Slate Podcast on Estonian DOS atatck

Danny McPherson danny at
Fri May 25 01:56:04 UTC 2007

On May 24, 2007, at 4:58 PM, Bill Woodcock wrote:

>> First of it's kind that it targeted a country.
> No, at the very least, Moonlight Maze and Titan Rain came before.   
> But by
> today's standards, Moonlight Maze would have been trivially small.  I
> don't have any numbers for Titan Rain.  Anyone know how it compared  
> to the
> 4mpps of this attack?

A data point based on some information we have from looking
at inter-domain traffic and attack attributes across ~40 ISPs
(~1 Tbps) over ~250 days now (and rolling):

Days seeing at least one attack exceeding a given threshold:

 > 6 Mpps 1
 > 5 Mpps 12
 > 4 Mpps 33
 > 3 Mpps 53
 > 2 Mpps 91
 > 1 Mpps 149

Total attacks exceeding a given threshold:

 > 6 Mpps 1
 > 5 Mpps 17
 > 4 Mpps 82
 > 3 Mpps 135
 > 2 Mpps 352
 > 1 Mpps 813

The above is from the perspective of *a single ISP*, so the aggregate
of the attack is likely to be far greater (cross-ISP correlation of  
are NOT reflected in _this dataset).  Mpps and greater attacks make
up far less than 1% of the attacks we see (we've have data for ~142k
known attacks over this period).

More on this in the near future and note that none of the above is
meant to marginalize the Estonian attacks in any way, 4 Mpps is a
lot depending on where it's directed and how it's mitigated - it's
ALL about perspective.....


More information about the NANOG mailing list