Denial of Service Attacks “One Thousand Times Bigger” Than Expected
“We’re talking about millions of attacks… The results of this study are gigantic compared to what the big companies have been reporting to the public.”
With constant reports of what seems like a never-ending spate of digital crime, it can be difficult to see the larger trends in today’s cyber-landscape.
Now, for the first time, a team of computer scientists have carried out research on denial-of-service (DoS) attacks on a worldwide scale. The results, according to the analysts, have unveiled “an eye-opening statistic.”
The team of analysts, based at UC San Diego, the University of Twente in the Netherlands and Saarland University in Germany, revealed that more than 20 million DoS attacks have targeted around one-third of the IPv4 address space (IPv4 being the most common protocol for internet traffic). Research spanned two years, from March 2015 to February 2017, and investigated DoS trends on a global scale.
“We’re talking about millions of attacks,” said research scientist and lead analyst Alberto Dainotti. Dainotti also warned: “The results of this study are gigantic compared to what the big companies have been reporting to the public.”
Co-author Mattijs Jonker added: “These results caught us by surprise in the sense that it wasn’t something we expected to find. This is something we just didn’t see coming.”
Their final report, titled Millions of Targets Under Attack: a Macroscopic Characterization of the DoS Ecosystem, was first presented on November 1, 2017 at the Internet Measurement Conference in London and published in the Proceedings of the Association for Computing Machinery. The study also examines how these attacks are made and the adoption of commercial services to combat the attacks.
According to the report, there are two common DoS attack avenues, namely:
- ‘Direct’ attacks, where criminals send traffic directly from an infrastructure that they control (such as their own machines or servers). Attackers here will typically ‘spoof’ the IP address of the offending traffic, to avoid detection.
- ‘Reflection’ attacks, where third-party servers are used involuntarily to reflect traffic towards their intended victim. Typically, these attacks also involve amplification, where the amount of traffic sent to the victim may be much greater than what was sent to the reflector initially.
The United States endured the highest number of attacks – over 25% of the worldwide total. Japan, despite having around 30% of the world’s internet addresses, ranks between 14th and 25th in the sheer number of DoS attacks. Conversely, Russia suffered from a far higher number of DoS attacks in relation to the number of sites hosted in the country.
Besides quantifying and locating DoS numbers across the globe, the team also examined whether cyber-incidents encouraged website owners and organisations to purchase DoS protection services. The study found that most were inclined to seek protection from a third party following a strong attack, and that depending on the severity of the incident, this might take place within 24 hours of the original assault.
“One of the things we show is if a website is attacked, this creates an urgency for people to start outsourcing to protection services,” Jonker noted.
Organisations that host web services were identified in the study as major targets; the three most frequently attacked ‘larger parties’ over the two-year period being GoDaddy, Google Cloud, and Wix. Dainotti explained: “Most of the time, it’s the customer who is being attacked. So if you have a larger number of customers, you’re likely to have more attacks. If you’re hosting millions of websites, of course, you’re going to see more attacks.”
Commenting further on the statistics, Dainotti added: “Put another way, during this recent two-year period under study, the internet was targeted by nearly 30,000 attacks per day. These absolute numbers are staggering, a thousand times bigger than other reports have shown.”
Anna Sperotto, an Assistant Professor in the Design and Analysis of Communication Systems (DACS) department at the University of Twente, warned that even these statistics could be underestimating reality. Sperotto said: “Although our study employs state-of-the-art monitoring techniques, we already know we do not see some types of DoS attacks. In the future, we will need an even more thorough characterisation of the DoS ecosystem to address this point.”
The survey offers no explanation as to why DoS attacks might be on the rise. Ian McGowan, Managing Consultant at Barrier Networks, offered DIGIT several reasons as to why DoS attacks appear to be proliferating. First and foremost, according to McGowan: “The use of DoS attacks is becoming more prevalent as it’s easier than ever to launch them. I’m not surprised to read this, [given] the accessibility of DoS services available for hire.”
McGowan explained: “DoS platforms enable cyber criminals with minimal skills to launch devastating attacks at low cost. As there is a demand for them, we are seeing an increase in the number of suppliers and advances in the sophistication of the DDoS platforms available.”
But Federico Charosky, Managing Director of Quorum Cyber, told DIGIT to treat these findings with caution. Charosky claimed that general numbers oversimplify the actual impact of individual DoS attacks, telling DIGIT: “This is very welcome research, but just because we see a lot of something, doesn’t mean that it is as critical as it is perceived just by looking at the numbers.
“In fact, the mere fact that it surprised everybody in the research team could indicate that we are actually not feeling any impact from these attacks. In a way, if one-third of the internet had gone down last year (a successful DoS attack’s objective), we would probably have known about it.”