Study on DoS Activity In The Internet
Random Walk writes "A group of researchers from the UCSD Supercomputer Center has used a technique they call "backscatter analysis" to study the prevalence and targets of DoS attacks. They claim that their study is "the only publically available data quantifying denial-of-service activity in the Internet", and provide interesting statistics on attack rates, durations, and victims." CT: This is an amazing report.
This just in:
In what many people are calling a sick twist of fate, the Supercomputer Center was hit with a Denial of Service attack shortly after issuing a study on the prevalence and targets of DoS attacks. While details are sparse at this point, that attack is rumored to have been a "Slashdot-effect" attack. The leader of the "Slashdot" group of hackers, CmdrTaco, could not be reached for comment. His partner in crime, Hemos, was quoted as saying, "Ph34r the sl4shd0t 3ff3ct!" More details to follow as they become public.
As somebody who has had to deal with the fallout of these attacks more than once, I would say no. They are never justified. If you are flooding enough traffic to affect the target, you are almost certainly affecting lots of other people who just happen to share a pipe with the target. If you DoS some web site, what do you think that does to other sites on the same server? Other folks who just happen to be at the same co-lo site? What about the folks who just happen to have the same local or upstream ISP? Is it OK for me to DoS you because I don't like your neighbor? Is it OK for me to DoS all of optonline.net because I don't like your political views?
Even if you accept the premise that it's OK to DoS innocent people, a DoS is a piss-poor political statement. Nobody is going to notice at all. If I find that riaa.org is unreachable, am I going to suddenly telepathically reach some conclusion about their politics? No. If you want to make a political statement, you have to actually say something. Merely screaming nothing at the top of your lungs accomplishes nothing.
Nicely written document although they should have focused likewise on posting some methods to circumvent DoS attacks. Many networking, and security admins, know of the problems arising from DoS, yet there are scores of them who know little about protecting their infrastructure from an attack.
Personally I think it's a trivial job to halt denial of service attacks, but it can be done, and what someone should create is a framework for ISPs, colleges, whoever has a network propagating info out, to follow that shows them how to enable egress filtering so no attacks come out of their network, and an equally likewise doc that shows preventive measures.
Everyone, and their BOFH mother that's on the net, knows the effects of a DoS attack, or what a DoS attack is, but a fraction of them know what to do about it.
Anyways for some of those admins, I have a doc called Stopping DoS which is a die hard "this-is-what-you-do-on-this-hardware" to limit DoS attacks, as well as a s(emi)tudy paper called "Theories in DoS" which is a higher protocol level look at Denials of Service, which provides a framework look into future avoidances of them.
P.S. These are docs I wrote out of spare time, etc. nothing more, so don't expect any RFC based documents such as this paper that's linked.
Want Root?
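The egress filtering the comment above recommends, as an added illustration that is not from the post or from the linked study: a border filter that only forwards outbound packets whose source address belongs to the site's own prefixes, so a compromised host inside the site cannot emit a flood with spoofed sources. The prefixes, the victim address and the flood are all constructed for the example.

```python
"""Egress (source-address) filter at a site border, constructed example.
The site prefixes, victim address and attack traffic below are made up."""
import ipaddress
import random

# Constructed: the address blocks this site legitimately originates traffic from.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]


def egress_allowed(src_ip, prefixes=SITE_PREFIXES):
    """True if an outbound packet with this source address may leave the site.
    Egress filtering drops anything whose source is not inside the site's own
    address space, which is exactly what a spoofed flood looks like."""
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in prefixes)


def filter_outbound(packets, prefixes=SITE_PREFIXES):
    """Split (src, dst) tuples into the packets forwarded and the ones dropped."""
    forwarded, dropped = [], []
    for src, dst in packets:
        bucket = forwarded if egress_allowed(src, prefixes) else dropped
        bucket.append((src, dst))
    return forwarded, dropped


def spoofed_flood(victim, count, seed=1):
    """Constructed attack traffic: a compromised host inside the site sends
    SYNs to the victim with uniformly random spoofed source addresses."""
    rng = random.Random(seed)
    return [(str(ipaddress.IPv4Address(rng.getrandbits(32))), victim)
            for _ in range(count)]


if __name__ == "__main__":
    victim = "192.0.2.10"  # constructed victim address
    legit = [("203.0.113.7", victim), ("198.51.100.9", victim)]
    fwd, drop = filter_outbound(legit + spoofed_flood(victim, 1000))
    print(f"forwarded {len(fwd)} packets, dropped {len(drop)} spoofed packets")
```

Because a random 32-bit source almost never lands inside the site's 384 addresses, practically the whole flood is dropped at the border while the two legitimate packets pass.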
What do you mean, "replaced"? ;-)
--
PortSentry, the stateful firewall I use on my linux box, picks up a ton of attempts from .ro domains. A friend of mine had his box owned by a .ro. Someone from a .ro host ran a CGI-scanner against one of my commercial websites, generating about 3,000 404 email reports in 10 minutes. A lot of fraudulent orders (on that same site) come from IPs in Romania.
I get more problems from Romania than I do from Russia. For a country with such a "poor networking infrastructure," they have no shortage of crackers and carders. And it doesn't surprise me in the least that they're getting their punk asses DoS'd!
Shaun
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
While I am pleased that there is a scientific mapping of DoS attacks I would like to take the opportunity to point out certain dynamics in DoS attacking, particularly if used as a disinformation and political tool by government.
1) Right now, any insecure computer can be cracked for use in a DoS attack, thereby indirectly implicating an innocent person. Anyone can get hijacked in this way and framed for another attack, particularly if the investigators choose not to trace back to the original source.
2) DoS and other infowar techniques have been used by the political opponents of Indymedia and other "subversive" websites. I am not referring to the Indymedia subpoena related to the Quebec protests, which was referred to earlier on this site, but to the simple denial of service that crashes these things when they are needed most.
3) Let's say that there is, hypothetically, some politically motivated DoS going on. If so, it's quite silly and wasteful. The sites that are being DoS'ed are usually those prominent targets, big corporations and government sites which are sometimes capable of holding off attack but are always capable of sending many goons after you. Might I suggest that there are more effective ways of using technology as a political tool.
Goat sex free since 2001
Quoted from the article above:
*begin quote*
3.3 Analysis limitations
There are three assumptions that underlie our analysis:
* Address uniformity: attackers spoof source addresses at random.
*end quote*
This seems to me to be a currently acceptable assumption IFF the attacks are of an unsophisticated/sophomoric nature; however, if the attackers are attempting to cause maximum utilization of the target network's resources, the attackers most likely will not use a randomly distributed source address. In fact, the optimal employment of spoofed addresses will likely be some subset of the addresses employed by the target's network.
It seems likely in light of this that the "backscatter technique" outlined here, while useful, may not record the attacks engineered by more sophisticated attackers.
Nietzsche on Diku:
sn; at god ba g
:Backstab >KILLS< god.
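The address-uniformity assumption discussed in the comment above, worked through as an added example (not code from the study or the commenter): a victim answers each spoofed SYN with a SYN-ACK to the spoofed source, a monitor that owns one /8 captures the replies that land in its block, and the attack size is estimated by scaling the observed count up to the whole IPv4 space. The same code then shows the commenter's case, where the attacker spoofs only addresses from the victim's own network and the monitor sees nothing. The /8 monitor block, victim network and traffic volumes are assumptions made for the example.

```python
"""Backscatter estimation under uniform spoofing, and its blind spot when
spoofed sources are confined to the victim's network. Constructed traffic."""
import ipaddress
import random

MONITOR = ipaddress.ip_network("10.0.0.0/8")  # assumed monitored block
ADDRESS_SPACE = 2 ** 32                        # whole IPv4 space


def victim_backscatter(spoofed_sources):
    """The victim replies to every spoofed SYN with a SYN-ACK sent to the
    spoofed source; these unsolicited replies are the backscatter."""
    return [("SYN-ACK", src) for src in spoofed_sources]


def observed_at_monitor(backscatter, monitor=MONITOR):
    """Only replies addressed into the monitored block are captured."""
    return [pkt for pkt in backscatter if ipaddress.ip_address(pkt[1]) in monitor]


def estimate_attack_packets(observed_count, monitor=MONITOR):
    """Scale the monitor's count up to all of IPv4, which is only valid if
    the attacker picked spoofed sources uniformly at random."""
    return observed_count * ADDRESS_SPACE // monitor.num_addresses


def uniform_sources(count, seed=7):
    """Sophomoric attacker: spoofed sources drawn uniformly from 0.0.0.0/0."""
    rng = random.Random(seed)
    return [str(ipaddress.IPv4Address(rng.getrandbits(32))) for _ in range(count)]


def victim_net_sources(count, victim_net, seed=7):
    """Sophisticated attacker from the comment: spoof only addresses inside
    the victim's own network, so the replies never leave it."""
    rng = random.Random(seed)
    net = ipaddress.ip_network(victim_net)
    base = int(net.network_address)
    return [str(ipaddress.IPv4Address(base + rng.randrange(net.num_addresses)))
            for _ in range(count)]


def run(sources):
    """Return (packets seen by the monitor, estimated attack packets)."""
    seen = len(observed_at_monitor(victim_backscatter(sources)))
    return seen, estimate_attack_packets(seen)


if __name__ == "__main__":
    n = 200_000  # constructed attack size
    print("uniform spoofing:   ", run(uniform_sources(n)))            # estimate near n
    print("victim-net spoofing:", run(victim_net_sources(n, "192.0.2.0/24")))  # (0, 0)
```

With uniform spoofing the monitor sees roughly 1/256 of the replies and the estimate lands close to the true 200,000 packets; with sources confined to 192.0.2.0/24 nothing reaches the monitor and the attack is invisible to this technique.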