Posted on Friday, August 7th, 2009

The Other Attacks Last Thursday

by Craig Labovitz

Yesterday morning was a busy time for Internet security.

As an illustration of this activity, the graph below shows a summary of attack traffic across the 77 Observatory ISPs reporting anonymized attack statistics.

Each line or rectangle represents a distinct attack (we saw over 770 attacks Thursday covering a wide variety of scale and targets). Each color represents a different ISP under attack.

Though most of the press and blogosphere focused on Twitter, Facebook and LiveJournal, from an Observatory perspective those weren’t even the biggest attacks (at least in terms of traffic rate / volume). Turns out that the 30 Gbps spike in the above graph represents a withering attack against the web portal of a 3G mobile operator in Asia.

The press and various public / private mailing lists have generated a lot of discussion (and quite a bit of speculation) on the execution and motives behind the Twitter / Facebook / LiveJournal attacks (including this Slashdot overview). I don’t have much new to add to this part of the discussion, but I can share a few anecdotal bits of data the Observatory saw on these attacks.

First, some background: the Observatory monitors both coarse-grained Internet traffic and DDoS attack statistics. The DDoS portion of the Observatory is designed to provide visibility into broad trends, i.e. what are the new types of attacks, how are attacks growing against specific services (and ports / protocols), etc. As part of the data sharing arrangement with Observatory participants, the system goes to great lengths to protect the commercial privacy and anonymity of the actual companies and ISPs under attack.

So, for example, we generally have visibility into, say, the growth of “Christmas Tree” attacks against web servers in Asia, but the actual victims are anonymous. In particular, this means we cannot correlate most of the attack traffic yesterday with specific sites like Twitter / Facebook / etc. (though we can monitor aggregate traffic levels to these sites using the traffic portion of the Observatory, as in our previous post).

The one exception to this anonymity is outbound attacks. In other words, the Observatory does monitor the destination of an attack if the provider has explicitly configured their DDoS detection to alert when machines within their network or customer base attack services in another ISP.

Since each individual ISP in a well-distributed DDoS attack may originate relatively little traffic (i.e. the attack does not impact their infrastructure), many providers only focus detection on inbound attacks (i.e. when the attack does impact their customers or infrastructure).

The data below is an example snippet of a dozen or so such outgoing attacks yesterday (all times are EDT). Note that destinations of outgoing attacks are not anonymized but specific source addresses have the first two octets replaced with “XX”.

The first two DDoS attacks look like small, run-of-the-mill TCP SYN attacks against a Twitter IP from randomized sources and from an individual host, respectively. The two attacks originate in an anonymous North American tier 1 and an MSO, respectively. The third attack example occurred later in the day (5:30pm EDT) and consisted of an 80 Kpps UDP flood.
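As an added illustration (not Arbor's or the Observatory's code), the following Python shows the outbound-detection and source-masking logic the post describes: flows are classified as inbound or outbound relative to a provider's own address space, only outbound floods above a threshold are reported, sources are aggregated per destination, and each source has its first two octets replaced with “XX”. The provider prefixes, the 1000 pps threshold and the flow records are constructed assumptions using documentation address ranges.

```python
# Added example, not the Observatory's code. Prefixes, threshold and
# flow records below are constructed for illustration.
import ipaddress
from collections import defaultdict

# Hypothetical address space of the reporting provider (documentation ranges).
PROVIDER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]
PPS_THRESHOLD = 1000  # hypothetical alert threshold in packets per second

# Constructed flow summaries: (src, dst, proto, tcp_flags, packets_per_sec)
SAMPLE_FLOWS = [
    ("203.0.113.7", "192.0.2.10", "tcp", "S", 4000),    # our host -> outside
    ("203.0.113.9", "192.0.2.10", "tcp", "S", 3500),    # our host -> outside
    ("192.0.2.44", "198.51.100.5", "udp", "", 90000),   # outside -> our customer
    ("203.0.113.20", "192.0.2.77", "udp", "", 80000),   # our host -> outside
    ("203.0.113.21", "203.0.113.22", "tcp", "A", 50),   # internal, ordinary traffic
]

def inside(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROVIDER_PREFIXES)

def direction(src, dst):
    s, d = inside(src), inside(dst)
    if s and not d:
        return "outbound"   # our machines attacking someone else's service
    if d and not s:
        return "inbound"    # the case most providers already detect
    return "internal" if s and d else "transit"

def anonymize_source(addr):
    # Observatory-style masking: first two octets replaced with "XX".
    return ".".join(["XX", "XX"] + addr.split(".")[2:])

def classify(proto, flags):
    if proto == "tcp" and "S" in flags and "A" not in flags:
        return "TCP SYN"
    return "UDP flood" if proto == "udp" else "other"

def outbound_alerts(flows, threshold=PPS_THRESHOLD):
    """Aggregate outbound flows per (destination, attack kind); report floods."""
    agg = defaultdict(lambda: {"pps": 0, "sources": set()})
    for src, dst, proto, flags, pps in flows:
        if direction(src, dst) != "outbound":
            continue
        entry = agg[(dst, classify(proto, flags))]
        entry["pps"] += pps
        entry["sources"].add(anonymize_source(src))
    return [{"dst": dst, "kind": kind, "pps": e["pps"], "sources": sorted(e["sources"])}
            for (dst, kind), e in agg.items() if e["pps"] >= threshold]
```

The inbound 90 Kpps UDP flow is deliberately left out of the result: it would be caught by a provider's usual inbound detection, whereas the two outbound alerts only appear if outbound detection is configured.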

While “Joe Job” SPAM links may have comprised a significant portion of the attacks yesterday (as others have reported), the Observatory saw a range of additional attack vectors including TCP Syn, UDP flood, and Christmas Tree attacks.

5 Responses



Comment Post by: stacksmash.org » More journalism FAIL — August 7th, 2009 @ 8:11 pm EST

[...] facts and data, you can predict a relatively small DoS at any time and be right.  For example, Arbor Networks shows that a ton of similar attacks happened… at the exact same time as the Twitter attack.  In fact, they were all dwarfed by a massive [...]

Comment Post by: Arturo Servin — August 8th, 2009 @ 5:57 am EST

“Since each individual ISP in a well-distributed DDoS attack may originate relatively little traffic (i.e. the attack does not impact their infrastructure, many providers only focus detection on inbound attacks (i.e. when the attack does impact their customers or infrastructure).”

It is a shame that they do not filter outbound traffic. Filtering hundreds of little outbound attacks would significantly reduce the impact on the target. Unfortunately I think that the effort is not yet “cost-sensitive” for single ISPs, although for the benefit of the whole Internet ecosystem it would be.

Comment Post by: Damian Menscher — August 8th, 2009 @ 7:39 pm EST

The graph label is Gpps but you seem to be interpreting it as Gbps. Which is it?

Comment Post by: Craig Labovitz — August 10th, 2009 @ 12:43 pm EST

The graph label is incorrect — it should read Gbps.

Comment Post by: Support Wars » Denial-Of-Service Attacks Hard To Kill — August 11th, 2009 @ 1:42 pm EST

[...] one, according to Craig Labovitz, chief scientist at Arbor Networks, who has been tracking the recent trends in DDoS attacks. The 30-Gbps DDoS was unusually potent; most attacks average [...]
