Posted on Monday, March 31st, 2008

2% of Internet Traffic Raw Sewage

by Danny McPherson

For the last 18 months or so here at Arbor we’ve been recruiting ISPs that currently use Peakflow SP systems to participate in our statistics sharing program. The goal of the program is to better understand Internet traffic and attack characteristics over time, including protocol and packet size distributions, attack vectors, frequency and scale, source and target distributions, etc. Some of this information can be accessed in real-time via our ATLAS portal, with more to come.

The statistics sharing program is based on flow data (e.g., NetFlow, JFlow, IPFIX) collection systems, which deal primarily with Network and Transport Layer (Layer 3 & 4) traffic information, and data currently being collected here is only from interfaces participants have classified as inter-domain (i.e., not internal or customer).

We’ve currently got 68 discrete ISPs participating, covering over 100k interfaces on nearly 1300 routers, and peak inter-domain traffic rates are currently nearing 1.5 Tbps, which is a statistically significant number.

ASP Dashboard

We currently see somewhere around 1300 DDoS attacks a day on average, and we’ve seen nearly 1 million since we began the program. After 1.5 years of collection, we’re getting to a point where some trends are beginning to emerge. For example, attack frequency seems to drop significantly on Christmas Day, New Year’s Eve, and New Year’s Day (perhaps while the miscreants are either hung over or expending their spoils :-). The most common targets we see are IRC servers, although those attacks are usually lower-scale and not as well distributed as some of the larger attacks. The most common attack vectors are TCP SYN floods, with ICMP floods being a close second. It’s also particularly interesting to compare and contrast protocol distributions (e.g., peer-to-peer, HTTP, etc.) and rates for inter-domain traffic versus broadband dense segments or other demographics. We’re intending to publish a report based on this data in the near future, so I won’t spoil it with any more details here.

24 hour Attack Rate Snapshot

However, one somewhat surprising finding I did want to point out is that DDoS attacks (i.e., brute-force flood-based attacks) have over the past 18 months consistently accounted for ~1-3% of all inter-domain Internet traffic. Again, this is raw attack traffic, simply meant to exhaust connection state or fill links; nowhere in this mix is spam, phishing, scans, or other malicious or similarly annoying traffic. We have seen peaks well above 5% of aggregate reported traffic, although not consistently.

As you might suspect, that’s no small amount of wasted resources consumed by DDoS attack traffic. TCP/25 (SMTP – email) seems to hover around 10-15 Gbps, so 1-1.5%. If you were to assume that only 66% of that is spam (which is likely a very low estimate, and one that varies rather widely), you get ~1%, so we’re at nearly 4% of all inter-domain traffic as junk, with over half being raw sewage. Anyway, we’ve got some work to do to shore up these numbers and provide something folks can reference. You should be seeing something more definitive along these lines in the coming months.

11 Responses



Comment Post by: İnternet Trafiğinin %2’si Çöp | Deneysel Manifesto — March 31st, 2008 @ 5:16 pm EST

[...] according to the post on the blog of Arbor Networks, which both produces statistics and delivers successful solutions (and from the post, that this statistic would really suffice to model the whole of the Internet [...]

Comment Post by: Petr Ruzicka — April 1st, 2008 @ 6:42 am EST

Hi, interesting data!
From testing of IronPort product in our customer infrastructure we see 80-90% of all mail that hits their MX boxes is spam (sometimes as high as 97%). So 66% is, well, a much smaller number.
In a typical enterprise about 1-5% of mail is clean, in an SP or portal scenario up to 12%. Rest is garbage.

Comment Post by: Internet has a trash problem, researcher says | InfoWorld | News | 2008-04-01 | By Robert McMillan, IDG News Service — April 1st, 2008 @ 2:37 pm EST

[...] Arbor’s data show other trends too. Attacks drop off during Christmas and New Year’s, perhaps while the attackers are “hungover or expending their spoils,” McPherson wrote in a blog posting. [...]

Comment Post by: Chris — April 3rd, 2008 @ 7:55 am EST

Danny:

On the 1.5Tb/s being statistically significant – are you using “statistically significant” as a synonym for “big enough to be meaningful”, or is there some sort of sampling issue here that I am missing? Not trying to be an annoying nit-picker (really!), just trying to understand the methodology better.

Thx.

Comment Post by: Danny McPherson — April 3rd, 2008 @ 5:48 pm EST

Chris,
I probably shouldn’t have used that phrase as folks that have taken a statistics class might misinterpret it. The point that I was attempting to convey was indeed “big enough to be meaningful”, specifically, that 1.5Tbps of inter-domain traffic across 68 ISPs is a lot, and significantly more than any other analysis of this type performed to date. As for “statistical significance”, well, when we issue a complete report we’ll attempt to quantify and qualify precisely what we believe this dataset represents.

Comment Post by: Yang Chung — April 4th, 2008 @ 4:48 pm EST

I am just curious….

Are these attacks mostly generated using botnet(s)? How easy is it for a reasonably tech-savvy person or kid to recruit his/her own bots? What do you think are motives behind these attacks?

Thanks,

Comment Post by: Danny McPherson — April 4th, 2008 @ 7:46 pm EST

Yang Chung,
Yes, most of these attacks do exhibit properties (e.g., multiple synchronized attack sources, common attack vectors, multiple source ISPs, well distributed source locations, etc.) that would suggest they are the work of bots. Bots are used for an array of malicious activities today, most of the interesting typically being associated with some economic motivations. Bots are indeed trivial to obtain today, either directly or through leased partitions from other bots. Have a look back through other entries here and on linked blogs for some more information about this.

Comment Post by: Here comes the government to fight cybercrime! [shudder] | Network Administrator | TechRepublic.com — May 13th, 2008 @ 10:28 pm EST

[...] 2% of Internet Traffic Raw Sewage (Arbor Networks) [...]

Comment Post by: As 7 pragas da internet « O Buraco Branco — November 22nd, 2008 @ 9:49 pm EST

[...] Just to give you an idea, it is estimated that 96% of the e-mails sent worldwide are spam, which corresponds to an average of between 2% and 5% of all information traffic on the Internet! [...]

Comment Post by: The end of bandwidth socialism. - Page 4 - SLUniverse Forums — February 5th, 2009 @ 7:09 pm EST

[...] 4% of all internet traffic either DDOS packets or spam email [...]

Comment Post by: DDoS’s make up 2% of all traffic in the tubes. « Bastard Sheep — February 24th, 2010 @ 8:13 pm EST

[...] now says those attacks account for about two percent of internet traffic, with peaks of up to five [...]
