• Subscribe

A third of the internet is under attack

Speed read
  • Internet hosts attacked millions of times a year
  • Greatest number of attacks occur in US
  • Attacks may lead website owners to outsource protection

For the first time, researchers have carried out a large-scale analysis of victims of internet denial-of-service (DoS) attacks worldwide. And what they found is, in a phrase from their study, “eye-opening”.

Spanning two years, from March 2015 to February 2017, the researchers found that about one-third of the IPv4 address space was subject to some kind of DoS attacks, where a perpetrator maliciously disrupts services of a host connected to the internet.

<strong>Constant threat. </strong>Reasons for the increase in DoS attacks include cyber-extortion, cyber-warfare, political protest, censorship, on-line gaming tactics, and disgruntled former employees.

“We’re talking about millions of attacks,” says Alberto Dainotti, a research scientist with the Center for Applied Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center (SDSC) and the report’s principal investigator. “The results of this study are gigantic compared to what the big companies have been reporting to the public.”

Mattijs Jonker, a researcher with the University of Twente adds: “These results caught us by surprise. This is something we just didn’t see coming.”

The study – presented November 1, 2017 at the Internet Measurement Conference in London – sheds light on most of the DoS attacks on the internet.

To detect attacks, the researchers employed two raw data sources that complement each other: the UCSD Network Telescope, which captures evidence of DoS attacks that involve randomly and uniformly spoofed addresses; and the AmpPot DDoS (distributed denial-of-service) honeypots, which witness reflection and amplification of DoS attacks.

Types of DoS attacks

  • “Direct” attacks involve traffic sent directly to the target from infrastructure controlled by the attackers (e.g., their own machines, a set of servers, or a botnet). Often involves “random spoofing”, characterized by faking the source IP address.
  • In “Reflection” attacks, third-party servers are used to reflect attack traffic toward a victim. Many protocols that allow for reflection also add amplification, increasing the volume of reflected traffic.

Their data revealed more than 20 million DoS attacks that targeted about 2.2 million “slash 24 or /24” internet addresses, which is about one-third of the 6.5 million /24 blocks estimated to be alive on the internet.

A /24 is a block of 256 IP addresses, usually assigned to a single organization. If a single IP address in a /24 block is targeted by a sheer mass of requests or volumetric attack, it’s likely that the network infrastructure of the entire /24 block is affected.

During the two-year period under study, the internet was targeted by nearly 30,000 attacks per day—a thousand times more than other reports have shown. ~Alberto Dainotti

That said, one of the researchers worries that these statistics are likely “an under-estimation of reality.”

“Although our study employs state-of-the-art monitoring techniques, we already know we do not see some types of DoS attacks,” says Anna Sperotto, assistant professor in the Design and Analysis of Communication Systems (DACS) department at the University of Twente. “In the future, we will need an even more thorough characterization of the DoS ecosystem to address this point.”

As might be expected, more than a quarter of the targeted addresses in the study occurred in the US, the nation with the most internet addresses in the world. Japan, with the third most internet addresses, ranks anywhere from 14th to 25th for the number of DoS attacks, indicating a relatively safe nation for DoS attacks.  

Several third-party organizations that offer website hosting were also identified as major targets; the three most frequently attacked “larger parties” over the two year-period were: GoDaddy, Google Cloud, and Wix. Others included Squarespace, Gandi, and OVH.

Most of the time, it’s the customer who’s being attacked. If you’re hosting millions of websites, of course you’re going to see more attacks. ~Alberto Dainotti

Aside from quantifying the number of DoS attacks on the internet, the researchers also wanted to see if the attacks spurred website owners to purchase DoS protection services.

People were more inclined to outsource protection to third parties following a strong attack. Depending on the intensity of the attack, migration to a third-party service might take place within 24 hours of an attack.

“One of the things we show is if a website is attacked, this creates an urgency for people to start outsourcing to protection services,” says Jonker. 

Now that the researchers know the extent of the cyberthreat, in the future they hope to assess the impact to see if attacks are effective in taking down the targeted networks. Not every attack succeeds, and a secure internet depends not just on the number of attacks but also how great the risk.

Read the original article on SDSC's website.

Join the conversation

Do you have story ideas or something to contribute? Let us know!

Copyright © 2017 Science Node ™  |  Privacy Notice  |  Sitemap

Disclaimer: While Science Node ™ does its best to provide complete and up-to-date information, it does not warrant that the information is error-free and disclaims all liability with respect to results from the use of the information.

Republish

We encourage you to republish this article online and in print, it’s free under our creative commons attribution license, but please follow some simple guidelines:
  1. You have to credit our authors.
  2. You have to credit ScienceNode.org — where possible include our logo with a link back to the original article.
  3. You can simply run the first few lines of the article and then add: “Read the full article on ScienceNode.org” containing a link back to the original article.
  4. The easiest way to get the article on your site is to embed the code below.