Denial of Service (DoS) attacks have become a major threat to computer networks in recent years, as the frequency and intensity of the attacks are rising rapidly.
For those unaware, a DoS attack overloads a target's resources so that it slows down or stops serving legitimate users. In its basic form, one computer and one internet connection are used to flood a server with packets (typically TCP or UDP). This makes the server inaccessible to other computers, which means that whatever content the server was providing, from a website to a hosting service, will not be visible to them. In simple words, a DoS attack on a network is designed to take down the network by sending a large number of random packets.
A large-scale analysis of two years of DoS attacks around the world (between March 2015 and Feb 2017) shows that one third of all IPv4 internet addresses were under attack. The average number of daily attacks was 30,000, which could even be an optimistic figure, considering the new kinds of DoS attacks that are carried out every day.
“We’re talking about millions of attacks,” said Alberto Dainotti, a research scientist at CAIDA (Center for Applied Internet Data Analysis), based at the San Diego Supercomputer Center (SDSC) at the University of California San Diego and the report’s principal investigator. “The results of this study are gigantic compared to what the big companies have been reporting to the public.”
Mattijs Jonker, a researcher with the University of Twente in The Netherlands and former CAIDA intern who showed his study on the DoS at the Internet Measurement Conference in London, added, “These results caught us by surprise in the sense that it wasn’t something we expected to find. This is something we just didn’t see coming.”
CAIDA conducted the study to provide a “framework to enable a macroscopic characterisation of attacks, attack targets, and mitigation behaviours”. The study has been published in the Proceedings of the Association for Computing Machinery (IMC ’17).
According to the paper, the researchers used two raw data sources that provide signals of DoS attack events and complement each other: (1) the UCSD Network Telescope, which captures evidence of DoS attacks that involve randomly and uniformly spoofed IP addresses; and (2) the AmpPot DDoS honeypots, which witness reflection and amplification DoS attacks – an attack type that involves specifically spoofed IP addresses.
During their two-year study, the researchers saw more than 20 million DoS attacks, targeted at about 2.2 million /24 (slash 24) IPv4 internet addresses, either through direct DoS attacks or some kind of reflection attack. A /24 is a block of 256 IP addresses, usually assigned to a single organization. If a single IP address in a /24 block is targeted, it is likely that the entire /24 block's network infrastructure is affected. Both the direct and reflection attacks affected 137,000 targets during the study period. On average, every single day, about 3% of all registered web domains were involved in attacks because they were hosted on the targeted IP addresses, which in turn accounted for two-thirds of all websites over the two-year period.
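How attack events from two data sources roll up into /24 targets, shown as an added example that is not code from the study or from this article. The event tuples, source labels and function names are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict
from datetime import date

# Constructed sample events: (source, day, target IPv4 address).
# Not data from the study; addresses come from documentation ranges.
EVENTS = [
    ("telescope", date(2015, 3, 1), "192.0.2.10"),
    ("telescope", date(2015, 3, 1), "192.0.2.77"),
    ("honeypot",  date(2015, 3, 1), "192.0.2.200"),
    ("honeypot",  date(2015, 3, 2), "198.51.100.5"),
    ("telescope", date(2015, 3, 2), "203.0.113.9"),
    ("honeypot",  date(2015, 3, 3), "203.0.113.9"),
]

def to_slash24(ip):
    """Return the /24 block (256 addresses) containing an IPv4 address."""
    # IPv4Network raises ValueError for malformed or non-IPv4 input.
    return ipaddress.IPv4Network(f"{ip}/24", strict=False)

def summarize(events, window_start, window_end):
    """Count targets per IP and per /24, and targets seen by both sources."""
    ips = defaultdict(set)      # source -> targeted addresses
    blocks = defaultdict(set)   # source -> targeted /24 blocks
    for source, day, ip in events:
        if not window_start <= day <= window_end:
            continue  # ignore events outside the observation window
        ips[source].add(ipaddress.IPv4Address(ip))
        blocks[source].add(to_slash24(ip))
    counted = sum(1 for _, d, _ in events if window_start <= d <= window_end)
    # Average over every day in the window, including days with no events.
    days = (window_end - window_start).days + 1
    return {
        "target_ips": len(ips["telescope"] | ips["honeypot"]),
        "target_slash24": len(blocks["telescope"] | blocks["honeypot"]),
        # Hit by both a spoofed (telescope) and a reflection (honeypot) attack.
        "joint_ips": len(ips["telescope"] & ips["honeypot"]),
        "joint_slash24": len(blocks["telescope"] & blocks["honeypot"]),
        "avg_events_per_day": counted / days,
    }

if __name__ == "__main__":
    print(summarize(EVENTS, date(2015, 3, 1), date(2015, 3, 3)))
```

In the sample, 192.0.2.0/24 counts as jointly targeted at the block level even though no single address in it appears in both sources, which is why per-address and per-/24 target counts differ.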
“Put another way, during this recent two-year period under study, the internet was targeted by nearly 30,000 attacks per day,” said Dainotti. “These absolute numbers are staggering, a thousand times bigger than other reports have shown.”
According to the study, among the targeted nations, the United States, which holds the most internet addresses in the world, topped the list, accounting for more than a quarter of the targeted internet addresses. Japan, with the third most internet addresses, ranks anywhere from 14th to 25th for the number of DoS attacks, showing remarkably fewer attacks. On the other hand, the study suggests Russia is a relatively dangerous country for DoS attacks, as it has a high number of attacks compared to its number of addresses.
Several third-party organizations that offer website hosting were also identified as major targets. GoDaddy, Google Cloud, and Wix were the three most frequently attacked “larger parties” over the two-year period. Others included Squarespace, Gandi, and OVH.
“Most of the times, it’s the customer who is being attacked,” explained Dainotti. “So if you have a larger number of customers, you’re likely to have more attacks. If you’re hosting millions of websites, of course, you’re going to see more attacks.”