Top daily DDoS attacks worldwide

Data

Where does this data come from?

The Digital Attack Map presents data gathered and published by Arbor Networks ATLAS® global threat intelligence system. ATLAS sources its data worldwide from 330+ ISP customers with 130Tbps of global traffic visibility who have agreed to share anonymous network traffic and attack statistics. Data is updated hourly and can also be found in Arbor's ATLAS Threat Portal. DDoS data ©2013, Arbor Networks, Inc.

How comprehensive is the data?

It is impossible to fully map all digital attacks online because of the changing nature and the scope of the problem. While the data represented in the Digital Attack Map is sourced from one of the most complete data sets available, it is an incomplete picture. The data may misidentify or exclude attack activity, and is intended to present high level trends in significant attacks as they are observed by Arbor Networks.

Why can't I see information about the attacker, or targeted website?

Digital Attack Map is tool for displaying global activity levels in observed attack traffic – it is collected anonymously, and does not include any identifying information about the attackers or victims involved in any particular attack.

Does an attack's source country indicate the location of the attacker?

Usually not. The source of an attack can (and often is) forged to appear as though it is initiated from a different location and, when accurate, usually represents the location of an infected computer being used in a botnet.

Countries with high bandwidth are prime locations for building botnets, so attack traffic will often be seen as coming from these countries even if the botnet is actually commanded from from somewhere else in the world. The destination can also be falsified, but that is less common.

Visualization

What is the Gallery?

The gallery page displays snapshots of interesting past attack activity from a particular day along with news stories from the same time.

Do the news results describe the attack activity seen on the map?

The news results and the map are only correlated by time. They are sourced from a normal web search, and are not necessarily related to the activity seen on the map. Most DDoS attacks are never reported in the media; if a report is published days after the attack takes place, it will not appear in the news section.

What source is used to create the map?

Geographical information from D3 and topojson libraries are used to create the map used in this data visualization.

Preventing Attacks

What can individual sites do to protect themselves from DDoS attacks?

To protect your website, you need to be able to block or absorb malicious traffic. Webmasters can talk to their hosting provider about DDoS attack protection. They can also route incoming traffic through a reputable third-party service that provides distributed caching to help filter out malicious traffic -- reducing the strain on existing web servers. Most such services require a paid subscription, but often cost less than scaling up your own server capacity to deal with a DDoS attack.

Google Ideas has launched a new initiative, Project Shield, to use Google's infrastructure to support free expression online by helping independent sites mitigate DDoS attack traffic.

What can hosting providers, ISPs and large organizations do to protect their networks?

Many products and services exist to protect large networks from DDoS attacks and prevent network resources from being used to amplify attacks. Arbor Networks, who provide data for this visualization, also offer a number of DDoS mitigation services. To find out more visit arbornetworks.com/research/what-is-ddos.

Are there internet-wide best practices that can mitigate the impact of DDoS attacks?

Through the continued collaboration of the many stakeholders involved in improving the Internet, a number of efforts can help to reduce the threat of DDoS attacks.

For example, ten years ago the Network Working Group of the Internet Engineering Task Force published BCP 38 (also known as RFC 2827) as a best practice guideline for how ISPs and hosting providers can filter fake IP addresses to reduce the impact of DDoS activity on themselves and others. Unfortunately, many ISPs have still yet to implement these best practices, preventing its benefits from being fully realized by the wider internet community.