Appendix C. DDoS Data

Relatively little reliable data is available on the DDoS problem. Because of its distributed nature and the difficulties of measuring Internet-wide phenomena, direct measurements of the most important characteristics of DDoS attacks (how often they occur, how long they typically last, how heavy the attack flow is, how many agent sites are typically used, the composition of the attack traffic, etc.) are difficult to obtain.

Here, we summarize the reliable data that is publicly available that addresses such questions. Most of the sources we discuss were mentioned earlier in this book, but here we gather all the information into a single place, for the purpose of drawing the best picture possible of the measurable characteristics of DDoS attacks. We do not include reports about particular attacks, with the exception of a small amount of data concerning the combined attack on the DNS root servers that was perpetrated on October 21, 2002. We include some details on this attack because it was one of the larger attacks, its characteristics have been published by a reliable source, and it was an attack on the Internet as a whole, rather than on a single machine.

By its nature, the data provided here is a snapshot. We hope that more data of this kind will be published, as new techniques for gathering it are developed and more sites provide assistance in data gathering.

We present data from the following sources here:

• The 2004 CSI/FBI Computer Crime and Security Survey

• A paper on the use of the backscatter technique to infer DDoS attacks [MVS01]

• A paper describing the use of several techniques to analyze a number of observed actual attacks [HHP03]

• A presentation on data gathered by researchers on DDoS activity on a moderately large network over the course of six months

• A brief report on characteristics of the attack perpetrated on the DNS root servers in October 2002

Each is discussed in a separate section.