{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,10]],"date-time":"2026-03-10T04:32:11Z","timestamp":1773117131099,"version":"3.50.1"},"reference-count":29,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2006,5,1]],"date-time":"2006-05-01T00:00:00Z","timestamp":1146441600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Comput. Syst."],"published-print":{"date-parts":[[2006,5]]},"abstract":"<jats:p>\n            In this article, we seek to address a simple question: \u201cHow prevalent are denial-of-service attacks in the Internet?\u201d Our motivation is to quantitatively understand the nature of the current threat as well as to enable longer-term analyses of trends and recurring patterns of attacks. We present a new technique, called \u201cbackscatter analysis,\u201d that provides a conservative estimate of\n            <jats:italic>worldwide<\/jats:italic>\n            denial-of-service activity. We use this approach on 22 traces (each covering a week or more) gathered over three years from 2001 through 2004. Across this corpus we quantitatively assess the number, duration, and focus of attacks, and qualitatively characterize their behavior. In total, we observed over 68,000 attacks directed at over 34,000 distinct victim IP addresses---ranging from well-known e-commerce companies such as Amazon and Hotmail to small foreign ISPs and dial-up connections. We believe our technique is the first to provide quantitative estimates of Internet-wide denial-of-service activity and that this article describes the most comprehensive public measurements of such activity to date.\n          <\/jats:p>","DOI":"10.1145\/1132026.1132027","type":"journal-article","created":{"date-parts":[[2006,7,25]],"date-time":"2006-07-25T14:14:26Z","timestamp":1153836866000},"page":"115-139","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":540,"title":["Inferring Internet denial-of-service activity"],"prefix":"10.1145","volume":"24","author":[{"given":"David","family":"Moore","sequence":"first","affiliation":[{"name":"University of California San Diego, La Jolla, CA"}]},{"given":"Colleen","family":"Shannon","sequence":"additional","affiliation":[{"name":"University of California San Diego, La Jolla, CA"}]},{"given":"Douglas J.","family":"Brown","sequence":"additional","affiliation":[{"name":"University of California San Diego, La Jolla, CA"}]},{"given":"Geoffrey M.","family":"Voelker","sequence":"additional","affiliation":[{"name":"University of California San Diego, La Jolla, CA"}]},{"given":"Stefan","family":"Savage","sequence":"additional","affiliation":[{"name":"University of California San Diego, La Jolla, CA"}]}],"member":"320","published-online":{"date-parts":[[2006,5]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"Proceedings of the 1999 USENIX\/ACM Symposium on Operating System Design and Implementation. 45--58","author":"Banga G.","unstructured":"Banga , G. , Druschel , P. , and Mogul , J . 1999. Resource Containers: A New Facility for Resource Management in Server Systems . In Proceedings of the 1999 USENIX\/ACM Symposium on Operating System Design and Implementation. 45--58 .]] Banga, G., Druschel, P., and Mogul, J. 1999. Resource Containers: A New Facility for Resource Management in Server Systems. In Proceedings of the 1999 USENIX\/ACM Symposium on Operating System Design and Implementation. 45--58.]]"},{"key":"e_1_2_1_2_1","unstructured":"Bellovin S. M. 2000. ICMP Traceback Messages. Internet Draft: draft-bellovin-itrace-00.txt.]]  Bellovin S. M. 2000. ICMP Traceback Messages. Internet Draft: draft-bellovin-itrace-00.txt.]]"},{"key":"e_1_2_1_3_1","volume-title":"Proceedings of the 2000 USENIX LISA Conference","author":"Burch H.","unstructured":"Burch , H. and Cheswick , B . 2000. Tracing Anonymous Packets to Their Approximate Source . In Proceedings of the 2000 USENIX LISA Conference . New Orleans, LA, 319--327.]] Burch, H. and Cheswick, B. 2000. Tracing Anonymous Packets to Their Approximate Source. In Proceedings of the 2000 USENIX LISA Conference. New Orleans, LA, 319--327.]]"},{"key":"e_1_2_1_4_1","unstructured":"Cisco Systems. 1997. Configuring TCP Intercept (Prevent Denial-of-Service Attacks). Cisco IOS Documentation.]]  Cisco Systems. 1997. Configuring TCP Intercept (Prevent Denial-of-Service Attacks). Cisco IOS Documentation.]]"},{"key":"e_1_2_1_5_1","unstructured":"Cisco Systems. 1999. Unicast Reverse Path Forwarding. Cisco IOS Documentation.]]  Cisco Systems. 1999. Unicast Reverse Path Forwarding. Cisco IOS Documentation.]]"},{"key":"e_1_2_1_6_1","unstructured":"Cisco Systems. 2004. Cisco NetFlow. Cisco IOS Documentation. http:\/\/www.cisco.com\/warp\/public\/732\/Tech\/netflow.]]  Cisco Systems. 2004. Cisco NetFlow. Cisco IOS Documentation. http:\/\/www.cisco.com\/warp\/public\/732\/Tech\/netflow.]]"},{"key":"e_1_2_1_8_1","unstructured":"Computer Emergency Response Team. 1996. CERT Advisory CA-1996-21 TCP SYN Flooding Attacks. http:\/\/www.cert.org\/advisories\/CA-1996-21.html.]]  Computer Emergency Response Team. 1996. CERT Advisory CA-1996-21 TCP SYN Flooding Attacks. http:\/\/www.cert.org\/advisories\/CA-1996-21.html.]]"},{"key":"e_1_2_1_9_1","unstructured":"Computer Security Institute and Federal Bureau of Investigation. 2004. 2004 CSI\/FBI Computer Crime and Security Survey. Computer Security Institute report.]]  Computer Security Institute and Federal Bureau of Investigation. 2004. 2004 CSI\/FBI Computer Crime and Security Survey. Computer Security Institute report.]]"},{"key":"e_1_2_1_10_1","unstructured":"Darmohray T. and Oliver R. 2000. Hot Spares For DoS Attacks. ;login: 25 7 (July).]]  Darmohray T. and Oliver R. 2000. Hot Spares For DoS Attacks. ;login: 25 7 (July).]]"},{"key":"e_1_2_1_11_1","volume-title":"Proceedings of the 2001 Network and Distributed System Security Symposium","author":"Dean D.","unstructured":"Dean , D. , Franklin , M. , and Stubblefield , A . 2001. An Algebraic Approach to IP Traceback . In Proceedings of the 2001 Network and Distributed System Security Symposium . San Diego, CA.]] Dean, D., Franklin, M., and Stubblefield, A. 2001. An Algebraic Approach to IP Traceback. In Proceedings of the 2001 Network and Distributed System Security Symposium. San Diego, CA.]]"},{"key":"e_1_2_1_12_1","doi-asserted-by":"crossref","unstructured":"Ferguson P. and Senie D. 2000. Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing. RFC 2827.]]   Ferguson P. and Senie D. 2000. Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing. RFC 2827.]]","DOI":"10.17487\/rfc2827"},{"key":"e_1_2_1_13_1","volume-title":"Proceedings of the 2000 USENIX LISA Conference","author":"Fullmer M.","unstructured":"Fullmer , M. and Romig , S . 2000. The OSU Flow-tools Package and Cisco Netflow logs . In Proceedings of the 2000 USENIX LISA Conference . New Orleans, LA.]] Fullmer, M. and Romig, S. 2000. The OSU Flow-tools Package and Cisco Netflow logs. In Proceedings of the 2000 USENIX LISA Conference. New Orleans, LA.]]"},{"key":"e_1_2_1_14_1","volume-title":"Proceedings of the 1983 IEEE Symposium on Security and Privacy","author":"Gilgor V.","year":"1983","unstructured":"Gilgor , V. 1983 . A Note on the Denial-of-Service Problem . In Proceedings of the 1983 IEEE Symposium on Security and Privacy . Oakland, CA.]] Gilgor, V. 1983. A Note on the Denial-of-Service Problem. In Proceedings of the 1983 IEEE Symposium on Security and Privacy. Oakland, CA.]]"},{"key":"e_1_2_1_16_1","doi-asserted-by":"crossref","unstructured":"Hussain A. Heidemann J. and Papadopoulos C. 2003. A Framework for Classifying Denial-of-Service Attacks. Karlsruhe Germany 99--110.]]  Hussain A. Heidemann J. and Papadopoulos C. 2003. A Framework for Classifying Denial-of-Service Attacks. Karlsruhe Germany 99--110.]]","DOI":"10.1145\/863955.863968"},{"key":"e_1_2_1_17_1","volume-title":"Photuris: Session-Key Management Protocol. RFC 2522.]]","author":"Karn P.","year":"1999","unstructured":"Karn , P. and Simpson , W . 1999 . Photuris: Session-Key Management Protocol. RFC 2522.]] Karn, P. and Simpson, W. 1999. Photuris: Session-Key Management Protocol. RFC 2522.]]"},{"key":"e_1_2_1_18_1","volume-title":"Network Telescopes: Technical report","author":"Moore D.","year":"2003","unstructured":"Moore , D. and Shannon , C . 2003 . Network Telescopes: Technical report . http:\/\/www.caida.org\/analysis\/security\/sco-dos\/.]] Moore, D. and Shannon, C. 2003. Network Telescopes: Technical report. http:\/\/www.caida.org\/analysis\/security\/sco-dos\/.]]"},{"key":"e_1_2_1_19_1","volume-title":"Network Telescopes: Tech. Rep. CS2004-0795","author":"Moore D.","unstructured":"Moore , D. , Shannon , C. , Voelker , G. M. , and Savage , S . 2004 . Network Telescopes: Tech. Rep. CS2004-0795 , UC San Diego. July.]] Moore, D., Shannon, C., Voelker, G. M., and Savage, S. 2004. Network Telescopes: Tech. Rep. CS2004-0795, UC San Diego. July.]]"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/188280.188294"},{"key":"e_1_2_1_21_1","volume-title":"J","author":"Postel","year":"1981","unstructured":"Postel , Editor, J . 1981 . Internet Control Message Protocol. RFC 792.]] Postel, Editor, J. 1981. Internet Control Message Protocol. RFC 792.]]"},{"key":"e_1_2_1_22_1","unstructured":"Poulsen K. 2004. FBI busts alleged DDoS Mafia. http:\/\/www.securityfocus.com\/news\/9411.]]  Poulsen K. 2004. FBI busts alleged DDoS Mafia. http:\/\/www.securityfocus.com\/news\/9411.]]"},{"key":"e_1_2_1_23_1","unstructured":"Romig S. and Ramachandran S. 1999. Cisco Flow Logs and Intrusion Detection at the Ohio State university. login; magazine 23--26.]]  Romig S. and Ramachandran S. 1999. Cisco Flow Logs and Intrusion Detection at the Ohio State university. login; magazine 23--26.]]"},{"key":"e_1_2_1_24_1","volume-title":"Proceedings of the 2002 USENIX\/ACM Symposium on Operating System Design and Implementation.]]","author":"Saroiu S.","unstructured":"Saroiu , S. , Gummadi , K. P. , Dunn , R. J. , Gribble , S. D. , and Levy , H. M . 2002. An Analysis of internet content delivery systems . In Proceedings of the 2002 USENIX\/ACM Symposium on Operating System Design and Implementation.]] Saroiu, S., Gummadi, K. P., Dunn, R. J., Gribble, S. D., and Levy, H. M. 2002. An Analysis of internet content delivery systems. In Proceedings of the 2002 USENIX\/ACM Symposium on Operating System Design and Implementation.]]"},{"key":"e_1_2_1_25_1","volume-title":"Proceedings of the 2000 ACM SIGCOMM Conference","author":"Savage S.","unstructured":"Savage , S. , Wetherall , D. , Karlin , A. , and Anderson , T . 2000. Practical Network Support for IP Traceback . In Proceedings of the 2000 ACM SIGCOMM Conference . Stockholm, Sweden, 295--306.]] 10.1145\/347059.347560 Savage, S., Wetherall, D., Karlin, A., and Anderson, T. 2000. Practical Network Support for IP Traceback. In Proceedings of the 2000 ACM SIGCOMM Conference. Stockholm, Sweden, 295--306.]] 10.1145\/347059.347560"},{"key":"e_1_2_1_26_1","volume-title":"Proceedings of the 2001 IEEE INFOCOM Conference","author":"Song D.","unstructured":"Song , D. and Perrig , A . 2001. Advanced and Authenticated Marking Schemes for IP Traceback . In Proceedings of the 2001 IEEE INFOCOM Conference . Anchorage, AK.]] Song, D. and Perrig, A. 2001. Advanced and Authenticated Marking Schemes for IP Traceback. In Proceedings of the 2001 IEEE INFOCOM Conference. Anchorage, AK.]]"},{"key":"e_1_2_1_27_1","volume-title":"Proceedings of the 1999 USENIX\/ACM Symposium on Operating System Design and Implementation. 59--72","author":"Spatscheck O.","unstructured":"Spatscheck , O. and Peterson , L . 1999. Defending Against Denial of Service Attacks in Scout . In Proceedings of the 1999 USENIX\/ACM Symposium on Operating System Design and Implementation. 59--72 .]] Spatscheck, O. and Peterson, L. 1999. Defending Against Denial of Service Attacks in Scout. In Proceedings of the 1999 USENIX\/ACM Symposium on Operating System Design and Implementation. 59--72.]]"},{"key":"e_1_2_1_28_1","volume-title":"Proceedings of the 2000 USENIX Security Symposium","author":"Stone R.","year":"2000","unstructured":"Stone , R. 2000 . CenterTrack: An IP Overlay Network for Tracking DoS Floods . In Proceedings of the 2000 USENIX Security Symposium . Denver, CO, 199--212.]] Stone, R. 2000. CenterTrack: An IP Overlay Network for Tracking DoS Floods. In Proceedings of the 2000 USENIX Security Symposium. Denver, CO, 199--212.]]"},{"key":"e_1_2_1_29_1","unstructured":"Vijayan J. 2004. E-Biz sites hit with targetedattacks extortion threats. http:\/\/www.computerworld.com\/securitytopics\/security\/story\/0 10801 96%9 00.html?SKC=security-96149.]]  Vijayan J. 2004. E-Biz sites hit with targetedattacks extortion threats. http:\/\/www.computerworld.com\/securitytopics\/security\/story\/0 10801 96%9 00.html?SKC=security-96149.]]"},{"key":"e_1_2_1_30_1","volume-title":"Proceedings of the 2nd USENIX Symposium on Internet Technologies and Systems (USITS)","author":"Wolman A.","unstructured":"Wolman , A. , Voelker , G. M. , Sharma , N. , Cardwell , N. , Brown , M. , Landray , T. , Pinnel , D. , Karlin , A. , and Levy , H . 1999. Organization-based analysis of web-object sharing and Caching . In Proceedings of the 2nd USENIX Symposium on Internet Technologies and Systems (USITS) . Boulder, CO.]] Wolman, A., Voelker, G. M., Sharma, N., Cardwell, N., Brown, M., Landray, T., Pinnel, D., Karlin, A., and Levy, H. 1999. Organization-based analysis of web-object sharing and Caching. In Proceedings of the 2nd USENIX Symposium on Internet Technologies and Systems (USITS). Boulder, CO.]]"},{"key":"e_1_2_1_31_1","volume-title":"Internet Intrusions: Global Characteristics and Prevalence.","author":"Yegneswaran V.","year":"2003","unstructured":"Yegneswaran , V. , Barford , P. , and Ullrich , J . 2003 . Internet Intrusions: Global Characteristics and Prevalence. San Diego, CA .]] Yegneswaran, V., Barford, P., and Ullrich, J. 2003. Internet Intrusions: Global Characteristics and Prevalence. San Diego, CA.]]"}],"container-title":["ACM Transactions on Computer Systems"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1132026.1132027","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1132026.1132027","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T16:18:49Z","timestamp":1750263529000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1132026.1132027"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2006,5]]},"references-count":29,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2006,5]]}},"alternative-id":["10.1145\/1132026.1132027"],"URL":"https:\/\/doi.org\/10.1145\/1132026.1132027","relation":{},"ISSN":["0734-2071","1557-7333"],"issn-type":[{"value":"0734-2071","type":"print"},{"value":"1557-7333","type":"electronic"}],"subject":[],"published":{"date-parts":[[2006,5]]},"assertion":[{"value":"2006-05-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}