Quick Stats Around the US-KR DDoS Attacks

It’s been a busy week here in the office, between investigating, helping customers and the operator community, investigating some more, and of course talking to the press. Here are some quick stats I have been running this afternoon on the attack using ATLAS data. This data comes from our monitors used in the backbone, monitoring live traffic rates and actual DDoS attacks. We didn’t see all of the attacks against all of the victims (some 47 unique victims counted by ShadowServer by analyzing all of the configuration files), but this, we think, may be representative of the attacks.

The peak attack size we measured was about 182Mbps, or about 428Kpps. The average size of an attack was about 39Mbps. Earlier investigations a couple of days ago showed smaller attacks but I would still classify these as “garden variety” in their intensity (most things below a couple hundred Mbps are pretty easily filtered).

The attacks lasted between a few minutes and 10 hours, with an average duration of about 3 hours.

In almost all cases these were low-level anomalies to the devices monitoring the traffic. The bps and pps (packets per second) rates were barely above thresholds in many cases.

As such, our original analysis, made a couple of days ago, that this was a pretty modest-sized attack stands.

No comment on attribution at this point; it’s way too early to tell. Today is the self-destruct day, too, for the bots. The “flash.gif” EXE they may have downloaded will gzip up their files and delete the MBR: poof.

Still no definitive idea on how this thing infected its userbase so quickly. 200,000 bots or so according to researchers.

6 Responses to “Quick Stats Around the US-KR DDoS Attacks”

July 10, 2009 at 5:50 pm, Konstantin said:

Better to measure DDoS power in PPS, than in Mbit/sec.

July 12, 2009 at 3:43 am, Jorge Orchilles said:

Following the July 4th DDOS from the start: http://jorgeorchilles.blogspot.com/2009/07/july-us-and-south-korea-ddos-attacks.html

July 13, 2009 at 11:24 am, Random bits « Equilibrium Networks said:

[…] Random bits Data from Arbor regarding the recent Korean network attacks […]

July 20, 2009 at 8:50 am, Korea Held a Cyber War, But Nobody Came : Information Security Resources said:

[…] 1) This was an amateurish attack using old (therefore un-sexy) malware. (See Ariel Silverstone’s blog) 2) There is not a shred of evidence that North Korea had anything to do with it. (See Alex Eckelberry’s blog) 3) The attacks were really wimpy. Only 35 Mbps of floods. Yawn. (See Jose Nazario’s blog) […]

July 27, 2009 at 11:56 am, Government has no idea about the damage from cybercrime « De Koopman said:

[…] recently the US and Korea were digital victims of cyberattacks. As so often, this happened via DDoS attacks, something like mass ding-dong-ditching via hacked […]

July 27, 2009 at 11:57 am, Government has no idea of the damage from cybercrime « De Koopman said:

[…] recently the US and Korea were digital victims of cyberattacks. As so often, this happened via DDoS attacks, something like mass ding-dong-ditching via hacked […]