The incidence of denial-of-service (DoS) attacks has consistently grown over the last few years, “steadily becoming one of the biggest threats to Internet stability and reliability.” Over the last year or so, the emergence of IoT-based botnets — such as Mirai and more recently Reaper, with as yet unknown total capacity — has left security researchers wondering whether a distributed denial-of-service (DDoS) attack could soon take down the entire internet.
The problem is there is no macroscopic view of the DoS ecosphere. Analyses tend to be by individual research teams examining individual botnets or attacks. Now academics from the University of Twente (Netherlands); UC San Diego (USA); and Saarland University (Germany) have addressed this problem “by introducing and applying a new framework to enable a macroscopic characterization of attacks, attack targets, and DDoS Protection Services (DPSs).”
The initial results, published in a paper (PDF) presented at IMC 2017 in London this week, took the researchers by surprise. In devising a methodology to assess the entire DoS ecosphere, they discovered “the massive scale of the DoS problem, including an eye-opening statistic that one-third of all /24 networks recently estimated to be active on the Internet have suffered at least one DoS attack over the last two years.”
In developing their framework for a macroscopic evaluation of Dos, the researchers aggregated and analyzed data over the last two years from the the UCSD Network Telescope — which captures evidence of DoS attacks that involve randomly and uniformly spoofed addresses — and the AmpPot DDoS honeypots — which witness reflection and amplification of DoS attacks.
The results are staggering. “Together,” say the researchers, “our data sets of attack events account for 20.90 M attacks, targeting 6.34 M unique IP addresses, over a two-year period.” The daily figures are no less surprising. By combining the direct attacks with the reflection attacks, the researchers discovered that the internet suffers an average of 28,700 distinct DoS attacks every day. This is claimed to be 1000 times greater than other reports have indicated.
“A takeaway from these results,” say the researchers, “is that each day we see attacks on tens of thousands of unique target IP addresses, spread over thousands of autonomous systems.”
The geolocation of the targets closely reflects internet address space utilization — for example, the USA has 25.56% of all unique IP addresses, and is the target for about 25% of all randomly spoofed attacks. Chinese IP addresses are the second most common target for random spoofing attacks. However, there are some exceptions. Russia and France both rank higher in the percentage of attacks than their overall percentage of internet address space — making these locations statistically more likely to receive DoS attacks. Japan is the opposite with almost 7% of address space (the third largest region), but ranking 14th in the honeypot dataset and 25th in the telescope data set of attacks — making Japan statistically one of the safer regions.
The purpose of the study as to understand the overall scope and extent of DoS attacks together with the market reaction to them so that more efficient responses might be developed. In terms of current market reaction, it concludes that low-level, even if repeated, attacks are largely ignored by the site owners. By correlating attacks with the time web sites migrated their DoS defense to third-party DPS companies, the researchers were able to determine what triggers the use of a DPS. They found, in general, that attack duration does not strongly correlate with DPS migration; but early migration follows attacks of high intensity.
For now, this is a work in progress, and the researchers hope to expand its extent and coverage. For example, the current study concentrates on web attacks. The researchers note, however, that GoDaddyís e-mail servers, which are used by tens of millions of domain names, are frequently targeted by DoS attacks. “In future work,” they say, “we plan to investigate the impact of DoS attacks on mail infrastructure and for this purpose we recently instrumented our measurement infrastructure to query for more DNS RRs on the names found in MX records.”
The biggest single takeaway from this study, which aimed to provide a macroscopic view of the worldwide DoS problem, is that it has simultaneously discovered that the DoS problem is already many times greater than previously thought.