The study is the result of a partnership between UCSD's Cooperative Association for Internet Data Analysis (CAIDA) and the Jacobs School of Engineering, also at UCSD. The study team, made up of CAIDA's David Moore, along with Geoffrey M. Voelker and Stefan Savage, both of UCSD's Computer Science and Engineering Department, studied DoS attacks across the Internet for three one-week periods, focusing on the number, duration and focus of the attacks. They found that more than 12,000 DoS attacks were launched in the period studied, with a small percentage targeting devices crucial to the operation of the Internet, including routers and name servers.
DoS attacks involve flooding target computers with false requests for information, overloading the machines' capacity to respond and leading to denial of service to legitimate users. Many such attacks use multiple computers spread throughout the world that have been taken over through hacking. In early 2000, denial-of-service attacks took a number of high-profile sites offline for days, including Yahoo.com, Amazon.com and eBay.com.
Between 2 per cent and 3 per cent of all DoS attacks studied targeted name servers, the computers that let Internet traffic be directed by domain name, such as www.idg.com, rather than by its numerical address equivalent, according to the study. Routers, the devices that direct traffic to its appropriate location in networks, received 1 per cent to 3 per cent of the attacks.
Targeting routers and similar devices for attack is particularly troublesome because taking them offline could result in a service outage to a much greater cross-section of users, rather than just those of a specific Web site.
As was expected, high-profile sites such as Amazon.com, AOL.com and Hotmail.com were popular targets for DoS attacks, the study said. However, Romanian computers were attacked almost as much as .com and .net sites and Brazilian machines were hit more than .edu and .org sites combined. The vast majority of victims, 95 per cent, were attacked fewer than five times, with the bulk of that group, 65 per cent, experiencing only one attack.
Also of note, the researchers found that a number of attacks were directed against home users connecting to the Internet using dial-up or cable modems, indicating that DoS attacks are used in personal disputes.
The study tracked an effect called backscatter, which is produced by the replies that servers under attack send out across the Internet. In many DoS attacks, the addresses from which the attacks are launched are faked, or "spoofed," and thus, when requests for service are answered by the server under attack, the replies are sent to the spoofed addresses all across the Internet, rather than to the computer where the attack originates. This spread of replies is the backscatter, which provides an estimate of worldwide DoS activity, according to the report.
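How a monitor on unused address space can turn the backscatter described above into an attack estimate, as an added example (not code from the study or from this article). It assumes spoofed source addresses are chosen uniformly at random, a monitored /8, and a 300-second quiet gap separating attacks; the address block and packet records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_network

# Assumption: the monitor is an unused /8 that only ever receives unsolicited traffic.
TELESCOPE = ip_network("10.0.0.0/8")              # constructed placeholder block
SCALE = 2**32 / TELESCOPE.num_addresses           # 256: we see 1/256 of the replies
GAP = 300                                         # assumed seconds of silence between attacks

# Reply types a victim emits when it answers spoofed requests.
BACKSCATTER = {("tcp", "SA"), ("tcp", "R"), ("tcp", "RA"),
               ("icmp", "echo-reply"), ("icmp", "dest-unreach")}

def attacks(packets):
    """Group backscatter by victim (the packet's source) into attack episodes."""
    by_victim = defaultdict(list)
    for ts, src, proto, kind in packets:
        if (proto, kind) in BACKSCATTER:          # a bare SYN is a request (scan), not a reply
            by_victim[src].append(ts)
    episodes = []
    for victim, times in by_victim.items():
        times.sort()
        start = prev = times[0]
        count = 1
        for ts in times[1:] + [None]:             # None flushes the last episode
            if ts is not None and ts - prev <= GAP:
                prev, count = ts, count + 1
                continue
            seconds = max(prev - start, 1)
            episodes.append({"victim": victim, "start": start, "seconds": seconds,
                             "seen": count, "est_pps": count / seconds * SCALE})
            if ts is not None:
                start = prev = ts
                count = 1
    return sorted(episodes, key=lambda e: (e["victim"], e["start"]))

# Constructed records: (timestamp, source IP, protocol, TCP flags or ICMP type)
SAMPLE = [
    (0, "198.51.100.7", "tcp", "SA"), (2, "198.51.100.7", "tcp", "SA"),
    (4, "198.51.100.7", "tcp", "R"), (5, "203.0.113.9", "tcp", "S"),
    (10, "198.51.100.7", "tcp", "SA"),
    (1000, "198.51.100.7", "icmp", "echo-reply"),
    (1002, "198.51.100.7", "icmp", "echo-reply"),
]

if __name__ == "__main__":
    for episode in attacks(SAMPLE):
        print(episode)
```

The `est_pps` figure is the victim's estimated reply rate, which bounds the attack rate from below because an overloaded victim does not answer every request.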
The study is available at http://www.caida.org/outreach/papers/backscatter/usenixsecurity01.pdf.