Arbor WISR XII The Stakes Have Changed Julio Arruda V1.0


Page 1: Arbor WISR XII The Stakes Have Changed - LACNICslides.lacnic.net/wp-content/uploads/2017/05/wisrxiiv1.5-ja9.pdf · The Stakes Have Changed Julio Arruda V1.0 ... • In 2016 Botnet



© Arbor Networks 2016 2

Overview

This presentation provides a quick view of the information ATLAS collected for 2016, then focuses on DDoS attacks targeting Latin America and on trends from 2015 to 2017.


WISR Scale: Volumetric Attacks Increase

• Largest attack reported was 800 Gbps, with other respondents reporting attacks of 600 Gbps, 550 Gbps, and 500 Gbps

• One third of respondents report peak attacks over 100Gbps

• Brazil had a record year again, with sustained +450Gbps attacks during the year, peaking at 540Gbps


Scale: The ATLAS Perspective

• Peak monitored attack of 579Gbps, 73% growth from 2015

• 558 attacks over 100Gbps, 87 over 200Gbps

– Compared to 223 and 16 in 2015

• 20% of attacks over 1Gbps, as opposed to 16% in 2015

• Average attack size now 931Mbps, up from 760Mbps, a 23% increase


Scale: Driving Factors, IoT

The Result

• First high-profile attack using IoT devices Christmas 2013, using CPE and webcams

• In 2016 Botnet owners started to recruit IoT devices en masse

• Attacks of 540Gbps against Brazil Large Sports Event, 620Gbps against Krebs, Dyn, etc.

The Problem

• Almost every piece of technology we buy is ‘connected’

• Devices are designed to be easy to deploy and use, often resulting in limited security capabilities

• Software is very rarely upgraded. Some manufacturers don’t provide updates, or the ability to install updates


Scale: Driving Factors, Mirai

• Billions of IoT devices connected to the Internet

– Estimates vary, 5B+, with millions added every day

• Arbor honeypot devices look for exploit activity on Telnet / SSH ports

• 1M login attempts from 11/29 to 12/12 from 92K unique IP addresses

• More than 1 attempt per minute in some regions

Mirai is designed to infect and control IoT devices and contains the code necessary to manage and build large-scale botnets


Scale: Driving Factors, Reflection Amplification

• Reflection Amplification attacks continue, but there has been some cyclic change in the protocols favored by attackers.

• Strong growth in the use of DNS (again) through 2016

• Largest monitored attack of 498.3Gbps, a 97% jump from last year

– DNS and NTP attacks over 400Gbps, Chargen over 200Gbps


Complexity: Attack Types

• Volumetric attacks still represent the majority of activity for both SP and EGE respondents

• 95% of SP report application-layer attacks, 93% last year, 90% in 2014

• 67% of SP report multi-vector attacks, 56% last year, 32% in 2014

[Charts: attack types, EGE and SP]


Complexity: Targeted Services

• DNS and HTTP the most common services targeted by application-layer attacks

• Majority of SP and EGE respondents also see attacks targeting HTTPS

• 57% of EGE respondents see attacks targeting the application behind HTTPS

– Much higher than the 22% seen by SPs

– Cipher suites that prevent traffic inspection are a key problem

[Charts: EGE Service Targets; SP Service Targets]


Frequency: Up Across the Board

• 53% of SPs see more than 51 attacks per month, up from 44%

• 21% of data-centers see more than 50 attacks per month, up from 8%

• 45% of EGE see more than 10 attacks per month, up from 28%

• ATLAS is tracking 135,000 Volumetric attacks per week.

[Charts: Data Center Attack Frequency; EGE Attack Frequency]


Motivations: Many and Varied

• SPs see Online Gaming and Hacktivism as top motivations

• EGE see Ideological Hacktivism and Extortion as top

• 26% of EGE see DDoS for distraction, up from 12%


IPv6

• SP visibility is down 10%

– IPv6 flow telemetry capability up to 53% from 43% last year

• Peak IPv6 traffic 6Tbps, up 20%

– Predicted growth rates are low

[Charts: Service Provider; EGE]

• Higher proportions of EGE offer services over IPv6 and use it on internal networks, 67% vs 58% and 67% vs 50%

• DDoS attacks are the top security concern for both SP and EGE


Countries with largest attacks ATLAS 2016

• Brazil – 254Gbps (Confirmed > 450Gbps in Large Sports Event, not in ATLAS)

• Argentina – 108Gbps

• Chile – 103Gbps

• Ecuador – 74Gbps

• Colombia – 72Gbps

• Mexico – 83Gbps


Averages including Brazil

[Bar chart: LATAM Average Mbps by period (2015, 2016, 2017Q1); data labels 714, 679, 888]


Peaks including Brazil

[Bar chart: LATAM Peak Gbps by period (2015, 2016, 2017Q1); data labels 186, 254, 152]


Averages Excluding Brazil

[Bar chart: LATAM NoBR Average Mbps by period (2015, 2016, 2017Q1); data labels 1,071, 651, 530]


Peaks Excluding Brazil

[Bar chart: LATAM NoBR Peak Gbps by period (2015, 2016, 2017Q1); data labels 75, 108, 62]


2016 Total Number of Attacks Per Top 11 Countries

[Bar chart: countries BR, EC, CO, BO, AR, MX, CL, CR, PE, BZ, BM; axis 0 to 200,000 attacks]


Percentage of Attacks > 10G, 2016 (Top 10)

[Pie chart. Legend: BR, AR, CL, EC, CO, MX, CR, BO, BZ, BB. Slice labels: 54.44%, 15.02%, 14.98%, 9.31%, 4.17%, 1.52%, 0.34%, 0.17%, 0.02%, 0.02%]


2016 Number of Attacks (Top 6)

[Pie chart. Legend: BR, CO, EC, MX, AR, CL. Slice labels: 54%, 24%, 7%, 6%, 6%, 3%]


Attack Types Breakout 2016

[Pie chart. Legend: UDP, Total Traffic, IP Fragmentation, IP Private, TCP SYN, DNS, TCP RST, ICMP, DNS Amplification, SSDP Amplification, NTP Amplification, TCP null, Chargen Amplification, IP null. Slice labels: 27.14%, 20.11%, 14.70%, 12.55%, 9.38%, 5.82%, 2.94%, 2.62%, 2.24%, 1.02%, 0.99%, 0.27%, 0.20%, 0.03%]


Questions?

 Contact: [email protected]
