Five percent of Web traffic caused by DDoS attacks

After analysing traffic from 68 ISPs around the globe, a security researcher claims that as much as five percent of all Internet traffic is from DDoS-attacks.
Written by Liam Tung, Contributing Writer

After analysing traffic from 68 ISPs around the globe, a security researcher claims that as much as five percent of all Internet traffic is from DDoS-attacks.

Since beginning the research, Arbor Network's chief research officer Danny McPherson claims there were over one million denial of service attacks — roughly 1,300 per day — across the ISP networks involved in the study, which has already run for 18 months.

Information collected during the study was shared anonymously between the 68 ISPs and Arbor. McPherson said the data helped better understand Internet traffic and attack characteristics such as packet size distributions, attack vectors, the frequency and scale of attacks, as well as source and target distributions.

The system looks specifically at traffic on Transport Layer 3 and 4, which, according to McPherson, is the equivalent of looking at "details on an envelope" but not the content inside.

"We look at how big [an attack] is, where it's from, and who it's being sent to — basically the addressing and transaction information," McPherson told ZDNet.com.au.

"No one has ever [conducted research] at this speed. A couple of gigabytes per second was the maximum and they have only looked at single links on a network. Here we're covering 68 ISPs at speeds of around 1.5 terabytes per second," he said.

But the study is not just about speed, explained McPherson: "We want to understand the characteristics behind the biggest and most distributed attacks."

"If you understand how many packets of what protocol-type and how big those packets are, [ISPs] can engineer their networks more effectively," said McPherson.

The data may also help router manufacturers improve their designs to better meet network traffic demands, he said.

The monitoring system has already helped reveal which organisations are being targeted and has even uncovered interactions between the more nefarious participants on the Internet: botnet operators.

"Some of the biggest attacks are on the root name server infrastructure, and there are many extortion attacks. 99 percent of these attacks aren't that interesting but one percent is really interesting.

"We like to look at attack data ... We have our own malware database and monitor control channels to see where people launch attacks from, such as which botnets are attacking which targets," he said.

Early last year, McPherson noticed a high frequency of cyber-attacks that looked remarkably similar.

"It turned out that MPack was attempting to steal bots from Storm," he said.

"The Storm guys figured out that MPack was stealing bots and started attacking Mpack distribution sites so they couldn't compromise each others hosts."

But besides understanding that everything is an enemy to a botnet operator, McPherson said the study helped explain the significance of DDoS attacks for the average corporate network.

"What has surprised me the most is that this [DDoS] traffic bottoms out consistently at around two percent of total traffic. The best is one percent of all traffic and the worst is around five percent — when you factor in spam. If you think about it, that's quite a lot and there's a lot of room for improvement. So for an organisation, if you can find one to two percent more efficiency out of your network resources, that's important," he said.

Editorial standards