Full Disclosure mailing list archives
Stereotyping DoS and Don'ts
From: <neal.krawetz () mac hush com>
Date: Wed, 04 Apr 2007 08:12:26 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While nobody likes to be stereotyped, there is always truth behind the generic, nationality-based profiles.

For example, I was recently in Australia as part of a necessary trip. I was waiting with a small crowd of people outside a grocery store, waiting for it to open. I could instantly separate the tourists from the locals. There was a large set of people standing by the door. They didn't move; if it weren't for the occasional breath, I would have thought they were statues. They were the local Aussies. They were patiently waiting for the doors to open. A minority of the people were more anxious. They would shuffle their feet, constantly look around for a place to sit (benches are a rarity outside of tourist areas), and check and recheck their watches. They were the tourists.

The grocery store was supposed to open at 7:00am. At 6:59 and 28 seconds, a trio came down the escalator. They never checked their watches and never looked for a clock, yet they appeared concerned that the store was not open. I knew their nationality even before they spoke: punctual to the second, knowing the time without a watch? Jews.

All of this makes me wonder... could stereotyping by nationality act as a first pass for identifying some cybercrimes, such as denial-of-service attacks? For example:

* Western Europe is usually punctual to the second and well planned. A DoS should start at a precise time and last a precise duration. It should not vary from the plan during the attack.

* Chinese value punctuality and uniformity. A DoS should be similar to Western Europe, but should not vary in attack methods. For example, if there are 10,000 computers being used in an attack, they will all be configured the same way and used the same way. You won't see a variety of simultaneous attacks.

* Latin America and Mexico value content over punctuality. It's OK to be late as long as you contribute. A DoS may not start on time or appear initially organized or even homogeneous, but all attack-bots should contribute to the fray.

* The USA and Canada are stereotypical in that they are not extreme in any single dimension. An attack may not start precisely at 1:00, but it will be "around 1:00"; it may not be homogeneous, but it will be close. And it may change as needed rather than exhaust one attack method. Americans are also more solitary. You won't see a hundred American hackers working in unison on the same target as you would in China or Brazil.

Using these generic and empirical profiles, we can start guesstimating who is behind some known attacks. For example:

* The recent DoS against the root-level DNS servers started exactly on the hour. At intervals of 1 hour, there were changes to the attack method. Both Western Europe and China match this kind of attack: precisely timed, planned, homogeneous, and exhaustive.

* The attack against Blue Frog did not start at any particular hour/minute, but it was well choreographed. Each time the attack succeeded and Blue Frog moved on to an alternate safe haven, a new attack method would be initiated. Planned, yet not long-term planning. There was also only one type of attack at a time, suggesting an individual or very small group. This sounds like an American or Canadian.

* Similar to Blue Frog, the Smurf attacks from Mafiaboy were not precisely timed, but were exhaustive, showed short-term planning, and were independent attacks. Mafiaboy was Canadian.

* The recent DoS against GoDaddy was reportedly spread across a few days, building as it went. It was a variety of attack methods that all assisted in the total attack. This sounds like Latin America, and the hacker groups in Brazil immediately come to mind.

Stereotyping and profiling are commonly criticized for their inaccuracy. Not every American is fat, self-absorbed, and eats doughnuts for breakfast. Similarly, there is fuzziness since people may not be located in their influencing country. For example, a Brazilian who is married to a German and living in Canada may appear as any one of the stereotypes, or as a combination. (Then again, a Brazilian married to a German and living in Canada is probably not stereotypical, since Germans are too intelligent to marry coconuts.)

However, profiling can be used to organize information before wasting time in an exhaustive search for a likely suspect. It will take time to develop this profile method from empirical to practical. And it leaves me wondering: can stereotyping network attacks be turned into something more definitive?

Thanks to the Internet Storm Center for their feedback and valuable comments.

- -
Dr. Neal Krawetz, PhD

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkYTo+oACgkQDpFP8dW5K4Z8LwP/Z04Uus6RzXhYGvvNZJzn6NJ9aEIc
nZw0WGrkT9kjtI+5EpGcIo08hHZefk7QI74kTwNsIFDT48KIBrGI1vRYHlCeBEEpd6zF
S0aJq2d4WcF7/+ceuQtQ4w3RcYJPCrLKOihzA3m/cKQx2F53Q1uiFKTonrzIaY0a837x
eN8xOs0=
=FoUM
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Stereotyping DoS and Don'ts neal.krawetz (Apr 04)
- Re: Stereotyping DoS and Don'ts Michal Zalewski (Apr 04)
- Re: Stereotyping DoS and Don'ts J. Oquendo (Apr 04)
- Re: Stereotyping DoS and Don'ts Valdis . Kletnieks (Apr 04)
- Re: Stereotyping DoS and Don'ts J. Oquendo (Apr 04)
- Re: Stereotyping DoS and Don'ts Valdis . Kletnieks (Apr 04)