On May 24, 2007, at 4:58 PM, Bill Woodcock wrote:
First of it's kind that it targeted a country.
No, at the very least, Moonlight Maze and Titan Rain came before. But by today's standards, Moonlight Maze would have been trivially small. I don't have any numbers for Titan Rain. Anyone know how it compared to the 4mpps of this attack?
A data point based on some information we have from looking at inter-domain traffic and attack attributes across ~40 ISPs (~1 Tbps) over ~250 days now (and rolling): Days seeing at least one attack exceeding a given threshold:
6 Mpps 1 5 Mpps 12 4 Mpps 33 3 Mpps 53 2 Mpps 91 1 Mpps 149
Total attacks exceeding a given threshold:
6 Mpps 1 5 Mpps 17 4 Mpps 82 3 Mpps 135 2 Mpps 352 1 Mpps 813
The above is from the perspective of *a single ISP*, so the aggregate of the attack is likely to be far greater (cross-ISP correlation of targets are NOT reflected in _this dataset). Mpps and greater attacks make up far less than 1% of the attacks we see (we've have data for ~142k known attacks over this period). More on this in the near future and note that none of the above is meant to marginalize the Estonian attacks in any way, 4 Mpps is a lot depending on where it's directed and how it's mitigated - it's ALL about perspective..... -danny