The Internet is quite a noisy environment. Underneath the mechanisms that we can perceive — such as access to a website, for example — there is a dense layer formed by the traffic of fragments of communication. This underground network generally comprises connection remnants that were unsuccessful, be it connection failures, bugs in applications that fire packets for erratic targets or denial of service (DoS) attacks.

For the last two years, six university researchers from the United States, the Netherlands and Germany analyzed this so called “noise” to identify patterns in denial-of-service attacks. The results, which were disclosed at a conference in London, shed some light on this type of attack.

The survey data, which was collected between March 2015 and February 2017, was obtained from four sources:

» From a traffic monitoring system at University of California at San Diego called UCSD Network Telescope;

» Second, from the log records of honeypots maintained by Saarland University, prepared to collect data from DDoS amplification attacks — in which the attacker abuses other machines to amplify the attack;

» Third, from data belonging to a platform used for measuring the domain name lifecycle, maintained by the University of Twente,

» Fourth, from the identification, through all this information, of the attacks that reached 10 DDoS Protection Services (DSPs).

The UCSD Network Telescope has the function of collecting deflections in communications, called backscatter, which consists of response packets to unsolicited communications, such as attempts to connect to addresses that are not bound to any device (unreachable destination). This type of response is very common in malformed, misconfigured systems and also in network scans, as well as in denial of service attacks.

After having collected the data, there was the need to separate information from DoS attacks from the other, later matching them with the honeypot data (AmpPot) from Saarland University. The set of 24 honeypots was then configured to simulate vulnerable computers that can be converted into attack amplifiers and which fool the attacker into believing that the alleged amplifier is contributing to the attack, when, in fact, it is collecting statistical information such as IP addresses from victims and attack intensity data, such as start and end date and time, as well as the requisition rate per minute.

Both the UCSD Network Telescope and the honeypots work with IP addresses. Because of that, it was also necessary to consider the relationship of these addresses with the changes of domain names throughout the two years of the research. In this case, the measurements of the OpenINTEL project by the University of Twente were essential to give more ground to the study.

Since the study aimed to measure the adoption of DDoS Protection Services, one of its features was the evaluation of how much communication arrived at the following providers of these solutions: Akamai, CenturyLink, CloudFlare, DOSarrest, F5 Networks, Incapsula, Level3, Neustar, VirtualRoad and Verisign.

Although researchers have demonstrated the increasing adoption of these services, the data related to them was eventually overshadowed in the survey by the number of attacks that were accounted for. According to Alberto Dainotti, one of the researchers, “We’re talking about millions of attacks. The results of this study are gigantic compared to what the big companies have been reporting to the public.”

The study found out that the average number of attacks per day amounts to 28.7 thousand; and that the United States and China are the highest targets for attacks, with respectively 25% and 10% of all direct attacks, and 29% and 10% of amplified attacks. In addition to this, the data showed that one-third of Internet websites were targeted in the period, and that quite frequently one target is a victim of two or more simultaneous attacks.