Q1 Key Findings from ATLAS

**Updated on 4/26 with infographic**

Q1 2013 saw the previous record for the largest reported DDoS attack, around 100Gbps, shattered by the 300Gb/sec DNS reflection / amplification attack which targeted Spamhaus. Attackers have had the technical capability to generate attacks of this magnitude for some time, and now this has been demonstrated. The attack vector used in this case was not new, DNS reflection / amplification has been used to generate several of the largest attacks seen on the Internet in recent years. DNS reflection / amplification attacks are actually relatively common, but usually at much lower traffic levels.

PeakDDoSAttack rev2

Although volumetric DDoS attacks have grown in size over the past few years, the Spamhaus attack was definitely an outlier; however, attacks above 10 and even 20Gb/sec now occur multiple times per day somewhere in the world. Every day hundreds, or even thousands, of attacks take place utilizing different attack vectors, having different levels of complexity and different motivations and resources behind them. For enterprise network operators, it is important to have a broad view of what is going on out there.  This is where the ATLAS system comes in. ATLAS is Arbor’s Internet traffic analysis system that combines data from participating customer deployments, a darknet sensor network, in-house malware research and data from third parties. The size and scale of ATLAS data is truly unique and provides Arbor with a unique position to monitor the Internet threat landscape.

  • 250+ ISPs from across the world sharing real-time data
  • Data derived from flow / BGP / SNMP correlation
  • ATLAS currently monitoring a peak of 42Tbps of IPv4 traffic (weekly peak) across all respondents

Q1 2013 ATLAS DDoS Highlights

  • Average DDoS attack size continues to grow
  • Average size of attack growth trend still tracking at 20% year on year (so far),
    • 2012 1.48 Gb/sec (+20% over 2011)
    • Q1 2013 1.77 (+19.5% over Q1 2012)
  • Proportion of attacks in the 2 – 10Gb/sec range grows from 15% to 21.5%
  • Just in the first quarter of 2013, ATLAS has already tracked 74% of the total number of attacks over 10Gb/sec seen in the whole of 2012!
  • Proportion of attacks less than 1Gb/sec continues to fall. Downward trend over last four years from 93% -> 79%-> 70.5% -> 66.89%->62.4%


What does this mean for enterprises?
It is very bad news indeed for organizations that rely solely on traditional perimeter security solutions such as Firewalls or IPS for DDoS defense. Many organizations still consider Firewall/IPS devices the front line defense against DDoS, thanks in large part to vendor claims about DDoS protection.

“A common response by many administrators to the challenges of DDoS is the belief that their firewall and IPS infrastructure will protect them from attack. Unfortunately, this is not true. Firewalls and IPS devices, while critical to network protection, are not adequate to protect against complex DDoS attacks,” Richard Martinez, enterprise network security analyst, Frost & Sullivan

IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products. IPS devices, for example, block break-in attempts that cause data theft. Meanwhile, a firewall acts as policy enforcer to prevent unauthorized access to data. While such security products effectively address “network integrity and confidentiality,” they fail to address a fundamental concern regarding DDoS attacks—”network availability.”

With the average size DDoS attack now at 1.77Gb/sec, and many larger attacks going on (2.5% of attacks were over 10Gb/sec in Q1 2013) Internet connectivity can easily be saturated for a lot of organizations.  When this occurs perimeter defenses don’t help, organizations need cloud / service-provider based DDoS protection services to step in and deal with the attack traffic for them.  However, 62.4% of attacks are still less than 1Gb/sec and size – so can these be dealt with using our traditional perimeter security solutions?

Unfortunately the answer is ‘no’ in a lot of cases.

Firewalls and IPS are not designed to deal with DDoS threats, as mentioned above, and maintain a lot of per connection state. 34% of the attacks tracked by ATLAS in Q1 2013 were TCP SYN floods – a simple example of a TCP state exhaustion attack. These, and other more crafted TCP state exhaustion attack vectors, attempt to consume the connection state tables which are present in many infrastructure components such as load-balancers, firewalls and application servers themselves. Even high capacity devices capable of maintaining state on millions of connections can be taken down by these attacks.

The solution to the DDoS problem is specialized, layered defense. Organizations should deploy specialized DDoS mitigation solutions at their network perimeter, outside of exposed firewalls etc. These solutions can provide proactive protection from ALL types of DDoS attacks – volumetric, TCP state-exhaustion and the more sophisticated application layer attacks – as long as they do not saturate Internet connectivity. Ideally these solutions should maintain minimal state, offer a range of mitigation mechanisms, provide detailed reporting and leverage intelligence on current attack vectors to ensure Internet service availability is maintained.  In the cases where connectivity is becoming saturated by a larger attack, these devices should contact a cloud / service provider based DDoS mitigation service provider who can then deal with the large attack within their infrastructure, where sufficient capacity exists.

Using this layered approach, organizations can protect their businesses from the threat posed by DDoS attacks.

  • Posted in DDoS
  • Comments Off on Q1 Key Findings from ATLAS