As of October 2001, a general-purpose CPU costing $100 can perform nearly one million elliptic-curve additions per second. One billion CPUs, costing 100 billion dollars (never mind the wiring costs), can perform 2^111 elliptic-curve additions in roughly 100 billion years.
Special-purpose CPUs should be much faster. Furthermore, there are constant improvements in chip-building technology. But the cryptographic community would be astounded to see this computation actually carried out.
This computation is roughly 2^60 (a quintillion: a billion billion) times more difficult than the ECC2K-108 computation. The ECC2K-108 computation was a 109-bit characteristic-2 elliptic-curve discrete-logarithm computation. A team led by Robert Harley carried out the ECC2K-108 computation in time equivalent to a few hundred years on one CPU.
There is no known distinguishing algorithm faster than computing one of the two secret keys.
In 1985, when Miller and Koblitz proposed elliptic-curve cryptography, it was already known how to compute 224-bit elliptic-curve discrete logarithms in time comparable to 2^111 elliptic-curve additions. Since then, there have been successful attacks on special classes of elliptic curves, but nothing relevant to random curves such as NIST P-224.