Among the common targets are some names that come as no surprise: Amazon.com, America Online and Microsoft's Hotmail. However, a large number of individual users and small businesses were targeted by attacks as well, the researchers found.
"We believe our research provides the only publicly available data quantifying denial-of-service activity in the Internet," said David Moore, senior researcher with the San Diego Supercomputer Center's Cooperative Association for Internet Data Analysis and the primary author of the paper.
Denial-of-service attacks attempt to overload or crash computers connected to the Internet so people can't access them. A common type of attack, called a flood attack, aims to overload a targeted computer with so much data that it can no longer process legitimate access attempts.
In early May, vandals used just such an attack to swamp Whitehouse.gov, the public-relations Web site of President George W. Bush, essentially removing it from the Net. Online hooligans attacked Microsoft in January with a similar attack, causing headaches for the company over a two-day period.
While such incidents are occasionally reported in the media, no one had previously determined how prevalent the actual attacks were, Moore said.
The key to the research, he said, was a technique known as "back scattering."
When a computer is attacked, it generally can't determine that the sent data is bogus, so it attempts to reply to every incoming data packet. Yet, the most common denial-of-service attack programs randomize the address from which the data seem to have come. The result: The victim's computer will send replies to each of the random addresses, essentially "scattering back" responses, which can signal that it's under attack.
Moore and his colleagues collected such replies by listening to a large segment of the Internet--known as an A-class network and amounting to a collection of 1/256 of the total number of Internet addresses. While the researchers would not identify the large network, they did say that it harkens back to the founding of the Internet and today is essentially "dead space"--with no computers connected to it.
Because there aren't any live servers on the network, any replies sent to addresses there are either errors or evidence of randomized addresses--and thus an attack. By recognizing that several addresses are receiving replies from a single server, the researchers can peg the server and identify the victim.
"We saw an odd, disproportionate concentration of attacks towards a small group of countries," said Stefan Savage, a professor of computer science at UCSD, also an author of the paper. "Surprisingly, Romania, a country with a relatively poor networking infrastructure, was targeted nearly as frequently as the .net and .com top-level domains."
Geoff Volker, also a professor of computer science at UCSD, was the paper's third author.
Though more than 4,000 attacks were spotted in each of the three weeks during which the team monitored the Internet, more than half of those attacks lasted less than 10 minutes, Savage said.
Savage stressed that the study is not complete, but is the best estimate to date of the prevalence of such attacks. "There are a number of other attacks we cannot see," he said.