DDoS Attack Trends Through 2009-2011 - NANOG Archive
Data Sources
o Actual attack traffic
  – Arbor Peakflow systems reporting
  – Self-selected group, global
o ‘Bladerunner’ botnet tracking project
  – Botnet command, intended victims
o Worldwide Infrastructure Security Report
  – Survey data, dozens of participants, global
Key Findings in the 2011 Survey
o Any Internet Operator Can Be a Target for DDoS
  – Ideologically-motivated ‘Hacktivism’ and On-line vandalism DDoS attacks are the most commonly identified attack motivations
o Size and Scope of Attacks Continue to Grow at an Alarming Pace
  – High-bandwidth DDoS attacks are the ‘new normal’ as over 40% of respondents report attacks greater than 1 Gbps and 13% report attacks greater than 10 Gbps
  – Increased sophistication and complexity of layer-7 DDoS attacks, multi-vector DDoS attacks becoming more common
o First-Ever Reports of IPv6 DDoS Attacks 'in the Wild' on Production Networks
Key Findings in the 2011 Survey
o Attackers Are Going Where the Money Is
  – Rarity of IPv6-enabled attacks indicative of low IPv6 market penetration and lack of critical mass
o Continued Uncertainty Around Visibility & Security of Mobile/Fixed Wireless Networks
o Mobile Handsets and Devices Directly Impacted by DDoS Attacks
o Trust Issues Abound Across International Boundaries
DDoS Attack Frequency over last 12 Months
o 91% of respondents see at least 1 DDoS attack per month, up from 76% in 2010
o 44% of respondents see 10 or more attacks per month, up from 35% in 2010
Top DDoS Motivations
o Top two attack motivation categories are fueled by personal beliefs and inclinations of attackers
Peak Attack Sizes Down in 2011
Large Attacks are Now Commonplace
o Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators
o 13% of respondents report attacks above 10 Gbps
o 40% of respondents report attacks above 1 Gbps
o Largest pps attack reported is 35 Mpps, keeping pace with 2010
Measured Attacks in 2011 for US, Canada
o Data comes from Peakflow measurements
[Chart: inbound and outbound measured attack traffic for US, Canada and Global, by quarter (Q2 2011, Q3 2011, Q4 2011); annotated levels: 20Gbps and 60Gbps]
Attack Sizes and Durations (2011)
[Chart: attacks by size (1 Gbps, 2 Gbps, 4 Gbps, 8 Gbps, 10 Gbps) and duration (< 1 hour, 1 hour, 2 hours, 4 hours, 8 hours)]
Average Attack Size Still Growing
Data from ATLAS via anonymous statistics
Most Common Application Layer Attacks Seen
IPv6 DDoS Attacks
o First report of an IPv6 DDoS attack in the history of the WISR
o Low frequency of attacks reflects low adoption of IPv6 for critical services
Use of OPSEC Communities
o More than half of respondents do not actively participate in the Global OPSEC Community, yet 87% of them believe that the OPSEC Community is effective
Summary
o IPv6 makes an appearance
o Peak bandwidth used in the DDoS attacks we see is down from 100 Gbps (2010)
o HTTP GET floods becoming widely popular
o Ideological motivations now most prevalent