Arbor Networks says 2% of internet traffic “raw sewage”

By Janine de Blois

For the last 18 months Arbor Networks has been gathering data from ISPs using Peakflow SP systems in order to evaluate internet traffic and attack characteristics over time.

Chief Research Officer, Danny McPherson says, “We’ve currently got 68 discrete ISPs participating, covering over 100k interfaces on nearly 1300 routers, and peak inter-domain traffic rates are currently nearing 1.5 Tbps, which is a statistically significant number.”

They see an average of about 1300 Distributed Denial of Service (DDOS) attacks a day, nearly a million since they began the program. Some trends have emerged. Attack frequency drops significantly on Christmas Day, New Years Eve and New Years Day.

The most common attacks are internet relay chat (IRC) servers, though these are usually low scale attacks. The most common attack vectors are TCP SYN (the TCP three-way handshake) floods, with ICMP (Internet Control Message Protocol) floods being a close second.

Consistently, 1-3% of all inter-domain traffic has been comprised of these raw flood attacks-this does not include any other malicious traffic, such as spam, phishing or scans.

There have been peaks of these DDoS attacks at well above 5%, but not consistently. With other malicious traffic easily accounting for an additional 2% of consistent traffic, that means at least 4% of inter-domain traffic is junk.

The cost of the bandwidth being wasted on this is high for legitimate users. Arbor will be publishing a report on this data in the coming months.