[96788] in North American Network Operators' Group
Re: Slate Podcast on Estonian DOS atatck
daemon@ATHENA.MIT.EDU (Danny McPherson)
Thu May 24 21:56:55 2007
In-Reply-To: <Pine.SOC.4.61.0705241556170.451@paixhost.pch.net>
From: Danny McPherson <danny@tcb.net>
Date: Thu, 24 May 2007 19:56:04 -0600
To: NANOG <nanog@merit.edu>
Errors-To: owner-nanog@merit.edu
On May 24, 2007, at 4:58 PM, Bill Woodcock wrote:
>
>> First of it's kind that it targeted a country.
>
> No, at the very least, Moonlight Maze and Titan Rain came before.
> But by
> today's standards, Moonlight Maze would have been trivially small. I
> don't have any numbers for Titan Rain. Anyone know how it compared
> to the
> 4mpps of this attack?
A data point based on some information we have from looking
at inter-domain traffic and attack attributes across ~40 ISPs
(~1 Tbps) over ~250 days now (and rolling):
Days seeing at least one attack exceeding a given threshold:
> 6 Mpps 1
> 5 Mpps 12
> 4 Mpps 33
> 3 Mpps 53
> 2 Mpps 91
> 1 Mpps 149
Total attacks exceeding a given threshold:
> 6 Mpps 1
> 5 Mpps 17
> 4 Mpps 82
> 3 Mpps 135
> 2 Mpps 352
> 1 Mpps 813
The above is from the perspective of *a single ISP*, so the aggregate
of the attack is likely to be far greater (cross-ISP correlation of
targets
are NOT reflected in _this dataset). Mpps and greater attacks make
up far less than 1% of the attacks we see (we've have data for ~142k
known attacks over this period).
More on this in the near future and note that none of the above is
meant to marginalize the Estonian attacks in any way, 4 Mpps is a
lot depending on where it's directed and how it's mitigated - it's
ALL about perspective.....
-danny
