American Scientist

Just days after the terrorist attack on the United States, the National Infrastructure Protection Center issued a warning that online assaults might follow. In particular, government officials worried about an increase in denial-of-service attacks, which essentially flood with messages a computer connected to the Internet and thereby cripple it or even shut it down. "The closest physical analogy to such an attack," says Stefan Savage of the University of California at San Diego (UCSD), "is someone signing you up for 100,000 pieces of extraneous junk mail. Without a good way to filter the junk from your regular mail, you're stuck spending lots of time reading each one." Past denial-of-service attacks targeted Web sites for CNN, The New York Times, the White House and many others. Yet despite the prevalence of denial-of-service attacks, one fundamental question long remained unanswered: Just how common are they? A team of UCSD investigators recently answered that question.

Although a variety of programs generate denial-of-service attacks, they all follow the same basic strategy. The attacker's computer sends messages to the victim, or targeted computer. Each message to the victim includes a randomly "spoofed" in cyber language—source address, which makes it hard to identify the attacker, and the victim computer sends a response to the spoofed address. The high flow of messages can overload the victim's Internet connection or computer, leaving it struggling to catch up and unable to handle real messages. Quantifying the characteristics of such attacks, though, requires some way to "see" them in progress.

An idea for such cyber-watching came to a UCSD computing team: David Moore, Savage and Geoff Voelker. They decided to assess denial-of-service attacks by watching the response messages sent from a victim, which is called backscatter. By using backscatter analysis, these investigators could determine the number of attacks, as well as their duration and the targets. The backscatter consists of unsolicited responses, which can be discriminated from other traffic online. Of course, normal mail distributions—including junk e-mail—also send unsolicited messages all over the Internet. This surely puts some bias in a backscatter-analysis approach. Nevertheless, Savage says, "The network we used had virtually no activity on it, so any packets that arrived were basically unsolicited."

Moore and his colleagues watched traffic for three one-week periods. Each time, they monitored more than 16 million addresses, which covers 1/256 of all address space on the Internet. That data revealed some spectacular findings. "In general, I'd say that we've demonstrated that denial-of-service attacks are both common and widespread," Savage said. "We have indications that there are several different kinds of attackers who mount attacks with different intensities and likely for different sorts of reasons. These range from individual vendettas that only impact a small number of systems to broader based attacks that pose a substantial threat to large content providers or even moderate-sized service providers."

In three weeks of data, the team analyzed more than 12,000 attacks. Most of the attacks sent fewer than 1,000 message packets per second, but some swamped sites with more than 600,000 message packets every second. The victims included virtually every part of the Internet—from home computers and large commercial sites to Internet traffic routers and other pieces of the Internet's infrastructure. Most victims endured only a single attack, but others got hit over and over. One received 102 attacks in a single week! About half of the attacks lasted for less than 10 minutes, but a few victims suffered attacks more or less continuously throughout the study. Still, Moore says, "The high amount of attacks under five minutes caught us by surprise; we expected more of the attacks to align with longer durations, such as an hour, since many tools default to longer durations." He adds, "We are currently investigating new techniques to tell whether the attacks actually stop after the short time period or the victim has crashed or otherwise become incapacitated, since the backscatter methodology requires the victim to respond to be tracked."

Some of the statistics on victims make sense, and some seem surprising. As expected, sites that end in .net or .com received the most attacks. Unpredictably, addresses that end in .ro—for Romania—got attacked just as often. Next in line came Brazil. Moore said, "We were initially very surprised at the amount of victims in Romania—greater than 12 percent—and Brazil—greater than 6 percent." These attacks may be in retaliation for denial-of-service and break-in attacks sent from those countries, or they might be responses to junk e-mail. Another possibility is that Internet service providers in Romania are attacking each other to make themselves look better and gain customers.

Perhaps even more surprising, Moore and his colleagues discovered that 10 to 20 percent of the denial-of-service attacks targeted home computers. One possible explanation is that the attacks are related to IRC, or Internet Relay Chat, which allows real-time communication. "IRC servers are often targets of attacks by upset users," observes Moore, "in order to get revenge or retribution for something said or done on IRC or as a response to a previous denial-of-service attack from the other party." IRC users may also attack to improve their scores in multi-player Internet games such as Quake or Halflife. A denial-of-service attack against other players may render the victims unable to send or receive enough traffic to play effectively.

Despite this epidemic of attacks, Savage says, "There is a lack of good automated defensive technology. Detecting, diagnosing and responding to denial-of-service attacks is still largely a manual procedure. That increases both response time and cost while also reducing the number of attacks that can be addressed." He adds: "While the attackers have embraced automation through worms, viruses, tools for breaking into machines and distributed control platforms, this same level of technology has been slow to emerge on the defensive side."

Although the attacks will continue, information technologists now at least know the breadth of this battle. As Moore, Savage and Voelker showed us, no one is safe, neither industries nor individuals. Like other forms of terrorism, denial-of-service attacks prove hard to stop.—Mike May