In this talk, we provide one of the first end-to-end studies of global DDoS traffic. We leverage a unique multi-year collaboration with Nokia CSP customers around the world to trace DDoS traffic from its IPHM hosting and botnet origins, through global transit, and on to its intended victims in consumer and enterprise networks. Our data includes real-time telemetry from several thousand backbone routers across a set of carriers that is diverse both geographically and in business model (e.g. global transit, consumer, regional provider, web scale, hosting). In addition, we estimate the potential future scale of DDoS attacks using extensive crawling of the active IPv4/IPv6 address space to discover potential abuse endpoints, as well as packet traces gathered from commercial accounts on the top commercial “booter” services.
Our major findings include:
Peak daily aggregate DDoS traffic rates have more than doubled over the last year. At the end of 2020, we measured average daily 5-minute peaks at 1.5 Tbps. In March 2021, the average daily peak exceeded 3 Tbps in transit networks.
The majority of DDoS (as measured by spoofed pps and number of events) originated in fewer than fifty IPHM hosting companies and regional carriers. While DDoS traffic reaching victim enterprise / consumer networks peaked at 3 Tbps, we observed spoofed pps origination rates exceeding 50 Mpps, which represent a potential for amplified attacks 5x or more larger.
We show that observed attack bandwidth at destination victim networks remains a fraction of its potential due to errors in amplifier selection, non-optimal amplifier payload creation, and widespread use of rate limiters on peering connections.
Finally, we evaluate the efficacy of different DDoS mitigation strategies, including open source code and BGP FlowSpec as well as programmable router filters. We show that recent router OS / hardware offerings from most vendors can block up to 98% of all volumetric DDoS.
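The three measurements the findings rest on (daily 5-minute peak rates at a router, spoofed packet origination on customer ports, and the share of victim-bound traffic a FlowSpec-style filter would drop) can be reproduced in miniature from flow telemetry. The following is an added illustration, not code from the study or from Nokia: the flow records, the customer names `hosting-A` and `enterprise-B`, their prefixes, and the rule set are all constructed, and the `min_avg_len` match is an approximation of FlowSpec's per-packet length component using the average packet size a flow record provides.

```python
"""Flow-telemetry analysis of volumetric DDoS: 5-minute peak rates, a BCP38-style
spoofed-origination check, and evaluation of a FlowSpec-style rule set.
Added illustration; every record and prefix below is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

BIN_SECONDS = 300  # the study reports average daily 5-minute peaks


@dataclass(frozen=True)
class Flow:
    ts: str        # export time, ISO-8601 with UTC offset
    in_port: str   # ingress port: a customer name, or "peer" for upstream/peer links
    src: str
    dst: str
    proto: int     # 17 = UDP, 6 = TCP
    sport: int
    dport: int
    packets: int
    bytes: int


# Constructed: prefixes each customer announces to the transit router (hypothetical).
CUSTOMER_PREFIXES: Dict[str, List[str]] = {
    "hosting-A": ["203.0.113.0/24"],
    "enterprise-B": ["198.51.100.0/24"],
}

# Constructed records as a transit router might export them. 192.0.2.0/24 stands
# in for unrelated Internet hosts reached through peer ports.
SAMPLE_FLOWS: List[Flow] = [
    Flow("2021-03-01T10:00:30+00:00", "hosting-A", "203.0.113.5", "192.0.2.20", 17, 44321, 443, 1_000, 600_000),
    # entered on hosting-A's port but the source is outside its prefixes: spoofed
    Flow("2021-03-01T10:01:00+00:00", "hosting-A", "198.51.100.7", "192.0.2.53", 17, 5000, 123, 3_000_000, 120_000_000),
    # UDP/123 toward enterprise-B with ~460-byte packets: reflected traffic arriving
    Flow("2021-03-01T10:02:00+00:00", "peer", "192.0.2.53", "198.51.100.7", 17, 123, 5000, 5_000_000, 2_300_000_000),
    Flow("2021-03-01T10:03:00+00:00", "peer", "192.0.2.80", "198.51.100.20", 6, 443, 50123, 100_000, 100_000_000),
    Flow("2021-03-01T10:06:00+00:00", "hosting-A", "203.0.113.9", "192.0.2.30", 6, 50000, 80, 500, 40_000),
    Flow("2021-03-01T10:07:00+00:00", "peer", "192.0.2.53", "198.51.100.7", 17, 123, 5000, 5_000_000, 2_600_000_000),
    Flow("2021-03-02T03:00:10+00:00", "hosting-A", "203.0.113.5", "192.0.2.20", 17, 44321, 443, 200, 120_000),
]


def bin_start(ts: str) -> int:
    """Epoch second at which the 5-minute bin containing ts begins."""
    epoch = int(datetime.fromisoformat(ts).timestamp())
    return epoch - epoch % BIN_SECONDS


def daily_peak_bps(flows: List[Flow]) -> Dict[str, float]:
    """Per UTC day, the highest aggregate bit rate seen in any 5-minute bin."""
    per_bin: Dict[int, int] = defaultdict(int)
    for f in flows:
        per_bin[bin_start(f.ts)] += f.bytes
    peaks: Dict[str, float] = {}
    for start, total in per_bin.items():
        day = datetime.fromtimestamp(start, tz=timezone.utc).date().isoformat()
        peaks[day] = max(peaks.get(day, 0.0), total * 8 / BIN_SECONDS)
    return peaks


def peak_spoofed_pps(flows: List[Flow], customer_prefixes: Dict[str, List[str]]) -> Dict[str, float]:
    """BCP38-style check: packets entering on a customer port whose source address is
    outside that customer's announced prefixes are spoofed. Returns, per customer,
    the highest spoofed packet rate in any 5-minute bin (zero-bin customers omitted)."""
    nets = {c: [ip_network(p) for p in ps] for c, ps in customer_prefixes.items()}
    per_bin: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        if f.in_port not in nets:
            continue  # peer ports carry no announced-prefix contract to check against
        if not any(ip_address(f.src) in n for n in nets[f.in_port]):
            per_bin[(f.in_port, bin_start(f.ts))] += f.packets
    peaks: Dict[str, float] = {}
    for (customer, _), pkts in per_bin.items():
        peaks[customer] = max(peaks.get(customer, 0.0), pkts / BIN_SECONDS)
    return peaks


@dataclass(frozen=True)
class FlowSpecRule:
    """Subset of BGP FlowSpec (RFC 5575) match components. FlowSpec matches per-packet
    length; flow records only give totals, so min_avg_len approximates that component."""
    proto: Optional[int] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    min_avg_len: Optional[int] = None

    def matches(self, f: Flow) -> bool:
        if self.proto is not None and f.proto != self.proto:
            return False
        if self.src_port is not None and f.sport != self.src_port:
            return False
        if self.dst_port is not None and f.dport != self.dst_port:
            return False
        if self.min_avg_len is not None and f.bytes / f.packets < self.min_avg_len:
            return False
        return True


# Constructed rule: drop large UDP datagrams sourced from port 123 (NTP reflection).
DEMO_RULES = [FlowSpecRule(proto=17, src_port=123, min_avg_len=400)]


def blocked_fraction(flows: List[Flow], rules: List[FlowSpecRule], victim_prefixes: List[str]) -> float:
    """Share of bytes destined to the victim prefixes that the rule set would drop."""
    nets = [ip_network(p) for p in victim_prefixes]
    total = blocked = 0
    for f in flows:
        if not any(ip_address(f.dst) in n for n in nets):
            continue
        total += f.bytes
        if any(r.matches(f) for r in rules):
            blocked += f.bytes
    return blocked / total if total else 0.0


if __name__ == "__main__":
    print("daily 5-min peak bps:", daily_peak_bps(SAMPLE_FLOWS))
    print("peak spoofed pps per customer:", peak_spoofed_pps(SAMPLE_FLOWS, CUSTOMER_PREFIXES))
    print("victim-bound bytes dropped:", blocked_fraction(SAMPLE_FLOWS, DEMO_RULES, CUSTOMER_PREFIXES["enterprise-B"]))
```

On the constructed records the spoofed check fires only on the second flow (10,000 pps on hosting-A's port), the 5-minute peak for 1 March is set by the second bin, and the one-rule set drops 98% of bytes bound for enterprise-B while leaving the TCP/443 flow untouched; the legitimate traffic that shares a rule's protocol and port is exactly what the `min_avg_len` component is there to protect.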