ATLAS Q2 2014 Update
This presentation provides details on DDoS attack data for Q2 2014. It was gathered from Arbor Networks' ATLAS portal, which is a truly innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 290+ service providers who have agreed to share anonymous traffic data on an hourly basis, together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. The network and security intelligence delivered via ATLAS gives Arbor customers a considerable competitive advantage because of the powerful combination of the micro view of their own network (via Arbor products) together with the macro view of global Internet traffic (via ATLAS).
ATLAS Q2 2014 Update July 2014
The Arbor ATLAS Initiative: Internet Trends
§ 290+ ISPs sharing real-time data -> ATLAS Internet Trends
  – Automated hourly export of XML file to Arbor server (HTTPS)
  – File is anonymous, only tagged with:
    – User Specified Region e.g. Europe
    – Provider Type (self categorized) e.g. Tier 1
§ Data derived from Flow / BGP / SNMP correlation
  – Arbor Peakflow SP product
  – Correlates Sampled Flow / BGP in real-time
  – Distributed in nature
  – Network / Router / Interface etc. Traffic Reporting
  – Threat Detection (DDoS / infected sub)
  – Multiple detection mechanisms
§ ATLAS currently monitoring a peak of around 90Tbps of IPv4 traffic across all respondents.
  – A significant proportion of Internet traffic
The Arbor ATLAS Initiative: Internet Trends 2014
§ Key Findings :
§ Q1 2014 saw probably the most concentrated burst of large volumetric DDoS attacks ever; things have calmed down again in Q2.
§ NTP reflection attacks still significant, but reduced numbers / size compared to Q1. NTP traffic volumes falling globally, but still not back to ‘normal’.
§ Largest attack in Q2 is NTP reflection, but ‘ONLY’ 154Gbps, target in Spain.
§ Already seen more than 2x the number of events over 20Gbps compared to 2013.
§ Already seen more than 100 events over 100Gb/sec this year.
§ Non Initial Fragment attacks still the most common, but big increase in proportion of attacks targeting DNS (53) in Q2.
§ Second quarter of new ATLAS data-set
§ Focus on providing baseline data for future comparisons
§ Comparisons to Q1 2014
§ 2014 Q2 Summary :
2014 ATLAS Initiative : Anonymous Stats, Worldwide
§ 2014 Q2 Average:
  § 759.83 Mb/sec (- 47% from Q1)
  § 199.85 Kpps (- 36% from Q1)
§ 2014 Q2 Peak:
  § 154.69 Gb/sec (-101% from Q1)
  § 80 Mpps (-18% from Q1)
[Pie charts: World 2014 Q1 Size Break-Out, BPS and World 2014 Q2 Size Break-Out, BPS. Categories in both: <500Mbps, >500Mbps<1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps]
Large Attacks Drop Back in Q2
§ Only half the number of events over 20Gb/sec in Q2, as compared to Q1 (still 1800+)
§ And 39 over 100Gb/sec, down from 72 in Q1.
§ Large attacks way up on last year, but Q2 was not as busy as Q1.
§ Why? NTP reflection attacks still significant, but reduced:
§ 6% of events overall (down from 14% in Q1)
§ 34% of events over 10Gbps (down from 56%)
§ 48.7% of events over 100Gbps (down from 84.7%)
[Charts: 2014 Large Event Break-Out, January to June. Number of Events >50Gbps and >100Gbps; Number of Events >10Gbps and >20Gbps; percentage chart, December to June, with series All, >10G and >100G]
NTP Reflection / Amplification
§ NTP attacks clearly shown in ATLAS traffic data.
§ Average of 1.29 Gbps NTP traffic globally in November 2013
§ Average of 351.64 Gbps in February 2014
§ Average of 32.3 Gbps in June 2014
§ NTP cooling off through the end of March and into Q2
§ Still significantly above 2013 levels
[Charts: Proportion of Events with Source Port 123; NTP (Gbps), 11/01/2013 to 06/29/2014]
Other Protocols for Amplification
§ Given the huge storm of NTP reflection activity, there has been some focus (in the media) on other protocols that can be used in this way.
§ Only two protocols show any significant activity
§ Virtually nothing on QOTD, SSDP, Quake3.
§ NOTE: Some of these attacks make use of non-initial-fragments which are not accounted for below.

Protocol   UDP Port   Percentage of Attacks in Q2   Max Size    Average Size
SNMP       161        0.1%                          18.61Gbps   765.6Mbps
Chargen    19         1.4%                          54.4Gbps    1.18Gbps
Duration Break-Out
§ Majority of attacks short-lived, approx 90.6% less than 1 hour, consistent with Q1.
§ Average attack duration 72 mins, up from 60 mins in Q1
[Pie charts: World 2014 Q1 Break-Out Duration and World 2014 Q2 Break-Out Duration. Categories in both: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours]
§ Average duration of attacks over 10G is 1 hour 38 minutes, up significantly from 54 minutes in Q1.
§ Proportion of attacks lasting longer than 12 hours is 1.38%, roughly consistent with Q1
Dest Port Break-Out
§ NIF stays at number 1, with 23.8% of events, ports 80 and 53 in second and third place.
§ Jump in proportion of attacks hitting port 53:
  § Up from 8% to 13.3%
[Pie chart: World 2014 Q2 Break-Out Ports. Categories: NIF, 80, 53, 443, 3074, 25565, 4500, Other]
[Pie chart: World 2014 Q1 Break-Out Ports. Categories: NIF, 80, 53, 443, 123, 25, 3074, Other]
§ Port 443 (HTTPS) is the target in 2.25% of events, down from 2.7% in Q1.
§ 123 (NTP) drops out of top target ports
  § But still being used a lot for reflection
Event Source Break-Out
§ 33.9% of monitored events cannot be attributed due to data anonymisation / distribution
§ Of the remaining 56.1%, the top 3 sources are:
  § South Korea : 15.1% (up from 12.5% in Q1)
  § US : 14.8% (up from 11% in Q1)
  § China : 6.7% (up from 3.9% in Q1)
§ Much higher proportion of events cannot be attributed over 10G
§ Ranking of sources for events larger than 10Gbps differs:
  § US : 7.6% (up from 4.6% in Q1)
  § China : 6.6% (up from 2% in Q1)
  § South Korea : 1.26% (up from 0.22% in Q1)
[Pie chart: World 2014 Q1 Attack Sources. Categories: FR, GB, NL, DE, MY, BR, CN, US, KR, Unknown]
[Pie chart: World 2014 Q2 Attack Sources. Categories: RU, BR, NL, MY, DE, GB, CN, US, KR, Unknown]
Event Destination Break-Out
§ 7% of monitored events cannot be attributed due to data anonymisation.
§ Of the remaining 93%, the top 3 destinations are:
  § US : 18% (down from 21.2%)
  § China : 15.9% (up from 8.5% in Q1)
  § South Korea : 13.4% (up from 13% in Q1)
§ France drops from 6.4% of attacks in Q1 to 3.8% in Q2.
§ Ranking of destinations for events larger than 10Gbps differs:
  § US : 15.5% (down from 21.7% in Q1)
  § France : 8.2% (down from 15.7% in Q1)
  § China : 7.18% (down from 9.4% in Q1)
[Pie chart: World 2014 Q1 Attack Destinations. Categories: AU, BR, GB, MY, FR, TW, CN, KR, US, Unknown]
[Pie chart: World 2014 Q2 Attack Destinations. Categories: CA, TW, GB, BR, FR, MY, KR, CN, US, Unknown]
Largest Monitored Attack Sizes Year on Year
2012
• BPS: 100.84Gb/sec, destination unknown. Lasted 20 mins
• PPS: 82.36Mpps, destination unknown. Lasted 24 mins
2013
• BPS: 245Gb/sec (TCP SYN). Lasted 16 mins
• PPS: 202Mpps (UDP/9656). Lasted 8 mins
2014 (so far)
• BPS: 325Gb/sec (NTP), France. Lasted 4 h 22 mins
• PPS: 94.42Mpps, port 80, US. Lasted 7 mins
§ 100Gbps+ becoming increasingly common
§ Largest ATLAS monitored attack in Q2:
  § 154.69Gb/sec, 25 mins, NTP Reflection -> port 80, target in Spain.
[Chart: Peak Attack Growth trend in Gbps. Peak Monthly Gbps of Attacks; labelled peak value 325.05]
§ Peak sizes have been over 50Mpps for last few months
§ Largest attack in Q2:
  § 80Mpps, 11 minutes, SYN Flood -> port 20480, unknown dest.
[Chart: Peak Attack Growth trend in Mpps. Peak Monthly Mpps of Attacks]
Thank You