Security Week, Nov 11, 2017 - The incidence of denial-of-service (DoS) attacks has consistently grown over the last few years, "steadily becoming one of the biggest threats to Internet stability and reliability." Over the last year or so, the emergence of IoT-based botnets -- such as Mirai and more recently Reaper, with as yet unknown total capacity -- has left security researchers wondering whether a distributed denial-of-service (DDoS) attack could soon take down the entire internet.
The problem is there is no macroscopic view of the DoS ecosphere. Analyses tend to be by individual research teams examining individual botnets or attacks. Now academics from the University of Twente (Netherlands); UC San Diego (USA); and Saarland University (Germany) have addressed this problem "by introducing and applying a new framework to enable a macroscopic characterization of attacks, attack targets, and DDoS Protection Services (DPSs)."
The initial results, published in a paper (PDF) presented at IMC 2017 in London this week, took the researchers by surprise. In devising a methodology to assess the entire DoS ecosphere, they discovered "the massive scale of the DoS problem, including an eye-opening statistic that one-third of all /24 networks recently estimated to be active on the Internet have suffered at least one DoS attack over the last two years."
In developing their framework for a macroscopic evaluation of DoS, the researchers aggregated and analyzed data over the last two years from the UCSD Network Telescope -- which captures evidence of DoS attacks that involve randomly and uniformly spoofed addresses -- and the AmpPot DDoS honeypots -- which witness reflection and amplification of DoS attacks.
The results are staggering. "Together," say the researchers, "our data sets of attack events account for 20.90 M attacks, targeting 6.34 M unique IP addresses, over a two-year period." The daily figures are no less surprising. By combining the direct attacks with the reflection attacks, the researchers discovered that the internet suffers an average of 28,700 distinct DoS attacks every day. This is claimed to be 1000 times greater than other reports have indicated.
"A takeaway from these results," say the researchers, "is that each day we see attacks on tens of thousands of unique target IP addresses, spread over thousands of autonomous systems."
The geolocation of the targets closely reflects internet address space utilization -- for example, the USA has 25.56% of all unique IP addresses, and is the target for about 25% of all randomly spoofed attacks. Chinese IP addresses are the second most common target for random spoofing attacks. However, there are some exceptions. Russia and France both rank higher in the percentage of attacks than their overall percentage of internet address space -- making these locations statistically more likely to receive DoS attacks. Japan is the opposite with almost 7% of address space (the third largest region), but ranking 14th in the honeypot dataset and 25th in the telescope data set of attacks -- making Japan statistically one of the safer regions.