Study on DoS Activity In The Internet
Random Walk writes "A group of researchers from the UCSD Supercomputer Center has used a
technique they call "backscatter analysis" to study
the prevalence and targets of DoS attacks. They claim that
their study is
"the only publically available data quantifying
denial-of-service activity in the Internet", and
provide interesting statistics on attack rates, durations, and victims." CT: This is an amazing report.
I found the paper really interesting. The methods and techniques seem reasonably sound for establishing a lower bound for "significant" attacks. But I'm disturbed that in the midst of the IPv4 address-space crunch where getting a /19 out of ARIN is practically impossible, the researchers were allowed to use a /8 network that was totally unutilized (or if that wasn't true, their data are seriously problematic).
They say themselves -- they were monitoring backscatter traffic by observing any traffic sent into an unused network address space comprising 1/256th of the total IPv4 space.
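The inference the poster is describing, as an added example (not code from the UCSD paper or from the poster): a monitor that owns one /8 receives 1/256 of the replies a victim sends to uniformly spoofed sources, so it attributes those replies to the victim, splits them into attacks by idle gaps, and scales the observed count by 256. The telescope prefix (10.0.0.0/8), the 300 s idle gap, and the packet capture are all constructed for illustration; the scaled rate is a lower bound, since replies the victim or its network drops or rate-limits never arrive.

```python
"""
Backscatter inference over a constructed darknet capture.

Added example; not code from the UCSD paper or from the poster above. The
packets, addresses and timestamps are constructed for illustration.
Assumption: the monitor receives everything sent to one /8 (1/256 of IPv4),
so a victim replying to uniformly spoofed sources puts 1/256 of its replies
into the monitor, and observed counts scale by 256.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MONITORED = ip_network("10.0.0.0/8")       # assumed telescope prefix
SCALE = 2**32 // MONITORED.num_addresses   # 256 for a /8
ATTACK_GAP = 300.0                         # assumed idle seconds that end an attack

@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time, seconds
    src: str           # responder; for backscatter this is the victim
    dst: str           # address inside the monitored block
    proto: str         # "tcp", "icmp" or "udp"
    flags: str = ""    # TCP flags, e.g. "S", "SA", "R", "RA"
    icmp_type: int = -1

# Replies a host emits to unsolicited packets. A plain SYN or a UDP probe
# addressed to the darknet is a scan aimed at us, not backscatter.
BACKSCATTER_TCP = {"SA", "R", "RA"}
BACKSCATTER_ICMP = {0, 3, 11}   # echo reply, dest unreachable, time exceeded

def is_backscatter(p: Packet) -> bool:
    if ip_address(p.dst) not in MONITORED:
        return False
    if p.proto == "tcp":
        return p.flags in BACKSCATTER_TCP
    if p.proto == "icmp":
        return p.icmp_type in BACKSCATTER_ICMP
    return False

def summarize(victim, start, end, count):
    duration = end - start
    return {
        "victim": victim,
        "start": start,
        "duration_s": duration,
        "observed_pkts": count,
        "est_rate_pps": count * SCALE / max(duration, 1.0),  # lower bound
    }

def group_attacks(packets):
    """Attribute backscatter to victims and split each victim's replies into
    attacks whenever more than ATTACK_GAP seconds pass between packets."""
    by_victim = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        if is_backscatter(p):
            by_victim[p.src].append(p.ts)
    attacks = []
    for victim, times in by_victim.items():
        start = last = times[0]
        count = 0
        for t in times:
            if t - last > ATTACK_GAP:
                attacks.append(summarize(victim, start, last, count))
                start, count = t, 0
            last = t
            count += 1
        attacks.append(summarize(victim, start, last, count))
    return attacks

def constructed_capture():
    """Constructed sample: a 60 s SYN flood against 198.51.100.7 (seen as
    SYN/ACKs), a second burst against it 15 minutes later, ICMP unreachables
    from a router at 192.0.2.1, and an unrelated SYN scan from 203.0.113.9."""
    pkts = []
    for i in range(300):
        dst = f"10.{i % 256}.{(i * 7) % 256}.{(i * 13) % 256}"
        pkts.append(Packet(i * 0.2, "198.51.100.7", dst, "tcp", "SA"))
    for i in range(11):
        pkts.append(Packet(1000.0 + i, "198.51.100.7", f"10.200.{i}.1", "tcp", "RA"))
    for i in range(5):
        pkts.append(Packet(50.0 + i, "192.0.2.1", f"10.9.9.{i}", "icmp", icmp_type=3))
    for i in range(20):
        pkts.append(Packet(10.0 + i, "203.0.113.9", f"10.1.2.{i}", "tcp", "S"))
    return pkts

if __name__ == "__main__":
    for a in group_attacks(constructed_capture()):
        print(a)
```

Run as-is it reports three attacks: the 300 SYN/ACKs over 59.8 s become an estimated flood of about 1,284 packets per second against 198.51.100.7, the later RST/ACK burst is a separate attack on the same host, and the SYN scan never appears because it is traffic aimed at the darknet rather than a reply to spoofed traffic.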
This just in:
In what many people are calling a sick twist of fate, the Supercomputer Center was hit with a Denial of Service attack shortly after issuing a study on the prevalence and target of DoS attacks. While details are sparse at this point, that attack is rumored to have been a "Slashdot-effect" attack. The leader of the "Slashdot" group of hackers, CmdrTaco, could not be reached for comment. His partner in crime, Hemos, was quoted as saying, "Ph34r the sl4shd0t 3ff3ct!" More details to follow as they become public.
Maybe a little off topic, but Congress just published a report on the FBI's National Infrastructure Protection Center. It deems the FBI incompetent and nothing more than an incident report function. DoS is covered in detail. The Register has a good write-up today.
Help fight continental drift.
As somebody who has had to deal with the fallout of these attacks more than once, I would say no. They are never justified. If you are flooding enough traffic to affect the target, you are almost certainly affecting lots of other people who just happen to share a pipe with the target. If you DoS some web site, what do you think that does to other sites on the same server? Other folks who just happen to be at the same co-lo site? What about the folks who just happen to have the same local or upstream ISP? Is it OK for me to DoS you because I don't like your neighbor? Is it OK for me to DoS all of optonline.net because I don't like your political views?
Even if you accept the premise that it's OK to DoS innocent people, a DoS is a piss-poor political statement. Nobody is going to notice at all. If I find that riaa.org is unreachable, am I going to suddenly telepathically reach some conclusion about their politics? No. If you want to make a political statement, you have to actually say something. Merely screaming nothing at the top of your lungs accomplishes nothing.
So CmdrTaco is posting as Hemos now?
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Regardless, their study is probably useful at gauging the frequency of attacks that aren't truly massive enough to attract widespread notice. Some of those do seem to reveal more sophistication than this technique would catch. Yahoo attacks and the Microsoft DNS attack seem to have revealed a certain amount of awareness of network structure. But as a technique of measuring attacks that aren't otherwise widely reported, this study is an order of magnitude more interesting than anything I've seen before.
I've personally noticed what I believe to be "backscatter" - large, brief ping floods that are too small or brief to be an actual DoS.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes.
Expanding a vast wasteland since 1996.
It's just like any violent protest. Everyone has a breaking point.
I'm not sure if it's a very good form of protest; it might get a few lines in a newspaper article but doesn't make for good film at 11.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
You can view Stefan Savage (one of the paper's co-authors) giving a lecture on his findings at http://stanford-online.stanford.edu. The lecture is only about 50 minutes. Click on "View Free Seminars" and then on the link for "CS548 Internet and Distributed Systems Research Seminar". The lecture is from May 16th.
Sorry, the only format is streaming Windows Media.
-Sverker
Nicely written document, although they should have focused likewise on posting some methods to circumvent DoS attacks. Many networking and security admins know of the problems arising from DoS, yet there are scores of them who know little about protecting their infrastructure from an attack.
Personally I think it's a trivial job to halt denial-of-service attacks, but it can be done, and what someone should create is a framework for ISPs, colleges, whoever has a network propagating info out, to follow that shows them how to enable egress filtering so no attacks come out of their network, and an equally likewise doc that shows preventive measures.
Everyone, and their BOFH mother that's on the net, knows the effects of a DoS attack, or what a DoS attack is, but a fraction of them know what to do about it.
Anyways, for some of those admins, I have a doc called Stopping DoS which is a die-hard "this-is-what-you-do-on-this-hardware" to limit DoS attacks, as well as a s(emi)tudy paper called "Theories in DoS" which is a higher protocol-level look at denials of service, which provides a framework look into future avoidances of them.
P.S. These are docs I wrote out of spare time, etc., nothing more, so don't expect any RFC-based documents such as this paper that's linked.
Want Root?
1) Right now, any insecure computer can be cracked for use in a DoS attack, thereby indirectly implicating an innocent person. Anyone can get hijacked in this way and framed for another attack, particularly if the investigators choose not to trace back to the original source.
This is something that is bugging me right now. I got myself cracked on New Year's Eve. It was my own stupid fault, I had forgotten to patch ftpd and some little wiener had installed a root kit through it. As luck would have it I was in bed with the flu and happened to notice the flashing lights on my cable modem so I got the machine unplugged right away.
Here's the thing that bothers me. If I hadn't noticed for a day or two and the script kiddie had gone and used my machine as a place to crack from, or if he used it as a node in a DDoS attack, how responsible am I? It is partially my fault the machine got compromised, but how much trouble could I get in when the federales came and busted down my door? I honestly believe that if some subsequent attack had been traced back to my box and the feds found out it was owned by a mid-20s UNIX geek type guy, I could really have been in for some grief. I would at least get all my machines confiscated for "evidence".
Something to think about anyways.
What someone should really do is set up a kernel module and/or userspace app that reports unusual packets back to a data-gathering server. Because the reporting machines would be scattered all over the place there's no practical way to avoid them, and they'd get a good pool of backscatter.
Of course, the data-gathering server would probably get DoSed in short order...
314-15-9265
Sorry. Should have checked the coordinator name for 44.0.0.0/8: "Kantor, Brian (BK29-ARIN) brian@UCSD.EDU". Looks like this was the block they were using, then.
my plan
GROGGS: alive and well and living in
No. This would be self-administered justice and cannot be justified.
KdenLive/PIAVE - non-linear video editing
Analyzing the backscatter traffic from attacks is actually a very well-known technique among firewall admins and other security practitioners.
lcamtuf's wtfs project, for instance, has successfully used this kind of distributed monitoring to discover many interesting probes, including Hotmail's stealthy reverse tracerouting, strange behaviour from f5 load balancers, as well as many actual attacks and scans, by monitoring unused /16s and random hosts across the net.
So I guess there are even non-political, ethical justifications for DoS attacks.
More so, isn't DoS precisely what companies like Mercury Interactive and Keynote do when they try to slam your webserver so you know whether you need to buy more server processing power, etc.?
What do you mean, "replaced"? ;-)
PortSentry, the stateful firewall I use on my linux box, picks up a ton of attempts from .ro domains. A friend of mine had his box owned by a .ro. Someone from a .ro host ran a CGI-scanner against one of my commercial websites, generating about 3,000 404 email reports in 10 minutes. A lot of fraudulent orders (on that same site) come from IPs in Romania.
I get more problems from Romania than I do from Russia. For a country with such a "poor networking infrastructure," they have no shortage of crackers and carders. And it doesn't surprise me in the least that they're getting their punk asses DoS'd!
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
This report sounds similar to the "Resilience of the Internet to Random Breakdowns" report that was on Slashdot a while ago, from the Online Journal Publishing Service (Physical Review Letters, or something). While, yes, in theory, the Internet could still operate with 99% of its nodes nonfunctional, most of the content of the Internet would be lost in the 99% that went down.
It seems like it would be similar here. I will state right off that I have not had the time to read the article yet, since I'm writing this message from on the job, but it sounds to me like it's just looking at raw numbers, and not the implications of those numbers. The sites that were attacked were high-profile sites, such as Amazon.com, yahoo.com, ebay.com, microsoft.com, and such - sites that the orchestrators were trying to make a point by attacking. If you look at the number of machines used, etc., you get an idea of the attacker's technical savvy, but not necessarily their motives.
Analyzing raw data is good, but when it comes to humans, it is very hard to reduce human behavior down to a series of numbers in a table. Of course, my conclusion may change on reading the paper in more detail later this afternoon.
Seven out of ten statisticians say that all statistics are meaningless.
While I am pleased that there is a scientific mapping of DoS attacks I would like to take the opportunity to point out certain dynamics in DoS attacking, particularly if used as a disinformation and political tool by government.
1) Right now, any insecure computer can be cracked for use in a DoS attack, thereby indirectly implicating an innocent person. Anyone can get hijacked in this way and framed for another attack, particularly if the investigators choose not to trace back to the original source.
2) DoS and other infowar techniques have been used by the political opponents of Indymedia and other "subversive" websites. I am not referring to the Indymedia subpoena related to the Quebec protests, which was referred to earlier on this site, but to the simple denial of service that crashes these things when they are needed most.
3) Let's say that there is, hypothetically, some politically motivated DoS going on. If so, it's quite silly and wasteful. The sites that are being DoS'ed are usually those prominent targets, big corporations and government sites which are sometimes capable of holding off attack but are always capable of sending many goons after you. Might I suggest that there are more effective ways of using technology as a political tool.
Goat sex free since 2001
Owing to the potential for malfunctioning devices, misconfigured systems, etc. to generate traffic that might appear as a DoS attack under their definitions (they stuck to flooding attacks), I wonder if they drew a line, below which something did not qualify as an attack? And if so, where did they draw the line, and how many script kiddies' actions fell below it?
For your security, this post has been encrypted with ROT-13, twice.
CERT appears to be conducting some additional research in this field right now. http://news.cnet.com/news/0-1003-200-6016900.html
Quoted from the article above:
*begin quote*
3.3 Analysis limitations
There are three assumptions that underly our analysis:
* Address uniformity: attackers spoof source addresses at random.
*end quote*
This seems to me to be a currently acceptable assumption IFF the attacks are of an unsophisticated/sophomoric nature; however, if the attackers are attempting to cause maximum utilization of the target network's resources, the attackers most likely will not use a randomly distributed source address. In fact, the optimal employment of spoofed addresses will likely be some subset of the addresses employed by the target's network.
It seems likely in light of this that the "backscatter technique" outlined here, while useful, may not record the attacks engineered by more sophisticated attackers.
Nietzsche on Diku:
sn; at god ba g
:Backstab >KILLS< god.
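What the address-uniformity assumption quoted above buys, and what happens when it fails, as an added example (not code from the paper or from the poster). The simulation is constructed: a victim answers every spoofed SYN with a SYN/ACK to the spoofed source, a telescope assumed to own 10.0.0.0/8 counts the SYN/ACKs that land in it, and the observed count is multiplied by 256. The second scenario is the poster's point (sources confined to the target's own /16 never reach the telescope); the third goes one step beyond the post to show that non-uniform spoofing can also make the telescope overstate an attack, not only miss it.

```python
"""
Added example (not code from the paper or from the poster): a constructed
simulation of how the address-uniformity assumption decides what a /8
telescope sees. The victim answers every spoofed SYN with a SYN/ACK to the
spoofed source; the telescope (assumed to be 10.0.0.0/8) counts the
SYN/ACKs that land in it and infers the attack rate as observed * 256.
"""
import random

TELESCOPE_OCTET = 10    # assumption: the telescope owns 10.0.0.0/8
SCALE = 256             # 2**32 / 2**24

def ip_to_int(dotted: str) -> int:
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def spoof_uniform(rng: random.Random) -> int:
    """The paper's assumption: source chosen uniformly from all 2**32 addresses."""
    return rng.getrandbits(32)

def spoof_within(prefix: int, prefix_len: int):
    """Sources confined to one prefix, e.g. the target's own /16, so the
    replies stay on the target's links."""
    host_bits = 32 - prefix_len
    base = (prefix >> host_bits) << host_bits
    return lambda rng: base | rng.getrandbits(host_bits)

def lands_in_telescope(addr: int) -> bool:
    return (addr >> 24) == TELESCOPE_OCTET

def simulate(n_packets: int, spoofer, seed: int = 1) -> dict:
    """Send n_packets spoofed SYNs; count the SYN/ACKs the telescope sees."""
    rng = random.Random(seed)
    observed = sum(lands_in_telescope(spoofer(rng)) for _ in range(n_packets))
    return {"sent": n_packets, "observed": observed, "inferred": observed * SCALE}

def compare(n_packets: int = 256_000) -> dict:
    victim = ip_to_int("198.51.100.7")       # constructed target address
    return {
        # uniform spoofing: inferred rate lands close to the true one
        "uniform": simulate(n_packets, spoof_uniform),
        # spoofing only the target's /16: the telescope sees nothing at all
        "target_slash16": simulate(n_packets, spoof_within(victim, 16)),
        # spoofing only addresses inside the telescope's /8: every reply is
        # seen and the x256 inference overstates the attack 256-fold
        "inside_telescope": simulate(n_packets, spoof_within(TELESCOPE_OCTET << 24, 8)),
    }

if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:>18}: sent={r['sent']} observed={r['observed']} inferred={r['inferred']}")
```

With uniform spoofing the telescope sees roughly a thousand of the 256,000 replies and infers a figure near the truth; with sources confined to the target's /16 it sees zero and the attack is invisible; with sources confined to the telescope's own block it sees all 256,000 and reports an attack 256 times larger than it was. The x256 scaling is only meaningful under the assumption the poster quotes.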
While we're on the subject, I'm interested in the Slashdot community's opinion on DoS. Is anyone in support of it in special circumstances? For example, would you support it if it were politically justified? I'm not talking about anything and everything one disagrees with, but what about cases of blatant human rights violations? Comments?
----------What the Chiquita banana?