[Infowarrior] - FW: Researchers Challenge DOS Attack Data

Thu Sep 7 08:19:07 EDT 2006

(c/o DK)

http://www.darkreading.com/document.asp?doc_id=103049&f_src=darkreading_sect
ion_296

Researchers Challenge DOS Attack Data

SEPTEMBER 6, 2006 | Conventional wisdom about the sources and causes of
denial-of-service (DOS) attacks -- and the best methods for preventing them
-- could be completely wrong, a group of researchers said this week.

Researchers at the University of Michigan, Carnegie Mellon University, and
AT&T Labs-Research said they have completed a study that debunks the
widely-held belief that DOS attack traffic is usually generated by a large
number of attack sources disguised by spoofed IP addresses.

In its study, the group found that 70 percent of DOS attacks are generated
by less than 50 sources, and a relatively small number of attack sources
account for nearly 72 percent of total attack volume. IP spoofing, long
thought to be the most popular vector for launching a DOS attack, was found
in only a few instances, the researchers said.

In the past, sources of DOS attacks were tracked by measuring
"backscatter," the amount of unwanted traffic sent to unused address
blocks, the researchers observed. Examining this type of traffic helps
expose conversations generated between spoofed IP addresses and unknown
recipients. But because this measurement technique assumes the DOS attack
was launched through spoofed IP addresses, it doesn't account for DOS
attacks launched via botnets, which have become a much more attractive
vector for attackers, the research team said.

The new study combines traditional indirect measurement of backscatter with
direct measurement of Netflow and alarms from a commercial DOS detection
system. The resulting data suggests the vast majority of DOS traffic is
coming not from hundreds of sources across the Web, but from a few sources
that can be pinpointed and eliminated from everyday traffic flows,
significantly reducing the impact of DOS traffic on a network or server.

The new data also suggests that current methods of preventing DOS, which
assume large numbers of sources using IP spoofing, need some rethinking.
"Less than 1 percent of the directly measured attacks produced
backscatter," according to the paper. "Most attacks (83 percent) consist
only of packets smaller than 100 bytes." The directly measured attack
volume was highly predictable and often came from the same sources, which
suggests that enterprises and service providers could solve a big chunk of
the DOS problem simply by blocking traffic from those sources.

Enterprises and service providers "can reduce a substantial volume of
malicious traffic with targeted deployment of DOS defenses," the group
said. Makers of DOS defense tools said they could not comment until they
had a chance to review the research.

— Tim Wilson, Site Editor, Dark Reading

------ End of Forwarded Message