Fire or DDoS – Which is more probable?

By: Danny McPherson -

The charts below contain summary data obtained from ~100 ISPs sharing information with Arbor by way of our anonymous statistics sharing program, enabled through operational Peakflow SP systems globally over the past 12 months (roughly, CY2009).

This data is largely a superset follow-on to a blog post from mid-2009 that seems to have gained momentum in assisting network operators in risk management planning exercises and sizing of mitigation capacities, either for themselves, or when looking to offer managed DDoS detection and mitigation services.  While the data will be explored in more detail in our annual ATLAS report (in a few weeks), we thought it worth sharing one of the high-level bits now.  In contrast to the 5th edition of the Worldwide Infrastructure Security Report, with an expected release data of January 19th, 2010, the information in this blog post is based on empirical data from production Peakflow SP deployments.

That said, to the data… There were 350,367 discrete anomalies reported within the 12-month study period, with 20,280 (~5.8%) of these exceeding 1 Gbps.  As with the previously referenced blog post, incident attributes and target aggregation has not yet been performed on this dataset, so it is quite likely that many of the attacks that failed to make the 1 Gbps threshold for reporting here actually exceeded 1 Gbps in aggregate on the egress side – that is, these attacks could have been reported by ingress, transit, or egress/target networks, and the closer you get to the target on the attack trajectory, the larger the aggregate scale of the attack is likely to be.

With just over 20k attacks larger than 1 Gbps in 2009, we collected a registered incident of 1 Gbps or larger roughly every 26 minutes throughout the year, and received a reportable attack every ~90 seconds.  Furthermore, we observed a registered 10 Gbps or larger attack roughly every 190 minutes (just over 3 hours).

As denoted in the referenced blog post, attacks larger than 1 Gbps seem to be considerably biased towards “long and heavy”, which perhaps seems counter-intuitive initially, but is clearly supported by the data.  That is, larger attacks usually last longer.  This largely dispels a suspicion that many of these anomalies may have simply been temporal or transient forwarding information loops in the network.

Many (most?) enterprises remain connected to the Internet at 1 Gbps or slower speeds, and therefore, must proactively work with their network service providers or DDoS managed security services providers in the event that large-scale attacks occur.  Also, as the scale of volumetric attacks continues to grow, the risk of collateral damage to network infrastructure, adjacent customers, and critical IP-based services (e.g., VoIP or IPTV) that employ that that same IP substrate increases.   Consider that we observed 2,761 attacks that were in excess of 10 Gbps, yet most discrete IP Internet backbone links, network interconnects, and access router aggregation links remain limited to 10 Gbps or slower (e.g., OC192 or 10GE).

It should also be noted that this information is mostly focusing on volumetric attacks, attacks which usually just aim to exhaust link bandwidth and overwhelm network capacity to impact target availability.  Over the past couple years, we’ve observed a considerable uptick in application layer attacks aiming to impact load-balancers, firewalls, DNS and VoIP infrastructure services, back-end transaction infrastructure, and so forth, illustrating that even relatively low-bandwidth attacks can have considerable impact on a sites availability, particularly as more sophisticated attacks grow in frequency.

Today, most enterprises and online properties don’t traditionally factor DDoS attacks in risk planning and management related processes.  That is, while they go to great lengths to periodically obtain coveted [err..  necessary] compliance check marks related to data integrity and confidentiality, the third pillar, availability, often takes a backseat.  This is perhaps largely driven by auditors with fairly static and quantifiable lists of controls that can be put in place to contain risks associated with traditional vulnerabilities.  Unfortunately, lack of foresight and appropriate preparation often leaves folks scurrying about madly when DDoS-related incidents do occur, as they’re not considered until you’ve been hit at least once.

To that point, I suspect it would be safe to assume that the probability of an effectively-sized attack targeting a given Internet property today is higher than the probability of a fire that affects that enterprises Internet availability and online presence (something I’ll look to qualify) – whilst from a business continuity perspective the latter is quite likely what the enterprise values most in today’s ‘connected’ world.

As such, folks should be reminded to consider their Internet ‘availability’ as an asset during risk management planning functions, factor associated annualized loss expectancies (ALE), and invest in controls that bring residual risks associated with DDoS attacks and other network events down to a consumable level.

Comments

  1. If DDOS is real and happening at such high frequency, Arbor should make the statistics of DDOS attacks among the peering countries also analyzed. Interesting point could be as follows:
    1) Which Service provider is the largest receipent of DDOS attack in Y 2009. Any Statistics of business loss or Performance impact of customers in that Service provider.
    2) Which Service Provider has mitigated highest risk for its customers using DDOS mitigation if any done as outcome of Sr. No.1
    3) If the Origin of Attack in case of DDOS is difficult to find, the list of BOT herders and BOT controllers links to DDOS if any can it be established?
    4) Which is the highest domain or hosted customer if known receiving DDOS attacks and what is the frequency? Average domains receiving DDOS attacks at what frequency.
    5) What looks to be the main reason of DDOS attacks? etc…

    Any analysis on the above available.