Arbor WISR XII The Stakes Have Changed -...
Transcript of Arbor WISR XII The Stakes Have Changed -...
Arbor WISR XII The Stakes Have Changed
Julio Arruda V1.0
© Arbor Networks 2016 2
This presentation provides a quick view of the ATLAS collected information for the year of 2016, then focus in Latin America targeted DDoS, and trends from 2015 to 2017
Overview
© Arbor Networks 2016 3
WISR Scale : Volumetric Attacks Increase
• Largest attack reported was 800 Gbps with other respondents reporting attacks of 600 Gbps, 550 Gbps, and 500 Gbps
• One third of respondents report peak attacks over 100Gbps• Brazil had a record year again, with sustained +450Gbps attacks during
the year, peaking at 540Gbps
© Arbor Networks 2016 4
Scale : The ATLAS Perspective
• Peak monitored attack of 579Gbps, 73% growth from 2015• 558 attacks over 100Gbps, 87 over 200Gbps
– Compared to 223 and 16 in 2015• 20% of attacks over 1Gbps, as opposed to 16% in 2015• Average attacks size now 931Mbps, up from 760Mbps, a 23% increase
© Arbor Networks 2016 5
Scale: Driving Factors, IoT
The Result• First high-profile attack using IoT devices Christmas 2013, using CPE and webcams• In 2016 Botnet owners started to recruit IoT devices en mass• Attacks of 540Gbps against Brazil Large Sports Event, 620Gbps against Krebs, Dyn
etc..
The Problem• Almost every piece of technology we buy
is ‘connected’ • Devices are designed to be easy to
deploy and use, often resulting in limited security capabilities
• Software is very rarely upgraded. Some manufacturers don’t provide updates, or the ability to install updates
© Arbor Networks 2016 6
Scale: Driving Factors, Mirai
• Billions of IoT devices connected to the Internet – Estimates vary, 5B+, with millions added every day
• Arbor honeypot devices look for exploit activity on Telnet / SSH ports
• 1M login attempts from 11/29 to 12/12 from 92K unique IP addresses
• More than 1 attempt per minute in some regions
Mirai is designed to infect and control IoT devices and contains the code necessary to manage and build large-scale botnets
© Arbor Networks 2016 7
Scale: Driving Factors, Reflection Amplification
• Reflection Amplification attacks continue, but there has been some cyclic change in the protocols favored by attackers.
• Strong growth in the use of DNS (again) through 2016• Largest monitored attack of 498.3Gbs, a 97% jump from last year
– DNS and NTP attacks over 400Gbps, Chargen over 200Gbps
© Arbor Networks 2016 8
Scale: Driving Factors, Reflection Amplification
• Reflection Amplification attacks continue, but there has been some cyclic change in the protocols favored by attackers.
• Strong growth in the use of DNS (again) through 2016• Largest monitored attack of 498.3Gbs, a 97% jump from last year
– DNS and NTP attacks over 400Gbps, Chargen over 200Gbps
© Arbor Networks 2016 9
Complexity : Attack Types
• Volumetric attacks still represent the majority of activity for both SP and EGE respondents
• 95% of SP report applications layer attacks, 93% last year, 90% in 2014• 67% of SP report multi-vector attacks, 56% last year, 32% in 2014
EGESP
© Arbor Networks 2016 10
Complexity : Targeted Services
• DNS and HTTP the most common services targeted by application later attacks• Majority of SP and EGE respondents also see attacks targeting HTTPS• 57% of EGE respondents see attacks targeting the application behind HTTPS
– Much higher than the 22% seen by SPs– Cipher suites that prevent traffic inspection are a key problem
EGE Service Targets
SP Service Targets
© Arbor Networks 2016 11
Frequency : Up Across the Board
• 53% of SPs see more than 51 attacks per month, up from 44%• 21% of data-centers see more than 50 attacks per month, up from 8%• 45% of EGE see more than 10 attacks per month, up from 28%• ATLAS is tracking 135,000 Volumetric attacks per week.
Data Center Attack Frequency EGE Attack Frequency
© Arbor Networks 2016 12
Motivations: Many and Varied
• SPs see Online Gaming and Hackivism as top motivations
• EGE see Ideological Hacktivism and Extortion as top
• 26% of EGE see DDoS for distraction, up from 12%
© Arbor Networks 2016 13
IPv6• SP visibility is down 10%
– IPv6 flow telemetry capability up to 53% from 43% last year
• Peak IPv6 traffic 6Tbps, up 20%– Predicted growth rates are low
Service Provider
EGE
• Higher proportions of EGE offer services over IPv6 and use it on internal networks, 67% vs 58% and 67% vs 50%
• DDoS attacks are the top security concern for both SP and EGE
© Arbor Networks 2016 14
Countries with largest attacks ATLAS 2016
• Brazil – 254Gbps (Confirmed > 450Gbps in Large Sports Event, not in ATLAS)
• Argentina – 108Gbps• Chile – 103Gbps• Ecuador – 74Gbps• Colombia – 72Gbps• Mexico – 83Gbps
© Arbor Networks 2016 15
Averages including Brazil
714679
888
0
100
200
300
400
500
600
700
800
900
1,000
2015 2016 2017Q1
LATAM Average Mbps
© Arbor Networks 2016 16
Peaks including Brazil
186
254
152
0
50
100
150
200
250
300
2015 2016 2017Q1
LATAM Peak Gbps
© Arbor Networks 2016 17
Averages Excluding Brazil
1,071
651
530
0
200
400
600
800
1000
1200
2015 2016 2017Q1
LATAM NoBR Average Mbps
© Arbor Networks 2016 18
Peaks Excluding Brazil
75
108
62
0
20
40
60
80
100
120
2015 2016 2017Q1
LATAM NoBR Peak Gbps
© Arbor Networks 2016 19
2016 Total Number of Attacks Per Top 11 Countries
151371101677
7612465306
2008119504
15401456829411739973
0 50000 100000 150000 200000
BRECCOBOARMXCLCRPEBZBM
© Arbor Networks 2016 20
54.44%
15.02%
14.98%
9.31%
4.17%1.52%
0.34% 0.17% 0.02% 0.02%
PercentageofAttacks>10G2016(Top10)
BR
AR
CL
EC
CO
MX
CR
BO
BZ
BB
© Arbor Networks 2016 21
2016 Number of Attacks (Top 6)
54%
24%
7%
6%
6% 3%
BR
CO
EC
MX
AR
CL
© Arbor Networks 2016 22
Attack Types Breakout 2016
•
27.14%
20.11%
14.70%
12.55%
9.38%
5.82%
2.94%2.62%
2.24%1.02%
0.99% 0.27%0.20% 0.03% UDP
Total Traffic
IP Fragmentation
IP Private
TCP SYN
DNS
TCP RST
ICMP
DNS Amplification
SSDP Amplification
NTP Amplification
TCP null
Chargen Amplification
IP null