Return-Path: <sentto-279987-1270-991311182-fc=all.net@returns.onelist.com> Delivered-To: fc@all.net Received: from 204.181.12.215 by localhost with POP3 (fetchmail-5.1.0) for fc@localhost (single-drop); Thu, 31 May 2001 05:14:07 -0700 (PDT) Received: (qmail 4438 invoked by uid 510); 31 May 2001 11:14:23 -0000 Received: from n3.groups.yahoo.com (HELO hj.egroups.com) (216.115.96.53) by 204.181.12.215 with SMTP; 31 May 2001 11:14:23 -0000 X-eGroups-Return: sentto-279987-1270-991311182-fc=all.net@returns.onelist.com Received: from [10.1.4.55] by hj.egroups.com with NNFMP; 31 May 2001 12:13:02 -0000 X-Sender: fc@all.net X-Apparently-To: iwar@onelist.com Received: (EGP: mail-7_1_3); 31 May 2001 12:13:00 -0000 Received: (qmail 57863 invoked from network); 31 May 2001 12:13:00 -0000 Received: from unknown (10.1.10.26) by l9.egroups.com with QMQP; 31 May 2001 12:13:00 -0000 Received: from unknown (HELO all.net) (65.0.156.78) by mta1 with SMTP; 31 May 2001 12:13:00 -0000 Received: (from fc@localhost) by all.net (8.9.3/8.7.3) id FAA31202 for iwar@onelist.com; Thu, 31 May 2001 05:13:00 -0700 Message-Id: <200105311213.FAA31202@all.net> To: iwar@onelist.com (Information Warfare Mailing List) Organization: I'm not allowed to say X-Mailer: don't even ask X-Mailer: ELM [version 2.5 PL1] From: Fred Cohen <fc@all.net> Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com Delivered-To: mailing list iwar@yahoogroups.com Precedence: bulk List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com> Date: Thu, 31 May 2001 05:13:00 -0700 (PDT) Reply-To: iwar@yahoogroups.com Subject: [iwar] Fwd: Re: (ai) Study: Sites attacked 4,000 times a week (fwd) Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit >Here's a link to the study: >http://www.caida.org/outreach/papers/backscatter/usenixsecurity01.pdf Study: Sites attacked 4,000 times a week By Robert Lemos Online vandals intent on lashing out at companies and rivals stage denial-of-service attacks more than 4,000 times every week, researchers from the University of California at San Diego said Tuesday. Among the common targets are some names that come as no surprise: Amazon.com, America Online and Microsoft's Hotmail. However, a large number of individual users and small businesses were targeted by attacks as well, the researchers found. "We believe our research provides the only publicly available data quantifying denial-of-service activity in the Internet," said David Moore, senior researcher with the San Diego Supercomputer Center's Cooperative Association for Internet Data Analysis and the primary author of the paper. Denial-of-service attacks attempt to overload or crash computers connected to the Internet so people can't access them. A common type of attack, called a flood attack, aims to overload a targeted computer with so much data that it can no longer process legitimate access attempts. In early May, vandals used just such an attack to swamp Whitehouse.gov, the public-relations Web site of President George W. Bush, essentially removing it from the Net. Online hooligans attacked Microsoft in January with a similar attack, causing headaches for the company over a two-day period. While such incidents are occasionally reported in the media, no one had previously determined how prevalent the actual attacks were, Moore said. The key to the research, he said, was a technique known as "back scattering." When a computer is attacked, it generally can't determine that the sent data is bogus, so it attempts to reply to every incoming data packet. Yet, the most common denial-of-service attack programs randomize the address from which the data seem to have come. The result: The victim's computer will send replies to each of the random addresses, essentially "scattering back" responses, which can signal that it's under attack. Moore and his colleagues collected such replies by listening to a large segment of the Internet--known as an A-class network and amounting to a collection of 1/256 of the total number of Internet addresses. While the researchers would not identify the large network, they did say that it harkens back to the founding of the Internet and today is essentially "dead space"--with no computers connected to it. Because there aren't any live servers on the network, any replies sent to addresses there are either errors or evidence of randomized addresses--and thus an attack. By recognizing that several addresses are receiving replies from a single server, the researchers can peg the server and identify the victim. "We saw an odd, disproportionate concentration of attacks towards a small group of countries," said Stefan Savage, a professor of computer science at UCSD, also an author of the paper. "Surprisingly, Romania, a country with a relatively poor networking infrastructure, was targeted nearly as frequently as the .net and .com top-level domains." Geoff Volker, also a professor of computer science at UCSD, was the paper's third author. Though more than 4,000 attacks were spotted in each of the three weeks during which the team monitored the Internet, more than half of those attacks lasted less than 10 minutes, Savage said. Savage stressed that the study is not complete, but is the best estimate to date of the prevalence of such attacks. "There are a number of other attacks we cannot see," he said. ------------------ http://all.net/ Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/
This archive was generated by hypermail 2.1.2 : 2001-06-30 21:44:14 PDT