For the last 18 months or so here at Arbor we’ve been recruiting ISPs that currently use Peakflow SP systems to participate in our statistics sharing program. The goal of the program is to try to better understand Internet traffic and attack characteristics over time, including protocol and packet size distributions, attack vectors, frequency and scale, source and target distributions, etc. Some of this information can be accessed in real-time via our ATLAS portal, with more to come.
The statistics sharing program is based on flow data (e.g., NetFlow, JFlow, IPFIX) collection systems, which deal primarily with Network and Transport Layer (Layer 3 & 4) traffic information, and data currently being collected here is only from interfaces participants have classified as inter-domain (i.e., not internal or customer).
We’ve currently got 68 discrete ISPs participating, covering over 100k interfaces on nearly 1300 routers, and peak inter-domain traffic rates are currently nearing 1.5 Tbps, which is a statistically significant number.
We currently see somewhere around 1300 DDoS attacks a day on average, we’ve seen nearly 1 million since we began the program, and we’re getting to a point where, after 1.5 years of collection, some trends are beginning to emerge. For example, attack frequency seems to drop significantly on Christmas Day, New Year’s Eve, and New Year’s Day (perhaps while the miscreants are either hung over or expending their spoils :-). The most common targets we see are IRC servers, although those attacks are usually lower-scale and not as well distributed as some of the larger attacks. The most common attack vectors are TCP SYN floods, with ICMP floods being a close second. It’s also particularly interesting to compare and contrast protocol distributions (e.g., peer-to-peer, HTTP, etc.) and rates for inter-domain traffic versus broadband-dense segments or other demographics. We’re intending to publish a report based on this data in the near future, so I won’t spoil it with any more details here.
However, one finding I did want to point out that was somewhat surprising is that DDoS (i.e., brute-force flood-based attacks) has over the past 18 months consistently accounted for ~1-3% of all inter-domain Internet traffic. Again, this is raw attack traffic, simply meant to exhaust connection state or fill links; nowhere in this mix is spam, phishing, scans, or other malicious or similarly annoying traffic. We have seen peaks well above 5% of aggregate reported traffic, although not consistently.
As you might suspect, that’s no small amount of wasted resources consumed by DDoS attack traffic. TCP/25 (SMTP – email) seems to hover around 10-15 Gbps, so 1-1.5% of inter-domain traffic. If you were to assume that only 66% of that is spam (which is likely a very low estimate, and one that varies rather widely), you get ~1%, so we’re at nearly 4% of all inter-domain traffic as junk, with over half of it being raw sewage. Anyway, we’ve got some work to do to shore up these numbers and provide something folks can reference; you should be seeing something more definitive along these lines in the coming months.
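The calculation above (attack bytes and SMTP bytes as a share of the traffic seen on inter-domain interfaces, plus a spam-fraction estimate) is the kind of thing that falls out of flow data once interfaces are classified. The following is an added example, not Arbor’s or Peakflow SP’s code: the flow records, the interface classification table, and the SYN/ICMP flood heuristic are all constructed stand-ins for what a real collector and its detection engine would supply, and the resulting shares are illustrative, not the figures from this post.

```python
"""Share-of-traffic calculation over constructed flow records.

Added example, not Arbor's code. Everything below (flows, interface
classes, the flood heuristic, the 66% spam assumption) is constructed
or assumed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

TCP, UDP, ICMP = 6, 17, 1      # IP protocol numbers
SYN, ACK = 0x02, 0x10          # TCP flag bits


@dataclass(frozen=True)
class Flow:
    in_if: int       # ingress ifIndex the record was exported for
    proto: int       # IP protocol number
    dst_port: int    # 0 for non-TCP/UDP flows
    tcp_flags: int   # cumulative TCP flags seen in the flow (0 for non-TCP)
    packets: int
    bytes: int


# Constructed interface classification (assumed to be operator-supplied,
# as the post describes: only "inter-domain" interfaces count).
IF_CLASS: Dict[int, str] = {1: "inter-domain", 2: "inter-domain",
                            3: "customer", 4: "internal"}

# Constructed flow records; byte counts chosen so the shares are easy to check.
FLOWS: List[Flow] = [
    Flow(1, TCP, 80,   SYN | ACK, 2000,  2_000_000),  # ordinary web traffic
    Flow(2, TCP, 25,   SYN | ACK, 1000,  1_000_000),  # SMTP
    Flow(1, UDP, 6881, 0,         4000,  4_000_000),  # peer-to-peer
    Flow(2, TCP, 6667, SYN,       50000, 2_000_000),  # SYN-only flood at an IRC port
    Flow(1, ICMP, 0,   0,         25000, 1_000_000),  # ICMP flood
    Flow(3, TCP, 80,   SYN | ACK, 3000,  3_000_000),  # customer-facing interface, excluded
]


def flood_vector(flow: Flow) -> Optional[str]:
    """Crude per-flow flood heuristic standing in for a real detector.

    SYN-only TCP flows and high-packet-count ICMP flows made of tiny
    packets are tagged; a production system uses far richer signals.
    """
    avg_pkt = flow.bytes / flow.packets
    if (flow.proto == TCP and flow.tcp_flags & SYN
            and not flow.tcp_flags & ACK and avg_pkt <= 64):
        return "tcp_syn_flood"
    if flow.proto == ICMP and flow.packets >= 10_000 and avg_pkt <= 64:
        return "icmp_flood"
    return None


def inter_domain_flows(flows: List[Flow],
                       if_class: Dict[int, str] = IF_CLASS) -> List[Flow]:
    """Keep only flows exported for interfaces classified as inter-domain."""
    return [f for f in flows if if_class.get(f.in_if) == "inter-domain"]


def traffic_shares(flows: List[Flow], spam_fraction: float = 0.66) -> Dict[str, object]:
    """Compute DDoS, SMTP and estimated junk shares of inter-domain bytes."""
    idf = inter_domain_flows(flows)
    total = sum(f.bytes for f in idf)
    if total == 0:
        raise ValueError("no inter-domain traffic in sample")
    attack_bytes: Counter = Counter()
    for f in idf:
        vector = flood_vector(f)
        if vector:
            attack_bytes[vector] += f.bytes
    smtp_bytes = sum(f.bytes for f in idf if f.proto == TCP and f.dst_port == 25)
    ddos_share = sum(attack_bytes.values()) / total
    smtp_share = smtp_bytes / total
    spam_share = smtp_share * spam_fraction   # assumption, as in the post
    return {
        "ddos_share": ddos_share,
        "by_vector": {v: b / total for v, b in attack_bytes.items()},
        "smtp_share": smtp_share,
        "estimated_spam_share": spam_share,
        "junk_share": ddos_share + spam_share,
    }


if __name__ == "__main__":
    for key, value in traffic_shares(FLOWS).items():
        print(f"{key}: {value}")
```

The customer-facing flow is dropped before any totals are formed, which is the step that makes the denominator "inter-domain traffic" rather than everything the routers saw; with the constructed records above the floods come to 30% of inter-domain bytes and SMTP to 10%, numbers that are deliberately exaggerated relative to the ~1-3% and 1-1.5% reported in the post.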