Metricon 5: Powell - DDoS Analytics
DESCRIPTION
DDoS analytics
TRANSCRIPT
© 2010 Akamai
Headlines You May Have Seen
Online attack hits US government Web sites (7 Jul 09)
Twitter DDoS Attack Politically Motivated, Says Report (7 Aug 09)
Four arrested in China over net-paralyzing gaming spat (2 Sep 09)
DDoS attacks topple 40 Swedish sites (30 Oct 09)
Study: DDoS attacks threaten ISP infrastructure (11 Nov 09)
Hacker grinches launch DDoS attack against Amazon (29 Dec 09)
Chinese Human Rights Sites Hit by DDoS Attack (25 Jan 10)
DDoS attacks, Network hacks rampant in oil & gas industry (28 Jan 10)
Intel Chief: U.S. at Risk of Crippling Cyber Attack (4 Feb 10)
Chinese ISP Momentarily hijacks the Internet (again) (8 Apr 10)
Attack of the Opt in Botnets (23 Apr 10)
Verisign Warns of growing denial-of-service threat (7 May 10)
Hackers Retaliate as Turkey’s censorship tightens (18 Jun 10)
[DDoS] BotNet spread by pressing one button… (2 Aug 10)
DNSMadeEasy Rallies After 50Gbps DDoS (9 Aug 10)
Headlines You DID NOT See
President Delays Trip Due to Cyber Attacks
Independence Day Attacks Paralyze the U.S.
Government and Financial Websites Attacked and Taken Down: Stocks Show Concerns
IT Risk In a Complex World
What’s At Risk?
NSA's Guide: Defense in Depth - A practical strategy for achieving Information Assurance in today’s highly networked environments
• Reputation & Brand
• Dollars & Revenue
• Mission & Trust
Weathering Storms in the Cloud: Analyzing Massive DDoS Attacks to Prepare for the Future
R. H. Powell IV, Senior Service Line Manager
August 10, 2010
Agenda
Weathering Storms in the Cloud
• Is the Threat Worth Considering?
• Data Collection & Considerations
• Observations from the Wild
• July 4th DDoS Case Study
• How Do You Analyze This?
• Future Expectations & Innovation
State of Internet Security Today
• 95% of corporate Web applications have severe vulnerabilities.1
• 34 million computers in the U.S. alone may now be part of a botnet.2
• Cybercrime costs businesses $1 trillion a year.3
• In 2008, a Web page was infected every 4.5 seconds.4
• Attack traffic observed from 198 countries in Q1 ‘10, up from 68 countries in Q1 ‘09 (nearly a threefold increase).5
1 WASC 2 Georgia Tech Information Security 3 McAfee 4 Sophos 5 Akamai
Targets of Opportunity
[Chart: Volume of Vulnerabilities, 2007 vs 2008]
Web Application Vulnerabilities: 2,750 (2007), 3,462 (2008)
Non-Web Application Vulnerabilities: 1,875 (2007), 2,029 (2008)
Source: Symantec Internet Security Threat Report, April 2009
Peak Attack Traffic per Year
[Chart: Attack Size in Gbps, plotted for 2002 through 2009 on two axes]
Arbor Networks series (left axis, 0 to 50 Gbps), rising year on year: 1.2, 2.5, 10, 17, 24, 40, 49 Gbps
Akamai Technologies, 2009 (right axis, 0 to 250 Gbps): >200 Gbps
Where Does the Data Come From?
Primary Data Sources
• Akamai Distributed Agents
• Akamai Customer Production Traffic Logs
Auxiliary Data Source
• Publicly Available Reports
Top Attack Countries (Akamai Agents)
Top Attack Regions (Akamai Agents)
Europe: 44% of overall attack traffic, 50% of mobile attack traffic
A Note On Mobile Connectivity
The GSM Association reports that global Mobile Broadband connections roughly doubled during 2009 to 200 million. By the end of 2010, they estimate this will reach 342 million global connections, with 120 million in Europe, 116 million in the Asia Pacific region, and 58 million in North America.2

Global Mobile Providers1     % > 1 Mbps   % > 2 Mbps   % > 5 Mbps   % > 10 Mbps
Average Connection Speed     32%          13%          --           --
Maximum Connection Speed     --           76%          30%          6%

1 Akamai 2 GSM Association
July 4, 2009 DDoS Attack: Observed Attack Profile
Type of Attack – Brute Force DDoS
• The largest coordinated DDoS cyber attack against US Government websites
• HTTP resource drain attack
• Sourced primarily from compromised Korean computers
Intensity of Attack
• 1,000,000+ hits per second and ~200 Gbps aggregate attack traffic (US Gov only)
• One website received 8 years of traffic in a day
All Traffic Logged for Akamai Customers
• 64 billion log lines
• 13 TB of uncompressed log data (400+ GB of compressed logs)
“Between the volume of the requests and their frustrating nature, a Web site with few servers or limited bandwidth can quickly be taken down. Others with greater physical and financial resources can take the punishment. That may explain why high-volume Web sites such as those belonging to the White House, the Pentagon and the New York Stock Exchange were able to withstand such attacks with barely a hiccup, while the Federal Trade Commission's and the Transportation Department's were knocked offline.” - Paul Wagenseil, Fox News
July 4, 2009 DDoS Attack

Customer (PROTECTED)           Peak Traffic   Times Above Previous Peak Traffic
U.S. Government Customer 1     124 Gbps       598x
U.S. Government Customer 2     32 Gbps        369x
U.S. Government Customer 3     9 Gbps         39x
U.S. Government Customer 4     9 Gbps         19x
U.S. Government Customer 5     2 Gbps         9x
U.S. Government Customer 6     1.9 Gbps       6x
New U.S. Government Customer   0.7 Gbps       SITE DOWN before Akamai
Akamai Analysis of Log Data: Top Attacking IP Address Over Time
• July 4th – Attacks focused on two sites
• July 5th – Attacks spread to include 5 other sites, with traffic spread evenly across them
• July 5th (late) – Bulk of the attack shifts to 2 new sites
• July 7th (late) – Attack ends
All targeted US Government websites not using Akamai went down.
Unique Hostile IPs Over Time
Much Larger Than Any Public Estimates
[Chart: # Unique Hostile IPs per 30-Minute Block over the course of the attack; y-axis 0 to 120,000 IPs; three distinct spikes (Spike 1, Spike 2, Spike 3)]
Peak: 97,882 unique IPs in a single 30-minute block
Few common attackers between spikes: only 4,284 IPs shared across all spikes
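The three quantities the last two slides derive from production logs (unique hostile IPs per 30-minute block, the IPs shared across every spike, and the top attacking IP in each block) can be computed directly from web-server logs. The following is an added worked example, not Akamai's code and not part of the original deck. It parses constructed Common Log Format lines; the sample data, the request-rate threshold for calling an IP hostile, and the median-relative rule for calling a block a spike are all assumptions of the example, not figures from the talk.

```python
"""Added example, not Akamai's code: hostile-IP analytics over web-server logs.

Computes, on constructed data, unique hostile IPs per 30-minute block, the IPs
shared across all spikes, and the top attacking IP in each block.

Assumptions (not from the talk): Common Log Format input; an IP is "hostile" in
a block if it sends >= REQ_THRESHOLD requests there; a block is a "spike" if its
hostile-IP count is >= SPIKE_FACTOR times the median count over all blocks.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import re
import statistics

CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
BUCKET = timedelta(minutes=30)
REQ_THRESHOLD = 3     # assumption: requests per block before an IP is flagged
SPIKE_FACTOR = 1.5    # assumption: block is a spike at >= 1.5x the median count
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_line(line):
    """Return (ip, timestamp, request) for a CLF line, or None if it is garbled."""
    m = CLF.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    return m["ip"], ts, m["req"]


def bucket_of(ts):
    """Floor a timestamp to the start of its 30-minute block."""
    return EPOCH + (ts - EPOCH) // BUCKET * BUCKET


def analyze(lines, threshold=REQ_THRESHOLD, spike_factor=SPIKE_FACTOR):
    """Aggregate log lines into per-block request counters and derive the metrics."""
    per_block = defaultdict(Counter)          # block start -> Counter(ip -> requests)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                          # skip lines the parser cannot read
        ip, ts, _req = parsed
        per_block[bucket_of(ts)][ip] += 1

    hostile = {}                              # block start -> set of flagged IPs
    for block in sorted(per_block):
        hostile[block] = {ip for ip, n in per_block[block].items() if n >= threshold}
    counts = {block: len(ips) for block, ips in hostile.items()}

    median = statistics.median(counts.values()) if counts else 0
    spikes = [b for b, n in counts.items() if median and n >= spike_factor * median]
    # intersection over the spikes: the attackers common to every spike
    shared = set.intersection(*(hostile[b] for b in spikes)) if spikes else set()
    top_ip = {b: per_block[b].most_common(1)[0] for b in hostile}
    return {
        "hostile_per_block": counts,
        "spikes": spikes,
        "shared_across_spikes": shared,
        "top_ip_per_block": top_ip,
    }


def _clf(ip, ts, path="/"):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'


def sample_log():
    """Constructed log lines: four 30-minute blocks on 4 Jul 2009 (not real data)."""
    t0 = datetime(2009, 7, 4, 0, 0, tzinfo=timezone.utc)
    lines = []

    def burst(start, ips, reps):
        for i, ip in enumerate(ips):
            for r in range(reps):
                lines.append(_clf(ip, start + timedelta(seconds=60 * i + r)))

    bots_a = ["10.0.0.%d" % i for i in range(2, 6)]
    bots_c = ["10.0.1.%d" % i for i in range(1, 6)]
    # block 0 (00:00): spike - persistent bot plus four others, two real users
    burst(t0, ["10.0.0.1"], 4)
    burst(t0 + timedelta(minutes=1), bots_a, 3)
    burst(t0 + timedelta(minutes=10), ["192.0.2.10", "192.0.2.11"], 1)
    # block 1 (00:30): lull - only the persistent bot keeps hammering
    burst(t0 + timedelta(minutes=30), ["10.0.0.1"], 3)
    burst(t0 + timedelta(minutes=40), ["192.0.2.12"], 1)
    # block 2 (01:00): spike - persistent bot plus a fresh set of five
    burst(t0 + timedelta(minutes=60), ["10.0.0.1"], 4)
    burst(t0 + timedelta(minutes=61), bots_c, 3)
    burst(t0 + timedelta(minutes=70), ["192.0.2.13"], 1)
    # block 3 (01:30): lull again
    burst(t0 + timedelta(minutes=90), ["10.0.0.1"], 3)
    burst(t0 + timedelta(minutes=95), ["192.0.2.14"], 1)
    lines.append("this line is not a valid log record")   # exercises the parser
    return lines


if __name__ == "__main__":
    result = analyze(sample_log())
    for block, n in result["hostile_per_block"].items():
        tag = "SPIKE" if block in result["spikes"] else ""
        print(f"{block:%H:%M} hostile IPs: {n:3d} top: {result['top_ip_per_block'][block]} {tag}")
    print("shared across spikes:", sorted(result["shared_across_spikes"]))
```

On the constructed data, the two spike blocks flag five and six IPs, the lulls flag one, and only the persistent bot 10.0.0.1 survives the intersection, which is the "few common attackers between spikes" pattern the slide reports. On real logs the same code runs over a file one line at a time; the threshold and spike rule are the knobs to tune against a baseline period.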
Crunching The Data
Future Outlook and Innovation
Thank you
Akamai Architecture Operational View – OV-1
[Diagram: End Users → Internet → Akamai Network (65,000+ servers, 1,500+ locations, 950+ networks, 70+ countries; Edge Servers, EDNS, Network Storage, Compression, WAF, Akamai SiteShield) → customer Data Center (Firewall, Load Balancer, Web Servers, App Servers, Transaction Server, DNS Server, Directory/Policy Server, Legacy Systems, Database), with a Back-Up Site or Load Balanced Multi-Data Center]
Properties shown: Security, Availability, Scalability, Visibility, Resource Savings, Performance
Broad adoption across verticals: if you’re on-line you’re using Akamai
Technology
• The top five anti-virus companies
Media & Entertainment
• 30 of the top 30 M&E companies
Retail & Travel
• Over 400 Global Retailers
• 50 of the top 50 U.S. Retailers
• Over 125 Global Online Travel Sites
Finance
• 9 of top 15 Global Banks
US Government Customers
• 12 of 15 Cabinet Agencies