ATLAS Q2 2015 Global DDoS Attack Trends

ATLAS Q2 2015 Update July 2015

Upload: arbor-networks

Post on 13-Aug-2015


TRANSCRIPT

Page 1: ATLAS Q2 2015 Global DDoS Attack Trends

ATLAS Q2 2015 Update July 2015

Page 2: ATLAS Q2 2015 Global DDoS Attack Trends

The Arbor ATLAS Initiative: Internet Trends

§ 330+ ISPs sharing real-time data -> ATLAS Internet Trends
  – Automated hourly export of XML file to Arbor server (HTTPS)
  – File is anonymous, only tagged with
    – User Specified Region e.g. Europe
    – Provider Type (self categorized) e.g. Tier 1
§ Data derived from Flow / BGP / SNMP correlation
  – Arbor Peakflow SP product
    – Correlates Sampled Flow / BGP in real-time
    – Distributed in nature
    – Network / Router / Interface etc. Traffic Reporting
    – Threat Detection (DDoS / infected sub)
    – Multiple detection mechanisms
§ ATLAS currently monitors between 25 and 30% of IPv4 traffic across the Internet
  – ATLAS provides data to the Google Digital Attack Map.

Page 3: ATLAS Q2 2015 Global DDoS Attack Trends

The Arbor ATLAS Initiative: Internet Trends 2015

§ Key Findings:
  § Percentage of attacks over 1Gbps is growing strongly, 16% in 2014, 17.7% in Q1 ‘15, 20.8% in Q2 ‘15.
  § Attack PPS rates also on the rise, 8.7% of attacks over 1Mpps in Q2 ‘15, up from 5.7% in Q1 and 5.4% in 2014.
  § Big jump in 50-100Gbps attacks in June. 75% targeting US & CA, and 99.2% of these were SYN Floods
  § 51 attacks over 100Gbps so far in 2015 (159 in 2014)
  § Q2 2015 shows number of SSDP attacks starting to fall back. 84K in Q2 ‘15, 126K in Q1 ‘15, 83K in Q4 ’14.
  § Average attack sizes for DNS, NTP, SSDP and Chargen reflection amplification all increase in Q2.
  § Proportion of attacks targeting TCP/80 (HTTP) is up, 17.8% vs 13.3% in Q1. Small increase in attacks targeting UDP/53 (DNS), and small decrease for TCP/443 (HTTPS)
  § France remains #1 target for attacks over 10Gbps.

Page 4: ATLAS Q2 2015 Global DDoS Attack Trends

§  2014 vs 2015 so far:

2015 ATLAS Initiative : Attack Size BPS

Period  | Average Attack Size (bps) | Change (Q/Q) | Peak Attack Size (bps) | Change (Q/Q)
2014 Q1 | 1.12Gbps                  | -            | 325.06Gbps             | -
2014 Q2 | 759.83Mbps                | -32.2%       | 154.69Gbps             | -52.4%
2014 Q3 | 858.98Mbps                | +13.05%      | 264.61Gbps             | +71.1%
2014 Q4 | 830.37Mbps                | -3.3%        | 267.21Gbps             | +1%
2015 Q1 | 804.12Mbps                | -3.1%        | 334.22Gbps             | +25%
2015 Q2 | 1.04Gbps                  | +29.4%       | 196.35Gbps             | -41%

[Chart: World 2015 Q1 Size Break-Out, BPS. Categories: <500Mbps, >500Mbps<1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps]

[Chart: World 2015 Q2 Size Break-Out, BPS. Categories: <500Mbps, >500Mbps<1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps]

Page 5: ATLAS Q2 2015 Global DDoS Attack Trends

§  2014 vs 2015 so far:

2015 ATLAS Initiative : Attack Size PPS

Period  | Average Attack Size (pps) | Change (Q/Q) | Peak Attack Size (pps) | Change (Q/Q)
2014 Q1 | 272.45Kpps                | -            | 94.42Mpps              | -
2014 Q2 | 199.85Kpps                | -26.7%       | 80Mpps                 | -15.3%
2014 Q3 | 238.35Kpps                | +19.3%       | 98.93Mpps              | +23.7%
2014 Q4 | 255.88Kpps                | +7.3%        | 112.5Mpps              | +13.7%
2015 Q1 | 272.38Kpps                | +6.4%        | 65.15Mpps              | -42.1%
2015 Q2 | 388.12Kpps                | +42.5%       | 119.25Mpps             | +83%

[Chart: World 2015 Q1 Size Break-Out, PPS. Categories: <500Kpps, >500Kpps<1Mpps, >1<2Mpps, >2<5Mpps, >5<10Mpps, >10<20Mpps]

[Chart: World 2015 Q2 Size Break-Out, PPS. Categories: <500Kpps, >500Kpps<1Mpps, >1<2Mpps, >2<5Mpps, >5<10Mpps, >10<20Mpps]

Page 6: ATLAS Q2 2015 Global DDoS Attack Trends

2015 ATLAS Initiative : Attack Size Analysis

§ Percentage of attacks over 1Gbps is growing strongly
  § 16% in 2014, 17.7% in Q1 ‘15, 20.8% in Q2.
§ Most Growth in the 2 – 10Gbps range
§ Attack PPS rates also on the rise
  § 8.7% of attacks over 1Mpps in Q2, up from 5.7% in Q1 and 5.4% in 2014
§ Percentage of attacks over 10Gbps resumes growth.
  § 1.26% in 2014, 0.9% in Q1 ’15, 1.41% in Q2 ’15.
§ Big jump in 50-100Gbps attacks in June.

[Charts: 2014/2015 Event Size Break-Out Month-by-Month, Jan '14 to June '15. First chart: series >50Gbps and >100Gbps, axis 0 to 500. Second chart: series >10Gbps and >20Gbps, axis 0 to 6000.]

Page 7: ATLAS Q2 2015 Global DDoS Attack Trends

2015 ATLAS Initiative : Attack Size Analysis

§ 50-100 Gbps attack spike in June
§ 75% targeting US and CA
  § 97 and 180 attacks respectively
§ 99.2% of these attacks were SYN floods
  § Spoofed source addresses
  § Random source ports
§ 88% lasting less than 30 mins
§ Longest at 15 hours 20 mins
§ US & CA attacks could be against a small number of destinations.
  § IPs are anonymised to xx.xx.A.B
  § In CA there are two sets of A.B with 98 attacks and 58 attacks respectively
  § In US there is one set of A.B with 86 attacks

[Chart: series >50Gbps and >100Gbps, axis 0 to 450]

Page 8: ATLAS Q2 2015 Global DDoS Attack Trends

2015 ATLAS Initiative : Reflection Amplification Protocols

§  Looking at attacks with source-ports of services used for reflection.

§  Q2 2015 shows number of SSDP attacks starting to fall back.

§  84K in Q2, 126K in Q1 2015, 83K in Q4 ’14

§  50% of reflection attacks in Q2 targeting UDP port 80 (HTTP/U)

§  Average attack sizes increase for all vectors except SNMP.

§  Average duration of reflection attack 20 mins in Q2 (19 mins in Q1).

Protocol | UDP Source Port | Max Size Q2 ‘15 | Average Size Q2 ‘15
SNMP     | 161             | 10.95bps        | 1.06Gbps
Chargen  | 19              | 44.9Gbps        | 2.2Gbps
DNS      | 53              | 120.3Gbps       | 2.78Gbps
SSDP     | 1900            | 144.91Gbps      | 2.42Gbps
NTP      | 123             | 185.94Gbps      | 2.75Gbps

[Chart: Reflection Mechanism as % of Overall Attacks, 2014 Q1 to 2015 Q2, axis 0.00% to 16.00%. Series: SSDP, NTP, DNS, Chargen, MSSQL, SNMP]
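The slide's method, grouping attack events by the UDP source port of the reflecting service, can be reproduced over any set of already-detected attack events. The following is an added Python example, not Arbor's code: the event field names and the sample events are constructed for illustration, and only the port-to-protocol map comes from the table above.

```python
from collections import defaultdict

# UDP source ports of reflection services, taken from the table on this slide.
REFLECTION_PORTS = {161: "SNMP", 19: "Chargen", 53: "DNS", 1900: "SSDP", 123: "NTP"}

# Constructed sample events (not ATLAS data), already flagged as attacks; bps and minutes.
SAMPLE_EVENTS = [
    {"proto": "udp", "src_port": 123, "dst_port": 80, "bps": 4.0e9, "mins": 12},
    {"proto": "udp", "src_port": 123, "dst_port": 80, "bps": 1.0e9, "mins": 30},
    {"proto": "udp", "src_port": 1900, "dst_port": 80, "bps": 2.0e9, "mins": 18},
    {"proto": "udp", "src_port": 53, "dst_port": 4444, "bps": 3.0e9, "mins": 20},
    # TCP flood that happens to use source port 53: must not count as DNS reflection.
    {"proto": "tcp", "src_port": 53, "dst_port": 80, "bps": 60.0e9, "mins": 5},
    # Direct UDP flood at a DNS server: port 53 is the destination, not the source.
    {"proto": "udp", "src_port": 40000, "dst_port": 53, "bps": 0.5e9, "mins": 45},
]


def classify(event):
    """Return the reflection vector name, or None if the event is not reflection."""
    if event["proto"] != "udp":
        return None
    return REFLECTION_PORTS.get(event["src_port"])


def summarise(events):
    """Per vector: count, max/average size, average duration, share of all attacks."""
    groups = defaultdict(list)
    for ev in events:
        vector = classify(ev)
        if vector is not None:
            groups[vector].append(ev)
    report = {}
    for vector, evs in groups.items():
        sizes = [e["bps"] for e in evs]
        report[vector] = {
            "count": len(evs),
            "max_gbps": max(sizes) / 1e9,
            "avg_gbps": sum(sizes) / len(sizes) / 1e9,
            "avg_mins": sum(e["mins"] for e in evs) / len(evs),
            "pct_of_all_attacks": 100.0 * len(evs) / len(events),
            "pct_to_udp_80": 100.0 * sum(e["dst_port"] == 80 for e in evs) / len(evs),
        }
    return report


if __name__ == "__main__":
    for vector, stats in sorted(summarise(SAMPLE_EVENTS).items()):
        print(vector, stats)
```

Source port alone is a heuristic that only makes sense on traffic already identified as an attack; ordinary DNS or NTP replies to a client carry the same source ports.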

Page 9: ATLAS Q2 2015 Global DDoS Attack Trends

2015 ATLAS Initiative : Reflection Attack Targets

§ Top targets for reflection attacks:
  § France : 13.7% (not ranked in Q1)
  § US : 12.5% (16.5% in Q1)
  § China : 8.9% (7.1% in Q1)
§ Top targets for reflection attacks > 10Gbps:
  § France : 21.5% (18.9% in Q1)
  § China : 11.6% (not ranked in Q1)
  § Denmark : 8.1% (9.5% in Q1)

[Chart: World 2015 Q2 Reflection Attack Destinations. Legend: FR, US, CN, AU, DK, CA, SE, DE, ES, Unknown, Other]

[Chart: World 2015 Q2 Reflection Attack Destinations > 10Gbps. Legend: FR, CN, DK, US, CA, AU, SE, Unknown, GB, PL, Other]

Page 10: ATLAS Q2 2015 Global DDoS Attack Trends

2015 ATLAS Initiative : Dest. Port, Duration Break-Out

Dest. Port Break-Out
§ Proportion of attacks targeting TCP/80 (HTTP) grows
  § 17.8% in Q2, 13.3% in Q1.
§ Slight rise in proportion of attacks hitting UDP/53 (DNS), and slight decrease in proportion hitting TCP/443 (HTTPS).

Duration Break-Out
§ Majority of attacks short-lived, approx 91% less than 1 hour.
§ Average attack duration 58 mins, down from 1 hour and 14 mins in Q1
§ Average attack duration over 10Gbps is 39 mins, down from 1 hour 2 mins, ongoing trend.

[Chart: World 2015 Q2 Break-Out Duration. Categories: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours, >24 Hours]

[Chart: World 2015 Q2 Break-Out Ports. Categories: TCP/80, UDP/80, UDP/53, ICMP, TCP/443, UDP/443, TCP/53, Other]

Page 11: ATLAS Q2 2015 Global DDoS Attack Trends

2015 ATLAS Initiative : Event Source Break-Out

§ 34.9% of monitored events cannot be attributed due to data anonymisation / distribution
§ Of the remaining 65.1%, the top 3 sources are:
  § US : 14% (11.25% in Q1)
  § China : 9.7% (5.3% in Q1)
  § South Korea : 9.7% (8.5% in Q1)
§ Much higher proportion of events cannot be attributed over 10G
§ Ranking of sources for events larger than 10Gbps differs:
  § China : 16.9% (9.4% in Q1)
  § US : 4.9% (5.3% in Q1)
  § Netherlands : 1% (not ranked in Q1)

[Chart: World 2015 Q2 Attack Sources. Legend: Unknown, US, CN, KR, BR, NL, DE, IL, FR, ES, Other]

[Chart: World 2015 Q2 Attack Sources, > 10Gbps. Legend: Unknown, CN, US, NL, TR, DE, KR, SE, JP, BR, Other]

Page 12: ATLAS Q2 2015 Global DDoS Attack Trends

2015 ATLAS Initiative : Event Destination Break-Out

§ 4.2% of monitored events cannot be attributed due to data anonymisation.
§ Of the remaining 95.8%, the top 3 destinations are:
  § China : 17.7% (16% in Q1)
  § US : 14.2% (16.2% in Q1)
  § France : 9.3% (7.5% in Q1)
§ Ranking of destinations for events larger than 10Gbps:
  § France : 16.9% (18% in Q1)
  § China : 16.4% (not ranked in Q1)
  § US : 12.9% (12.7% in Q1)
§ France remains #1 target for large attacks

[Chart: World 2015 Q2 Attack Destinations, > 10Gbps. Legend: FR, CN, US, CA, DK, AU, Unknown, DE, KR, SE, Other]

[Chart: World 2015 Q2 Attack Destinations. Legend: CN, US, FR, KR, CH, MY, Unknown, CA, AU, SE, Other]

Page 13: ATLAS Q2 2015 Global DDoS Attack Trends

2015 ATLAS Initiative : Anonymous Stats, World-Wide

Largest Monitored Attack Sizes Year on Year

Year          | BPS                                                                    | PPS
2012          | 100.84Gb/sec, destination unknown. Lasted 20 mins                      | 82.36Mpps, destination unknown. Lasted 24 mins
2013          | 245Gb/sec (TCP SYN dest port 80). Lasted 16 mins                       | 202Mpps (dest port UDP/9656). Lasted 8 mins
2014          | 325Gb/sec (NTP reflection, dest UDP 123), France. Lasted 4 h 22 mins   | 112.5Mpps (dest UDP/80), Switzerland. Lasted 2 hours 5 mins
2015 (so far) | 334Gb/sec, India. Lasted 6 mins                                        | 119.25Mpps (UDP Flood, src & dest 2302), US. 8 mins

Page 14: ATLAS Q2 2015 Global DDoS Attack Trends

§  Peak attacks each month consistently well above 100Gbps

2015 ATLAS Initiative : Anonymous Stats, World-Wide

Peak Attack Growth trend in Gbps

[Chart: Peak Monthly Gbps of Attacks, Jan-09 to May-15, axis 0 to 400. Labelled peaks: 325.05, 264.61, 334.22]

Page 15: ATLAS Q2 2015 Global DDoS Attack Trends

§ Peak sizes consistently over 60Mpps
§ As with peak BPS rates, peak PPS rates are trending up

2015 ATLAS Initiative : Anonymous Stats, World-Wide

Peak Attack Growth trend in Mpps

[Chart: Peak Monthly Mpps of Attacks, Jan-09 to May-15, axis 0 to 250]

Page 16: ATLAS Q2 2015 Global DDoS Attack Trends

Thank You