A third of the internet is under DoS attack

To detect attacks, the researchers – a collaborative effort from UC San Diego, University of Twente, and Saarland University in Germany – employed two raw data sources that complement each other: the UCSD Network Telescope, which captures evidence of DoS attacks that involve randomly and uniformly spoofed addresses; and the AmpPot DDoS (distributed denial-of-service) honeypots, which witness reflection and amplification of DoS attacks.

Their data revealed more than twenty million DoS attacks that targeted about 2.2 million “slash 24 or /24” internet addresses (part of a routing number that denotes bit-length of the prefix), which is about one-third of the 6.5 million /24 blocks estimated to be alive on the internet. A /24 is a block of 256 IP addresses, usually assigned to a single organization. If a single IP address in a /24 block is targeted by a sheer mass of requests or volumetric attack, it’s likely that the network infrastructure of the entire /24 block is affected.

“Put another way, during this recent two-year period under study, the internet was targeted by nearly 30,000 attacks per day,” said Dainotti. “These absolute numbers are staggering, a thousand times bigger than other reports have shown.”

That said, one of the researchers added she’s worried these statistics are likely “an under-estimation of reality.”

“Although our study employs state-of-the-art monitoring techniques, we already know we do not see some types of DoS attacks,” said Anna Sperotto, an assistant professor in the Design and Analysis of Communication Systems (DACS) department at the University of Twente. “In the future, we will need an even more thorough characterization of the DoS ecosystem to address this point.”

As might be expected, more than a quarter of the targeted addresses in the study came in the United States, the nation with the most internet addresses in the world. Japan, with the third most internet addresses, ranks anywhere from 14^th to 25^th for the number of DoS attacks, indicating a relatively safe nation for DoS attacks, while Russia is a prime example of a country that ranks higher than estimates for internet space usage, suggesting a relatively dangerous country for these attacks.

Several third-party organizations that offer website hosting were also identified as major targets; the three most frequently attacked “larger parties” over the two year-period were: GoDaddy, Google Cloud, and Wix. Others included Squarespace, Gandi, and OVH.

“Most of the times, it’s the customer who is being attacked,” explained Dainotti. “So if you have a larger number of customers, you’re likely to have more attacks. If you’re hosting millions of websites, of course, you’re going to see more attacks.”

Aside from quantifying the number of DoS attacks on the internet, the researchers also wanted to see if the attacks spurred website owners to purchase DoS protection services. Their study noted that people were more inclined to outsource protection to third parties following a strong attack. Depending on the intensity of the attack, the migration to a third-party service might take place even within 24 hours of an attack.

“One of the things we show is if a website is attacked, this creates an urgency for people to start outsourcing to protection services,” said Jonker.

Although the study does not address the causes for the well-recognized rise in DoS attacks in recent years, in an interview the researchers noted several strong possibilities including: cyber-extortion, cyber-crime, cyber-warfare, political protest aimed at governments, censorship from authoritative regimes, attacks relating to on-line gaming (e.g. to gain a competitive advantage), school kids who may attack to avoid taking an exam, and disgruntled former employees.

“Even non-technical people can launch significant attacks through DDoS-as-a-Service providers (i.e. Booters),” said Jonker. “People can pay others with a subscription in exchange for just a few dollars.”

As for future studies, the researchers said they wanted to assess the impact of the attacks, to see if they managed to take down the targeted network; they’re also studying political attacks similar to those witnessed in Egypt and Libya that were subject to a 2012 study led by CAIDA researchers.

UCSD notes that under a grant for the U.S. Department of Homeland Security (DHS), the CAIDA team also plans to continuously monitor the DoS ecosystem to provide data for analysis to agencies and other researchers in a timely fashion.