
Sizing Up Cybervandalism: Thousands Hit Monthly

Researchers find debilitating hacker attacks cross borders to hit big and small targets.

Frank Thorsberg, PCWorld.com

An international study that measures the incidence of crippling denial of service attacks on Web sites shows the online threat is global in nature and could be much greater than previously thought.

The study suggests massive attempts at cybervandalism are commonplace: It estimates that some 12,805 distributed denial of service attacks took place worldwide in one three-week period in February. What's more, the University of California, San Diego, researchers who devised a way to count such attacks say a small but significant number are aimed at Internet infrastructure.

"We now know with certainty that DDoS attacks are even more powerful and prevalent than any one organization has let on," says Stefan Savage, one of the study's authors and a professor at the university's Department of Computer Science and Engineering. "I think the numbers we are getting would tend to surprise most people."

In a DDoS attack, hackers select unprotected PCs to be their unwitting online accomplices. They seed these so-called "zombie computers" in advance with small programs that are remotely activated to attack another target.

Malicious hackers launched DDoS attacks against more than 5000 Web sites belonging to 2000 distinct organizations from February 1 through February 25, according to the researchers. They say their new monitoring and statistical analysis techniques enable them to quantify a problem that previously has been exposed primarily through headline-grabbing attacks on big sites plus anecdotal information from the Net community.

Savage calls his own conclusions conservative, because some types of DDoS attack cannot be seen by the researchers' method at all: attacks that bounce traffic off "reflector" sites forge the victim's own address as the source, so the reflectors' replies go straight to the intended target rather than scattering across the Internet.

David Moore, a scientist with the San Diego Supercomputer Center at UCSD, and Geoffrey M. Voelker, another UCSD professor, collaborated with Savage on the DDoS study. They did the research after figuring out a way to capture the data they needed with a traffic-monitoring technique called "backscatter analysis."

A New Way to Watch Attacks

Most hacker programs that launch DDoS attacks forge a random source address on each packet, which both hides the attacking machines and cloaks the identity of whoever controls them. The target answers each forged packet automatically (a TCP SYN-ACK or RST, for example), and those responses are inadvertently sprayed across the entire Internet address space, an unintended effect called "backscatter." By monitoring a large block of otherwise unused addresses and studying the backscatter that lands there, Savage and his colleagues say they can identify the victims and quantify the extent of the problem.
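The following simulation, added here as an illustration and not code from the UCSD study, shows why backscatter reveals an attack's victim, rate and duration. It assumes a monitored "telescope" that owns the whole 10.0.0.0/8 block (1/256 of the IPv4 address space; the prefix is a stand-in chosen for the example) and, as the method requires, that the attacker's forged source addresses are uniformly random. Every function, constant and the two constructed attacks are the example's own.

```python
import random
from collections import defaultdict

# Assumption for this example: the monitor ("network telescope") owns the
# whole 10.0.0.0/8 block, i.e. 1/256 of the IPv4 address space. No real
# telescope uses that prefix; it is only a convenient stand-in here.
TELESCOPE_FIRST_OCTET = 10
TELESCOPE_FRACTION = 1 / 256


def ip_str(ip):
    """Render a 32-bit integer address in dotted-quad form."""
    return ".".join(str((ip >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def simulate_syn_flood(victim, rate_pps, duration_s, rng):
    """Model a SYN flood against `victim` with a forged random source on every
    packet. The victim answers each SYN with a SYN-ACK addressed to the forged
    source, so the result is the stream of (time, src=victim, dst=spoofed)
    backscatter packets the victim emits. Only the victim's replies are
    returned; the attacking packets themselves never reach the telescope."""
    total = int(rate_pps * duration_s)
    return [(i / rate_pps, victim, rng.getrandbits(32)) for i in range(total)]


def telescope_capture(backscatter):
    """Keep the replies whose forged destination happens to fall inside the
    telescope's block. Everything else goes to other addresses on the Internet."""
    return [(t, src, dst) for t, src, dst in backscatter
            if (dst >> 24) == TELESCOPE_FIRST_OCTET]


def infer_attacks(captured):
    """Group captured backscatter by its source, which is the real victim, and
    scale the observed packet count by the inverse of the telescope's share of
    the address space to estimate the attack rate. Duration is the span
    between the first and last reply seen for that victim."""
    per_victim = defaultdict(list)
    for t, src, _ in captured:
        per_victim[src].append(t)
    report = {}
    for victim, times in per_victim.items():
        seen = len(times)
        duration = max(times) - min(times)
        est_packets = seen / TELESCOPE_FRACTION
        report[ip_str(victim)] = {
            "backscatter_seen": seen,
            "estimated_packets": round(est_packets),
            "estimated_pps": round(est_packets / duration) if duration else None,
            "observed_duration_s": round(duration, 1),
        }
    return report


def run_demo(seed=1):
    """Two constructed attacks: a 1000 pps flood for 60 s against 192.0.2.10
    and a 500 pps flood for 120 s against 203.0.113.5 (documentation addresses)."""
    rng = random.Random(seed)
    victim_a = (192 << 24) | (0 << 16) | (2 << 8) | 10     # 192.0.2.10
    victim_b = (203 << 24) | (0 << 16) | (113 << 8) | 5    # 203.0.113.5
    traffic = (simulate_syn_flood(victim_a, 1000, 60, rng)
               + simulate_syn_flood(victim_b, 500, 120, rng))
    return infer_attacks(telescope_capture(traffic))


if __name__ == "__main__":
    for victim, stats in run_demo().items():
        print(victim, stats)
```

Roughly one reply in 256 lands in the telescope, so a 60,000-packet flood shows up as a couple of hundred SYN-ACKs from the victim's address; multiplying back by 256 recovers the attack size, and the spread of their timestamps gives the duration. The estimate is only as good as the uniform-source assumption: an attacker who forges sources from a narrow range, or a reflector attack that forges the victim's address, produces no such signal.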

According to the UCSD study, about 5 percent of the attacks were not on single servers or home PCs, but were targeted at key parts of Internet infrastructure like routers and name servers.

"If they were going to take down core routers or a name server affecting a whole company, that's like instead of sending junk mail, you block someone's post office," Savage says. "We had heard anecdotally about a few of these, but I find it a little scary to see just how many there were."

Savage, Moore, and Voelker are continuing to monitor attack data, which they say remains consistent with their initial findings.

"The biggest thing we took from what we saw was that DDoS attacks are going to be a fact of life on the Internet, and we need to build the infrastructure to deal with them on a day-to-day basis," Savage says.

Just a Start?

Although anecdotal reports about DDoS attacks--which hackers used to cripple Yahoo, eBay, E-Trade, and Microsoft in the past year--indicate a serious problem, no one really identified the extent of the trouble until the UCSD study.

Since this is uncharted territory, the researchers' methodology and conclusions bear close scrutiny, according to Martin Fong, a senior software engineer at SRI specializing in Internet security.

"I think what they've done is establish a methodology, but I don't know if they've established a baseline," Fong says. "It's a good starting point, but this [quantitative measurement] relies on a tremendous amount of cooperative effort."

Fong says a more valuable undertaking would be to find a way to exploit the distributive nature of the Net to develop a workable defense.

"This analysis is more of a business-threat analysis than responding to the threat," Fong says. "How you react to a distributed denial of service [attack] is probably more on the minds of people who are being attacked."

Growing Concern About Increasing Attacks

The work by the UCSD researchers at least provides additional information about a problem of growing concern, one on which there has so far been little hard data.

For example, the Computer Security Institute and the FBI recently released the results of a survey of 538 large companies, government agencies, financial institutions, health care institutions, and universities that showed 85 percent reported security breaches within the past 12 months.

That survey did not include any individuals or overseas respondents, nor did it attempt to quantify the number of attacks or attackers.

The San Diego research finds that attacks against commercial targets are extremely diverse and have the power to significantly hamper service on a wide range of networks. The scientists found that a common type of denial of service attack sending as few as 500 packets per second can overwhelm a standard server. Nearly half of all observed attacks reached that intensity, and some exceeded it by a factor of 1200.

The study also finds that:

  • Attacks can last from minutes to several days. The research showed that most attacks are relatively short, with 50 percent lasting less than 10 minutes and 90 percent less than an hour.
  • International borders don't matter. Web sites in Romania were hit nearly as frequently as domains in the United States. Targets in Canada, Germany, and the United Kingdom were also hit frequently, and several attacks were directed at Belgium, Switzerland, and New Zealand. China Telecom was the target of one massive attack.
  • Multiple attacks aren't uncommon. Most targets were attacked five or fewer times, but a few targets were flooded with traffic between 60 and 70 times, and one unfortunate victim was attacked 102 times in one week.
  • Home machines are also at risk. A significant portion of the detected attacks was directed at home machines, either dial-up or broadband, and was likely personal in nature.

Detecting an Intrusion

Most of the monitored assaults were fast enough to overwhelm existing defensive technology, the researchers say. Savage is also chief scientist at Asta Networks, which develops software and services to increase network reliability and manageability. The company plans to release in June a product that detects and responds to DDoS attacks.

An intrusion-detection system, like those made by Network ICE, is designed to spot the flood of packets coming in during a DoS or DDoS attack, security experts note.

DDoS attacks are difficult to trace, because they come from so many directions. But because the packets a given attack tool generates share recognizable characteristics, an IDS can look for those specific packet types and filter them out, rather than block all traffic from a specific IP address. That older method of blocking DoS attacks is of little use when, as in most DDoS attacks, the source addresses are forged.

However, like anti-virus software, an IDS requires frequent updates, because the "signature files" of particular DDoS tools vary over time as the malicious hackers write better, smarter tools.

Savage says Asta's software is designed to automate the process of detecting attacks, which right now is something that gets done manually, if at all. It will classify what kind of attack is being made. It will trace it back through the network that deploys the software, and then it will offer countermeasure recommendations.

The defensive actions can include blocking certain kinds of packets and imposing rate-limiting measures.
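The detection-and-response logic described above, as an added example that is neither Asta's nor Network ICE's code: it runs over a constructed traffic log, counts TCP SYNs per destination per second, and uses the share of distinct source addresses to tell a spoofed flood (every source different) from a few legitimate clients, so that the recommended countermeasure is a rate limit on the victim's SYNs rather than a per-source block. The threshold, the log format and the addresses are the example's own assumptions.

```python
import random
from collections import defaultdict

# Assumed tuning value for this example; a real deployment derives it from
# the monitored link's normal SYN rate.
SYN_PPS_THRESHOLD = 100


def build_sample_log(seed=7):
    """Constructed traffic log of (timestamp_s, src, dst, tcp_flags) records:
    ten legitimate clients completing handshakes with 192.0.2.10 every second,
    plus a 400-packet-per-second SYN flood with forged random sources during
    seconds 3 and 4. Addresses are documentation ranges, not real hosts."""
    rng = random.Random(seed)
    log = []
    for t in range(6):
        for i in range(10):
            src = f"198.51.100.{i}"
            log.append((t + i / 10, src, "192.0.2.10", "S"))        # client SYN
            log.append((t + i / 10 + 0.05, src, "192.0.2.10", "A"))  # client ACK
    for t in (3, 4):
        for k in range(400):
            src = ".".join(str(rng.randrange(256)) for _ in range(4))  # spoofed
            log.append((t + k / 400, src, "192.0.2.10", "S"))
    return log


def detect_syn_floods(log, threshold=SYN_PPS_THRESHOLD):
    """Bucket SYN packets by (destination, whole second). A bucket above the
    threshold becomes an alert carrying the SYN count and the fraction of
    distinct sources: near 1.0 means each packet came from a different
    (almost certainly forged) address, near 0 means a few busy clients."""
    syns = defaultdict(list)
    for t, src, dst, flags in log:
        if flags == "S":
            syns[(dst, int(t))].append(src)
    alerts = []
    for (dst, second), sources in sorted(syns.items()):
        if len(sources) > threshold:
            alerts.append({
                "dst": dst,
                "second": second,
                "syn_count": len(sources),
                "distinct_src_ratio": round(len(set(sources)) / len(sources), 2),
            })
    return alerts


def recommend(alert):
    """Pick a countermeasure. Blocking source addresses cannot stop a flood
    whose sources are forged and never repeat, so rate-limit SYNs to the
    victim instead; only a flood from a few repeating sources gets a block."""
    if alert["distinct_src_ratio"] > 0.9:
        return f"rate-limit SYN packets to {alert['dst']}"
    return f"block the top source addresses sending SYN to {alert['dst']}"


if __name__ == "__main__":
    for alert in detect_syn_floods(build_sample_log()):
        print(alert, "->", recommend(alert))
```

The distinct-source ratio is the cheapest signal that per-source blocking will fail; a signature-based IDS would add a match on the flood packets' fixed characteristics (identical lengths, options or TTLs from one tool) so that only those packets, not every SYN to the victim, are dropped or rate-limited.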


©2008 About.com, a part of The New York Times Company.

All rights reserved.