ATLAS Q2 2014 Update
ATLAS Q2 2014 Update July 2014
The Arbor ATLAS Initiative: Internet Trends
§ 290+ ISPs sharing real-time data -> ATLAS Internet Trends
– Automated hourly export of XML file to Arbor server (HTTPS)
– File is anonymous, only tagged with:
  – User Specified Region, e.g. Europe
  – Provider Type (self categorized), e.g. Tier 1
§ Data derived from Flow / BGP / SNMP correlation
– Arbor Peakflow SP product
  – Correlates Sampled Flow / BGP in real-time
  – Distributed in nature
  – Network / Router / Interface etc. Traffic Reporting
  – Threat Detection (DDoS / infected sub)
  – Multiple detection mechanisms
§ ATLAS currently monitoring a peak of around 90Tbps of IPv4 traffic across all respondents.
– A significant proportion of Internet traffic
The Arbor ATLAS Initiative: Internet Trends 2014
§ Key Findings :
§ Q1 2014 saw probably the most concentrated burst of large volumetric DDoS attacks ever, things have calmed down again in Q2.
§ NTP reflection attacks still significant, but reduced numbers / size compared to Q1. NTP traffic volumes falling globally, but still not back to ‘normal’.
§ Largest attack in Q2 is NTP reflection, but ‘ONLY’ 154Gbps, target in Spain.
§ Already seen more than 2x the number of events over 20Gbps compared to 2013.
§ Already seen more than 100 events over 100Gb/sec this year.
§ Non Initial Fragment attacks still the most common, but big increase in proportion of attacks targeting DNS (53) in Q2.
2014 ATLAS Initiative : Anonymous Stats, Worldwide
§ Second quarter of new ATLAS data-set
§ Focus on providing baseline data for future comparisons
§ Comparisons to Q1 2014
§ 2014 Q2 Summary :
§ 2014 Q2 Average:
  § 759.83 Mb/sec (- 47% from Q1)
  § 199.85 Kpps (- 36% from Q1)
§ 2014 Q2 Peak:
  § 154.69 Gb/sec (-101% from Q1)
  § 80 Mpps (-18% from Q1)
[Figure: World 2014 Q1 Size Break-Out, BPS and World 2014 Q2 Size Break-Out, BPS. Categories in both: <500Mbps, >500Mbps<1Gbps, >1<2Gbps, >2<5Gbps, >5<10Gbps, >10<20Gbps]
Large Attacks Drop Back in Q2
§ Only half the number of events over 20Gb/sec in Q2, as compared to Q1 (still 1800+)
§ And 39 over 100Gb/sec, down from 72 in Q1.
§ Large attacks way up on last year, but Q2 was not as busy as Q1.
§ Why? NTP reflection attacks still significant, but reduced:
  § 6% of events overall (down from 14% in Q1)
  § 34% of events over 10Gbps (down from 56%)
  § 48.7% of events over 100Gbps (down 84.7%)
[Figure: 2014 Large Event Break-Out, monthly, Jan to June. First chart: Number of Events >50Gbps and >100Gbps. Second chart: Number of Events >10Gbps and >20Gbps]
NTP Reflection / Amplification
§ NTP attacks clearly shown in ATLAS traffic data.
§ Average of 1.29 Gbps NTP traffic globally in November 2013
§ Average of 351.64 Gbps in February 2014
§ Average of 32.3 Gbps in June 2014
§ NTP cooling off through the end of March and into Q2
§ Still significantly above 2013 levels
[Figure: Proportion of Events with Source Port 123, monthly, Dec to June. Series: All, >10G, >100G]
[Figure: NTP (Gbps), time axis from 11/01/2013 to 06/29/2014]
Other Protocols for Amplification
§ Given the huge storm of NTP reflection activity, there has been some focus (in the media) on other protocols that can be used in this way.
§ Only two protocols show any significant activity
§ Virtually nothing on QOTD, SSDP, Quake3.
§ NOTE: Some of these attacks make use of non-initial-fragments which are not accounted for below.

Protocol   UDP Port   Percentage of Attacks in Q2   Max Size    Average Size
SNMP       161        0.1%                          18.61Gbps   765.6Mbps
Chargen    19         1.4%                          54.4Gbps    1.18Gbps
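
An added example, not Arbor's code and not part of the original slides: one way to produce a per-protocol break-out like the table above from flow event summaries, keyed on UDP source port, with non-initial fragments counted separately because they carry no UDP header and so cannot be matched on port. The event tuple layout and all sample values are constructed for illustration.

```python
from collections import Counter

# UDP source ports of the reflection protocols named on this page.
REFLECTION_PORTS = {123: "NTP", 161: "SNMP", 19: "Chargen"}

# Constructed sample events (hypothetical layout):
# (ip_protocol, src_port, fragment_offset, peak_bps)
# fragment_offset > 0 marks a non-initial fragment (NIF); it has no ports.
SAMPLE_EVENTS = [
    ("udp", 123, 0, 154_690_000_000),
    ("udp", 123, 0, 12_000_000_000),
    ("udp", 19, 0, 1_180_000_000),
    ("udp", 161, 0, 765_600_000),
    ("udp", None, 185, 9_000_000_000),  # NIF: reflector unknown from this packet
    ("tcp", 40000, 0, 400_000_000),     # not UDP, so not port-based reflection
    ("udp", 53124, 0, 300_000_000),     # UDP from an ephemeral port
]


def classify(event):
    """Label one event as a reflection protocol, 'NIF', or 'other'."""
    proto, src_port, frag_offset, _peak_bps = event
    if frag_offset > 0:
        # Fragments after the first cannot be attributed by port; count them
        # on their own instead of silently dropping them into 'other'.
        return "NIF"
    if proto == "udp" and src_port in REFLECTION_PORTS:
        return REFLECTION_PORTS[src_port]
    return "other"


def breakdown(events, min_bps=0):
    """Percentage of events per label, restricted to events >= min_bps."""
    selected = [e for e in events if e[3] >= min_bps]
    if not selected:
        return {}
    counts = Counter(classify(e) for e in selected)
    return {label: round(100.0 * n / len(selected), 1)
            for label, n in counts.items()}


if __name__ == "__main__":
    print("all events:", breakdown(SAMPLE_EVENTS))
    print("over 10Gbps:", breakdown(SAMPLE_EVENTS, min_bps=10_000_000_000))
```
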
Duration Break-Out
§ Majority of attacks short-lived, approx 90.6% less than 1 hour, consistent with Q1.
§ Average attack duration 72 mins, up from 60 mins in Q1
§ Average duration of attacks over 10G is 1 hour 38 minutes, up significantly from 54 minutes in Q1.
§ Proportion of attacks lasting longer than 12 hours is 1.38%, roughly consistent with Q1
[Figure: World 2014 Q1 Break-Out Duration and World 2014 Q2 Break-Out Duration. Categories in both: <30 Mins, >30<60 Mins, >1<3 Hours, >3<6 Hours, >6<12 Hours, >12<24 Hours]
Dest Port Break-Out
§ NIF stays at number 1, with 23.8% of events, ports 80 and 53 in second and third place.
§ Jump in proportion of attacks hitting port 53:
  § Up from 8% to 13.3%
§ Port 443 (HTTPS) is the target in 2.25% of events, down from 2.7% in Q1.
§ 123 (NTP) drops out of top target ports
  § But still being used a lot for reflection
[Figure: World 2014 Q2 Break-Out Ports. Categories: NIF, 80, 53, 443, 3074, 25565, 4500, Other]
[Figure: World 2014 Q1 Break-Out Ports. Categories: NIF, 80, 53, 443, 123, 25, 3074, Other]
Event Source Break-Out
§ 33.9% of monitored events cannot be attributed due to data anonymisation / distribution
§ Of the remaining 56.1%, the top 3 sources are:
  § South Korea : 15.1% (up from 12.5% in Q1)
  § US : 14.8% (up from 11% in Q1)
  § China : 6.7% (up from 3.9% in Q1)
§ Much higher proportion of events cannot be attributed over 10G
§ Ranking of sources for events larger than 10Gbps differs:
  § US : 7.6% (up from 4.6% in Q1)
  § China : 6.6% (up from 2% in Q1)
  § South Korea : 1.26% (up from 0.22% in Q1)
[Figure: World 2014 Q1 Attack Sources. Categories: FR, GB, NL, DE, MY, BR, CN, US, KR, Unknown]
[Figure: World 2014 Q2 Attack Sources. Categories: RU, BR, NL, MY, DE, GB, CN, US, KR, Unknown]
Event Destination Break-Out
§ 7% of monitored events cannot be attributed due to data anonymisation.
§ Of the remaining 93%, the top 3 destinations are:
  § US : 18% (down from 21.2%)
  § China : 15.9% (up from 8.5% in Q1)
  § South Korea : 13.4% (up from 13% in Q1)
§ France drops from 6.4% of attacks in Q1 to 3.8% in Q2.
§ Ranking of destinations for events larger than 10Gbps differs:
  § US : 15.5% (down from 21.7% in Q1)
  § France : 8.2% (down from 15.7% in Q1)
  § China : 7.18% (down from 9.4% in Q1)
[Figure: World 2014 Q1 Attack Destinations. Categories: AU, BR, GB, MY, FR, TW, CN, KR, US, Unknown]
[Figure: World 2014 Q2 Attack Destinations. Categories: CA, TW, GB, BR, FR, MY, KR, CN, US, Unknown]
Largest Monitored Attack Sizes Year on Year
2012
• BPS: 100.84Gb/sec, destination unknown. Lasted 20 mins
• PPS: 82.36Mpps, destination unknown. Lasted 24 mins
2013
• BPS: 245Gb/sec (TCP SYN). Lasted 16 mins
• PPS: 202Mpps (UDP/9656). Lasted 8 mins
2014 (so far)
• BPS: 325Gb/sec (NTP), France. Lasted 4 h 22 mins
• PPS: 94.42Mpps, port 80, US. Lasted 7 mins
Peak Attack Growth trend in Gbps
§ 100Gbps+ becoming increasingly common
§ Largest ATLAS monitored attack in Q2:
  § 154.69Gb/sec, 25 mins, NTP Reflection -> port 80, target in Spain.
[Figure: Peak Monthly Gbps of Attacks. Labelled value: 325.05]
Peak Attack Growth trend in Mpps
§ Peak sizes have been over 50Mpps for last few months
§ Largest attack in Q2:
  § 80Mpps, 11 minutes, SYN Flood -> port 20480, unknown dest.
[Figure: Peak Monthly Mpps of Attacks]
Thank You