Security Incidents mailing list archives

Re: Timing of DoS and Intrusion attempts.


From: Brian Mitchell <brian () atlanta-bsd org>
Date: Mon, 28 May 2001 15:40:54 -0400 (EDT)



On Mon, 28 May 2001, Patrick Andry wrote:

> I am trying to get a profile of a typical DoS and intrusion attempt, and
> would like input on the times at which these attacks occur.  Invariably they
> will follow Murphy's Law, being when the administrators are gone home for
> the night, or stuck in an elevator, and I understand that the Internet is a
> 24/7 Superstore, but there must be some correlation to the timing of these
> attacks.

Remember, there are three kinds of lies: lies, damn lies, and statistics.
That said, there is a lot of work that could be done in this area. I think
a large-scale time-based statistical study would be interesting; the
problem is how to get a large enough sample size of data.

In many cases, the victim does not really know when the attack took place.
Unsuccessful intrusion detection logs are another possibility. Also, time
of year is relevant too, along with weekend/holiday vs normal business
day. There are a large number of factors which should be considered.


> Assuming we can find some form of correlation between the time of
> the attack on both the target computer and the source computer, the possible
> damage (A DoS attack is not as effective when your target audience is
> asleep), and the type of attack, it may make it easier to guess where the

This, I tend to disagree with. DoS attacks are typically sustained
attacks. When a sustained attack starts is probably not really relevant; I
tend to think it would not be during main business hours, though.

> attacker originated from, if they are relaying through a server somewhere
> else, etc...


Maybe. Have you read Firewalls & Internet Security and/or the papers
relating to the attack it discusses? They might be interesting, if
somewhat dated.
