[iwar] Fwd: Re: (ai) Study: Sites attacked 4,000 times a week (fwd)

From: Fred Cohen (fc@all.net)
Date: 2001-05-31 05:13:00

Return-Path: <sentto-279987-1270-991311182-fc=all.net@returns.onelist.com>
Delivered-To: fc@all.net
Received: from by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Thu, 31 May 2001 05:14:07 -0700 (PDT)
Received: (qmail 4438 invoked by uid 510); 31 May 2001 11:14:23 -0000
Received: from n3.groups.yahoo.com (HELO hj.egroups.com) ( by with SMTP; 31 May 2001 11:14:23 -0000
X-eGroups-Return: sentto-279987-1270-991311182-fc=all.net@returns.onelist.com
Received: from [] by hj.egroups.com with NNFMP; 31 May 2001 12:13:02 -0000
X-Sender: fc@all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-7_1_3); 31 May 2001 12:13:00 -0000
Received: (qmail 57863 invoked from network); 31 May 2001 12:13:00 -0000
Received: from unknown ( by l9.egroups.com with QMQP; 31 May 2001 12:13:00 -0000
Received: from unknown (HELO all.net) ( by mta1 with SMTP; 31 May 2001 12:13:00 -0000
Received: (from fc@localhost) by all.net (8.9.3/8.7.3) id FAA31202 for iwar@onelist.com; Thu, 31 May 2001 05:13:00 -0700
Message-Id: <200105311213.FAA31202@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL1]
From: Fred Cohen <fc@all.net>
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Thu, 31 May 2001 05:13:00 -0700 (PDT)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] Fwd: Re: (ai) Study: Sites attacked 4,000 times a week (fwd)
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

>Here's a link to the study:

Study: Sites attacked 4,000 times a week
By Robert Lemos

Online vandals intent on lashing out at companies and rivals stage
denial-of-service attacks more than 4,000 times every week, researchers
from the University of California at San Diego said Tuesday. 

Among the common targets are some names that come as no surprise:
Amazon.com, America Online and Microsoft's Hotmail.  However, a large
number of individual users and small businesses were targeted by attacks
as well, the researchers found. 

"We believe our research provides the only publicly available data
quantifying denial-of-service activity in the Internet," said David
Moore, senior researcher with the San Diego Supercomputer Center's
Cooperative Association for Internet Data Analysis and the primary
author of the paper. 

Denial-of-service attacks attempt to overload or crash computers
connected to the Internet so people can't access them.  A common type of
attack, called a flood attack, aims to overload a targeted computer with
so much data that it can no longer process legitimate access attempts. 

In early May, vandals used just such an attack to swamp Whitehouse.gov,
the public-relations Web site of President George W.  Bush, essentially
removing it from the Net.  Online hooligans attacked Microsoft in
January with a similar attack, causing headaches for the company over a
two-day period. 

While such incidents are occasionally reported in the media, no one had
previously determined how prevalent the actual attacks were, Moore said. 

The key to the research, he said, was a technique known as "back

When a computer is attacked, it generally can't determine that the sent
data is bogus, so it attempts to reply to every incoming data packet. 
Yet, the most common denial-of-service attack programs randomize the
address from which the data seem to have come.  The result: The victim's
computer will send replies to each of the random addresses, essentially
"scattering back" responses, which can signal that it's under attack. 

Moore and his colleagues collected such replies by listening to a large
segment of the Internet--known as an A-class network and amounting to a
collection of 1/256 of the total number of Internet addresses.  While
the researchers would not identify the large network, they did say that
it harkens back to the founding of the Internet and today is essentially
"dead space"--with no computers connected to it. 

Because there aren't any live servers on the network, any replies sent
to addresses there are either errors or evidence of randomized
addresses--and thus an attack.  By recognizing that several addresses
are receiving replies from a single server, the researchers can peg the
server and identify the victim. 

"We saw an odd, disproportionate concentration of attacks towards a
small group of countries," said Stefan Savage, a professor of computer
science at UCSD, also an author of the paper.  "Surprisingly, Romania, a
country with a relatively poor networking infrastructure, was targeted
nearly as frequently as the .net and .com top-level domains."

Geoff Volker, also a professor of computer science at UCSD, was the
paper's third author. 

Though more than 4,000 attacks were spotted in each of the three weeks
during which the team monitored the Internet, more than half of those
attacks lasted less than 10 minutes, Savage said. 

Savage stressed that the study is not complete, but is the best estimate
to date of the prevalence of such attacks.  "There are a number of other
attacks we cannot see," he said. 


Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 

This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:14 PDT