May 22, 2001 2:55 PM PDT
Study: Sites attacked 4,000 times a week
- Related Stories
Hackers cripple White House siteMay 4, 2001
Attack slows auction service siteMarch 21, 2001
New attacks block access to Microsoft sitesJanuary 26, 2001
Internet companies begging for attack, experts sayJanuary 26, 2001
Attack knocks out Microsoft Web sitesJanuary 25, 2001
How a 'denial of service' attack worksFebruary 9, 2000
Among the common targets are some names that come as no surprise: Amazon.com, America Online and Microsoft's Hotmail. However, a large number of individual users and small businesses were targeted by attacks as well, the researchers found.
"We believe our research provides the only publicly available data quantifying denial-of-service activity in the Internet," said David Moore, senior researcher with the San Diego Supercomputer Center's Cooperative Association for Internet Data Analysis and the primary author of the paper.
Denial-of-service attacks attempt to overload or crash computers connected to the Internet so people can't access them. A common type of attack, called a flood attack, aims to overload a targeted computer with so much data that it can no longer process legitimate access attempts.
In early May, vandals used just such an attack to swamp Whitehouse.gov, the public-relations Web site of President George W. Bush, essentially removing it from the Net. Online hooligans attacked Microsoft in January with a similar attack, causing headaches for the company over a two-day period.
While such incidents are occasionally reported in the media, no one had previously determined how prevalent the actual attacks were, Moore said.
The key to the research, he said, was a technique known as "back scattering."
When a computer is attacked, it generally can't determine that the sent data is bogus, so it attempts to reply to every incoming data packet. Yet, the most common denial-of-service attack programs randomize the address from which the data seem to have come. The result: The victim's computer will send replies to each of the random addresses, essentially "scattering back" responses, which can signal that it's under attack.
Moore and his colleagues collected such replies by listening to a large segment of the Internet--known as an A-class network and amounting to a collection of 1/256 of the total number of Internet addresses. While the researchers would not identify the large network, they did say that it harkens back to the founding of the Internet and today is essentially "dead space" and not normally used.
Because the UCSD researchers control all traffic to the large network, they can easily decern which data is legitimate and which is indicative of an attack. By recognizing that several addresses are receiving replies from a single server, the researchers can peg the server and identify the victim.
"We saw an odd, disproportionate concentration of attacks towards a small group of countries," said Stefan Savage, a professor of computer science at UCSD, also an author of the paper. "Surprisingly, Romania, a country with a relatively poor networking infrastructure, was targeted nearly as frequently as the .net and .com top-level domains."
Savage is also a co-founder of Asta Networks, a Seattle-based maker of software for protecting networks against denial-of-service attacks. Geoff Voelker, also a professor of computer science at UCSD, was the paper's third author.
Though more than 4,000 attacks were spotted in each of the three weeks during which the team monitored the Internet, more than half of those attacks lasted less than 10 minutes, Savage said.
Savage stressed that the study is not complete, but is the best estimate to date of the prevalence of such attacks. "There are a number of other attacks we cannot see," he said.