One third of IPv4 address space fell under a denial of service (DoS) attack over the past two years, according to a large-scale analysis worldwide.
IPv4 is the fourth version of an Internet Protocol (IP) address, a numerical label assigned to each device participating in a computer network.
“We’re talking about millions of attacks,” said Alberto Dainotti, a research scientist at CAIDA (Center for Applied Internet Data Analysis), based at the San Diego Supercomputer Center (SDSC) at the University of California San Diego and the report’s principal investigator. “The results of this study are gigantic compared to what the big companies have been reporting to the public.” The research spanned two years from March 2015 to February 2017.
“These results caught us by surprise in the sense that it wasn’t something we expected to find. This is something we just didn’t see coming,” said the study’s first author, Mattijs Jonker, a researcher with the University of Twente in The Netherlands and former CAIDA intern.
The study sheds light on most of the DoS attacks on the Internet, its victims, and even the adoption of commercial services to combat these attacks.
Two predominant types of DoS attacks, intended to overwhelm a service by a sheer mass of requests are:
• “Direct” attacks, which involve traffic sent directly to the target from some infrastructure controlled by the attackers (e.g. their own machines, a set of servers, or even a botnet under their command.) These attacks often involve “random spoofing”, characterized by faking the source IP address in the attack traffic.
• “Reflection” attacks, during which third-party servers are involuntarily used to reflect attack traffic toward its victim. Many protocols that allow for reflection also add amplification, causing the amount of reflected traffic sent toward the victim to be many times greater than that sent toward the reflector initially.
To detect attacks, the researchers – a collaborative effort from UC San Diego, University of Twente, and Saarland University in Germany – employed two raw data sources that complement each other: The UCSD Network Telescope, which captures evidence of DoS attacks that involve randomly and uniformly spoofed addresses and the AmpPot DDoS (distributed denial-of-service) honeypots, which witness reflection and amplification of DoS attacks.
20 Million Attacks
Their data revealed more than 20 million DoS attacks that targeted about 2.2 million “slash 24 or /24” Internet addresses (part of a routing number that denotes bit-length of the prefix), which is about one-third of the 6.5 million /24 blocks estimated to be alive on the Internet. A /24 is a block of 256 IP addresses, usually assigned to a single organization. If a single IP address in a /24 block is targeted by a sheer mass of requests or volumetric attack, it’s likely the network infrastructure of the entire /24 block is affected.
“Put another way, during this recent two-year period under study, the Internet was targeted by nearly 30,000 attacks per day,” said Dainotti. “These absolute numbers are staggering, a thousand times bigger than other reports have shown.”
One researchers fears these statistics are likely “an under-estimation of reality.”
“Although our study employs state-of-the-art monitoring techniques, we already know we do not see some types of DoS attacks,” said Anna Sperotto, an assistant professor in the Design and Analysis of Communication Systems (DACS) department at the University of Twente. “In the future, we will need an even more thorough characterization of the DoS ecosystem to address this point.”
As might be expected, more than a quarter of the targeted addresses in the study came in the United States, the nation with the most Internet addresses in the world. Japan, with the third most Internet addresses, ranks anywhere from 14 to 25 for the number of DoS attacks, indicating a relatively safe nation for DoS attacks, while Russia is a prime example of a country that ranks higher than estimates for Internet space usage, suggesting a relatively dangerous country for these attacks.
Several third-party organizations that offer website hosting were also identified as major targets; the three most frequently attacked “larger parties” over the two year-period were: GoDaddy, Google Cloud, and Wix. Others included Squarespace, Gandi, and OVH.
“Most of the times, it’s the customer who is being attacked,” Dainotti said. “So, if you have a larger number of customers, you’re likely to have more attacks. If you’re hosting millions of websites, of course, you’re going to see more attacks.”
Aside from quantifying the number of DoS attacks on the Internet, the researchers also wanted to see if the attacks spurred website owners to purchase DoS protection services. Their study noted people were more inclined to outsource protection to third parties following a strong attack. Depending on the intensity of the attack, the migration to a third-party service might take place even within 24 hours of an attack.
“One of the things we show is if a website is attacked, this creates an urgency for people to start outsourcing to protection services,” Jonker said.
Although the study does not address the causes for the rise in DoS attacks in recent years, in an interview the researchers noted several strong possibilities including: Cyber-extortion, cyber-crime, cyber-warfare, political protest aimed at governments, censorship from authoritative regimes, attacks relating to on-line gaming (e.g. to gain a competitive advantage), school kids who may attack to avoid taking an exam, and disgruntled former employees.