- Internet hosts attacked millions of times a year
- Greatest number of attacks occur in US
- Attacks may lead website owners to outsource protection
For the first time, researchers have carried out a large-scale analysis of victims of internet denial-of-service (DoS) attacks worldwide. And what they found is, in a phrase from their study, “eye-opening”.
Spanning two years, from March 2015 to February 2017, the researchers found that about one-third of the IPv4 address space was subject to some kind of DoS attacks, where a perpetrator maliciously disrupts services of a host connected to the internet.
“We’re talking about millions of attacks,” says Alberto Dainotti, a research scientist with the Center for Applied Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center (SDSC) and the report’s principal investigator. “The results of this study are gigantic compared to what the big companies have been reporting to the public.”
To detect attacks, the researchers employed two raw data sources that complement each other: the UCSD Network Telescope, which captures evidence of DoS attacks that involve randomly and uniformly spoofed addresses; and the AmpPot DDoS (distributed denial-of-service) honeypots, which witness reflection and amplification of DoS attacks.
Their data revealed more than 20 million DoS attacks that targeted about 2.2 million “slash 24 or /24” internet addresses, which is about one-third of the 6.5 million /24 blocks estimated to be alive on the internet.
A /24 is a block of 256 IP addresses, usually assigned to a single organization. If a single IP address in a /24 block is targeted by a sheer mass of requests or volumetric attack, it’s likely that the network infrastructure of the entire /24 block is affected.
During the two-year period under study, the internet was targeted by nearly 30,000 attacks per day—a thousand times more than other reports have shown. ~Alberto Dainotti
That said, one of the researchers worries that these statistics are likely “an under-estimation of reality.”
“Although our study employs state-of-the-art monitoring techniques, we already know we do not see some types of DoS attacks,” says Anna Sperotto, assistant professor in the Design and Analysis of Communication Systems (DACS) department at the University of Twente. “In the future, we will need an even more thorough characterization of the DoS ecosystem to address this point.”
As might be expected, more than a quarter of the targeted addresses in the study occurred in the US, the nation with the most internet addresses in the world. Japan, with the third most internet addresses, ranks anywhere from 14th to 25th for the number of DoS attacks, indicating a relatively safe nation for DoS attacks.
Several third-party organizations that offer website hosting were also identified as major targets; the three most frequently attacked “larger parties” over the two year-period were: GoDaddy, Google Cloud, and Wix. Others included Squarespace, Gandi, and OVH.
Most of the time, it’s the customer who’s being attacked. If you’re hosting millions of websites, of course you’re going to see more attacks. ~Alberto Dainotti
Aside from quantifying the number of DoS attacks on the internet, the researchers also wanted to see if the attacks spurred website owners to purchase DoS protection services.
People were more inclined to outsource protection to third parties following a strong attack. Depending on the intensity of the attack, migration to a third-party service might take place within 24 hours of an attack.
“One of the things we show is if a website is attacked, this creates an urgency for people to start outsourcing to protection services,” says Jonker.
Now that the researchers know the extent of the cyberthreat, in the future they hope to assess the impact to see if attacks are effective in taking down the targeted networks. Not every attack succeeds, and a secure internet depends not just on the number of attacks but also how great the risk.