Estimates of total Internet incident activity vary widely. The actual number of incidents reported to the CERT®/CC can be considered the minimum estimate. For 1995, 1,168 actual incidents were reported to the CERT®/CC (Figure 7.3). The largest estimate found during this research for this same year was 900 million attacks [Coh95:40]. Even though the CERT®/CC figure is of incidents and this largest estimate is of attacks, this difference of nearly six orders of magnitude reflects how little is actually known about total Internet activity. Total Internet security activity could be measured by either the total Internet attack activity or the total Internet incident activity. This chapter examines simple estimates of Internet attack activity based primarily on projections from vulnerability studies by Defense Department organizations. The estimated number of attacks per year in 1995 ranged between 40,000 and 2.5 million based on these studies. Estimates of total Internet incident activity were made by projecting data from Site A, and by estimating the percentage of incidents reported based on estimates of attacks per incident and the probability of an attack being reported. The estimated number of incidents per year in 1995 ranged between 1,200 and 22,800. The final sections of this chapter show that a minimum of 96% of severe incidents (defined in Chapter 10) were reported to the CERT®/CC, and that the probability of an above average incident (in terms of duration and number of sites) being reported was a minimum of 1 out of 2.6 (and nearly all of them may have been reported).

12.1. Relationship of Attacks, Incidents and Total Activity

As discussed in Chapter 1, there is a difference between an attack and an incident. An attack is a single unauthorized access attempt, or unauthorized use attempt, regardless of success.
An incident, on the other hand, involves a group of attacks that can be distinguished from other incidents because of the distinctiveness of the attackers, and the degree of similarity of sites, techniques, and timing. The CERT®/CC records were of incidents, which were composed of numerous attacks. Since attacks make up incidents, total Internet security activity could be measured by either the total Internet attack activity or the total Internet incident activity. Unfortunately, very little has been known about either of these. Consequently, as was stated in Chapter 1, our knowledge about total Internet security activity prior to this research has been incomplete and primarily anecdotal.

12.2. Estimates of Total Internet Attack Activity

In order to estimate the number of attacks, some sample of Internet attack activity is required. This is primarily because incidents (not attacks) are generally reported. There are three ways to obtain a sample of attack activity: 1) a representative site or series of sites could be monitored for attack activity, 2) a representative site or series of sites could be requested to report all attack activity, and 3) representative sites could be attacked in some systematic manner to determine the rate of reporting. The results of such experiments could be compared to actual attack reports to determine the total number of attacks. These three approaches are discussed in the following three sections.

12.2.1. Monitoring Sites For Attack Activity

The first approach to determining total Internet attack activity would be to monitor a site, or several representative sites, for attack activity, and then to use information about the size of the Internet to project this site activity to total Internet attack activity. It is likely that such monitoring has been conducted at numerous sites, but by personnel at that site only.
This is the type of information that most sites would be reluctant to have become public, and it is unlikely that sites would allow monitoring of their network by outside agencies. It is also technically difficult to monitor the activity at one site from another site. As such, this does not appear to be a viable option for obtaining sample attack data. In addition, the results from any such monitoring program do not appear to have been published.

12.2.2. Reports of Attack Activity From Representative Sites

Instead of being monitored from outside, representative sites could monitor for attacks at their own sites and then report all attack activity either publicly, or in confidence to some agency such as the CERT®/CC. These data could then be used, along with information about the size of the Internet, to project this site activity to total Internet attack activity. A search of the related literature has not indicated that this has taken place, either spontaneously or as part of any scholarly research or program in this area. Projections from the activity at a single site to the Internet as a whole would be highly dependent on the accuracy of the site information, and on how typical the site is. In other words, such a projection would be very sensitive to errors in the site information, and to assumptions about the size of the site compared to the size of the Internet. One example of using the attack activity at a group of sites to estimate the total Internet attack activity was given by Cohen as follows:

"Several authors have reported that once detection was put in place, over one incident per day was detected against their computers attached to the Internet. Other people have placed detection systems on the Internet to detect attacks and have privately reported similar figures. There are about 2.5 million computers on the Internet, so simple multiplication tells us that something like 900 million attacks per year take place on the Internet alone" [Coh95:40].
This projection is in error for several reasons. First, the sites that reported an average of one attack per day were well-known, attractive sites. In this case, one of the sites was Bell Labs, as reported by Cheswick and Bellovin [ChB94]. The data on which the projection is based may, therefore, not be typical of Internet sites. The second error is more serious. The reports of "one incident per day" are for sites, not hosts. As such, the projection should not be made to the host level, but to the site level. An approximation to the number of sites is the estimate of the number of domains as discussed in Chapter 2. As shown in Table 2.5, the number of domains on the Internet in July, 1995, was around 120,000. This would indicate around 44 million attacks per year in 1995, not 900 million. However, given that this projection is based on data from well-known sites, and that the number of sites is most likely less than the number of domains, this estimate is likely to still be too high. Better estimates of individual site attack activity, however, do not appear to be published, and logically, they are unlikely to appear without a research program in this area. With its position in the Internet community, the CERT®/CC may be able to enlist the cooperation of representative sites on the Internet in order to gather these data in the future. This will be discussed further in Section 12.3.2.

12.2.3. Vulnerability Studies

A third approach to determining the rate of Internet attacks would be to estimate the rate of reporting through a program of attacks on Internet sites. Such a program is called a vulnerability study. The ratio of attacks to reports of these attacks during such a vulnerability study could be used, along with the total reports of attacks, to estimate the total Internet attack activity. In general, however, such vulnerability studies would not be feasible. It would be against established rules and laws to attack sites without their consent.
On the other hand, the reporting rate would likely be influenced if the site were notified of an attack ahead of time, which may make the results invalid. Such attacks have, however, been conducted against one group of hosts on the Internet: those belonging to the Department of Defense (DoD). In fact, because of these DoD studies, it appears the most common method used to estimate the number of attacks on the Internet is to project from vulnerability assessments.

12.2.3.1. DISA Vulnerability Studies

In order to test the vulnerability of a system, several methods could be used, such as examining the software on a system to ensure it is properly configured, has the correct versions, etc. Sometimes, a vulnerability assessment program involves attempted penetrations of a system. An example of this is the Vulnerability Analysis and Assessment Program of the Defense Information Systems Agency (DISA). Under this program, DISA personnel have attempted to penetrate computer systems at various military service and Defense agency sites via the Internet since the program's inception in 1992 [GAO96:19]. The results of DISA vulnerability assessments from 1992 through 1995 are depicted in Figure 12.1. Over this period, DISA conducted 38,000 attacks. Protection on the systems attacked blocked 35% of these attacks. Of the 24,700 successful attacks (65% of all attacks), almost all of them (23,712; 62.4% of all attacks, 96% of successful attacks) went undetected. Of the relatively small number that were detected (988; 2.6% of all attacks, 4% of successful attacks), three quarters were not reported after detection (721; 1.9% of all attacks, 73% of detected attacks). This means that only 267 of the 38,000 attacks (0.7% of all attacks, 27% of detected attacks) were reported. This is around 1 out of 140 attacks. Stated another way, given an incident that consists of one attack only, the probability that the incident would be reported is around 0.7%, based on these data.
According to the GAO, DISA estimates that DoD computers may have been attacked as many as 250,000 times during 1995 [GAO96:18]. Assuming the DoD represented 10% or less of the Internet during that year (see Figure 2.6), this would correspond to 2.5 million Internet attacks. Unfortunately, it is not clear where the DISA estimate comes from. The DISA data suggest that 1 out of 140 attacks were reported, and the GAO report indicates that around 500 attacks were reported in 1995 [GAO96:21]. This would suggest a lower figure, 70,000, for the number of attacks on DoD systems in 1995, and 700,000 for the number of attacks on the Internet as a whole. The 500 attacks reported by DISA in 1995, however, actually appear to be incidents, and not just attacks. This suggests the actual number of attacks may be higher, depending on the number of attacks per incident. This points out the fundamental problem with using vulnerability assessments to estimate total Internet activity: the vulnerability studies show the reporting rate of attacks, while the reports from sites are generally of incidents. More specifically, it is generally unclear whether a report of attack activity at a site is a report of one attack, or a report of several related attacks (i.e., an incident).

12.2.3.2. AFIWC Security Posture Studies

In a different study during 1995, the "security posture" of selected systems at 15 Air Force bases was evaluated by the Air Force Information Warfare Center (AFIWC), as part of their Computer Security Assistance Program (CSAP) [WhK96:slide19]. The results of their On-Line Survey during January, 1995 are shown in Figure 12.2. Of the 1,248 hosts attacked, 673 (54%) did not allow access. Access was gained at the root level on 291 hosts (23%), and at the account level on 284 hosts (23%). Of the 1,248 attacks, 156 were reported (12.5%), which means that around 1 out of every 8 attacks resulted in a report.
There are several potential reasons for the substantial difference between the DISA vulnerability assessment (1 out of 140 reported) and the AFIWC On-Line Survey (1 out of 8 reported). First, the AFIWC survey covered a small number of systems that could be similar in security posture, while the DISA assessment covered a larger, and potentially less homogeneous, number of DoD systems. Second, the DISA assessments were conducted over a four year period (1992 - 1995), while the AFIWC survey was all in the month of January, 1995. The higher probability of an attack being reported in the AFIWC survey may, therefore, reflect improved security during 1995 compared to the earlier years. The third possible reason the two surveys differed so greatly is that the methods of attack may have been different. This has the potential to make the difference very large: the more widely known an attack technique is, the more likely it is to be detected and reported, while some techniques, such as IP spoofing, are very difficult to detect. A fourth reason may be a difference in reporting requirements. If the sites selected for the AFIWC survey had established procedures requiring reports of attacks, then the population surveyed may have been more likely to report a detected incident than the DISA sites. This may account for some of the difference. For example, in the DISA assessment, 1 out of 38 attacks was detected, a rate nearly four times the rate of reporting. Perhaps this reflects a weaker reporting requirement in the DISA study population. Finally, the large difference between the AFIWC and DISA studies may reflect a difference in the motivation or purpose of the studies. The AFIWC program was instituted to aid individual sites in their security. In fact, the AFIWC team provided technical assistance to the sites attacked in January, 1995, in order to help site administrators improve site security.
This effort was reflected in a significant improvement shown at these sites when they were surveyed again in April, 1995. In this later survey, only 2% of attacks were successful at the root level and 10% at the account level, and 25% of the attacks were detected and reported (1 out of 4). On the other hand, the DISA assessment data were used in Congressional hearings, reported in a GAO report [GAO96], and reported in the press. It is conceivable that the greater the perceived threat from Internet attacks reported by DISA, the greater the funding for DISA. This is a potential conflict of interest with respect to the DISA assessments. If the AFIWC estimate of the rate of reporting (12.5%) were used instead of the DISA rate of reporting (0.7%) for a simple projection of total Internet attacks per year, the value is considerably lower. Assuming the 500 attacks reported by DISA in 1995 is correct, the AFIWC estimate of total Internet attacks per year for 1995 would be around 40,000: the 500 reports divided by a 12.5% reporting rate gives 4,000 attacks on DoD systems, and the DoD's share of the Internet (10% or less) multiplies this by 10.

Again, if the 500 attacks were actually 500 incidents made up of multiple attacks, then the number of estimated attacks would be higher. The conclusion we can draw from these two studies is that the rate of reporting of individual Internet attacks is likely to be somewhere between 1 in 8 and 1 in 140. Stated another way, the probability that a site will report an individual attack is likely to be between approximately 0.7% and 12.5%. The estimates of the total number of attacks are highly speculative, primarily because they are based on an uncertain estimate of the number of incidents. More specifically, an estimate of the total number of Internet attacks projected from vulnerability studies depends on accurate reports of Internet attacks, not incidents. This information is generally not available. If the number of attacks is to be estimated from incident reports, then information about the number of attacks per incident is required. This is discussed in Section 12.3.3. Table 12.1 summarizes the estimates of total Internet attack activity discussed in this section.
12.3. Estimates of Total Internet Incident Activity

Unlike attack activity, reports of Internet incidents are known to exist in various organizations. First, they probably exist at most Internet sites, because most of these sites probably keep records of security incidents involving that site. It is unlikely, however, that these reports would be publicly available, for the same reasons that individual attacks would not be reported (discussed in the previous section). Second, some information has been reported publicly. As has been discussed in this dissertation, this information is limited and anecdotal in nature. Finally, Internet response teams, particularly the CERT®/CC, are known to have reports of incidents (as reported in this dissertation). These reports could be used to estimate total Internet incident activity if an estimate could be made of the percentage of incidents reported to the CERT®/CC. This could be done in three different ways: 1) a representative site or series of sites could be monitored for incident activity, 2) a representative site or series of sites could be requested to report all incident activity, and 3) estimates of the rate of reporting of attacks, and of the number of attacks per incident, could be used to estimate the percentage of incidents reported. The results of such estimates could be compared to actual incident reports to estimate the total number of Internet incidents. These three approaches are discussed in the following three sections.

12.3.1. Monitoring Sites For Incident Activity

The first approach to determining total Internet incident activity would be to monitor a site, or several representative sites, for incident activity, and then to use information about the size of the Internet to project this site activity to total Internet incident activity.
As with monitoring for individual attacks (discussed in Section 12.2.1), it is likely that such incident monitoring has been conducted at numerous sites, but by personnel at that site only. This is also the type of information that most sites would be reluctant to have become public, and it is unlikely that sites would allow monitoring of their network by outside agencies. It is also technically difficult to monitor incident activity at one site from another site. As such, this does not appear to be a viable option for obtaining sample incident data. In addition, the results from any such monitoring program do not appear to have been published.

12.3.2. Reports of Incident Activity From Representative Sites

Instead of monitoring incident activity, a representative site or series of sites could be requested to report all incident activity. As discussed in Chapter 9, Site A did report all such activity to the CERT®/CC. Estimates based on Site A activity are discussed in the following pages.
In Chapter 9, Table 9.1 gives estimates of the number of hosts on the Site A network. Figure 9.1 shows the number of incidents at Site A. These data can be combined to give an estimate of the number of Internet incidents. Figure 12.3 shows an estimate of the number of incidents per host per year at Site A. The average incidents per host for the years 1992 through 1995 was 0.0048, and the range was 0.0033 to 0.0057. Figure 12.4 shows an estimate of the number of Internet incidents based on these Site A data and the number of Internet hosts (see Chapter 2). Using the total data at Site A, the estimate for 1989 through 1995 is that the total number of Internet incidents was between 46,000 and 62,000. In other words, based on the Site A data, an average of between 1 out of 14, and 1 out of 11 of the actual incidents on the Internet were reported to the CERT®/CC (see Table 12.2).
The number of incidents reported to the CERT®/CC are also plotted in Figure 12.4. This appears to show a decline in the percentage of incidents reported to the CERT®/CC over this period. This is also indicated in Table 12.2, which shows the ratio of the number of total Internet incidents to the number reported to the CERT®/CC over this period. There is, however, a significant difference between the Site A data and all of the data reported to the CERT®/CC which may explain this. These differences are shown in Table 12.3.
If we make the assumption that Site A is representative of sites on the Internet, Table 12.3 may indicate that the more serious an incident is, the more likely it is to be reported to the CERT®/CC. This was evident in all three levels of access incidents. In the record of all incidents (minus Site A), the number of root break-ins exceeded the number of account break-ins (1,159 root break-ins compared to 973 account break-ins). At Site A, however, the number of root break-ins was only half that of account break-ins (30 root break-ins compared to 61 account break-ins). In terms of percentage, access attempts at Site A were reported at more than twice the rate of all incidents (73.5% access attempts at Site A, compared to 33.6% overall). This may account for the decline in the ratio of reports to total incidents that was indicated in Figure 12.4. In other words, the CERT®/CC may be receiving relatively fewer reports about attempts over time, but not necessarily fewer reports of successful attacks. Because of its apparent diligence in reporting incidents to the CERT®/CC, Site A may report root break-ins to the CERT®/CC at a rate greater than that of other sites. Let us assume, however, that the rate of reporting root break-ins was approximately the same. Furthermore, let us assume the other levels were underreported to the extent that they actually took place in the approximate percentages reported by Site A. With these assumptions in mind, if all sites were as diligent in reporting as Site A, the approximate distribution of incidents would have been 7% root break-ins, 14% account break-ins, 74% access attempts, and 5% unauthorized use incidents. This would correspond to around 1,200 root break-ins, 2,400 account break-ins, 12,700 access attempts, and 900 unauthorized use incidents, for a total of approximately 17,200 incidents.
That would be around four times the 4,299 incidents actually reported to the CERT®/CC over the period of this research. The reporting of 1 out of 4 incidents is a rate higher than the values given in Table 12.2. Table 12.4 shows that none of the estimates based on the Site A data falls within the ranges of Table 12.2. The most suspicious assumption of Table 12.4 is the assumption that all root break-ins were reported. This is likely to be inaccurate because 1) not all root break-ins may be detected, either at Site A, or at all sites, and 2) not all incidents detected involving root break-ins may be reported. The data of Table 12.4 were, therefore, not considered to be a good estimate.
The CERT®/CC is in a unique position within the Internet community and, as discussed in Section 12.2.2, may be able to enlist the cooperation of representative sites on the Internet in order to generate these data in the future. As such, the CERT®/CC should lead the development and implementation of a program to better estimate total Internet incident activity. Such a program should involve the voluntary reporting of all incident activity at representative Internet sites and should include coordination and/or participation from other response teams and related organizations, such as DISA and AFIWC. This is discussed in Chapter 14.

12.3.3. Estimates of Attack Reporting Rate and Attacks per Incident

Estimates of the rate of reporting of attacks, and of the number of attacks per incident, could be used to estimate the total number of Internet incidents as follows:
where

Nt = the total number of Internet incidents
Nr = the number of Internet incidents reported
P(I) = the probability (percentage) that an incident will be reported
P(A) = the probability that an attack will be reported
a = the number of attacks per incident

12.3.3.1. Estimates of Attack Reporting Rate

Section 12.2.3 gave two estimates of the probability of an attack being reported, P(A). The first, from the DISA vulnerability assessments, was 1 out of 140 (0.7%). The second, from the AFIWC survey, was 1 out of 8 (12.5%). These estimates are used as the lower and upper estimates of the probability of an attack being reported.

12.3.3.2. Estimates of Attacks per Incident Using All CERT®/CC Incidents

The CERT®/CC data give some limits on an estimate of the number of attacks per incident (a). For a lower estimate, we can use the number of sites per incident, assuming that each site identified in the incident was attacked at least once during the incident. Figure 12.5 shows the average number of sites per incident for the CERT®/CC incidents in each year of this research. Throughout this period, this average was around six sites per incident. Because of the large number of incidents in 1994 and 1995, the overall average was higher, at 6.54 sites per incident. The lower limit of attacks per incident is therefore taken to be this average of 6.54 (about 7 attacks per incident). If only the data from 1995 were used, the lower estimate would be 7.3 attacks per incident. Even though this is intended to be the lower estimate, it is appropriate to round it up to 10, because, even though the estimate comes from incidents that were reported, most likely some attacks in each incident went unreported.
Establishing an estimate of the upper limit of attacks per incident is more difficult. One way would be to assume each site was attacked once a day. Then, we could use the average duration of incidents in the entire CERT®/CC data set to make the following estimate:
An attacker is capable of making multiple attacks on the same day. In addition, there could be multiple attackers in an incident. For example, a 1996 GAO report describes an incident at Rome Laboratory, New York [GAO96:22] involving two attackers. One attacker was from the U.K. and was arrested in May, 1994, and the other attacker was unidentified. According to the GAO report, these attackers made more than 150 intrusions during March and April, 1994. This is an average of 2.5 attacks per day. Using this average, the estimate of attacks per incident increases as follows:
This particular incident was also recorded in the CERT®/CC records. It involved the use of sniffers and over 1,500 sites. On any particular day, an attacker is capable of perhaps dozens of attacks. Attackers would tend, however, to perform fewer attacks if they are successful. For example, an attacker would tend to take time exploring a computer after a successful attack. As stated earlier, there could also be multiple attackers. On the other hand, it would be unlikely that each attacker would be active on every day of an incident, or that all of the attackers would be equally active. Let us assume the following: 1) each attacker is capable, on average, of 5 attacks per day, 2) there were, on average, 3 attackers per incident, 3) each attacker was active, on average, 3 days each week, and 4) attackers were active for half of the days the incident was open. The first assumption was made by assuming that each attacker could perform a dozen or more attacks during a day, but would perform fewer if one or more attacks were successful. Regarding the second assumption, as was noted in Chapter 9, the CERT®/CC incident records contain very little information about the identity or number of attackers. Assuming that each incident had at least one attacker, the CERT®/CC records would appear to indicate the average number of attackers was a little more than one. Here we will assume the average is three attackers. The third assumption above is based upon a judgment that an attacker is not likely to be active every day. The last assumption comes from experience with the actual incidents in the CERT®/CC records. These records show that attacks came primarily during the early part of an incident. Part of the reason for this is that the CERT®/CC records were generally held open past the bulk of the attacks in order to perform investigations and administrative actions. In addition, as an incident progressed, sites took defensive measures which generally prevented some attacks.
Using these assumptions, the approximation for the number of attacks per incident is:
It should be noted that this estimate is sensitive to the assumed values. For example, if the average number of attackers involved in each incident is 5 instead of 3, the estimate of attacks per incident is nearly doubled, to around 600. Another way the upper limit to the number of attacks per incident could be estimated is to give some consideration to the types of attacks. We would expect a similar answer, because the same data would be used, but it is interesting to note the distribution of data as shown in Table 12.5. The values in this table were determined by a judgment based on experience with the CERT®/CC records. Using the estimates shown in Table 12.5 results in an estimate of around 1,000 attacks per incident. Again, this estimate is sensitive to the estimates of the other parameters. For example, if the ratio of active time to duration (active/duration) for root break-ins is increased from 0.50 to 0.75, the overall estimate increases to over 1,500 attacks per incident.
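The projection of Section 12.3.3, together with the attacks-per-incident model and the sensitivity check just discussed, expressed as working code. This is an added example, not code from the dissertation. It reconstructs Equation 12.1 from the symbol definitions in Section 12.3.3 as Nt = Nr / P(I) with P(I) = 1 - (1 - P(A))^a, which assumes that each attack in an incident is reported independently with probability P(A); that independence assumption is the editor's, not the text's. The inputs are the section's own figures (about 1,200 incidents reported to the CERT®/CC in 1995, P(A) of 1/140 from DISA and 1/8 from AFIWC, a between 10 and 1,000). The mean incident duration that the attacks-per-incident model needs is not stated in the section, so it is left as a caller-supplied parameter.

```python
"""Equation 12.1 projection of total Internet incidents, plus the
attacks-per-incident model of Section 12.3.3.2.  Added worked example,
not from the dissertation; the independence assumption behind P(I) and the
duration parameter are the editor's assumptions."""


def p_incident_reported(p_attack: float, attacks_per_incident: float) -> float:
    """P(I): probability that at least one of an incident's a attacks is
    reported, assuming each attack is reported independently with
    probability P(A) (assumption).  P(I) = 1 - (1 - P(A)) ** a."""
    if not 0.0 <= p_attack <= 1.0:
        raise ValueError("P(A) must be a probability")
    if attacks_per_incident < 1:
        raise ValueError("an incident contains at least one attack")
    return 1.0 - (1.0 - p_attack) ** attacks_per_incident


def total_incidents(n_reported: float, p_attack: float,
                    attacks_per_incident: float) -> float:
    """Equation 12.1: Nt = Nr / P(I)."""
    return n_reported / p_incident_reported(p_attack, attacks_per_incident)


def project_1995(p_attack: float, n_reported: float = 1200.0,
                 a_values=(10, 100, 1000)) -> dict:
    """Return {a: (Nt, Nt * a)} for each assumed attacks-per-incident value.
    Nt * a is the attack total consistent with the a that produced that Nt."""
    table = {}
    for a in a_values:
        nt = total_incidents(n_reported, p_attack, a)
        table[a] = (nt, nt * a)
    return table


def attacks_per_incident(attacks_per_attacker_day: float, attackers: float,
                         active_days_per_week: float, active_fraction: float,
                         duration_days: float) -> float:
    """Upper-limit model of Section 12.3.3.2: attacks per attacker per day,
    times attackers, times the share of each week an attacker is active,
    times the share of the incident's open period in which attacks occur,
    times the incident duration.  The text uses 5, 3, 3 of 7 and 0.5 but does
    not state the mean duration it used, so duration_days is an assumption
    supplied by the caller."""
    return (attacks_per_attacker_day * attackers
            * (active_days_per_week / 7.0) * active_fraction * duration_days)


if __name__ == "__main__":
    for label, p_a in (("DISA  P(A)=1/140", 1 / 140), ("AFIWC P(A)=1/8  ", 1 / 8)):
        for a, (nt, attacks) in project_1995(p_a).items():
            print(f"{label}  a={a:5d}  P(I)={p_incident_reported(p_a, a):.4f}"
                  f"  Nt={nt:8.0f}  Nt*a={attacks:12.0f}")
    # Sensitivity: 5 attackers instead of 3, all else equal (duration assumed).
    base = attacks_per_incident(5, 3, 3, 0.5, duration_days=100)
    more = attacks_per_incident(5, 5, 3, 0.5, duration_days=100)
    print(f"attackers 3 -> 5 multiplies the estimate by {more / base:.2f}")
```

Running the block reproduces the Equation 12.1 figures the section uses: with P(A) = 1/140 it gives about 17,350 incidents at a = 10 and about 1,200 at a = 1,000, and with P(A) = 1/8 about 1,630 and 1,200. One check worth noting: multiplying each Nt by the same a that produced it gives, for the DISA rate, roughly 173,000 attacks (a = 10) to 1.2 million (a = 1,000); a span of 12,000 to 17.4 million arises only if the low Nt (from a = 1,000) is multiplied by the low a and the high Nt (from a = 10) by the high a. Raising the attacker count from 3 to 5 in the attacks-per-incident model scales the estimate by exactly 5/3, the "nearly doubled" sensitivity the text describes.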
Using this last estimate (Table 12.5), we have an "order of magnitude" estimate of the number of attacks per incident as being between 10 and 1,000. My experience with the CERT®/CC records suggests that 100 attacks per incident might be a reasonable estimate of the mean. The number of incidents reported to the CERT®/CC during 1995 was approximately 1,200. Based on the number of attacks per incident being between 10 and 1,000, Equation 12.1 can be used to estimate the number of incidents on the Internet. If we assume the probability of reporting an attack was 0.7% (DISA estimate), the number of incidents in 1995 is estimated to be between 1,200 and 17,350. This would correspond to an estimated number of attacks between 12,000 and 17.4 million. If we assume the probability of reporting an attack was 12.5% (AFIWC estimate), the number of incidents in 1995 is estimated to be between 1,200 and 1,630. This would correspond to an estimated number of attacks between 12,000 and 1.6 million.

12.3.3.3. Estimates of Attacks per Incident Using CERT®/CC Incidents by Type

In the previous section, the number of attacks per incident was estimated using all the CERT®/CC incidents together. As was discussed in Section 12.3.2, however, the likelihood that an Internet incident will be reported to the CERT®/CC is greater the more severe the incident. Chapter 7 also discussed measures of severity, which included the level of access or type of unauthorized use, number of sites involved, duration, and number of messages to and from the CERT®/CC. These measures of severity give some indication of the number of attacks per incident. If estimates of the number of attacks per incident were made for each of the six categories of CERT®/CC incidents (see Table 12.6), perhaps this would yield a better estimate of the upper limit of attacks per incident. This could be done with the following formula:
(12.2)
As noted in the previous section, the estimate of the number of attacks is very sensitive to the estimates of the other parameters. The estimated values of the parameters were as shown in Table 12.6 (taken from Table 12.5). Using these assumed values, Equation 12.2 was used to estimate the number of attacks for each of the incidents in the CERT®/CC data. The results are shown in Table 12.7, which shows the average number of attacks in an incident as being between 7 and 3,000. This is a wider range than was estimated in the previous section. Notice that the range depends strongly on the type of incident, with a high range of between 13 and 10,220 for root break-ins, and a low range of between 3 and 24 for denial-of-service attacks. The estimates in Table 12.7 can be used to estimate the total number of Internet incidents. In order to do this, the probability of an individual attack being reported must be assumed. Most likely, this probability is dependent on the severity of an incident. For example, a site administrator may not be inclined to report to the CERT®/CC attacks that were unsuccessful. On the other hand, this same site administrator might be highly likely to report an attack that resulted in a root break-in. Unfortunately, the only information available about the probability that an attack will be reported is for overall averages and not for individual types of attack. These were presented in Section 12.2.3 (the DISA assessment of the probability of an individual attack being reported as 1/140 (0.7%), and the AFIWC study, with the probability of being reported as 1/8 (12.5%)).
We do, however, have information from Site A that may indicate a difference in the rate of reporting for each type of incident. Such an adjustment is given in Table 12.8. The middle column of this table shows the ratio of the percentage of all incidents in a type to the percentage of incidents in that type at Site A. This ratio was used to adjust the probability of report as shown.
In Table 12.8, the low estimates of the probability of report were based on the DISA assessments, and the high estimates of the probability of report were based on the AFIWC survey.
The results of using the higher estimated probabilities are given in Table 12.9. Overall, this process estimates the total number of Internet incidents for the period of this research to be between 6,600 and 16,600, and the total number of attacks to be between 53,000 and 133,000. Recalling that the total number of incidents in the CERT®/CC records was 4,299, experience with the CERT®/CC records seems to indicate these estimates are probably too low. Evidence for this was seen particularly in the fact that there were generally far more sites involved in an incident than sites that reported the incident.
This can be seen more clearly in Table 12.10 which shows the average probability of report in a different form. These probabilities suggest that most incidents were reported to the CERT®/CC during the period of this research, particularly root and account break-ins. Again, experience with the CERT®/CC records indicates this was probably not the case.
The results of using the lower estimated probabilities are given in Table 12.11. Overall, this process estimates the total number of Internet incidents to be between approximately 60,000 and 260,000, and the total number of attacks to be between 8.4 million and 36.4 million. The lower estimate of the average probability of report in Table 12.12 (1 out of 13) is within the average range estimated from Site A (see Table 12.2). The high estimate still seems unrealistic compared to CERT®/CC records. This may indicate that the number of sites was a poor choice for a lower limit of attacks per incident. On the other hand, this was a realistic choice because, if a site was identified as being involved in an incident, it was most likely attacked. The error is most likely that sites were, on average, attacked more than once during an incident.
12.3.4. Summary of Incident Estimates - Table 12.13 summarizes the estimates of total Internet incident activity made in this section. These estimates are for one year in 1995.
12.4. Severe and Above Average Incidents
The 22 incidents identified in Chapter 10 as being the most severe in the CERT®/CC records were given the same analysis as was done for all incidents in the last section. Using the DISA probability of reporting an attack, the probability of any incident meeting the Chapter 10 criteria not being reported to the CERT®/CC was between 0% and 4%. Using the AFIWC probability of reporting an attack, the probability of any incident meeting the Chapter 10 criteria not being reported to the CERT®/CC was essentially zero. This confirms the impression the reports themselves give: that it is hard to conceive that a severe incident would not be reported to the CERT®/CC. There were 394 incidents in the CERT®/CC records (9.2%) that were above average both in terms of duration (above 16.5 days) and number of sites (above 6.5). When these incidents were isolated and analyzed in the same manner as in the previous section, the analysis yielded the results of Table 12.14. If we assume the DISA probability of report, then a minimum of around 1 out of 2.6 of the above average incidents were reported to the CERT®/CC (and nearly all of them may have been reported). If we assume the AFIWC probability, then it was estimated that less than 4% of these incidents were not reported to the CERT®/CC (and nearly all of them may have been reported).
Estimates of attacks per incident, and therefore, estimates of total Internet incident activity, could be improved with better information about the average number of attackers per incident, and their typical activity. Estimates of the average number of attackers per incident, and their typical activity, should be made by personnel from DISA, AFIWC, CERT®/CC and other response teams, in order to improve estimates of total Internet incident activity. This is discussed in Chapter 14.
12.5. Estimated Number of Internet Denial-of-service Incidents
Tables 12.9 and 12.11 estimate that there were between approximately 160 and 3,800 denial-of-service incidents on the Internet between 1989 and 1995. There was, however, only one denial-of-service incident in the CERT®/CC records that was among the 394 above average incidents identified in the previous section. This incident involved 21 sites. There is general acknowledgment that the Internet is relatively defenseless against denial-of-service attacks [GaS96:759]. The small number of denial-of-service incidents, and their relatively small size, however, do not completely confirm this vulnerability. On the one hand, the records indicate that denial-of-service vulnerabilities were not mitigated over this period. The same methods of attack used in the early incidents appear to be successful in the later incidents also. All of the incidents, however, were localized and small in scale. The CERT®/CC records of denial-of-service incidents show no large-scale incidents whatsoever. The only large-scale denial-of-service incident known to have occurred on the Internet remains the Internet Worm of 1988. This is an interesting finding. The CERT®/CC was established in response to a large-scale denial-of-service attack, and yet no other large-scale denial-of-service attack is known to have occurred. CERT®/CC records give no indication of why large-scale denial-of-service attacks do not occur on the Internet. Either potential attackers have not had enough motivation, or the Internet is not vulnerable to large-scale denial-of-service attack.
12.6. Summary of the Estimates of Total Internet Incident Activity
Since attacks make up incidents, total Internet security activity could be measured by either the total Internet attack activity or the total Internet incident activity. In order to estimate the number of attacks, some sample of Internet activity is required. Vulnerability studies by Defense Department agencies can be used for such an estimate. A vulnerability analysis by the Defense Information Systems Agency (DISA) showed that the probability of an individual attack being reported was around 1 out of 140 (0.7%). In a different study, the Air Force Information Warfare Center (AFIWC) estimated this probability to be 1 out of 8 (12.5%). Table 12.15 summarizes the estimates of total Internet attack activity based on these studies.
Site A was used to estimate total Internet incident activity based on estimates of incidents per host at this site. This was the only site reporting all incident activity to the CERT®/CC. Because of its position in the Internet community, the CERT®/CC may be able to enlist the cooperation of other representative sites on the Internet in order to generate these data in the future. As such, the CERT®/CC should lead the development and implementation of a program to better estimate total Internet incident activity. Such a program should involve the voluntary reporting of all incident activity at representative Internet sites and should include coordination and/or participation from other response teams and related organizations, such as DISA and AFIWC. Estimates of the rate of reporting of attacks, and of the number of attacks per incident, could be used to estimate the total number of Internet incidents as follows:
where
Nt = the total number of Internet incidents
Nr = the number of Internet incidents reported
P(I) = the probability (percentage) that an incident will be reported
P(A) = the probability that an attack will be reported
a = the number of attacks per incident
The DISA and AFIWC studies gave low and high estimates of the probability of an attack being reported [P(A)]. The number of attacks per incident was estimated to be between 10 and 1,000 when all CERT®/CC data was considered together. Better estimates were obtained when the types of incidents were considered separately. Table 12.16 summarizes the estimates of total Internet incident activity made by estimating attacks per incident, or from Site A projections. These estimates are for one year in 1995.
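As an added example (not part of the thesis), the following Python reproduces the estimate above with the symbols the chapter defines, and also serves the Section 12.3.3.2 calculation. The body of Equation 12.1 did not survive extraction, so the code assumes an incident is reported when at least one of its a attacks is reported, P(I) = 1 - (1 - P(A))^a; under that assumption the chapter's own values (1,200 reported incidents, P(A) = 1/140 and 1/8, a between 10 and 1,000) give back its 1,200 to 17,350 (DISA) and 1,200 to 1,630 (AFIWC) ranges.

```python
# Added example, not code from the thesis. Assumed form of Equation 12.1:
#     P(I) = 1 - (1 - P(A)) ** a        (incident reported if any attack is)
#     Nt   = Nr / P(I)
# Values below are the chapter's own (Sections 12.2.3 and 12.3.3.2).
P_A_DISA = 1 / 140        # about 0.7% of attacks reported
P_A_AFIWC = 1 / 8         # 12.5% of attacks reported
N_REPORTED_1995 = 1200    # incidents reported to the CERT/CC in 1995 (approx.)


def incident_report_probability(p_attack, attacks_per_incident):
    """P(I): chance that an incident of `a` attacks is reported at least once."""
    if not 0.0 <= p_attack <= 1.0 or attacks_per_incident <= 0:
        raise ValueError("p_attack must be in [0, 1] and attacks_per_incident > 0")
    return 1.0 - (1.0 - p_attack) ** attacks_per_incident


def unreported_probability(p_attack, attacks_per_incident):
    """Chance that an incident of the given size is never reported (Section 12.4)."""
    return 1.0 - incident_report_probability(p_attack, attacks_per_incident)


def total_incidents(n_reported, p_attack, attacks_per_incident):
    """Nt = Nr / P(I)."""
    return n_reported / incident_report_probability(p_attack, attacks_per_incident)


def incident_and_attack_ranges(n_reported, p_attack, a_low, a_high):
    """Return ((Nt_min, Nt_max), (attacks_min, attacks_max)) for a in [a_low, a_high].

    Fewer attacks per incident means a smaller chance the incident is reported,
    so the largest incident estimate comes from a_low. The attack range pairs the
    smallest incident count with a_low and the largest with a_high, as the
    chapter's 12,000 to 17.4 million range does.
    """
    nt_low = total_incidents(n_reported, p_attack, a_high)
    nt_high = total_incidents(n_reported, p_attack, a_low)
    return (nt_low, nt_high), (nt_low * a_low, nt_high * a_high)


if __name__ == "__main__":
    for name, p in (("DISA", P_A_DISA), ("AFIWC", P_A_AFIWC)):
        (lo, hi), (att_lo, att_hi) = incident_and_attack_ranges(N_REPORTED_1995, p, 10, 1000)
        print(f"{name}: incidents {lo:,.0f} to {hi:,.0f}; attacks {att_lo:,.0f} to {att_hi:,.0f}")
        # Probability that a 100-attack incident (the chapter's suggested mean) goes unreported.
        print(f"  P(unreported | a=100) = {unreported_probability(p, 100):.3f}")
```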
Using the DISA probability of reporting an attack, the probability of any severe incident meeting the Chapter 10 criteria not being reported to the CERT®/CC was between 0% and 4%. Using the AFIWC probability of reporting an attack, the probability of any severe incident meeting the Chapter 10 criteria not being reported to the CERT®/CC was essentially zero. This confirms the impression the reports themselves give: that it is hard to conceive that a severe incident would not be reported to the CERT®/CC. There were 394 incidents in the CERT®/CC records (9.2%) that were above average both in terms of duration (above 16.5 days) and in terms of the number of sites (above 6.5). When these incidents were isolated and analyzed, it showed that if we assume the DISA probability of report, then a minimum of around 1 out of 2.6 of the above average incidents were reported to the CERT®/CC (and nearly all of them may have been reported). If we assume the AFIWC probability, then it was estimated that less than 4% of these incidents were not reported to the CERT®/CC (and nearly all of them may have been reported).
Estimates of attacks per incident, and therefore, estimates of total Internet incident activity, could be improved with better information about the average number of attackers per incident, and their typical activity. Estimates of the average number of attackers per incident, and their typical activity, should be made by personnel from DISA, AFIWC, CERT®/CC and other response teams, in order to improve estimates of total Internet incident activity.