DDoS Attack Trends Through 2009-2011 - NANOG Archive
TRANSCRIPT
Page 2
Data Sources
o Actual attack traffic
– Arbor Peakflow systems reporting
– Self-selected group, global
o ‘Bladerunner’ botnet tracking project
– Botnet command, intended victims
o Worldwide Infrastructure Security Report
– Survey data, dozens of participants, global
Page 3
Key Findings in the 2011 Survey
o Any Internet Operator Can Be a Target for DDoS
– Ideologically-motivated ‘Hacktivism’ and On-line vandalism DDoS attacks are the most commonly identified attack motivations
o Size and Scope of Attacks Continue to Grow at an Alarming Pace
– High-bandwidth DDoS attacks are the ‘new normal’ as over 40% of respondents report attacks greater than 1 Gbps and 13% report attacks greater than 10 Gbps
– Increased sophistication and complexity of layer-7 DDoS attacks, multi-vector DDoS attacks becoming more common
o First-Ever Reports of IPv6 DDoS Attacks 'in the Wild' on Production Networks
Page 4
Key Findings in the 2011 Survey
o Attackers Are Going Where the Money Is
– Rarity of IPv6-enabled attacks indicative of low IPv6 market penetration and lack of critical mass
§ Continued Uncertainty Around Visibility & Security of Mobile/Fixed Wireless Networks
§ Mobile Handsets and Devices Directly Impacted by DDoS Attacks
o Trust Issues Abound Across International Boundaries
Page 5
DDoS Attack Frequency over last 12 Months
o 91% of respondents see at least 1 DDoS attack per month, up from 76% in 2010
o 44% of respondents see 10 or more attacks per month, up from 35% in 2010
Page 6
Top DDoS Motivations
o Top two attack motivation categories are fueled by personal beliefs and inclinations of attackers
Page 7
Peak Attack Sizes Down in 2011
Page 8
Large Attacks are Now Commonplace
o Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators
o 13% of respondents report attacks above 10 Gbps
o 40% of respondents report attacks above 1 Gbps
o Largest pps attack reported is 35 Mpps, keeping pace with 2010
Page 9
Measured Attacks in 2011 for US, Canada
o Data comes from Peakflow measurements
[Figure: inbound and outbound attack traffic for US, Canada and Global, by quarter (Q2 2011, Q3 2011, Q4 2011); vertical axis from 0 to 9E+10; annotations at 20Gbps and 60Gbps]
Page 10
Attack Sizes and Durations (2011)
[Figure: attack sizes (10Gbps, 8Gbps, 4Gbps, 2Gbps, 1Gbps) and durations (8 hours, 4 hours, 2 hours, 1 hour, < 1 hour); logarithmic axis from 1 to 100000]
Page 11
Average Attack Size Still Growing
Data from ATLAS via anonymous statistics
Page 12
Most Common Application Layer Attacks Seen
Page 13
IPv6 DDoS Attacks
o First report of an IPv6 DDoS attack in the history of the WISR
o Low frequency of attacks reflects low adoption of IPv6 for critical services
Page 14
Use of OPSEC Communities
o More than half of respondents do not actively participate in the Global OPSEC Community, yet 87% of them believe that the OPSEC Community is effective
Page 15
Summary
o IPv6 makes an appearance
o Peak bandwidth of the DDoS attacks we see is down from 100Gbps (2010)
o HTTP GET floods becoming widely popular
o Ideological motivations now most prevalent