Posted on Friday, May 25th, 2007

ddos de da: Internet attacks still considerable

by Danny McPherson

Here at Arbor we’re working with many of our service provider partners on trying to qualify and quantify denial of service attacks and other network threats. Here are a few data points relative to DDoS attacks we’ve observed over the past 255 days of data collection:

  • 255 days of data collection
  • 39 participating ISPs on average
  • ~1 Tbps of monitored inter-domain traffic
  • ~143k rate-based attacks (~278k total attacks)
  • 58% of attacks were TCP-based (leading ports: 80, 25, 6667, 22)
  • 36% were ICMP
  • 5% were UDP (fragments made up well over a majority)
  • 15% of attacks were TCP SYN (>94% had constant source sets and were likely NOT spoofed)

As for scale and frequency of attacks, of the 255 days of collection the following number of days had at least one attack exceeding the indicated threshold:

  • 6 Mpps - 1
  • 5 Mpps - 12
  • 4 Mpps - 33
  • 3 Mpps - 53
  • 2 Mpps - 91
  • 1 Mpps - 151

Total attacks over 255 days exceeding a given threshold:

  • 6 Mpps - 1
  • 5 Mpps - 17
  • 4 Mpps - 82
  • 3 Mpps - 135
  • 2 Mpps - 352
  • 1 Mpps - 823

Note that the above million-packet-per-second (Mpps) attacks are from the perspective of a single participating ISP, an ISP which could be ingress, transit or edge network for the attack target. As such, it’s extremely likely that upon performing cross-ISP correlation (which is done but not fully analyzed) of the attack target data sets a much larger number of attacks will exceed the one million packets per second mark, and manual inspection already reveals that the aggregate of some of these attacks is far greater than even 10 Mpps!
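As an added illustration (not Arbor's code or data), the sketch below shows why a single-ISP view understates attack size: it tallies the two threshold tables above from per-ISP rows, then again after merging rows that hit the same target in overlapping time windows. The record layout, the sample rows and the choice to sum per-ISP peaks are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample rows (not Arbor data): one ISP's view of one attack as
# (isp, target, day, start_minute, end_minute, peak_pps).
OBSERVATIONS = [
    ("isp-a", "198.51.100.7", 1, 600, 660, 800_000),
    ("isp-b", "198.51.100.7", 1, 605, 650, 700_000),
    ("isp-c", "198.51.100.7", 1, 610, 670, 900_000),
    ("isp-a", "203.0.113.20", 1, 100, 130, 1_200_000),
    ("isp-b", "203.0.113.20", 2, 100, 130, 400_000),
    ("isp-a", "192.0.2.55", 3, 0, 30, 2_100_000),
    ("isp-c", "192.0.2.55", 3, 20, 45, 950_000),
]

def per_isp_view(observations):
    """Each ISP's row counted as its own attack: (target, day, pps)."""
    return [(target, day, pps) for _, target, day, _, _, pps in observations]

def correlate(observations):
    """Merge rows for the same target and day whose time windows overlap.

    Assumption: the ISPs see disjoint parts of the attack, so peaks are summed.
    ISPs on the same path (transit plus edge) would be double counted.
    """
    groups = defaultdict(list)
    for isp, target, day, start, end, pps in observations:
        groups[(target, day)].append((start, end, isp, pps))
    merged = []
    for (target, day), rows in groups.items():
        window_end, peaks = None, {}
        for start, end, isp, pps in sorted(rows):
            if window_end is not None and start > window_end:
                merged.append((target, day, sum(peaks.values())))
                window_end, peaks = None, {}
            window_end = end if window_end is None else max(window_end, end)
            peaks[isp] = max(peaks.get(isp, 0), pps)
        merged.append((target, day, sum(peaks.values())))
    return merged

def tally(attacks, thresholds_mpps=(1, 2, 3)):
    """Map threshold -> (days with an exceeding attack, attacks exceeding)."""
    result = {}
    for mpps in thresholds_mpps:
        days = [day for _, day, pps in attacks if pps > mpps * 1_000_000]
        result[mpps] = (len(set(days)), len(days))
    return result

if __name__ == "__main__":
    print("per-ISP   :", tally(per_isp_view(OBSERVATIONS)))
    print("correlated:", tally(correlate(OBSERVATIONS)))
```

In the constructed sample no single ISP sees anything above 3 Mpps, while the correlated view contains one such attack and an extra attack above both the 1 and 2 Mpps marks.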

To put this in perspective, the most crippling of the Estonian attacks had peak rates averaged over a 24-hour period of about 4 Mpps. 4 Mpps is a very large attack, and while less than 1% of the attacks we see exceed the Mpps mark, these attacks are nothing to ignore, pretty much regardless of who you are or what’s motivating an attacker.

We hope to release some formal analysis on the attack and traffic statistics we’ve been collecting; look for something here sometime soon. Volume III of the Infrastructure Security Survey is currently being compiled as well. With any luck, between these data sets we’ll be able to provide qualitative information on denial of service and Internet attack trends.
