SEATTLE–(BUSINESS WIRE)–May 21, 2001–
Study Verifies More than 12,000 Attacks Against 5,000 Targets Including Major Internet Companies
Asta Networks, a network reliability company, announced today research that provides a breakthrough for understanding the scope and dimensions of the problem of Denial-of-Service (DoS) attacks plaguing the global Internet.
Over the course of a three-week period, the study showed that 12,805 attacks were launched against more than 5,000 distinct targets, representing a conservative glimpse into the actual number of DoS attacks that occur on the Internet. The targets ranged from well-known companies such as Amazon.com and AOL to small foreign ISPs and broadband users.
Professor Stefan Savage, co-founder of Asta Networks, conducted the study at the University of California, San Diego along with colleagues David Moore and Geoff Voelker. Their goals were to assess the number, duration, and focus of DoS attacks and to characterize DoS attack behavior. Asta Networks provided data that qualitatively confirms the research based on the deployment of the limited release of its product for protecting networks from DoS attacks. The study is believed to be the only publicly available data quantifying Internet-wide DoS activity.
“When we founded Asta Networks a year ago we knew that DoS attacks were one of the toughest problems on the Internet. At that time the industry could only speculate that the problem was also immense and widespread,” said Stefan Savage, chief scientist of Asta Networks and professor of computer science at the University of California, San Diego. “We now know with certainty that DoS attacks are even more powerful and prevalent than any one organization has let on. The knowledge and insight Asta Networks has gained from this research is critical to building the most effective way to detect and respond to these attacks.”
Threats to Business Proven
The study found that the attacks against commercial targets are extremely diverse and have the power to significantly hamper service on a wide range of networks. Targets ranged from bellwether Internet companies including AOL, Akamai, and Amazon.com to a range of smaller and medium-sized businesses. The majority of the attacks monitored were fast enough to overwhelm existing attempts to solve DoS. For example, recent experiments show that one common type of DoS attack requires only a rate of 500 packets per second to overwhelm a standard server. In the study, nearly half of all attacks reached this intensity, and some of them exceeded it by 1200 times.
The study also showed that a significant percentage of attacks are directed against network infrastructure components, including domain name servers and routers. These attacks are especially devastating because overwhelming a domain name server could deny service to all Web sites that rely upon that server.
Additional Findings of the Study
The study concluded that DoS attacks come in all shapes and sizes and can be targeted at nearly anyone. Some of the specific findings follow:
- Attack duration can range from minutes to several days. The research showed that most attacks are relatively short: 50 percent of the attacks found were less than ten minutes in duration and 90 percent were less than one hour. Two percent of the attacks were greater than five hours and dozens spanned several days or weeks.
- No country is immune. Even countries with relatively poor networking infrastructure were targeted with DoS attacks during the course of the study. Web sites in Romania were hit nearly as frequently as domains ending in .net or .com, and Brazil was targeted almost more than .edu and .org combined. Targets in Canada, Germany and the United Kingdom were also hit frequently, and several attacks were directed at Belgium, Switzerland and New Zealand. China Telecom was the target of one particularly massive attack.
- Attacks can be relentless. Overall, most targets were attacked five or fewer times. However, five targets were inundated with traffic between 60 and 70 times, and one unfortunate victim was besieged 102 times in one week.
- Home machines are also at risk. A significant fraction of attacks was directed at home machines, either dialup or broadband. Some of these attacks constituted large, severe attacks, suggesting that DoS attacks are frequently used to settle personal vendettas.
About the Study’s Methodology
The study was based on the observation that most programs that launch DoS attacks select source addresses at random in order to conceal the source of the packets and further hide the identity of the hacker. Since the attacker selects source addresses at random, the targets’ unintended and automatic “responses” to the attack are distributed across the entire Internet address space, an inadvertent effect called “backscatter.” For the study, the researchers were able to monitor the only inbound link into a network comprising approximately 1/256th of the total Internet address space. Over the course of the experiment almost 200 million backscatter packets were observed.
The findings of the study are conservative with respect to the number, length, and size of attacks due to the limitations of the backscatter method of detection. Once a particular target reached its capacity it might shut down, therefore stopping the backscatter.
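The backscatter arithmetic described above can be sketched as follows. This is an added example, not code from the study or from Asta Networks: it groups observed response packets by victim and scales the observed rate by 256 to estimate the attack rate. The sample records, the one-second timestamps and the 300-second idle gap that separates two attacks are assumptions; the estimate is a lower bound because it presumes uniformly random spoofed sources and a victim that keeps responding.

```python
from collections import defaultdict

MONITORED_FRACTION = 1 / 256   # share of the address space observed (from the text)
SERVER_LIMIT_PPS = 500         # rate the text says overwhelms a standard server
IDLE_GAP_S = 300               # assumption: silence that ends one attack

def group_attacks(packets, idle_gap=IDLE_GAP_S):
    """Split (timestamp, victim) backscatter observations into attacks."""
    by_victim = defaultdict(list)
    for ts, victim in packets:
        by_victim[victim].append(ts)
    attacks = []
    for victim, times in by_victim.items():
        times.sort()
        start = prev = times[0]
        count = 1
        for ts in times[1:]:
            if ts - prev > idle_gap:           # long silence: close this attack
                attacks.append((victim, start, prev, count))
                start, count = ts, 0
            prev = ts
            count += 1
        attacks.append((victim, start, prev, count))
    return sorted(attacks)

def report(packets, fraction=MONITORED_FRACTION):
    """Estimate each attack's rate at the victim from what the monitor saw."""
    rows = []
    for victim, start, end, seen in group_attacks(packets):
        duration = end - start + 1             # inclusive, one-second resolution
        est_pps = (seen / duration) / fraction # scale up by 256
        rows.append({"victim": victim, "duration_s": duration,
                     "observed": seen, "est_pps": est_pps,
                     "overwhelms": est_pps >= SERVER_LIMIT_PPS})
    return rows

# Constructed sample: source address of each response = the attacked host.
SAMPLE = [(t, "192.0.2.10") for t in range(60) for _ in range(2)]
SAMPLE += [(t, "198.51.100.7") for base in (1000, 5000)
           for t in range(base, base + 30)]

if __name__ == "__main__":
    for row in report(SAMPLE):
        print(row)
```

Two observed packets per second at the monitor correspond to an estimated 512 packets per second at the victim, which is above the 500 packets-per-second figure quoted earlier.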
Asta Networks’ Product
Asta Networks’ first product, which will be broadly released in June, is designed to detect, locate, and counter even the most clever and severe attacks. This product addresses not only the diverse types of attacks shown in this study, but also “Pulsing Zombies” and other new attack trends the company has recently identified during its initial deployments. “Pulsing Zombies” refers to the latest generation of zombies that send pulses of attack traffic at the intended target. The discontinuous nature of these attacks makes detection and location of these sources far more difficult. Another key trend is what Asta Networks calls “the new DoS,” in which service is not denied but degraded, with links unnecessarily burdened by significant amounts of bad traffic. Today most businesses pay for bandwidth on a per-usage basis, meaning that this type of DoS attack not only slows performance, but significantly increases costs, especially since these types of attacks often go undetected for long periods of time.
Presentation of the Research
Professor Savage will be presenting preliminary results from the research today at NANOG, a conference for network operators being held at the Metropolitan Phoenix in Scottsdale, Ariz. The final version of this study will appear in a paper at the USENIX Security Symposium held in Washington D.C. from August 13th-17th. Savage will also be providing the latest information on DoS attacks and defense methods at the Internet Security Conference, being held June 6th at the Century Plaza Hotel in Los Angeles. For additional information about the study, please visit http://www.astanetworks.com.
About Asta Networks
Asta Networks develops software and services that increase the reliability, predictability and manageability of networks. This is done through a distributed, scalable system that bridges the gap between network providers and their customers to provide insight into, and control over, network traffic. The company’s initial product is the first proven solution to automatically detect and respond to DoS attacks.