Trends in Denial of Service Attacks

Jose Nazario, Arbor Networks, Ann Arbor, MI
Presented as a WIP at Usenix Security 2003 in Washington, DC.

We have been performing a long term study using blackhole collection and analysis techniques to observe denial of service activity. Using this method, we collect the backscatter from denial of service attacks which involve source address forgery. Collecting packets destined to a globally unused /8 network, we have been able to infer denial of service activity and observe trends over the past year and half.

Our findings demonstrate several trends in denial of service attacks. The primary change is in the protocols used in the attacks, which have shifted from being focused on TCP based attacks to primarily UDP based attacks. Secondly, we have observed that while the distribution of the duration of backscatter events has remained similar in this time period, packet and byte counts per event has been increasing, suggesting that attacks are increasing in severity. Lastly, while most attack targets are observed only a small number of times, a handful of networks are frequently attacked, with the cumulative effect equalling very long lived attacks.


Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 Page 9 Page 10 Page 11 Page 12

Generated by MagicPoint