Posted on Friday, July 10th, 2009

Quick Stats Around the US-KR DDoS Attacks

by Jose Nazario

It’s been a busy week here in the office, between investigating, helping customers and the operator community, investigating some more, and of course talking to the press. Here are some quick stats on the attack that I have been running this afternoon using ATLAS data. This data comes from our monitors in the backbone, which watch live traffic rates and actual DDoS attacks. We didn’t see all of the attacks against all of the victims (some 47 unique victims counted by ShadowServer by analyzing all of the configuration files) but this, we think, may be representative of the attacks.

The peak attack size we measured was about 182Mbps, or about 428Kpps. The average size of an attack was about 39Mbps. Earlier investigations a couple of days ago showed smaller attacks but I would still classify these as “garden variety” in their intensity (most things below a couple hundred Mbps are pretty easily filtered).

The attacks lasted between a few minutes and 10 hours, with an average duration of about 3 hours.

In almost all cases these were low-level anomalies to the devices monitoring the traffic. The bps and pps (packets per second) rates were barely above thresholds in many cases.

As such, our original analysis from a couple of days ago, that this was a pretty modest-sized attack, stands.

No comment on attribution at this point; it’s way too early to tell. Today is the self-destruct day, too, for the bots. The “flash.gif” EXE they may have downloaded will gzip up their files and delete the MBR: poof.

Still no definitive idea on how this thing infected its userbase so quickly. 200,000 bots or so according to researchers.

6 Responses



Comment Post by: Konstantin — July 10th, 2009 @ 5:50 pm EST

Better to measure DDoS power in PPS, than in Mbit/sec.

Comment Post by: Jorge Orchilles — July 12th, 2009 @ 3:43 am EST
Comment Post by: Random bits « Equilibrium Networks — July 13th, 2009 @ 11:24 am EST

[...] Random bits Data from Arbor regarding the recent Korean network attacks [...]

Comment Post by: Korea Held a Cyber War, But Nobody Came : Information Security Resources — July 20th, 2009 @ 8:50 am EST

[...] 1) This was an amateurish attack using old (therefore un-sexy) malware. (See Ariel Silverstone’s blog) 2) There is not a shred of evidence that North Korea had anything to do with it. (See Alex Eckelberry’s blog) 3) The attacks were really wimpy. Only 35 Mbps of floods. Yawn. (See Jose Nazario’s blog) [...]

Comment Post by: Overheid heeft geen idee over schade cybercrime « De Koopman — July 27th, 2009 @ 11:56 am EST

[...] recently the US and Korea were digital victims of cyberattacks. As so often, that happened via DDoS attacks, something like mass ding-dong-ditching via hacked [...]

Comment Post by: Overheid heeft geen idee van schade cybercrime « De Koopman — July 27th, 2009 @ 11:57 am EST

[...] recently the US and Korea were digital victims of cyberattacks. As so often, that happened via DDoS attacks, something like mass ding-dong-ditching via hacked [...]
