Study: Sites attacked 4,000 times a week

[InfoSec News <isn () c4i org>]

http://news.cnet.com/news/0-1003-200-6006924.html?tag=mn_hd

By Robert Lemos
Special to CNET News.com 
May 22, 2001, 1:55 p.m. PT 

Online vandals intent on lashing out at companies and rivals stage
denial-of-service attacks more than 4,000 times every week,
researchers from the University of California at San Diego said
Tuesday.

Among the common targets are some names that come as no surprise:
Amazon.com, America Online and Microsoft's Hotmail. However, a large
number of individual users and small businesses were targeted by
attacks as well, the researchers found.

"We believe our research provides the only publicly available data
quantifying denial-of-service activity in the Internet," said David
Moore, senior researcher with the San Diego Supercomputer Center's
Cooperative Association for Internet Data Analysis and the primary
author of the paper.

Denial-of-service attacks attempt to overload or crash computers
connected to the Internet so people can't access them. A common type
of attack, called a flood attack, aims to overload a targeted computer
with so much data that it can no longer process legitimate access
attempts.

In early May, vandals used just such an attack to swamp
Whitehouse.gov, the public-relations Web site of President George W.
Bush, essentially removing it from the Net. Online hooligans attacked
Microsoft in January with a similar attack, causing headaches for the
company over a two-day period.

While such incidents are occasionally reported in the media, no one
had previously determined how prevalent the actual attacks were, Moore
said.

The key to the research, he said, was a technique known as "back
scattering."

When a computer is attacked, it generally can't determine that the
sent data is bogus, so it attempts to reply to every incoming data
packet. Yet, the most common denial-of-service attack programs
randomize the address from which the data seem to have come. The
result: The victim's computer will send replies to each of the random
addresses, essentially "scattering back" responses, which can signal
that it's under attack.

Moore and his colleagues collected such replies by listening to a
large segment of the Internet--known as an A-class network and
amounting to a collection of 1/256 of the total number of Internet
addresses. While the researchers would not identify the large network,
they did say that it harkens back to the founding of the Internet and
today is essentially "dead space"--with no computers connected to it.

Because there aren't any live servers on the network, any replies sent
to addresses there are either errors or evidence of randomized
addresses--and thus an attack. By recognizing that several addresses
are receiving replies from a single server, the researchers can peg
the server and identify the victim.

"We saw an odd, disproportionate concentration of attacks towards a
small group of countries," said Stefan Savage, a professor of computer
science at UCSD, also an author of the paper. "Surprisingly, Romania,
a country with a relatively poor networking infrastructure, was
targeted nearly as frequently as the .net and .com top-level domains."

Savage is also a co-founder of Asta Networks, a Seattle-based maker of
software for protecting networks against denial-of-service attacks.
Geoff Volker, also a professor of computer science at UCSD, was the
paper's third author.

Though more than 4,000 attacks were spotted in each of the three weeks
during which the team monitored the Internet, more than half of those
attacks lasted less than 10 minutes, Savage said.

Savage stressed that the study is not complete, but is the best
estimate to date of the prevalence of such attacks. "There are a
number of other attacks we cannot see," he said.






ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.