Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
The Internet

Study on DoS Activity In The Internet 53

Posted by Hemos from the looking-under-the-hood dept.
Random Walk writes "A group of researchers from the UCSD Supercomputer Center has used a technique they call "backscatter analysis" to study the prevalence and targets of DoS attacks. They claim that their study is "the only publically available data quantifying denial-of-service activity in the Internet", and provide interesting statistics on attack rates, durations, and victims." CT:This is an amazing report.
This discussion has been archived. No new comments can be posted.

Study on DoS Activity In The Internet More

Study on DoS Activity In The Internet

Comments Filter:

  • Re:That's it? (Score:1)

    by Anonymous Coward
    What version of DOS is it up to now? 6.2? 7.0? And does anyone know the nake of a good DOS web browser? Hell, I thought DOS was dead. Good to see some people still using it.

  • lots of addresses (Score:2)

    by Anonymous Coward

    I found the paper really interesting. The methods and techniques seem reasonably sound for establishing a lower bound for "significant" attacks. But I'm disturbed that in the midst of the IPv4 address-space crunch where getting a /19 out of ARIN is practically impossible, the researchers were allowed to use a /8 network that was totally unutilized (or if that wasn't true, their data are seriously problematic).

    They say themselves -- they were monitoring backscatter traffic by observing any traffic sent into an unused network address space comprising 1/256th of the total IPv4 space.

  • Breaking news! (Score:5)

    by Anonymous Coward on Wednesday May 23, 2001 @08:10AM (#203376)
    This just in:

    In what many people are calling a sick twist of fate, the Supercomputer Center was hit with a Denial of Service attack shortly after issuing a study on the prevalence and target of DoS attacks. While details are sparse at this point, that attack is rumored to have been a "Slashdot-effect" attack. The leader of the "Slashdot" group of hackers, CmdrTaco, could not be reached for comment. His partner in crime, Hemos, was quoted as saying, "Ph34r the sl4shd0t 3ff3ct!" More details to follow as they become public..
  • That these places always publish their documents in some wimpy quiche-eating format like PDF and postscript only?

    PDF and postscript are excellent for hardcopies, but they're not distributing hardcopies. They're distributing electronic copies.

    I suppose it's just WAY too difficult to run their PDF through a filter to convert it from PDF to HTML or text. Of course, I could do it myself, but I'm a slashdot poster, and I whine, I don't actually do anything proactive.

  • Microsoft's DNS actually went down two days in a row. The first day was a router misconfiguration. I remember because a lot of my office was having problems with IE loading its default homepage (msn.com). After checking things out it was pretty clear that even with an ip address from whois for their dns servers that traceroutes died at an MS router. i.e. you could get to the DNS router that was doing the round robin for the DNS servers, so it wasn't being DoSed. Go to this Wired article [wired.com] where Microsoft spokespersons admit that it was a router misconfiguration. And we know that Microsoft's PR people are always putting down Microsoft products and services as being the worst.

    After the 23 hours it took Microsoft to figure out it had a bad router config, the skript kitties obviously decided that this poor router had to be rebaptised in a stream of packets, a veritable flood of packets. I don't condone it, but the fact that MS took 23 hours to figure out they had a bad router config causing them a DoS and took another few days to decide that they should outsource their DNS to someone who could provide a distributed and reliable service shows a top heavy beast that could not compete without the monopoly (District Court ruling stands until the Milton Friedman acolytes on the Appeals Court hand down a verdict as a resume addendum to Dubya for selection to the Supreme Court.) power that they possess.

  • Maybe a little off topic but congress just published a report [gao.gov] on FBI's National Infrastructure Protection Center. It deems the FBI imcompetent and nothing more than a incident report function. DOS is covered in details. TheRegister has a good [theregister.co.uk] write up today.
  • From the article in the first few paragraphs, talking about denial of service attacks:
    Microsoft's name server infrastructure was disabled by a similar assault.

    No it wasn't. Microsoft just fucked up with the ONE router that had their DNS traffic going through it.

    Makes me want to give up reading if it's going to be crap like that.

    Bah.

    --
    Delphis
  • From yours and the other posts, thankyou. Seems I got the wrong end of the stick. I could have sworn I heard at first that it was a configuration or failure of the router that brought MS's DNS down - not a denial of service attack.

    No, I have no love for Microsoft either, that's true. :>

    --
    Delphis
  • Ah.. thanks for that information. 23 hours is crazy to get it fixed. It seems the Microsoft marketing machine has done well to cover this little factoid up :>

    --
    Delphis

  • Contrariwise, every day I can download a paper in PS or PDF and not in Word is a good day.

    Caution: contents may be quarrelsome and meticulous!

  • Can carpet bombing be justified? (Score:5)

    by BeBoxer ( 14448 ) on Wednesday May 23, 2001 @09:58AM (#203384)
    As somebody who has had to deal with the fallout of these attacks more than once, I would say no. They are never justified. If you are flooding enough traffic to affect the target, you are almost certainly affecting lots of other people who just happen to share a pipe with the target. If you DoS some web site, what do you think that does to other sites on the same server? Other folks who just happen to be at the same co-lo site? What about the folks who just happen to have the same local or upstream ISP? Is it OK for me to DoS you because I don't like your neighbor? Is it OK for me to DoS all of optonline.net because I don't like your political views?

    Even if you accept the premise that it's OK to DoS innocent people, a DoS is a piss-poor political statement. No body is going to notice at all. If I find that riaa.org is unreachable, am I going to suddenly telepathetically reach some conclusion about their politics? No. If you want to make a political statement, you have to actual say something. Merely screaming nothing at the top of your lungs accomplishes nothing.
  • Could be. Of course, considering that CmdrTaco's contribution to this story consisted of the words "random," "walk," and "writes," I'd suggest that the shell script theory might be somewhat flawed in this case.
  • So CmdrTaco is posting as Hemos now?

    --
  • insecure vs. unsecure(d).

    English is not my mothers tongue but I have this feeling that an insecure computer would be a form of artificial intelligence.....

  • /. forgot to mention that the paper is in PDF or PostScript.

    I don't understand, they always seem to mention that fact and the fact that the NY Times is a free registration. :P

    --
  • I can understand brazil being targeted for DoS attacks due to the amount of spam originating there.

    Why would Romania be on someone's shitlist?

    Surprisingly, Romania (ro), a country with a relatively poor networking infrastructure, was targeted nearly as frequently as net and com.
  • That's an interesting limitation. Do any of the kiddie tools support the "targeted backscatter" technique you describe? If so, that could be a really significant limitation.

    Regardless, their study is probably useful at gauging the frequency of attacks that aren't truly massive enough to attract widespread notice. Some of those do seem to reveal more sophistication than this technique would catch. Yahoo attacks and the Microsoft DNS attack seem to have revealed a certain amount of awareness of network structure. But as a technique of measuring attacks that aren't otherwise widely reported, this study is an order of magnitude more interesting than anything I've seen before.

    I've personally noticed what I believe to be "backscatter" - large, brief ping floods that are too small or brief to be an actual DoS.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

  • xpdf& (Score:1)

    by Sogol ( 43574 )
    Try reading the paper before you post. It is one of the best things I have read on the subject, and addresses the things that are being "pointed out" in previous posts. (not a troll, just a recommendation)

  • Its just like any violent protest. Everyone has a breaking point.

    I'm not sure if its a very good form of protest, it might get a few lines in a newspaper article but doesn't make for good film at 11.

  • Since they say they are probably underestimating the number of actual DoS attacks because of their limited assumptions, I wonder how many DoS attacks are really happening each day. I was actually surprised at the number they were able to personally witness in their limited study (5,000 distinct hosts over 3 weeks). I figured DoS attacks were just a once in a blue moon kind of thing. It amazes me that all those script kiddies are so bored as to like doing this so much. The actual number of attacks must be like 2-3 times that amount. Crazy. I guess that's why we need more research like this.

    --

  • You can view Stefan Savage (one of the paper's co-authors) giving a lecture on his findings at http://stanford-online.stanford.edu [stanford.edu]. The lecture is only about 50 minutes. Click on "View Free Seminars" and then on the link for "CS548 Internet and Distributed Systems Research Seminar". The lecture is from May 16th.

    Sorry, the only format is streaming Windows Media.

    -Sverker

  • Theories in DoS (Score:3)

    by joq ( 63625 ) on Wednesday May 23, 2001 @01:04PM (#203395) Homepage Journal

    Nicely written document although they should have focused likewise on posting some methods to circumvent DoS attacks. Many networking, and security admins, know of the problems arising from DoS, yet there are scores of them who know little about protecting their infrastructure from an attack.

    Personally I think its a trivial job to halt denials of service attacks, but it can be done, and what someone should create is a framework for ISP's, Colleges, whoever has a networking propagating info out, to follow that shows them how to enable engress filtering so no attacks come out of their network, and an equally likewise doc that shows preventive measures.

    Everyone, and their BOFH mother thats on the net, knows the effects of a DoS attacks, or what a DoS attack is, but a fraction of them know what to do about it.

    Anyways for some of those admins, I have a doc called Stopping DoS [antioffline.com] which is a die hard "this-is-what-you-do-on-this-hadware" to limit DoS attacks, as well as a s(emi)tudy paper called "Theories in DoS [antioffline.com]" which is a higher protocol level look at Denials of Service, which provides a framework look into future avoidances of them.

    P.S. These are docs I wrote out of spare time, etc. nothing more, so don't expect any RFC based documents such as this paper thats linked.

  • 1) Right now, any insecure computer can be cracked for use in a DoS attack, thereby indirectly implicating an innocent person. Anyone can get hijacked in this way and framed for another attack, particularly if the investigators choose not to trace back to the original source.

    This is something that is bugging me right now. I got myself cracked on New Year's Eve. It was my own stupid fault, I had forgotten to patch ftpd and some little wiener had installed a root kit through it. As luck would have it I was in bed with the flu and happened to notice the flashing lights on my cable modem so I got the machine unplugged right away.

    Here's the thing that's bothers me. If I hadn't noticed for a day or two and the script kiddie had gone and used my machine as a place to crack from or if he used it as a node is a DDOS attack how responsible am I. It is partialy my fault the machine got comprimised but how much trouble could I get in when the federales came and busted down my door. I honestly belive that if some subsequent attack had been traced back to my box and the feds found out it ws owned by a mid 20s UNIX geek type guy I could really been in for some grief. I would at least get all my machines confiscated for "evidence".

    Something to think about anyways.
  • Although it'll work well at first, using a /8 network (or several /16s later in the paper) for this sort of testing could become inaccurate if DoS tool authors start making their tools avoid choosing source addresses that they know may lead to detection.

    What someone should really do is set up a kernel module and/or userspace app that reports unusual packets back to a data-gathering server. Because the reporting machines would be scattered all over the place there's no practical way to avoid them, and they'd get a good pool of backscatter.

    Of course, the data-gathering server would probably get DoSed in short order...
    --

  • Merely screaming nothing at the top of your lungs accomplishes nothing.

    I love that observation of what a DoS attack is. The image it brought to mind was of a teacher/parent overwhelmed by a group of three year olds. This is appropriate since this is the typical maturity level of the individuals who launch these attacks.
  • 44 is "Amateur Radio Digital Communications [arin.net]". (Here's a list of all class As [columbia.edu]; UCSD doesn't figure in it.) Though the most obvious reading of the document is that the experiments were carried out there, they don't say that explicitly, and indeed there are other places which would seem more likely choices. Odd that they don't say where it was, though.
    my plan [gospelcom.net]
  • Sorry. Should have checked the coordinator name for 44.0.0.0/8: "Kantor, Brian (BK29-ARIN) brian@UCSD.EDU". Looks like this was the block they were using, then.
    my plan [gospelcom.net]
  • No. This is wo be self-administered justice and cannot be justified.

  • Analyzing the backscatter traffic from attacks is actually a very well-known technique among firewall admins and other security practitioners.

    lcamtuf's wtfs project [coredump.cx], for instance, has successfully used this kind of distributed monitoring to discover many interesting probes, including Hotmail's stealthy reverse tracerouting, strange behaviour from f5 load balancers, as well as many actual attacks and scans, by monitoring unused /16s and random hosts across the net.

  • Yeah ... the zombie is part of the issue but you've got to realize that this is just not gonna end.

    The key is to go after the zombies but also go affter the traffic. I was not shocked by the findings of the report but I've gotta wonder how much of this DoS tarffic is eating up bandwith that I've gotta pay for.

  • Most of my job revolves around Denial of Service attacks. I work for a company that writes server software; it is my responsibility to benchmark that server software on an array of different hardware platforms and configurations. The best way to benchmark this software is to run a series of DoS attacks against the server to find out what the server can't handle. By fine-tuning the DoS attack, we can ascertain exactly what we can handle. Once the barrage is over, we can then sell the software on the hardware platform and claim that it can sustain a specific level of performance.

    So I guess there are even non-political, ethical justifications for DoS attacks.

    Moreso, isn't DoS precisely what companies like Mercury Interactive [mercuryinteractive.com] and Keynote [keynote.com] do when they try to slam your webserver so you know whether you need to buy more server processing power, etc.?

    ::Colz Grigor
    --

  • I think I own a porno of the same name. *Ba-doom sha* Another example of a worthless study clogging /., please for the childrens sake, stop the insanity!

  • Re:CmdrTaco replaced by Shell Script? (Score:3)

    by seanmeister ( 156224 ) on Wednesday May 23, 2001 @08:20AM (#203406)
    What do you mean, "replaced"? ;-)

    --
  • Let's send these guys the address of any little site that's being Slashdotted.

  • Slashdot reads like CmdrTaco has been replaced by a very small shell script. Every other article is "interesting", if a hard disk is mentioned he will tell us "personally" how he would use it for MP3s, and any display technology will be used to play games. Not to mention the same spelling errors over and over again. Has Slashdot become a Turing test or what?
  • I was expecting the number of DoS attacks to be higher. Being on IRC a lot, I see a number of small single user DoS attacks made.
  • While your comment points out a good point, I would strongly not reccomend running xpdf& on the document. The problem is this will fork it into the background, assuming that the reader understands how to properly use a terminal and is running X Windows. Many times due to enviromental variables beyond the average users control/knowledge the application will go off into void space. This is a problem for the Slashdot Posting Joe, who by now has given up on reading and is thinking of a new goatse.cx link to post. It is my conclusion that you should therefor use xpdf, NOT forking it into the background, so you will clearly see any errors stated. Thank you.

  • Romania is a hotbed for (h|cr)acking (Score:3)

    by ShaunC ( 203807 ) on Wednesday May 23, 2001 @01:40PM (#203411)
    PortSentry, the stateful firewall I use on my linux box, picks up a ton of attempts from .ro domains. A friend of mine had his box owned by a .ro. Someone from a .ro host ran a CGI-scanner against one of my commercial websites, generating about 3,000 404 email reports in 10 minutes. A lot of fraudulent orders (on that same site) come from IPs in Romania.

    I get more problems from Romania than I do from Russia. For a country with such a "poor networking infrastructure," they have no shortage of crackers and carders. And it doesn't surprise me in the least that they're getting their punk asses DoS'd!

    Shaun
  • No. Ddos is repression.. If the anger of the Ddos attackers keep me from expressing my ideas or reading the ideas of others they are repressive. Ddos is a theft, you are stealing bandwidth I paid for. Ddos attacks keep network engineers busy on resolving them instead of improving thruput and maintainig systems I paid to use. There is NO excuse ever.
  • No way.
    The perl script just needs some debugging.

  • This report sounds similar to the "Resiliance of the Internet to Random Breakdowns" report that was on Slashdot a while ago, from the Online Journal Publishing Service (Physical Review Letters, or something). While, yes, in theory, the Internet could still operate with 99% of its nodes nonfunctional, most of the content of the Internet would be lost in the 99% that went down.

    It seems like it would be similar here. I will state right off that I have not had the time to read the article yet, since I'm writing this message from on the job, but it sounds to me like it's just looking at raw numbers, and not the implications of those numbers. The sites that were attacked were high-profile sites, such as Amazon.com, yahoo.com, ebay.com, microsoft.com, and such - sites that the orchestrators were trying to make a point by attacking. If you look at the number of machines used, etc... you get an idea of the attacker's technical savvy, but not necessarely their motives.

    Anaylizing raw data is good, but when it comes to humans, it is very hard to reduce human behavior down to a series of numbers in a table. Of course, my conclusion may change on reading the paper in more detail later this afternoon.

    Seven out of ten statisticians say that all statistics are meaningless.

  • Yay, analysis. (Score:3)

    by perdida ( 251676 ) <thethreatproject@@@yahoo...com> on Wednesday May 23, 2001 @08:07AM (#203415) Homepage Journal
    While I am pleased that there is a scientific mapping of DoS attacks I would like to take the opportunity to point out certain dynamics in DoS attacking, particularly if used as a disinformation and political tool by government.

    1) Right now, any insecure computer can be cracked for use in a DoS attack, thereby indirectly implicating an innocent person. Anyone can get hijacked in this way and framed for another attack, particularly if the investigators choose not to trace back to the original source.

    2) DoS and other infowar techniques have been used by the political opponents of Indymedia [indymedia.org] and other "subversive" websites. I am not referring to the Indymedia subpoena related to the Quebec protests, which was referred to earlier on this site, but to the simple denial of service that crashes these things when they are needed most.

    3) Lets say that there is, hypothetically, some politically motivated DoS going on. If so, it;s quite silly and wasteful. The sites that are being DoS'ed are usually those prominent targets, big corporations and government sites which are sometimes capable of holding off attack but are always capable of sending many goons after you. Might I suggest that there are more effective ways of using technology as a political tool.

  • Owing to the potential for malfunctioning devices, misconfigured systems, etc. to generate traffic that might appear as a DoS attack under their definitions (they stuck to flooding attacks), I wonder if they drew a line, below which something did not qualify as an attack? And if so, where did they draw the line, and how many script kiddies' actions fell below it?
  • You've all probably seen this already, but you may be interested in the /. Random Story Generator [bbspot.com]
  • 3.3 Analysis limitations

    There are three assumptions that underly our analysis:
    * Address uniformity: attackers spoof source addresses at random.
    This seems to me to be a currently acceptable assumption IF the attacks are of an unsophisticated/sophomoric nature; however, if the attackers are attempting to cause maximum utilization of the target network's resources, the attackers most likely will not use a randomly distributed source address. In fact, the optimal employment of spoofed addresses will likely be some subset of the addresses employed by the target's network.

    Most networks have a single route to the rest of the internet. directing traffic through this router is a lot more likely to cause problems than packets that are handled within the network.

    A limitation that makes more sense is "valid" ip addresses only. And it's simple to do - just pick a class A like 198.* that way you eliminate 10.* and 255.* which are might be filtered before they reach the main router. Since most IP's are valid (in that they get routed somewhere) this only makes a tiny difference in attack performance, but hey - every little bit hurts.

    The statements above do not necessarily reflect the authors opinion.

  • Interesting... I'm a writer, and a while back I had an idea for a novel about a group of grey hats called JiHAD who would go around bombing, cracking, DoSing, etc., etc. various parties opposed to free speech & human rights etc.

    The concept would be something akin to Spiderman: wisecracking hero, hated and pursued by cops, but who does manage to give the bad guys their just desserts (tangling with a web, appropriately enough...)

    The first chapter would involve our hero, on the anniversary of the Halloween memo incident, anonymously bringing to light hundreds of incriminating documents that he has "liberated" from some of M$'s most private servers....

    What do you think? Do you think it has potential?
  • I just don't understand it. I got moderated down as "offtopic". Since when did humor have to be "on topic"? Some folks got no sense of humor, I guess...
  • CERT appears to be conducting some additional research in this field right now. http://news.cnet.com/news/0-1003-200-6016900.html
  • Was I the only one to find this funny?

  • When random. . . isnt'. (Score:5)

    by RalphTWaP ( 447267 ) on Wednesday May 23, 2001 @08:21AM (#203423)
    Quoted from the article above:

    *begin quote*

    3.3 Analysis limitations
    There are three assumptions that underly our analysis:
    * Address uniformity: attackers spoof source addresses at random.

    *end quote*

    This seems to me to be a currently acceptable assumption IFF the attacks are of an unsophisticated/sophomoric nature; however, if the attackers are attempting to cause maximum utilization of the target network's resources, the attackers most likely will not use a randomly distributed source address. In fact, the optimal employment of spoofed addresses will likely be some subset of the addresses employed by the target's network.

    It seems likely in light of this that the "backscatter technique" outlined here, while useful, may not record the attacks engineered by more sophisticated attackers.


    Nietzsche on Diku:
    sn; at god ba g
    :Backstab >KILLS< god.
  • While we're on the subject, I'm interested in the Slashdot community's opinion on DoS. Is anyone in support of it in special circumstances? For example, would you support it if it were politically justified? I'm not talking about anything and everything one disagrees with, but what about cases of blatant human rights violations? Comments?
  • What's amazing is the level of hate people have towards MS that they let it distort things. The attack was a DoS attack, it just happened that they only used one router with all of their DNS on the same subnet. People make mistakes, regardless of how big the company.

    --------------------------------------------------
  • We tried to be quite clear that the methodology we used is generally conservative and likely underestimates the total number of attacks in the Internet.

    Without widespread monitoring its impossible to know for sure how many attacks have the address uniformity property (that the victim sees an attack with source addresses uniformly distributed across all 2^32 address). In addition to the targeted spoofing you mention, ingress/egress filtering and reflector attacks also have the property that the source address profile is restricted and will not generate backscatter seen by us. While one could potentially produce a more complete estimate by extrapolating from data about how often such attacks are seen at a few monitored sites, the Internet is so diverse and varied that we had little faith in the quality of results derived in that way. Instead, we preferred to produce an underestimate that we were confident in.

    Frankly, most people we've shown our data to are surprised (as we were) at the level of DoS activity we found. That the true numbers may be significantly higher still only reinforces that feeling. Undoubtedly, some people had different expectations :-)

Slashdot Top Deals

We must believe that it is the darkest before the dawn of a beautiful new world. We will see it when we believe it. -- Saul Alinsky

Close