A "network telescope" operated by the Cooperative Association for Internet Data Analysis (CAIDA), in San Diego, has gathered statistics about DoS attacks and the 2001 Code Red and Code Red 2 worm attacks through monitoring of the traffic that hits part of the Internet.
The technique may produce more accurate information about attacks according to David Moore, a technical manager at CAIDA, who discussed the technique at the Usenix Security Symposium in San Francisco last week.
CAIDA monitors traffic directed toward any one of a large block of IP (Internet protocol) addresses at the University of California at San Diego, a block so big that it makes up some 0.4% of the world's addresses.
Typical large-scale DoS attacks and worms are almost bound to touch some of those addresses, he said. CAIDA has also monitored two smaller blocks of addresses for comparison.
In most DoS attacks, the source address is faked by software that makes it look as if the attack is coming from another IP address. Those fake source addresses are generated more or less randomly, so they are likely to include at least some from the large block that CAIDA monitors.
When DoS attack messages hit their target, the victim machine automatically sends packets back to the "source" address. CAIDA looks for those unsolicited responses, or "backscatter" packets, and records patterns.
Worms such as Code Red cause infected systems to forward the worm to IP addresses chosen more or less at random. A widely spread worm is likely to go out to addresses in the address block studied by CAIDA at a rate and time that reflects how it is spreading across the Internet as a whole.
So far, tracking the spread of worms and determining the severity of DoS attacks from outside the targeted site have been difficult, according to Moore.
A network telescope has some limitations, Moore warned. In most cases it cannot track "reflector" DoS attacks, because in those attacks the intermediary systems send their responses to the real target rather than to spoofed addresses, so little or no backscatter reaches the telescope.
The bigger the telescope, the better, he said. Smaller telescopes - ones that monitor a smaller set of addresses - tend to both underestimate the peak intensity of an attack and detect it later than a bigger telescope, he added.
Would-be Internet astronomers who do not have access to a chunk of the Internet as big as CAIDA's can organise distributed telescopes that scan several smaller blocks of addresses, he said.
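The backscatter method described above, and the point about telescope size, can be made concrete with a small simulation. The following Python program is an added example written for this article, not CAIDA's code: it classifies unsolicited replies landing in a monitored "dark" address block as backscatter, groups them by source address to list the victims, scales the observed counts up to the whole IPv4 space under the article's assumption that spoofed sources are spread uniformly, and then runs a constructed SYN flood past a /8 telescope (1/256 of IPv4, roughly the 0.4% quoted for CAIDA's block) and a nested /16 to show that the smaller block sees far less of the attack's shape. All addresses, blocks, packets and the victim are constructed for the example.

```python
"""Backscatter analysis with a simulated network telescope.

Added example, not CAIDA's code.  A DoS victim answers every spoofed SYN
with a SYN-ACK sent to the spoofed (random) source address.  A telescope
that owns a /8 of IPv4 space (1/256, roughly the 0.4% the article quotes
for CAIDA's block) sees the slice of those replies that happen to land in
its block and scales that sample up to estimate the whole attack.
Every address, block and packet below is constructed for the example.
"""
import ipaddress
import random
from collections import Counter

# Constructed telescope blocks.  The /16 is nested inside the /8, so
# whatever the small telescope sees the big one sees as well.
BIG_TELESCOPE = ipaddress.ip_network("10.0.0.0/8")
SMALL_TELESCOPE = ipaddress.ip_network("10.42.0.0/16")

# Reply types that only make sense as answers to traffic the telescope
# never sent: the signature of backscatter from a spoofed-source flood.
BACKSCATTER_KINDS = {"SYN-ACK", "RST", "ICMP-unreachable", "ICMP-echo-reply"}


def in_block(addr, block):
    """Membership test for an integer or dotted IPv4 address."""
    a = int(ipaddress.IPv4Address(addr))
    return a & int(block.netmask) == int(block.network_address)


def is_backscatter(pkt, telescope):
    """Backscatter = an unsolicited reply addressed into the dark block."""
    return pkt["kind"] in BACKSCATTER_KINDS and in_block(pkt["dst"], telescope)


def victims_from_backscatter(packets, telescope):
    """Count backscatter per *source* address.  The source of a backscatter
    packet is the attack victim: it is the host replying to the spoofed
    addresses, so grouping by source lists who is under attack."""
    counts = Counter()
    for pkt in packets:
        if is_backscatter(pkt, telescope):
            counts[pkt["src"]] += 1
    return counts


def scale_to_internet(observed, telescope):
    """Scale a count seen in the block up to all of IPv4, assuming the
    spoofed sources were spread uniformly (the article's premise)."""
    fraction = telescope.num_addresses / 2**32
    return observed / fraction


def simulate_attack(total_packets, seconds, victim="203.0.113.7", seed=1):
    """Constructed SYN flood: the victim sends one SYN-ACK per spoofed SYN,
    spoofed sources uniform over IPv4, intensity ramping up linearly so
    the attack has a clear peak in its last second.  Returns the replies."""
    rng = random.Random(seed)
    weights = [t + 1 for t in range(seconds)]
    total_w = sum(weights)
    replies = []
    for t in range(seconds):
        for _ in range(total_packets * weights[t] // total_w):
            replies.append({"t": t, "src": victim,
                            "dst": rng.getrandbits(32), "kind": "SYN-ACK"})
    return replies


def telescope_view(replies, telescope, seconds):
    """Per-second backscatter counts a telescope would record, and the
    first second in which it saw anything (None = attack missed)."""
    per_sec = [0] * seconds
    for pkt in replies:
        if is_backscatter(pkt, telescope):
            per_sec[pkt["t"]] += 1
    first_seen = next((t for t, c in enumerate(per_sec) if c), None)
    return per_sec, first_seen


def compare_telescopes(total_packets=200_000, seconds=10):
    """Run the flood past both telescopes and summarise what each inferred."""
    replies = simulate_attack(total_packets, seconds)
    true_peak = max(Counter(p["t"] for p in replies).values())
    summary = {"true_total": len(replies), "true_peak_per_sec": true_peak}
    for name, scope in (("big", BIG_TELESCOPE), ("small", SMALL_TELESCOPE)):
        per_sec, first = telescope_view(replies, scope, seconds)
        summary[name] = {
            "seen": sum(per_sec),
            "first_seen": first,
            "est_total": scale_to_internet(sum(per_sec), scope),
            "est_peak_per_sec": scale_to_internet(max(per_sec), scope),
            # Share of attack seconds in which the telescope saw anything:
            # a smaller block leaves more of the attack's shape unobserved.
            "coverage": sum(1 for c in per_sec if c) / seconds,
        }
    return summary


if __name__ == "__main__":
    s = compare_telescopes()
    print(f"attack: {s['true_total']} pkts, peak {s['true_peak_per_sec']}/s")
    for name in ("big", "small"):
        print(name, s[name])
```

Running it shows the /8 telescope seeing a few hundred replies and recovering the attack's total and ramp shape to within a few per cent, while the /16 typically catches a handful of packets or none, so its per-second estimate is either zero or a single packet multiplied by 65536 and its first sighting, if any, comes later. That is the mechanism behind Moore's remark that small telescopes see attacks late and misjudge their intensity, and behind the suggestion to pool several small blocks into a distributed telescope.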
The findings CAIDA has gleaned through its Internet telescope have serious implications for Internet security, according to Moore. For one thing, they suggest that home and small-office users on DSL (digital subscriber line) and cable modem connections played a big role in spreading Code Red and also are the targets of many DoS attacks.
In addition, many of the systems that were infected and inadvertently helped to spread Code Red and Code Red 2 were on DSL and cable modem accounts, he said. CAIDA determined this by looking at the owner of the block of addresses from which the traffic came.
"These machines are an important aspect of Internet health. There are a lot of machines out there that are not well maintained that can be broken into," Moore said.
Home users and most small businesses don't have full-time network administrators to update software and take other steps to maintain security, he explained.
"We're going to have to find solutions to help [non-professional] people manage the security of their boxes," Moore said. Developers could take three key actions to help this occur, he added.
How developers can help small firms and home users
- Make security products easier to use
- Make security understandable to non-professional users
- Automate some aspects of security