Slashdot Mirror


A Third of the Internet Experienced DoS Attacks in the Last Two Years (sciencedaily.com)

Long-time Slashdot reader doom writes: Over a two-year period, a third of the IPv4 address space has experienced some sort of DoS attack, though the researchers who've ascertained this suspect this is an underestimate. This is from a story at Science Daily reporting on a study recently presented in London at the Internet Measurement Conference.

"As might be expected, more than a quarter of the targeted addresses in the study came in the United States, the nation with the most internet addresses in the world. Japan, with the third most internet addresses, ranks anywhere from 14th to 25th for the number of DoS attacks, indicating a relatively safe nation for DoS attacks..."

The study itself states, "On average, on a single day, about 3% of all Web sites were involved in attacks (i.e., by being hosted on targeted IP addresses)."

"Put another way," said the report's principal investigator, "during this recent two-year period under study, the internet was targeted by nearly 30,000 attacks per day."

31 comments

  1. Am I safe? by 110010001000 · · Score: 1

    I installed Win95 on my DOS system. Am I safe?

    1. Re:Am I safe? by jez9999 · · Score: 3, Funny

      Yes. There's no way it could connect to the internet.

    2. Re:Am I safe? by puddingebola · · Score: 1

      NO! And you're getting sued. Upgrade to Windows 10 immediately. The undead zombie lawsuit wants more BRAINS! Or legal fees, whichever.

  2. Looks like bullshit. Smells like bullshit.... by Anonymous Coward · · Score: 0

    Guess what.... it is bullshit

  3. So,, what's the fix? by doom · · Score: 3, Interesting

    What I'd actually like to hear about are alternate designs that could be used to create a net without vulnerability to denial-of-service.

    1. Re:So,, what's the fix? by jez9999 · · Score: 1

      The fundamental problem is DDoS with thousands of bots, is it not? In which case the fix is to get rid of all the insecure devices: either refuse all traffic from them somehow, or maybe have an opt-in internetwork where you're booted off if you're found to have an insecure device, having to earn your way back in.

    2. Re:So,, what's the fix? by 110010001000 · · Score: 2

      Yep. That is the next step. Only "approved" devices can connect (iOS, Windows 10, etc). Be careful what you wish for.

    3. Re:So,, what's the fix? by dog77 · · Score: 1

      Quickly drop packets that don't have a correct cryptographic signature necessary to talk with a site. Make it a slow process requiring some human intervention to get a temporary cryptographic signature necessary to send a packet to a site. This way, the denial of service attack would be limited by the speed of the human. There would still be the problem of the site that gives out the cryptographic signature, but that function could be spread out and optimized making it impractical to attack.

    4. Re:So,, what's the fix? by Anonymous Coward · · Score: 0

      You'd have to rip out TCP/IP from the root.

      Denial-of-service works because the only way to stop legitimate packets is your firewall. The only way to fix this would involve giving complete strangers the (automated and automatic) ability to tell your hypothetical backbone that they do not want traffic from a particular source and trust that this power would not be abused.

    5. Re:So,, what's the fix? by Anonymous Coward · · Score: 0

      If ISPs would actually police their network this would be solved very quickly.
      For example, xs4all immediately disconnects you when they find you spewing any kind of malware or being part of a DDoS.
      Disconnected means you can no longer open connections outside of the ISP, so you can still use their email server, web proxy server, their website, etc.

      It has happened to me twice now. Once it was a virus running on a friend's Windows machine that was connected to my wifi; the second was an incorrectly configured DNS server (default configuration of OS X Server DNS) which could be used to perform amplification attacks.

      You fix the problem, you call them, they open the connection again, really quite quick.

    6. Re: So,, what's the fix? by CaseyAnnis · · Score: 1

      That isn't entirely true; there are a few carrier-grade solutions that providers can deploy within their transport structure to mitigate DDoS attacks. These systems do not rely on "your" firewall, mostly human intelligence and the occasional premises monitor NVF. Arbor Networks comes to mind. The ISP installs scrubbers at their ENNI interfaces and at key transport interconnects. The scrubbers reroute customer traffic, clean it and then hairpin the traffic back out of the scrubbers and deliver it to the customer. Of course, this does require the providers to outlay significant capital to provide this service.

  4. Bullshit by Anonymous Coward · · Score: 0

    I work for an ISP, maybe 5-10 IPs get hit per year. We have at least 64 Class C's.

    1. Re: Bullshit by Anonymous Coward · · Score: 0

      As a company you have to deal with 5-10 a year. Point proven, I'd say.

  5. Character Set Limited? by John.Banister · · Score: 1

    I wonder, what is the ratio of per capita DoS attacks between sites that use the ASCII character set for their URL and sites that use other character sets for the URL? Is there a preference for victims using ASCII for the URL that's stronger than preferences based on the geographic location of the site owner?

  6. Who cares by Anonymous Coward · · Score: 0

    The internet could go down for a year, it's really not that useful anymore.

  7. Re:DDoS by botnets running Windows. Thanks Microso by Anonymous Coward · · Score: 0

    Facts are marked as flamebait these days...
    Slashdot is dead.

  8. Re:DDoS by botnets running Windows. Thanks Microso by Ol Olsoc · · Score: 1

    All of this is possible

    Has there ever been a +5 Flamebait?

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.

  9. Re:DDoS by botnets running Windows. Thanks Microso by Mike Sheen · · Score: 2

    Actually, the handful of times I've traced back attacking IPs during a significant DDoS attack (3+ Gb/s), I found the attacking IPs to be web servers from small to medium businesses running the LAMP stack. The most common case was a PHP file that had been uploaded to the server and simply executed via the web server due to misconfiguration. Not surprisingly, contacting the owners of the compromised servers never yielded any response, but for one I did contact I saw that about a week later the offending PHP file was gone, as attempting to execute it via web browser resulted in a 404 when previously it did not. This was only about 3 or 4 years ago, too.
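The pattern in the comment above (a PHP file dropped into an upload directory, executed by the web server, later gone and returning 404) leaves two traces a defender can check for: requests for scripts under directories that should only ever hold uploaded content, and script files sitting in those directories on disk. The following is an added example, not code from the thread or from any project it names, that does both. The log lines, the list of upload directory names and the webroot layout are constructed assumptions for illustration; the log format is the common Apache/nginx "combined" format.

```python
"""Find uploaded PHP files that the web server will execute (added example).

Check 1: scan access-log lines for script requests under upload directories.
Check 2: walk a webroot for script files under those same directories.
"""
import os
import re

# Directory names that should hold user uploads, never executable code (assumed list).
UPLOAD_DIRS = {"uploads", "upload", "files", "media", "images", "tmp", "attachments"}

# Extensions a typical PHP handler will execute.
SCRIPT_EXT = re.compile(r"\.(php[0-9]?|phtml|phar)$", re.IGNORECASE)

# Enough of the "combined" log format for this check: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: a webshell dropped under wp-content/uploads, used for a
# week, then removed (the final 404), plus two benign requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Nov/2017:03:14:01 +0000] "POST /wp-content/uploads/2017/11/wp-cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Nov/2017:03:14:02 +0000] "GET /wp-content/uploads/2017/11/wp-cache.php?cmd=ping HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [12/Nov/2017:03:15:10 +0000] "GET /wp-content/uploads/2017/11/photo.jpg HTTP/1.1" 200 20481 "-" "Mozilla/5.0"',
    '198.51.100.3 - - [12/Nov/2017:03:15:11 +0000] "GET /index.php HTTP/1.1" 200 7321 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Nov/2017:08:00:00 +0000] "GET /wp-content/uploads/2017/11/wp-cache.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"',
]


def is_script_in_upload_dir(target: str) -> bool:
    """True if the request path names a script file beneath an upload directory."""
    path = target.split("?", 1)[0]
    segments = path.strip("/").split("/")
    return bool(SCRIPT_EXT.search(segments[-1])) and any(
        seg.lower() in UPLOAD_DIRS for seg in segments[:-1]
    )


def suspicious_php_requests(lines):
    """Group script hits under upload directories by path, in first-seen order.

    Each finding records hit count, the status codes seen, the source IPs and
    methods, and the last status (200 = still live, 404 = gone, as in the post).
    """
    findings = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_script_in_upload_dir(m["target"]):
            continue
        path = m["target"].split("?", 1)[0]
        f = findings.setdefault(path, {
            "hits": 0, "statuses": [], "sources": set(), "methods": set(), "last_status": None,
        })
        status = int(m["status"])
        f["hits"] += 1
        f["statuses"].append(status)
        f["sources"].add(m["ip"])
        f["methods"].add(m["method"])
        f["last_status"] = status
    return findings


def php_files_under_upload_dirs(root):
    """Walk `root` and return script files (relative paths) inside upload directories."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        segments = [] if rel == "." else rel.split(os.sep)
        if not any(seg.lower() in UPLOAD_DIRS for seg in segments):
            continue
        hits.extend(os.path.join(rel, name) for name in filenames if SCRIPT_EXT.search(name))
    return sorted(hits)


if __name__ == "__main__":
    for path, info in suspicious_php_requests(SAMPLE_LOG).items():
        state = "LIVE" if info["last_status"] == 200 else "gone"
        print(f"{path}: {info['hits']} hits from {sorted(info['sources'])}, "
              f"methods {sorted(info['methods'])}, last status {info['last_status']} ({state})")
    # Filesystem check against a real webroot, e.g.: php_files_under_upload_dirs("/var/www/html")
```

The misconfiguration the commenter describes is that the PHP handler applies everywhere under the document root. The durable fix is to refuse to execute scripts in upload directories at the web server, for example an Apache 2.4 `<Directory>` block for the uploads path containing `<FilesMatch "\.ph(p[0-9]?|tml)$">` with `Require all denied`, or the nginx equivalent `location` rule that returns 403 for `\.php$` under `/uploads/`; the log check above then tells you whether a dropped file was ever reached before the rule went in.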

  10. Officially giving up slashdot by Anonymous Coward · · Score: 0

    Goodbye slashdot. I have read you for many years as an anonymous coward. You just post a fucking shitload of bullshit recently. Since the take over you have been hovering between average and below par in article quality compared to what it was before, and in the beginning. Additionally, you are late in publishing things these days that have been sitting around the web for a while. I now care nothing for this site, so consider this some feedback. I can't be bothered to write everything that annoys me about this site even.

    In reference to this particular article that pushed me over the edge (but not up to it, thats a collective effort), I guess EditorDavid doesn't have a fucking clue. David, fuck off. Hardly anyone even bothered commenting on this complete load of wank. Perhaps you should be textually masturbating out your shitty articles elsewhere on the web.

    1. Re: Officially giving up slashdot by Anonymous Coward · · Score: 0

      This that you call a load of wank is science. Can you argue using facts instead of insults? Have you even read the scientific paper that is linked from the original article? The University of California has among the most respected researchers in computer science and engineering and in Internet security in the world. The scientific paper has been peer reviewed and published at the most respected international conference on Internet measurements.

  11. Or maybe browsers suck by RogueWarrior65 · · Score: 1

    I mean, jeez, Mozilla, why is Firefox so friggin' SLOW?

  12. Experienced DoS attack last night by Zubinix · · Score: 1

    Here in Oz, last evening it was obvious the Internet was slowing down drastically, oh wait I'm on the NBN....

    1. Re: Experienced DoS attack last night by Anonymous Coward · · Score: 0

      Yeah. Remember when the government claimed the census was DoS attacked? It certainly wasn't because the servers and connections were underspecced for the millions of people who wanted to connect at the last minute.

      I reckon DoS attacks are actually far less common than claimed.

  13. DoS/DDoS protections... apk by Anonymous Coward · · Score: 0

    Protect vs. SYN Attacks

    FROM -> http://msdn.microsoft.com/en-u...

    SYN Attack Protection

    ---

    The named value to enable SYN attack protection is located beneath the registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters.

    Value name: SynAttackProtect

    Recommended value: 2

    Valid values: 0 1 2

    Description: Causes TCP to adjust retransmission of SYN-ACKs. When you configure this value, the connection responses time out more quickly in the event of a SYN attack. A SYN attack is triggered when the values of TcpMaxHalfOpen or TcpMaxHalfOpenRetried are exceeded.

    ---

    SYN Protection Thresholds

    The following values determine the thresholds for which SYN protection is triggered. All of the keys & values in this section are under the registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

    Value name: TcpMaxPortsExhausted

    Recommended value: 5

    Valid values: 0-65535

    Description: Specifies the threshold of TCP connection requests that must be exceeded before SYN flood protection is triggered.

    Value name: TcpMaxHalfOpen

    Recommended value data: 500

    Valid values: 100-65535

    Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state. When SynAttackProtect is exceeded, SYN flood protection is triggered.

    Value name: TcpMaxHalfOpenRetried

    Recommended value data: 400

    Valid values: 80-65535

    Description: When SynAttackProtect is enabled, this value specifies the threshold of TCP connections in the SYN_RCVD state for which at least one retransmission has been sent. When SynAttackProtect is exceeded, SYN flood protection is triggered.

    ---

    More Protections

    All keys & values in this section are located under the registry key

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters

    Value: TcpMaxConnectResponseRetransmissions

    Recommended value data: 2

    Valid values: 0-255

    Description: Controls how many times a SYN-ACK is retransmitted before canceling the attempt when responding to a SYN request.

    Value name: TcpMaxDataRetransmissions

    Recommended value data: 2

    Valid values: 0-65535

    Description: Specifies the number of times that TCP retransmits an individual data segment (not connection request segments) before aborting the connection.

    Value name: EnablePMTUDiscovery

    Recommended value data: 0

    Valid values: 0 1

    Description: Setting this value to 1 (default) forces TCP to discover the maximum transmission unit or largest packet size over the path to a remote host. An attacker can force packet fragmentation which overworks the stack.

    Specifying 0 forces the MTU of 576 bytes for connections from hosts not on the local subnet.

    Value name: KeepAliveTime

    Recommended value data: 300000

    Valid values: 80-4294967295

    Description: Specifies how often TCP attempts to verify that an idle connection is still intact by sending a keep-alive packet.

    ---

    "Null-routing" (A network w/ multiple IP addresses ala multi-homed servers ahead of production ones must be done "upstream" of them):

    http://en.wikipedia.org/wiki/N...

    ---

    Microsoft &/or Amazon setups alert them to DoS/DDoS & can start "shutting down" IP address sources of packets for DDoS easily - it's the reason "Anonymous" can't "take them down" (& they've tried).

    ---

    Microsoft: We're not vulnerable to DDoS attacks

    http://www.networkworld.com/co...

    PERTINENT QUOTE:

  14. News flash by buss_error · · Score: 1

    My home modem is subjected to 50 meg DDoS attacks every day. I think the "1/3rd" cited is pretty much a low ball. My web servers see 1 gig attacks just about every day, and my mail servers see at least 1 million emails per day rejected based on nothing more than their RIR space. We won't even discuss what is going on with port 22, since I do not allow password PAM and require a key. If you are in APNIC, LATNIC, BRNIC, and much of RIPE space, sorry. It's firewalled completely for all ports. (Except for the UK; no one using my stuff needs the others.)

    --
    Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.

  15. 1/3...more like 1/9 by Anonymous Coward · · Score: 0

    If you count the dark web, which is actually 80% of the Internet, then it's more like 1/9.

  16. Re: DDoS by botnets running Windows. Thanks Micros by Anonymous Coward · · Score: 0

    Well, I had genuine facts moderated as flamebait yesterday (literally just facts, but apparently if they don't like or agree with facts then it's time to pull the flamebait censorship out). In this case, however, I'd question whether this is the case or not. DDoSes seen within the provider I work for have consisted of mostly IoT/router and DNS amplification attacks, and some minor application-layer stuff. Website compromises, which are platform agnostic and certainly include a large percentage of Linux hosts, are responsible for being part of the originating botnets. The problem with Windows is that as a toy only suited for the desktop it's not always on, is unstable under load, and tends not to be on a high-bandwidth connection: a decidedly low-value target for compromise.

  17. Re: DDoS by botnets running Windows. Thanks Micros by Anonymous Coward · · Score: 0

    Yup, pretty much this. The DDoSes we see are an order of magnitude or so greater but much the same source. As a hosting provider we are constantly disabling compromised LAMP sites, mostly thanks to customer WordPress installs.