Full Disclosure mailing list archives

Stereotyping DoS and Don'ts


From: <neal.krawetz () mac hush com>
Date: Wed, 04 Apr 2007 08:12:26 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

While nobody likes to be stereotyped, there is always truth behind
the generic, nationality-based profiles. For example, I was
recently in Australia as part of a necessary trip. I was waiting
with a small crowd of people outside a grocery store, waiting for
it to open. I could instantly separate the tourists from the
locals. There was a large set of people standing by the door. They
didn't move; if it weren't for the occasional breath, I would have
thought they were statues. They were the local Aussies. They were
patiently waiting for the doors to open.

A minority of the people were more anxious. They would shuffle
their feet, constantly look around for a place to sit (benches are
a rarity outside of tourist areas), and check and recheck their
watches. They were the tourists.

The grocery store was supposed to open at 7:00am. At 6:59 and 28
seconds, a trio came down the escalator. They never checked their
watches and never looked for a clock, yet they appeared concerned
that the store was not open. I knew their nationality even before
they spoke: punctual to the second, knowing the time without a
watch? Jews.

All of this makes me wonder... could stereotyping by nationality
act as a first pass for identifying some cybercrimes, such as
denial-of-service attacks? For example:

 * Western Europe is usually punctual to the second and well
planned. A DoS should start at a precise time and last a precise
duration. It should not vary from the plan during the attack.

 * Chinese value punctuality and uniformity. A DoS should be
similar to Western Europe, but should not vary in attack methods.
For example, if there are 10,000 computers being used in an attack,
they will all be configured the same way and used the same way. You
won't see a variety of simultaneous attacks.

 * Latin America and Mexico value content over punctuality. It's OK
to be late as long as you contribute. A DoS may not start on time
or appear initially organized or even homogeneous, but all
attack-bots should contribute to the fray.

 * The USA and Canada are stereotypical in that they are not
extreme in any single dimension. An attack may not start precisely
at 1:00, but it will be "around 1:00", it may not be homogeneous,
but it will be close. And it may change as needed rather than
exhaust one attack method. Americans are also more solitary. You
won't see a hundred American hackers working in unison on the same
target as you would in China or Brazil.

Using these generic and empirical profiles, we can start
guesstimating who is behind some known attacks. For example:

 * The recent DoS against the root level DNS servers started
exactly on the hour. At intervals of 1 hour, there were changes to
the attack method. Both the Western Europe and China match this
kind of attack: precisely timed, planned, homogeneous, and
exhaustive.

 * The attack against Blue Frog did not start at any particular
hour/minute, but it was well choreographed. Each time the attack
succeeded and Blue Frog moved on to an alternate safe haven, a new
attack method would be initiated. Planned, yet not long-term
planning. There was also only one type of attack at a time,
suggesting an individual or very small group. This sounds like an
American or Canadian.

 * Similar to Blue Frog, the Smurf attacks from Mafiaboy were not
precisely timed, but were exhaustive, showed short-term planning,
and were independent attacks. Mafiaboy was Canadian.

 * The recent DoS against GoDaddy was reportedly spread across a
few days, building as it went. It was a variety of attack methods
that all assisted in the total attack. This sounds like Latin
America and the hacker groups in Brazil immediately come to mind.

Stereotyping and profiling are commonly criticized for their
inaccuracy. Not every American is fat, self-absorbed, and eats
doughnuts for breakfast. Similarly, there is fuzziness since people
may not be located in their influencing country. For example, a
Brazilian who is married to a German and living in Canada may
appear as any one of the stereotypes, or as a combination. (Then
again, a Brazilian married to a German and living in Canada is
probably not stereotypical, since Germans are too intelligent to
marry coconuts.) However, profiling can be used to organize
information before wasting time in an exhaustive search for a
likely suspect. It will take time to develop this profile method
from empirical to practical. And it leaves me wondering: can
stereotyping network attacks be turned into something more
definitive?

Thanks to the Internet Storm Center for their feedback and valuable
comments.

- - Dr. Neal Krawetz, PhD
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkYTo+oACgkQDpFP8dW5K4Z8LwP/Z04Uus6RzXhYGvvNZJzn6NJ9aEIc
nZw0WGrkT9kjtI+5EpGcIo08hHZefk7QI74kTwNsIFDT48KIBrGI1vRYHlCeBEEpd6zF
S0aJq2d4WcF7/+ceuQtQ4w3RcYJPCrLKOihzA3m/cKQx2F53Q1uiFKTonrzIaY0a837x
eN8xOs0=
=FoUM
-----END PGP SIGNATURE-----



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
