For the first time, researchers have carried out a large-scale analysis of victims of internet denial-of-service (DoS) attacks worldwide. And what they found is, in a phrase from their study, “an eye-opening statistic”.

Spanning two years, from March 2015 to February 2017, the researchers found that about one-third of the IPv4 address space was subject to some kind of DoS attacks, where a perpetrator maliciously disrupts services of a host connected to the internet. IPv4 is the fourth version of an Internet Protocol (IP) address, a numerical label assigned to each device participating in a computer network.

“We’re talking about millions of attacks,” said Alberto Dainotti, a research scientist at CAIDA (Center for Applied Internet Data Analysis), based at the San Diego Supercomputer Center (SDSC) at the University of California San Diego and the report’s principal investigator. “The results of this study are gigantic compared to what the big companies have been reporting to the public.”

Added the study’s first author, Mattijs Jonker, a researcher with the University of Twente in The Netherlands and former CAIDA intern: “These results caught us by surprise in the sense that it wasn’t something we expected to find. This is something we just didn’t see coming.”

The study – presented November 1, 2017 at the Internet Measurement Conference in London and published in the Proceedings of the Association for Computing Machinery (IMC ’17) – sheds light on most of the DoS attacks on the internet, its victims, and even the adoption of commercial services to combat these attacks.

Two predominant types of DoS attacks, intended to overwhelm a service by a sheer mass of requests, are highlighted:

“Direct” attacks, which involve traffic sent directly to the target from some infrastructure controlled by the attackers (e.g. their own machines, a set of servers, or even a botnet under their command.) These attacks often involve “random spoofing”, characterized by faking the source IP address in the attack traffic.

“Reflection” attacks, during which third-party servers are involuntarily used to reflect attack traffic toward its victim. Many protocols that allow for reflection also add amplification, causing the amount of reflected traffic sent toward the victim to be many times greater than that sent toward the reflector initially.

To detect attacks, the researchers – a collaborative effort from UC San Diego, University of Twente, and Saarland University in Germany – employed two raw data sources that complement each other: the UCSD Network Telescope, which captures evidence of DoS attacks that involve randomly and uniformly spoofed addresses; and the AmpPot DDoS (distributed denial-of-service) honeypots, which witness reflection and amplification of DoS attacks.

Their data revealed more than 20 million DoS attacks that targeted about 2.2 million “slash 24 or /24” internet addresses (part of a routing number that denotes bit-length of the prefix), which is about one-third of the 6.5 million /24 blocks estimated to be alive on the internet. A /24 is a block of 256 IP addresses, usually assigned to a single organization. If a single IP address in a /24 block is targeted by a sheer mass of requests or volumetric attack, it’s likely that the network infrastructure of the entire /24 block is affected.

“Put another way, during this recent two-year period under study, the internet was targeted by nearly 30,000 attacks per day,” said Dainotti. “These absolute numbers are staggering, a thousand times bigger than other reports have shown.”

That said, one of the researchers added she’s worried these statistics are likely “an under-estimation of reality.”

“Although our study employs state-of-the-art monitoring techniques, we already know we do not see some types of DoS attacks,” said Anna Sperotto, an assistant professor in the Design and Analysis of Communication Systems (DACS) department at the University of Twente. “In the future, we will need an even more thorough characterization of the DoS ecosystem to address this point.”

As might be expected, more than a quarter of the targeted addresses in the study came in the United States, the nation with the most internet addresses in the world. Japan, with the third most internet addresses, ranks anywhere from 14th to 25th for the number of DoS attacks, indicating a relatively safe nation for DoS attacks, while Russia is a prime example of a country that ranks higher than estimates for internet space usage, suggesting a relatively dangerous country for these attacks.

Several third-party organizations that offer website hosting were also identified as major targets; the three most frequently attacked “larger parties” over the two year-period were: GoDaddy, Google Cloud, and Wix. Others included Squarespace, Gandi, and OVH.

“Most of the times, it’s the customer who is being attacked,” explained Dainotti. “So if you have a larger number of customers, you’re likely to have more attacks. If you’re hosting millions of websites, of course, you’re going to see more attacks.”

Aside from quantifying the number of DoS attacks on the internet, the researchers also wanted to see if the attacks spurred website owners to purchase DoS protection services. Their study noted that people were more inclined to outsource protection to third parties following a strong attack. Depending on the intensity of the attack, the migration to a third-party service might take place even within 24 hours of an attack.

“One of the things we show is if a website is attacked, this creates an urgency for people to start outsourcing to protection services,” said Jonker.

Although the study does not address the causes for the well-recognized rise in DoS attacks in recent years, in an interview the researchers noted several strong possibilities including: cyber-extortion, cyber-crime, cyber-warfare, political protest aimed at governments, censorship from authoritative regimes, attacks relating to on-line gaming (e.g. to gain a competitive advantage), school kids who may attack to avoid taking an exam, and disgruntled former employees.

“Even non-technical people can launch significant attacks through DDoS-as-a-Service providers (i.e. Booters),” said Jonker. “People can pay others with a subscription in exchange for just a few dollars.”

As for future studies, the researchers said they wanted to assess the impact of the attacks, to see if they managed to take down the targeted network; they’re also studying political attacks similar to those witnessed in Egypt and Libya that were subject to a 2012 study led by CAIDA researchers.

Under a grant for the U.S. Department of Homeland Security (DHS), the CAIDA team also plans to continuously monitor the DoS ecosystem to provide data for analysis to agencies and other researchers in a timely fashion.

Also participating in the study were: Alistair King, a CAIDA researcher; and Johannes Krupp and Christian Rossow, both from CISPA, Saarland University.

Support for the study came from the DHS; the Air Force Research Directory; the Netherlands Organization for Scientific Research; and OpenINTEL, a joint project of the University of Twente, SURFnet, and SIDN.