DDoS Attack Trends Through 2009-2011 - NANOG Archive

@arbornetworks
Jose Nazario, Ph.D.



Data Sources

o  Actual attack traffic
   –  Arbor Peakflow systems reporting
   –  Self-selected group, global

o  ‘Bladerunner’ botnet tracking project
   –  Botnet command, intended victims

o  Worldwide Infrastructure Security Report
   –  Survey data, dozens of participants, global


Key Findings in the 2011 Survey

o  Any Internet Operator Can Be a Target for DDoS
   –  Ideologically-motivated ‘Hacktivism’ and On-line vandalism DDoS attacks are the most commonly identified attack motivations

o  Size and Scope of Attacks Continue to Grow at an Alarming Pace
   –  High-bandwidth DDoS attacks are the ‘new normal’ as over 40% of respondents report attacks greater than 1 Gbps and 13% report attacks greater than 10 Gbps
   –  Increased sophistication and complexity of layer-7 DDoS attacks, multi-vector DDoS attacks becoming more common

o  First-Ever Reports of IPv6 DDoS Attacks 'in the Wild' on Production Networks


Key Findings in the 2011 Survey

o  Attackers Are Going Where the Money Is
   –  Rarity of IPv6-enabled attacks indicative of low IPv6 market penetration and lack of critical mass

§  Continued Uncertainty Around Visibility & Security of Mobile/Fixed Wireless Networks

§  Mobile Handsets and Devices Directly Impacted by DDoS Attacks

o  Trust Issues Abound Across International Boundaries


DDoS Attack Frequency over last 12 Months

o  91% of respondents see at least 1 DDoS attack per month up from 76% in 2010

o  44% of respondents see 10 or more attacks per month up from 35% in 2010


Top DDoS Motivations

o  Top two attack motivation categories are fueled by personal beliefs and inclinations of attackers


Peak Attack Sizes Down in 2011


Large Attacks are Now Commonplace

o  Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators

o  13% of respondents report attacks above 10 Gbps

o  40% of respondents report attacks above 1 Gbps

o  Largest pps attack reported is 35 Mpps keeping pace with 2010


Measured Attacks in 2011 for US, Canada

o  Data comes from Peakflow measurements

[Chart: inbound and outbound measured attacks for US, Canada and Global; series Q4 2011, Q3 2011, Q2 2011; annotations 20Gbps and 60Gbps]


Attack Sizes and Durations (2011)

[Chart: attack sizes (10Gbps, 8Gbps, 4Gbps, 2Gbps, 1Gbps) against durations (8 hours, 4 hours, 2 hours, 1 hour, < 1 hour), logarithmic axis from 1 to 100000]


Average Attack Size Still Growing

Data from ATLAS via anonymous statistics


Most Common Application Layer Attacks Seen


IPv6 DDoS Attacks

o  First report of an IPv6 DDoS attack in the history of the WISR

o  Low frequency of attacks reflects low adoption of IPv6 for critical services


Use of OPSEC Communities

o  More than half of respondents do not actively participate in the Global OPSEC Community, yet 87% of them believe that the OPSEC Community is effective


Summary

o  IPv6 makes an appearance

o  Peak bandwidth used in DDoS we see is down from 100Gbps (2010)

o  HTTP GET floods becoming widely popular

o  Ideological motivations now most prevalent