The Other Attacks Last Thursday

Yesterday morning was a busy time for Internet security.

As an illustration of this activity, the graph below shows a summary of attack traffic across the 77 Observatory ISPs reporting anonymized attack statistics.

Each line or rectangle represents a distinct attack (we saw over 770 attacks Thursday covering a wide variety of scale and targets). Each color represents a different ISP under attack.

Though most of the press and blogosphere focused on Twitter, Facebook and LiveJournal, from an Observatory perspective those weren’t even the biggest attacks (at least in terms of traffic rate / volume). Turns out that the 30 Gbps spike in the above graph represents a withering attack against the web portal of a 3G mobile operator in Asia.

The press and various public / private mailing lists have generated a lot of discussion (and quite a bit of speculation) on the execution and motives behind the Twitter / Facebook / LiveJournal attacks (including this Slashdot overview). I don’t have much new to add to this part of the discussion, but I can share a few anecdotal bits of data the Observatory saw on these attacks.

First, some background: the Observatory monitors both coarse-grained Internet traffic and DDoS attack statistics. The DDoS portion of the Observatory is designed to provide visibility into broad trends, i.e. what the new types of attacks are, how attacks are growing against specific services (and ports / protocols), etc. As part of the data-sharing arrangement with Observatory participants, the system goes to great lengths to protect the commercial privacy and anonymity of the actual companies and ISPs under attack.

So, for example, we generally have visibility into, say, the growth of “Christmas Tree” attacks against web servers in Asia, but the actual victims are anonymous. In particular, this means we cannot correlate most of the attack traffic yesterday with specific sites like Twitter / Facebook / etc. (though we can monitor aggregate traffic levels to these sites using the traffic portion of the Observatory, as in our previous post).

The one exception to this anonymity is outbound attacks. In other words, the Observatory does monitor the destination of an attack if the provider has explicitly configured their DDoS detection to alert when machines within their network or customer base attack services in another ISP.

Since each individual ISP in a well-distributed DDoS attack may originate relatively little traffic (i.e. the attack does not impact their infrastructure), many providers only focus detection on inbound attacks (i.e. when the attack does impact their customers or infrastructure).

The data below is an example snippet of a dozen or so such outgoing attacks yesterday (all times are EDT). Note that destinations of outgoing attacks are not anonymized but specific source addresses have the first two octets replaced with “XX”.

The first two DDoS attacks look like small, run-of-the-mill TCP SYN floods against a Twitter IP, from randomized sources and from an individual host respectively. The two attacks originate in an anonymous North American tier 1 and MSO, respectively. The third attack example occurred later in the day (5:30pm EDT) and consisted of an 80 Kpps UDP flood.

While “Joe Job” spam links may have comprised a significant portion of the attacks yesterday (as others have reported), the Observatory saw a range of additional attack vectors including TCP SYN floods, UDP floods, and Christmas Tree attacks.
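As an added illustration of the detection gap described above (providers watching only inbound traffic, while outbound alerts must be explicitly configured), here is a small direction-aware classifier over constructed flow summaries. It is example code written for this page, not Observatory or Arbor code; the provider prefixes, thresholds, flow format and the all-flags definition of “Christmas Tree” are assumptions, and the source masking follows the “XX” convention the post uses.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
# Hypothetical provider address space (constructed; RFC 5737 documentation ranges).
OWN_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]
# TCP flag bits in header order; "Christmas Tree" is treated here as all six lit.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL_FLAGS = FIN | SYN | RST | PSH | ACK | URG

def is_own(addr):
    return any(ip_address(addr) in net for net in OWN_PREFIXES)

def anonymize_src(addr):
    """Mask the first two octets, as the post does: 198.51.100.7 -> XX.XX.100.7."""
    return "XX.XX." + ".".join(addr.split(".")[2:])

def classify(flow):
    """Name the attack vector from protocol and TCP flags."""
    if flow["proto"] == "udp":
        return "UDP flood"
    if flow["proto"] == "tcp" and flow["flags"] == SYN:
        return "TCP SYN flood"
    if flow["proto"] == "tcp" and flow["flags"] == ALL_FLAGS:
        return "Christmas Tree"
    return "other"

def direction(flow):
    """Direction relative to the provider's own prefixes; outbound is the case most ISPs skip."""
    if is_own(flow["dst"]):
        return "inbound"
    return "outbound" if is_own(flow["src"]) else "transit"

def detect(flows, pps_threshold=50_000):
    """Sum pps per (direction, destination, vector); alert on buckets over the threshold."""
    buckets = defaultdict(lambda: {"pps": 0, "sources": set()})
    for f in flows:
        b = buckets[(direction(f), f["dst"], classify(f))]
        b["pps"] += f["pps"]
        b["sources"].add(anonymize_src(f["src"]))  # destination kept, sources masked
    alerts = [{"direction": d, "dst": dst, "vector": v, "pps": b["pps"], "sources": sorted(b["sources"])}
              for (d, dst, v), b in buckets.items() if b["pps"] >= pps_threshold]
    return sorted(alerts, key=lambda a: -a["pps"])

# Constructed flow summaries standing in for the per-ISP detector feed (not real data).
SAMPLE_FLOWS = [
    *({"src": f"198.51.100.{i}", "dst": "192.0.2.10", "proto": "tcp", "flags": SYN, "pps": 12_000}
      for i in range(1, 6)),                                             # randomized sources
    {"src": "203.0.113.7", "dst": "192.0.2.10", "proto": "tcp", "flags": SYN, "pps": 30_000},
    {"src": "192.0.2.99", "dst": "203.0.113.50", "proto": "udp", "flags": 0, "pps": 80_000},
    {"src": "198.51.100.200", "dst": "192.0.2.77", "proto": "tcp", "flags": ALL_FLAGS, "pps": 4_000},
]
```

Run on the sample, `detect` flags the 90 Kpps outbound SYN flood that an inbound-only configuration would never see, alongside the 80 Kpps inbound UDP flood; the small outbound Christmas Tree flow stays below the threshold.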

6 Responses to “The Other Attacks Last Thursday”

August 07, 2009 at 8:11 pm, stacksmash.org » More journalism FAIL said:

[…] facts and data, you can predict a relatively small DoS at any time and be right.  For example, Arbor Networks shows that a ton of similar attacks happened… at the exact same time as the Twitter attack.  In fact, they were all dwarfed by a massive […]

August 08, 2009 at 5:57 am, Arturo Servin said:

“Since each individual ISP in a well-distributed DDoS attack may originate relatively little traffic (i.e. the attack does not impact their infrastructure, many providers only focus detection on inbound attacks (i.e. when the attack does impact their customers or infrastructure).”

It is a shame that they do not filter outbound traffic. Filtering hundreds of little outbound attacks would significantly reduce the impact on the target. Unfortunately I think that the effort is not yet “cost-sensitive” for single ISPs, although for the whole benefit of the Internet ecosystem it would be.

August 08, 2009 at 7:39 pm, Damian Menscher said:

The graph label is Gpps but you seem to be interpreting it as Gbps. Which is it?

August 10, 2009 at 12:43 pm, Craig Labovitz said:

The graph label is incorrect — it should read Gbps.

August 11, 2009 at 1:42 pm, Support Wars » Denial-Of-Service Attacks Hard To Kill said:

[…] one, according to Craig Labovitz, chief scientist at Arbor Networks, who has been tracking the recent trends in DDoS attacks. The 30-Gbps DDoS was unusually potent; most attacks average […]

September 30, 2010 at 3:15 pm, DDoS Wars « Odyssey said:

[…] click through links) and crowd-sourcing takes over. Last year Craig Labovitz at Arbor described a DDoS at over 30Gbps on an Asian mobile operator. It is likely to have been done with a herd numbering in 10s of thousands rather than the order of […]
