[ISN] Study: Sites attacked 4,000 times a week

From: InfoSec News (isnat_private)
Date: Tue May 22 2001 - 22:54:53 PDT

  • Next message: InfoSec News: "[ISN] Woe Unto White House Site"

    By Robert Lemos
    Special to CNET News.com 
    May 22, 2001, 1:55 p.m. PT 
    Online vandals intent on lashing out at companies and rivals stage
    denial-of-service attacks more than 4,000 times every week,
    researchers from the University of California at San Diego said
    Among the common targets are some names that come as no surprise:
    Amazon.com, America Online and Microsoft's Hotmail. However, a large
    number of individual users and small businesses were targeted by
    attacks as well, the researchers found.
    "We believe our research provides the only publicly available data
    quantifying denial-of-service activity in the Internet," said David
    Moore, senior researcher with the San Diego Supercomputer Center's
    Cooperative Association for Internet Data Analysis and the primary
    author of the paper.
    Denial-of-service attacks attempt to overload or crash computers
    connected to the Internet so people can't access them. A common type
    of attack, called a flood attack, aims to overload a targeted computer
    with so much data that it can no longer process legitimate access
    In early May, vandals used just such an attack to swamp
    Whitehouse.gov, the public-relations Web site of President George W.
    Bush, essentially removing it from the Net. Online hooligans attacked
    Microsoft in January with a similar attack, causing headaches for the
    company over a two-day period.
    While such incidents are occasionally reported in the media, no one
    had previously determined how prevalent the actual attacks were, Moore
    The key to the research, he said, was a technique known as "back
    When a computer is attacked, it generally can't determine that the
    sent data is bogus, so it attempts to reply to every incoming data
    packet. Yet, the most common denial-of-service attack programs
    randomize the address from which the data seem to have come. The
    result: The victim's computer will send replies to each of the random
    addresses, essentially "scattering back" responses, which can signal
    that it's under attack.
    Moore and his colleagues collected such replies by listening to a
    large segment of the Internet--known as an A-class network and
    amounting to a collection of 1/256 of the total number of Internet
    addresses. While the researchers would not identify the large network,
    they did say that it harkens back to the founding of the Internet and
    today is essentially "dead space"--with no computers connected to it.
    Because there aren't any live servers on the network, any replies sent
    to addresses there are either errors or evidence of randomized
    addresses--and thus an attack. By recognizing that several addresses
    are receiving replies from a single server, the researchers can peg
    the server and identify the victim.
    "We saw an odd, disproportionate concentration of attacks towards a
    small group of countries," said Stefan Savage, a professor of computer
    science at UCSD, also an author of the paper. "Surprisingly, Romania,
    a country with a relatively poor networking infrastructure, was
    targeted nearly as frequently as the .net and .com top-level domains."
    Savage is also a co-founder of Asta Networks, a Seattle-based maker of
    software for protecting networks against denial-of-service attacks.
    Geoff Volker, also a professor of computer science at UCSD, was the
    paper's third author.
    Though more than 4,000 attacks were spotted in each of the three weeks
    during which the team monitored the Internet, more than half of those
    attacks lasted less than 10 minutes, Savage said.
    Savage stressed that the study is not complete, but is the best
    estimate to date of the prevalence of such attacks. "There are a
    number of other attacks we cannot see," he said.
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Wed May 23 2001 - 00:16:43 PDT