C.4. Observations and Experiences Tracking Denial-of-Service Attacks across a Regional ISP


Researchers associated with the University of Michigan were able to observe all network activity on a regional ISP that offered service to most of the state of Michigan's educational institutions for an extended period. They used NetFlow to sample packets from this network and looked for misuse patterns. They gathered data for six months. Unfortunately, this data has not, to date, been collated into a formal publication, but a PowerPoint presentation delivered in May 2001 that was based on the data is available on Arbor Networks' Web site, http://www.arbornetworks.com/downloads/research37/nanogSlides4.pdf. This discussion is based on that presentation.

Overall, the researchers observed nearly 2,000 DoS attacks in the six months covered by their study. Around 75% of the attacks flowed from their network to the outside world, with the remainder being directed at targets attached to their ISP. (Not surprisingly, given that the ISP's major customers were schools and universities, there was a strong correlation between the frequency of attacks and the academic year.) They observed an average of 12 attacks per day, significantly more than was observed in the USC/ISI study.

These researchers observed flooding attacks based on various kinds of TCP, ICMP, and UDP packets. Some attacks clearly were performing fully random IP spoofing, while others were spoofing within a /24 subnet. Analysis of the packets allowed the researchers to deduce that a number of well-known DDoS toolkits were being used by attackers.

Over the course of the study, the researchers observed increasing sophistication on the part of the attackers. Subnet spoofing attacks dominated fully random spoofing attacks by a 3 to 1 ratio. 60 to 90% of the attacks they observed lasted 15 minutes or less, but, like the CAIDA/UCSD study, they observed some very long-lasting attacks.
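The kind of classification the study describes, as an added example that is not the researchers' or the book's code: it splits attacks by direction relative to the observing ISP's prefix, tells /24 subnet spoofing from fully random spoofing by the spread of the sampled source addresses, and buckets durations at the 15-minute mark. The ISP prefix, the thresholds and the attack records are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Address space of the observing ISP (constructed documentation prefix, not the
# real Michigan network): an attack whose victim falls inside it is inbound.
ISP_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

def attack_direction(dst):
    """'inbound' when the victim sits inside the ISP, else 'outbound'."""
    victim = ipaddress.ip_address(dst)
    return "inbound" if any(victim in n for n in ISP_PREFIXES) else "outbound"

def classify_spoofing(sources, min_distinct=3, random_ratio=0.8):
    """Classify the source pattern of one attack from its sampled flow sources.
    Thresholds are assumptions: fewer than min_distinct distinct sources is
    treated as unspoofed; all sources in one /24 is subnet spoofing; distinct
    first octets covering >= random_ratio of the samples is random spoofing."""
    addrs = [ipaddress.ip_address(s) for s in sources]
    if len(set(addrs)) < min_distinct:
        return "unspoofed"
    if len({ipaddress.ip_network(f"{a}/24", strict=False) for a in addrs}) == 1:
        return "subnet"
    if len({int(a) >> 24 for a in addrs}) >= random_ratio * len(addrs):
        return "random"
    return "mixed"

def summarize(attacks, short_limit_s=15 * 60):
    """Direction split, spoofing split and share of attacks lasting <= 15 min."""
    direction = Counter(attack_direction(a["dst"]) for a in attacks)
    spoofing = Counter(classify_spoofing(a["sources"]) for a in attacks)
    short = sum(1 for a in attacks if a["end"] - a["start"] <= short_limit_s)
    return {"direction": dict(direction), "spoofing": dict(spoofing),
            "short_fraction": short / len(attacks)}

# Constructed attack records (sampled source list, victim, start/end seconds).
SUBNET_SRCS = [f"198.51.100.{h}" for h in (17, 203, 9, 150, 66, 240, 3, 91)]
RANDOM_SRCS = ["11.203.4.9", "45.8.22.1", "77.190.3.3", "92.14.240.8", "104.77.1.1",
               "130.9.9.9", "151.1.0.2", "172.99.3.3", "190.8.7.6", "211.4.4.4"]
LOCAL_SRCS = ["203.0.113.5"] * 6
SAMPLE_ATTACKS = [
    {"sources": SUBNET_SRCS, "dst": "192.0.2.10", "start": 0, "end": 600},
    {"sources": RANDOM_SRCS, "dst": "203.0.113.40", "start": 0, "end": 7200},
    {"sources": LOCAL_SRCS, "dst": "192.0.2.77", "start": 0, "end": 300},
    {"sources": RANDOM_SRCS, "dst": "192.0.2.9", "start": 0, "end": 100},
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ATTACKS))
```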

In terms of magnitude, the largest 5% of the attacks they observed filled the pipes of their ISP, indicating that these attacks probably caused serious trouble for many people other than the target.

The targets of the attacks varied, with .net, .com, and .edu addresses dominating. Again, this finding is largely consistent with the CAIDA/UCSD results. Also like the CAIDA/UCSD study, they found many attacks were targeted at autonomous systems that provided cable modem or DSL services to home customers.

This study turned up a much higher incidence of DDoS attacks than the USC/ISI study: 2,000 in six months versus 80 in three months. One possible explanation for the difference is that the USC/ISI study was unable to capture data from all points in the ISP under consideration. It is also likely that the ISP studied here was larger in scope than the ISP studied by USC/ISI. On the other hand, the presentation of the data from the Michigan regional study is somewhat sketchy, so it is hard to find the same level of detail as in the USC/ISI study. Thus, from only these two data points, it is hard to generalize whether your ISP will see 25 to 30 attacks per month or, more likely, 350 per month.

While it is tempting to compare the results of this study (11 attacks per day) with the results of the backscatter study (20 attacks per hour), these datasets were obtained at different times, using different techniques, and are not directly comparable. The University of Michigan study observed only attacks that were either (1) launched from compromised hosts within their network, or (2) sourced from outside their network and targeting victim systems within their network, while the CAIDA backscatter study observed only the effects of attacks that used random spoofing and required the victim to generate a reply. It is obvious that while both studies can advance our knowledge of current trends in the DDoS field, neither of them can yield high-confidence estimates of attack frequency. At best, we get a lower bound on the frequency of specific attack types, but no data on how prevalent these types of attacks are as opposed to other types. There is promise in future research that combines both of these sources of data: actual attack traffic from DDoS agents and blackhole monitor data.

This presentation suggests that the researchers, some of whom are now associated with Arbor Networks, are deploying their observation technology in other networks, and have observed an increase in attack severity and sophistication. They also suggest that they are observing more attacks directed against network infrastructure, though this presentation provides few details.



Internet Denial of Service: Attack and Defense Mechanisms
ISBN: 0131475738
Year: 2003
Pages: 126
