Inferring Internet Denial-of-Service Activity
-- David Moore, Geoffrey M. Voelker and Stefan Savage

(Best paper at the USENIX Security Symposium, Aug 2001)

Summary:

This paper presents "backscatter analysis", a technique for estimating
the worldwide denial-of-service activity on the Internet.  Some classes
of denial-of-service attack flood the target host with packets that the
host tries to reply to, and most of those packets carry spoofed IP
source addresses, so the victim's replies go to hosts that never asked
for them.  A monitor that owns part of the address space therefore
receives a sample of those replies, and unsolicited response packets can
be used to detect and measure denial-of-service activity.  The authors
monitor a large subset of the IP address space over three weeks and use
this technique to try to quantify the denial-of-service activity
observed.

An assumption is that the (fake) source addresses chosen by the attack
tools are uniformly distributed over the address space, so that the
monitored block receives a share of the replies proportional to its
size; the authors verified this for some of the popular attack tools
available at the time.

The paper provides interesting information about the extent and nature
of denial-of-service attacks on the Internet today.  They discovered
large numbers of fairly short attacks, and while many of the targets were
large e-commerce sites, many others were directed at home machines.

Discussion:

Why would you want to measure the amount of Internet DoS attacks?
-- To detect the attacks, to defend against them, to plan infrastructure
that would be resilient to such attacks.

Another technique would be to measure at the targets themselves; this
would add a bias based on which targets were selected, and it would also
be harder to get large numbers of sites to co-operate.

There were some questions about whether all unsolicited packets were
indeed due to DoS attacks.  Some could be due to misconfigured routers.

There were also questions about whether the assumption of uniform source
addresses was justified, and whether the Anderson-Darling statistic was
a good enough test to confirm this.
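
A small worked example of the backscatter estimate from the summary, the
uniform-source assumption, and the two discussion points above (stray
packets from misconfigured routers, and testing uniformity with the
Anderson-Darling statistic).  This is added code, not the paper's or the
authors' own: the attack trace is constructed with a seeded random
generator, the victim and router addresses are placeholders taken from
documentation ranges, and the 100-packet floor that separates an attack
from stray packets is an assumed threshold for this example, not a value
from the paper.  The monitor is modelled as a /8, i.e. 1/256 of the IPv4
address space, which is the size of block the paper observed.

```python
"""Toy backscatter analysis, added as an example (not the paper's code).

A flooding attack with uniformly random spoofed sources makes the victim
reply to addresses all over the IPv4 space.  A monitor that owns a block
of that space sees the replies addressed into its block: the backscatter.
The trace below is constructed with a seeded generator, not captured data."""
import math
import random
from collections import defaultdict

ADDRESS_SPACE = 2 ** 32


def simulate_backscatter(victim, rate_pps, duration_s, monitor_prefix_bits, seed=1):
    """Constructed attack: rate_pps packets/s hit `victim`, each with a uniformly
    random spoofed source; the victim answers every one.  The monitor owns the
    2**(32-monitor_prefix_bits) addresses whose top bits are zero and records
    only the replies that land there, as (time, victim, monitored_dst)."""
    rng = random.Random(seed)
    monitor_size = 2 ** (32 - monitor_prefix_bits)
    records = []
    for i in range(rate_pps * duration_s):
        spoofed_src = rng.getrandbits(32)
        if spoofed_src < monitor_size:  # reply goes into the monitored block
            records.append((i / rate_pps, victim, spoofed_src))
    return records


def estimate_attack_rate(records, monitor_prefix_bits):
    """The monitor sees a fraction n / 2^32 of the victim's replies, so
    victim rate ~= observed backscatter rate * 2^32 / n (the paper's scaling)."""
    if len(records) < 2:
        return 0.0
    times = [t for t, _, _ in records]
    duration = max(times) - min(times)
    observed_rate = len(records) / duration
    return observed_rate * ADDRESS_SPACE / 2 ** (32 - monitor_prefix_bits)


def find_attacks(records, monitor_prefix_bits, min_packets=100):
    """Group backscatter by the replying host (the victim) and keep only groups
    large enough to be an attack rather than a misconfigured router's stray
    packets.  The 100-packet floor is an assumed threshold for this example."""
    by_victim = defaultdict(list)
    for rec in records:
        by_victim[rec[1]].append(rec)
    return {v: estimate_attack_rate(recs, monitor_prefix_bits)
            for v, recs in by_victim.items() if len(recs) >= min_packets}


def anderson_darling_uniform(samples):
    """A^2 statistic for H0: samples ~ Uniform(0, 1).  For large n the 5%
    critical value is about 2.49; larger values reject uniformity."""
    xs = sorted(samples)
    n = len(xs)
    eps = 1e-12  # keep the logs finite at the ends of the interval
    total = 0.0
    for i in range(1, n + 1):
        lo = min(max(xs[i - 1], eps), 1 - eps)
        hi = min(max(xs[n - i], eps), 1 - eps)
        total += (2 * i - 1) * (math.log(lo) + math.log(1 - hi))
    return -n - total / n


def uniformity_statistic(records, monitor_prefix_bits):
    """Scale the monitored destination addresses to [0, 1) and test them:
    if the attacker's spoofed sources are uniform, so are the hits inside
    the monitored block."""
    monitor_size = 2 ** (32 - monitor_prefix_bits)
    return anderson_darling_uniform([dst / monitor_size for _, _, dst in records])


if __name__ == "__main__":
    PREFIX = 8  # a /8, 1/256 of the address space, the block size the paper watched
    victim = "203.0.113.10"  # placeholder address from a documentation range
    trace = simulate_backscatter(victim, 10_000, 60, PREFIX)
    # constructed noise: a misconfigured router at a placeholder address sends
    # three unsolicited packets into the block during the same minute
    trace += [(5.0, "198.51.100.1", 77), (9.0, "198.51.100.1", 4242),
              (12.0, "198.51.100.1", 99)]
    print(f"{len(trace)} backscatter packets seen by the /{PREFIX} monitor")
    for v, rate in find_attacks(trace, PREFIX).items():
        print(f"{v}: inferred ~{rate:,.0f} packets/s (true rate 10,000)")
    attack_only = [r for r in trace if r[1] == victim]
    print(f"A^2 on the monitored hits: {uniformity_statistic(attack_only, PREFIX):.3f}")
    skewed = [(d / 2 ** 24) ** 3 for _, _, d in attack_only]  # cubing squashes toward 0
    print(f"A^2 on a skewed sample: {anderson_darling_uniform(skewed):.1f}")
```

The rate estimate is the paper's scaling: the victim replies to every
spoofed packet, the monitor owns n addresses, so it sees a fraction
n/2^32 of the replies and the observed rate times 2^32/n recovers the
attack rate.  The router's three packets never reach the threshold and
are dropped, which is the kind of filtering the discussion about
misconfigured routers calls for.  The Anderson-Darling statistic on the
monitored destinations stays near zero for the simulated uniform trace
and far above the 5% critical value for the cubed (skewed) sample; it
tests only the addresses that fell inside the block, so it can only
confirm uniformity within that block, not across the whole address space.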