Researchers Challenge DOS Attack Data

Nearly three-quarters of denial-of-service attacks come from a small number of troublemakers, new research says

Tim Wilson, Editor in Chief, Dark Reading, Contributor

September 6, 2006

2 Min Read
Dark Reading logo in a gray background | Dark Reading

Conventional wisdom about the sources and causes of denial-of-service (DOS) attacks -- and the best methods for preventing them -- could be completely wrong, a group of researchers said this week.

Researchers at the University of Michigan, Carnegie Mellon University, and AT&T Labs-Research said they have completed a study that debunks the widely-held belief that DOS attack traffic is usually generated by a large number of attack sources disguised by spoofed IP addresses.

In its study, the group found that 70 percent of DOS attacks are generated by less than 50 sources, and a relatively small number of attack sources account for nearly 72 percent of total attack volume. IP spoofing, long thought to be the most popular vector for launching a DOS attack, was found in only a few instances, the researchers said.

In the past, sources of DOS attacks were tracked by measuring "backscatter," the amount of unwanted traffic sent to unused address blocks, the researchers observed. Examining this type of traffic helps expose conversations generated between spoofed IP addresses and unknown recipients. But because this measurement technique assumes the DOS attack was launched through spoofed IP addresses, it doesn't account for DOS attacks launched via botnets, which have become a much more attractive vector for attackers, the research team said.

The new study combines traditional indirect measurement of backscatter with direct measurement of Netflow and alarms from a commercial DOS detection system. The resulting data suggests the vast majority of DOS traffic is coming not from hundreds of sources across the Web, but from a few sources that can be pinpointed and eliminated from everyday traffic flows, significantly reducing the impact of DOS traffic on a network or server.

The new data also suggests that current methods of preventing DOS, which assume large numbers of sources using IP spoofing, need some rethinking. "Less than 1 percent of the directly measured attacks produced backscatter," according to the paper. "Most attacks (83 percent) consist only of packets smaller than 100 bytes." The directly measured attack volume was highly predictable and often came from the same sources, which suggests that enterprises and service providers could solve a big chunk of the DOS problem simply by blocking traffic from those sources.

Enterprises and service providers "can reduce a substantial volume of malicious traffic with targeted deployment of DOS defenses," the group said. Makers of DOS defense tools said they could not comment until they had a chance to review the research.

— Tim Wilson, Site Editor, Dark Reading

About the Author

Tim Wilson, Editor in Chief, Dark Reading

Contributor

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one of the top cyber security journalists in the US in voting among his peers, conducted by the SANS Institute. In 2011 he was named one of the 50 Most Powerful Voices in Security by SYS-CON Media.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights