UCSD RESEARCHERS ANALYZE PREVALENCE AND PATTERNS OF WORLDWIDE DENIAL-OF-SERVICE ATTACKS ON THE INTERNET

Thousands of attacks each week target home machines as well as high-profile servers and Internet routers

Contacts:
- David Moore, CAIDA, 858-534-5160, <info@caida.org>
- Diana Steele, Jacobs School of Engineering at UCSD, 858-534-2920, <dsteele@soe.ucsd.edu>
- Alexandra Kostenko, Asta Networks, 206-264-2444 x311, <alex@astanetworks.com>

UNIVERSITY OF CALIFORNIA, SAN DIEGO -- Using a new technique, UCSD network researchers from the San Diego Supercomputer Center (SDSC) and the Jacobs School of Engineering have analyzed the worldwide pattern of malicious denial-of-service (DoS) attacks against the computers of corporations, universities, and private individuals. The attacks disable Web servers on the Internet by overloading them with messages, which usually contain false source addresses to conceal the locations of the attackers. But in a clever twist, the researchers used key features of these messages' forged signatures to detect and track the attacks.

"We believe that our research provides the only publicly available data quantifying denial-of-service activity in the Internet," said David Moore, a senior researcher in UCSD's Cooperative Association for Internet Data Analysis (CAIDA) program at SDSC. Moore and UCSD Computer Science and Engineering professors Geoff Voelker and Stefan Savage have devised a new technique called "backscatter analysis" that gives an estimate of worldwide denial-of-service activity. Their research enables network engineers to understand the nature of recent attacks and to study long-term trends and recurring patterns of attacks.

The researchers collected and analyzed three week-long data sets to assess the number, duration, and focus of attacks, and to characterize their behavior. In these three time windows, they observed more than 12,000 attacks against more than 5,000 distinct targets, ranging from well known e-commerce companies such as Amazon.com and Hotmail to small foreign Internet service providers and even individual personal computers on dial-up connections. Some of the attacks flooded their targets with more than 600,000 message packets per second.

"We were a bit surprised by what we found," Voelker said. "First, a significant percentage of attacks are directed against home machines, users with dial-up and broadband modem connections. Some of these attacks -- especially those against cable modem users -- can be pretty severe, with rates in the thousands of packets per second. This suggests that minor denial-of-service attacks are frequently being used in personal vendettas."

A small but significant fraction of attacks are directed against network infrastructure. Between two and three percent of attacks target name servers, and one to three percent target routers. The researchers view this as particularly disturbing, since overwhelming a router could deny service to all end hosts that rely upon that router for connectivity.

"We also were surprised at the diversity of commercial targets," Moore explained. "We expected to see attacks on high-profile Internet sites, including aol.com, akamai.com, amazon.com and hotmail.com -- and we did. But we also saw attacks against a large range of smaller and medium-sized businesses."

"We saw an odd, disproportionate concentration of attacks toward a small group of countries," Savage said. "Surprisingly, Romania (.ro), a country with a relatively poor networking infrastructure, was targeted nearly as frequently as the .net and .com top-level domains, and Brazil (.br) was targeted almost more than .edu and .org combined. Canada, Germany, and the United Kingdom each were targeted by one to two percent of the attacks."

The majority of victims (65%) were attacked only once, and many of the remaining victims (18%) were attacked twice. Most victims (95%) were attacked no more than five times. But a handful of sites were attacked quite often. In the trace period, one host was besieged 48 times by attacks that lasted from 72 seconds to five hours (at times simultaneously). Five victims were attacked 60 to 70 times, and one unfortunate victim was attacked 102 times in the course of a week.

A summary of the researchers' methods and results was presented on May 21 at the spring 2001 meeting of the North American Network Operators' Group (NANOG) in Scottsdale, Arizona. The preprint of a complete technical paper to be presented on August 15 at the 2001 USENIX Security Symposium in Washington D.C. is available on the Web at https://catalog.caida.org/paper/2001_backscatter/.

"To conceal their identities, attackers usually forge -- or 'spoof' -- the IP source address of each packet they send in a denial-of-service flood, so the packets appear to the victim to be arriving from one or more third parties," said Savage, who is also chief scientist of Asta Networks. "The key to our technique is that most automated flood recipes select a random source address for each packet sent. The victim receives a spoofed packet and tries to send an appropriate response to the faked IP address; because the attacker's source address is selected at random, the victim's responses are scattered across the entire Internet address space, an effect called 'backscatter.'"

By observing a large enough address range, the researchers can effectively sample all such denial-of-service activity on the Internet. Contained in these samples are the identity of the victim, information about the kind of attack, and a timestamp with which they estimated attack duration. They also used the average arrival rate of unsolicited responses directed at the monitored address range to estimate the actual rate of the attack being directed at the victim.

A number of people contributed to the attack analysis effort. David Wetherall and Gretta Bartels at Asta Networks donated their time, data, and insight. Brian Kantor and Jim Madden of UCSD provided access to key network resources and clarified the local network topology. Vern Paxson of ACIRI and K. Claffy and Colleen Shannon of CAIDA provided assistance and valuable advice. Support for this work was provided by DARPA NGI Contract N66001-98-2-8922, NSF grant NCR-9711092, and Asta Networks.

CAIDA is a program of the San Diego Supercomputer Center (SDSC), an organized research unit of UCSD. CAIDA creates tools and technologies for Internet measurement, message traffic analysis, and network topology visualization for use by network engineers and researchers. CAIDA also sponsors education and outreach efforts such as the Internet Engineering Curriculum Repository.

UCSD's Department of Computer Science and Engineering, a division of the Jacobs School of Engineering, is ranked among the top 20 such departments in the country. The faculty excel in a wide variety of fields, including Internet technologies, bioinformatics, security and cryptography, high-performance computer architecture, VLSI, distributed systems, databases, software engineering, parallel computing, artificial intelligence, and theoretical computer science.

For more information on CAIDA, see https://www.caida.org/. For more information on SDSC, see http://www.sdsc.edu/. For more information on the Department of Computer Science and Engineering at UCSD, see http://www.cs.ucsd.edu/. For more information on Asta Networks, see http://www.astanetworks.com/.