1900 (SSDP), by month (July, August, September). Series: All, >10G, >100G]
Duration Break-Out
§ Majority of attacks short-lived, approx 91.2% less than 1 hour.
§ 90.1% and 90.6% in Q1 and Q2, trend of increasing proportion less than 60 mins.
§ Average attack duration 66 mins, half way between Q1 and Q2
§ 60 mins and 72 mins respectively
[Charts: World 2014 Q1 and Q2 Break-Out Duration. Categories: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours, >24 Hours]
§ Average duration of attacks over 10G is 1 hour 13 mins, down from 1 hour 38 minutes in Q2.
§ Proportion of attacks lasting longer than 12 hours is 1.23%.
§ Falling gradually through the year, 1.48% in Q1 and 1.38% in Q2
[Chart: World 2014 Q3 Break-Out Duration. Categories: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours, >24 Hours]
Dest Port Break-Out
§ Fragments stays at number 1, with 25.8% of events
§ Gradual increase so far this year – 21.8% Q1, 23.8% Q2
§ Port 80 (HTTP) stays at number 2 with 18.7%.
§ Again gradual increase over the year – 14% Q1, 15.6% Q2
§ Jump in proportion of attacks targeting port 53 (DNS) in Q2 eases back to Q1 levels.
§ 7.7% Q1, 13.3% Q2, 8.7% Q3
§ Port 443 (HTTPS) is the target in 3.4% of events, up from Q1/Q2 levels.
§ 3074 (xbox) stays at 5th most popular target port.
[Chart: World 2014 Q1 Break-Out Ports. Categories: Fragment, 80, 53, 443, 123, 25, 3074, Other]
[Chart: World 2014 Q2 Break-Out Ports. Categories: Fragment, 80, 53, 443, 3074, 25565, 4500, Other]
[Chart: World 2014 Q3 Break-Out Ports. Categories: Fragment, 80, 53, 443, 3074, 22, 2001, Other]
Event Source Break-Out
§ 35.4% of monitored events cannot be attributed due to data anonymisation / distribution
§ Of the remaining 64.6%, the top 3 sources are:
§ US : 15.7% (up from 14.7% Q2, 11% Q1)
§ South Korea : 11.7% (down from 15.1% Q2, 12.5% Q1)
§ China : 6% (6.7% Q2 and 3.9% in Q1)
§ Much higher proportion of events cannot be attributed over 10G
§ Ranking of sources for events larger than 10Gbps differs:
§ US : 6% (7.6% Q2, 4.6% in Q1)
§ China : 5.9% (6.6% Q2, 2% in Q1)
§ Brazil : 1.1% (up from 0.6% in Q2)
[Chart: World 2014 Q2 Attack Sources. Categories: RU, BR, NL, MY, DE, GB, CN, US, KR, Unknown, Other]
[Chart: World 2014 Q1 Attack Sources. Categories: FR, GB, NL, DE, MY, BR, CN, US, KR, Unknown, Other]
[Chart: World 2014 Q3 Attack Sources. Categories: NL, TR, DE, AU, MY, GB, CN, KR, US, Unknown, Other]
Event Destination Break-Out
§ 4.7% of monitored events cannot be attributed due to data anonymisation.
§ Of the remaining 95.3%, the top 3 destinations are:
§ US : 20.2% (18% in Q2, 21.2% in Q1)
§ China : 13.4% (15.9% in Q2, 8.5% in Q1)
§ South Korea : 10% (13.4% Q2, 13% Q1)
§ Australia jumps into 4th place with 4.4% of attacks in Q3.
§ Ranking of destinations for events larger than 10Gbps differs:
§ US : 17.6% (15.5% in Q2, 21.7% in Q1)
§ France : 10.8% (8.2% in Q2, 15.7% in Q1)
§ Denmark : 8.4% (5.9% in Q2, 3.7% in Q1)
[Chart: World 2014 Q2 Attack Destinations. Categories: CA, TW, GB, BR, FR, MY, KR, CN, US, Unknown, Other]
[Chart: World 2014 Q1 Attack Destinations. Categories: AU, BR, GB, MY, FR, TW, CN, KR, US, Unknown, Other]
[Chart: World 2014 Q3 Attack Destinations. Categories: BR, GB, TR, FR, MY, AU, KR, CN, US, Unknown, Other]
Largest Monitored Attack Sizes Year on Year

| Year | BPS | PPS |
|---|---|---|
| 2012 | 100.84Gb/sec, destination unknown; lasted 20 mins | 82.36Mpps, destination unknown; lasted 24 mins |
| 2013 | 245Gb/sec (TCP SYN); lasted 16 mins | 202Mpps (UDP/9656); lasted 8 mins |
| 2014 (so far) | 325Gb/sec (NTP), France; lasted 4 h 22 mins | 98.93Mpps, All UDP Ports; lasted 1 hour 4 mins |
Peak Attack Growth trend in Gbps
§ 100Gbps+ attacks in every month this year bar one.
§ Peak attack sizes clearly higher this year.
[Chart: Peak Monthly Gbps of Attacks. Labelled peaks: 325.05 and 264.61]
Peak Attack Growth trend in Mpps
§ Peak sizes have been over 50Mpps every month this year
§ As with peak BPS rates, peak PPS rates are trending up this year.
[Chart: Peak Monthly Mpps of Attacks]
Thank You