San Diego Supercomputer Center researchers track Web site attack

Researchers David Moore and Colleen Shannon of the Cooperative Association for Internet Data Analysis (CAIDA) at the San Diego Supercomputer Center (SDSC) have tracked the progress of a denial-of-service (DoS) attack on the Internet against The SCO Group, a software company in Lindon, Utah. The CAIDA Network Telescope project monitors distributed DoS attacks across the entire Internet using a novel "backscatter" analysis technique. Over the past two years the project has surveyed the extent of DoS attacks against large and small computer systems and has monitored the spread of malicious software such as the "Code Red" and "Sapphire/Slammer" worms.

At 3:20 a.m. PST on Wednesday, December 10, 2003, the CAIDA Network Telescope began to receive backscatter traffic indicating a distributed denial-of-service attack against The SCO Group. Early in the attack, unknown perpetrators targeted SCO's Web servers with a SYN flood of approximately 34,000 packets per second. A SYN flood consists of a stream of TCP SYN packets -- requests to open a connection -- directed to a victim machine's listening TCP port; for each request, the victim must search through existing connections and, if necessary, allocate a data structure for a new connection. The flood can disable a server by overloading the machine's processing ability with connection requests or by using up the bandwidth of the server's link to the Internet. "In real-world terms, this kind of attack is analogous to SCO's phone number receiving so many incoming prank calls that their switchboard is flooded and their line is always busy," said Shannon, a Senior Security Researcher at CAIDA.

Almost a day later, at 2:50 a.m. PST Thursday morning, the attacker(s) also began to bombard SCO's ftp (file transfer protocol) servers. Together, www.sco.com and ftp.sco.com experienced a SYN flood of over 50,000 packets per second early Thursday morning, according to the backscatter analysis. By 9:00 a.m. PST that day, the attack rate had subsided to around 3,700 packets per second. Throughout Thursday morning, the ftp server received the brunt of the attack, although the high-intensity attack on the ftp server lasted for a considerably shorter duration than the Web server attack. (A graph of the attack on the two servers is available at http://www.caida.org/analysis/security/sco-dos/.)

At 10:40 a.m., SCO removed their Web servers from the Internet and stopped responding to the incoming attack traffic. Their Internet Service Provider (ISP) appears to have filtered all traffic destined for the Web and ftp servers until they came back online at 5:00 p.m. PST on Thursday. Over the course of 32 hours, the CAIDA Network Telescope received more than 2.8 million response packets from SCO servers, indicating that SCO responded to more than 700 million attack packets. The outage also was documented by Netcraft Ltd., an Internet services company based in Bath, England, in an article and analysis graphs (see below).

The attack successfully blocked access to SCO's Web and ftp servers. A 50,000 packet-per-second SYN flood yields approximately 20 Mbits/second of Internet traffic in each direction, comparable to the capacity of a DS3 line (roughly 45 Mbits/second). The use of load balancers or proxies, SYN cookies, and Content Delivery Networks (CDNs) can help distribute the load of a denial-of-service attack, making it more difficult to saturate available network and server resources, but it is not known to what extent (if any) these strategies might have been used by SCO to mitigate the attack. "There is always kind of an arms race between how much money you are willing to spend and how much the attacker wants to bring down your network," said Moore, who is Assistant Director of CAIDA and a Ph.D. Candidate in the UCSD Computer Science Department.

The CAIDA Network Telescope makes use of a portion of Internet address space in which little or no legitimate traffic exists. To conceal their identities, attackers typically forge ("spoof") the IP source address of each packet they send, so the packets appear to the victim to be arriving from third parties. Most of the software packages used to conduct denial-of-service attacks select source addresses at random for each packet sent. When the victim responds, some of the randomly directed replies will be sent to addresses monitored by the Network Telescope. CAIDA researchers record these responses and detect ongoing attacks across the entire Internet. Unfortunately, the technique allows the identities of victims to be determined, but cannot identify the attackers. Among the events that the technique can detect are various forms of flooding DoS attacks, infection of hosts by Internet worms, and network scanning. A recent study examined three week-long datasets to assess the number, duration, and focus of attacks and to characterize their behavior. The CAIDA researchers observed more than 12,000 attacks against more than 5,000 distinct targets, ranging from well-known e-commerce companies such as Amazon and Hotmail to small foreign ISPs and even the dial-up connections of home computer users.
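The backscatter arithmetic described above, as an added example that is not CAIDA's code and not part of the original article. It assumes the telescope monitors a /8, i.e. 1/256 of the IPv4 address space (the article does not state the telescope's size, but its own figures, 2.8 million responses implying more than 700 million attack packets, are consistent with that ratio), uses a placeholder prefix 10.0.0.0/8 and constructed packet records rather than a real capture, and assumes roughly 50 bytes per SYN on the wire, the figure implied by the article's "50,000 packets per second is about 20 Mbits/second". The script classifies packets arriving at the telescope as backscatter (SYN-ACK or RST replies to spoofed SYNs), groups them by source, which is the victim rather than the attacker, and scales the counts up to estimate the attack rate and link load.

```python
"""Backscatter analysis of a SYN flood as seen from a network telescope.

Added example, not CAIDA's code. Assumptions (labelled):
  * the telescope monitors a /8, i.e. 1/256 of the IPv4 address space
    (placeholder prefix 10.0.0.0/8; the article does not state the size)
  * packet records are constructed (timestamp, src, dst, tcp flags) tuples
  * ~50 bytes per SYN on the wire, the figure implied by the article's
    "50,000 packets/s is about 20 Mbit/s"
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

TELESCOPE = ip_network("10.0.0.0/8")                   # placeholder prefix (assumption)
TELESCOPE_FRACTION = TELESCOPE.num_addresses / 2 ** 32  # 1/256 for a /8
SYN_BYTES_ON_WIRE = 50                                  # assumption, see docstring

# Replies a host sends to an unsolicited SYN: SYN-ACK if the port is listening,
# RST or RST-ACK if it is closed. Flag strings follow tcpdump's notation.
BACKSCATTER_FLAGS = {"S.", "R", "R."}


@dataclass(frozen=True)
class Packet:
    ts: float    # seconds since start of capture
    src: str     # IPv4 address as text
    dst: str
    flags: str   # tcpdump-style TCP flags, e.g. "S." for SYN-ACK


def is_backscatter(pkt: Packet) -> bool:
    """True if the packet is a reply to a spoofed SYN that landed in the telescope."""
    return ip_address(pkt.dst) in TELESCOPE and pkt.flags in BACKSCATTER_FLAGS


def estimate_attack_packets(observed: int) -> int:
    """Scale telescope observations up to the whole IPv4 space.

    With uniformly random spoofed sources, each reply the victim sends lands
    in the telescope with probability TELESCOPE_FRACTION, so the number of
    attack packets the victim answered is about observed / TELESCOPE_FRACTION.
    """
    return round(observed / TELESCOPE_FRACTION)


def estimate_mbps(packets_per_second: float, bytes_per_packet: int = SYN_BYTES_ON_WIRE) -> float:
    """Approximate one-direction link load of a SYN flood in Mbit/s."""
    return packets_per_second * bytes_per_packet * 8 / 1e6


def analyze(packets, window_seconds: float, min_observed: int = 5) -> dict:
    """Group backscatter by source; the source is the victim, not the attacker.

    Returns, per victim, the observed reply count, the estimated number of
    attack packets answered during the window, the estimated attack rate in
    packets/s and the implied link load in Mbit/s. Sources with fewer than
    min_observed replies are dropped as noise (stray RSTs, misconfiguration).
    """
    by_victim = defaultdict(int)
    for pkt in packets:
        if is_backscatter(pkt):
            by_victim[pkt.src] += 1
    report = {}
    for victim, observed in by_victim.items():
        if observed < min_observed:
            continue
        total = estimate_attack_packets(observed)
        rate = total / window_seconds
        report[victim] = {
            "observed_replies": observed,
            "estimated_attack_packets": total,
            "estimated_pps": rate,
            "estimated_mbps": estimate_mbps(rate),
        }
    return report


# Constructed sample: a 10-second telescope capture. 200 SYN-ACKs from a web
# server under attack (192.0.2.10, a documentation address) arrive at scattered
# telescope addresses; two stray RSTs from another host are noise, and a plain
# SYN arriving at the telescope is a scan rather than backscatter.
SAMPLE = [
    Packet(ts=i * 0.05, src="192.0.2.10", dst=f"10.{i % 256}.{(i * 7) % 256}.1", flags="S.")
    for i in range(200)
] + [
    Packet(ts=3.0, src="198.51.100.7", dst="10.9.9.9", flags="R"),
    Packet(ts=8.5, src="198.51.100.7", dst="10.1.2.3", flags="R."),
    Packet(ts=4.0, src="203.0.113.4", dst="10.4.4.4", flags="S"),
]

if __name__ == "__main__":
    for victim, stats in analyze(SAMPLE, window_seconds=10.0).items():
        print(victim, stats)
```

Run against the constructed sample, the script reports only 192.0.2.10: 200 observed replies scale to 51,200 attack packets over 10 seconds, about 5,120 packets per second. Applying estimate_attack_packets to the article's 2.8 million observed responses gives 716.8 million, matching its "more than 700 million"; estimate_mbps(50000) gives 20.0, matching its DS3 comparison. Because the telescope only ever sees the victim's replies, nothing in the output names the attacker, which is the limitation the article points out.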