In what may be the first publicly announced research of its kind, a professor in San Diego has reported results of a study showing that 12,805 denial-of-service (DoS) attacks were launched against some 5,000 targets over a three-week period.
DoS attacks, cyber-assaults on computer systems, do their damage by “flooding” a Web site or other IP (Internet Protocol) address with high volumes of bogus messages such that the systems either cannot deliver service or are hampered in doing so.
The study was conducted by Stefan Savage, chief scientist of Seattle-based Asta Networks, which markets DoS solutions, and professor of computer science at the University of California, San Diego, along with colleagues David Moore and Geoff Voelker. The researchers believe their study is the only publicly available data quantifying Internet-wide DoS activity.
According to Andrew Konstantaras, vice president of marketing for Asta, the data was gathered by monitoring “a huge portion of the Internet space, 1/256th of it all.”
“We know now with certainty that DoS attacks are even more powerful and prevalent than any one organization has let on,” Savage states. Konstantaras adds that many such attacks are not reported by Internet service providers (ISPs) and other enterprises, because of potential “bad press implications.”
According to Asta, the attack targets documented in the study “ranged from well-known companies such as Amazon.com and AOL to small foreign ISPs and broadband users.”
The study also found that the attacks against commercial targets were “extremely diverse and have the power to significantly hamper service on a wide range of networks.” The majority of the attacks monitored took place fast enough to “overwhelm” the victims’ attempts at prevention, says Asta.
“12,000 is a very conservative number,” says Konstantaras in reference to the attacks. “There are far more than 12,000 attacks on the whole Internet.”
Asta notes that in an information security industry survey conducted in 2000, 37 percent of companies had suffered a DoS attack over the past year.
The Web site of Mazu Networks, another vendor of DoS solutions, cites figures showing that distributed DoS attacks have increased by 60% over the past three years.
The Savage study also showed that many of the monitored attacks were directed against network infrastructure components, such as domain name servers and routers. “These attacks are especially devastating, because overwhelming a domain name server could deny service to all Web sites that rely upon that server,” Asta explains.
DoS attacks can be targeted at “nearly anyone,” the study states. Most of the attacks were relatively short in duration, with 50% lasting less than 10 minutes and 90% lasting less than one hour. Some attacks actually spanned several days or weeks.
International borders seem to have little to do with who is targeted, the study found, even extending to countries with “relatively poor networking infrastructure.”
“The attacks were well distributed,” notes Konstantaras, adding that the “star country” for DoS attacks is Romania.
Overall, most targets were attacked five or fewer times, the study stated, although five targets were flooded with traffic between 60 and 70 times. “One unfortunate victim was besieged 102 times in one week,” says Asta.
The study also noted that a significant portion of the attacks were directed at home-based machines using either dialup or broadband Internet access. “Some of these attacks constituted large, severe attacks, suggesting that DoS attacks are frequently used to settle personal vendettas,” according to Asta.
Other than personal revenge, why are such attacks launched?
“There are a couple of reasons,” says Konstantaras. “First, because they can [do it] and it’s a challenge to beat a system.” Doing so, he explains, helps one “gain reputation among hackers.”
The second reason cited by Konstantaras is that hackers often have political agendas. Such “hacktivists,” as they have come to be called, seek to bring systems down for political purposes, he notes. In an ironic reversal of roles, he adds, “the German government said a couple of months ago that they would DoS anyone who violated German law.”
Konstantaras also points out that DoS attacks may be used as a “diversionary tactic” to cover other types of hacking at another site.
Hackers “don’t need to know that much” to launch DoS attacks, with programs that do so readily available online and fairly easy to implement, says Konstantaras. “It takes five [mouse] clicks to launch a DoS attack,” he explains, “versus 11 clicks to buy a book online.” Such attacks can be launched “from any computer with an Internet connection.”
What can corporate and home users do to protect themselves from attack? There are several products available that seek to establish defenses.
Asta has introduced Asta Networks Vantage System, composed of Sensors (network appliances that collect traffic data from key routers) and Coordinators (servers that aggregate and analyze data from Sensors to construct an overall view of network activity). “Several phases of analysis are conducted to provide all the actionable knowledge network operations centers need to immediately detect an attack, locate its source, and counter it with the most appropriate measures,” says Asta.
Pricing for this product is $5,000 per sensor, plus a monthly charge based on projected bandwidth, the company notes. Information is available at www.astanetworks.com.
Meanwhile, Arbor Networks, based in Waltham, Mass., has introduced Peakflow DoS, a distributed, managed service that “proactively detects, traces and filters threats to network availability.”
Arbor says that Peakflow DoS works by gathering the data it needs from the networking equipment customers already have, “thus leveraging their existing IT investment.”
Pricing for the Arbor product begins at $5,000 per month, the company notes, and information is available at www.arbornetworks.com.
In addition, Niksun Inc., based in Monmouth Junction, N.J., offers NetDetector, a network monitoring system “that provides the capability to analyze traffic streams at very high data rates to detect and catch malicious activity, even post-event.”
According to Niksun, “Data captured by NetDetector is analyzed to inspect traffic flows for improper activities, detect intruders and set alarms while continuously recording and analyzing every packet in the network in real time.”
Pricing information was not immediately available. Details on the Niksun product can be found at www.niksun.com.
Reproduced from National Underwriter Life & Health/Financial Services Edition, July 20, 2001. Copyright 2001 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.