Full Disclosure mailing list archives

Re: Stereotyping DoS and Don'ts


From: "J. Oquendo" <sil () infiltrated net>
Date: Wed, 04 Apr 2007 09:35:29 -0400

neal.krawetz () mac hush com wrote:

I infer you're under the impression that this may be some form of
de-facto profiling of DoS kiddiots. But ask yourself, how hard
would it be to take any of the given information you disclosed
for an attacker in say America to be punctual in his attacks
so that they may now mimic your mentioned Western European or
Chinese attackers.

>  * The USA and Canada are stereotypical in that they are not
> extreme in any single dimension. An attack may not start precisely
> at 1:00, but it will be "around 1:00", it may not be homogeneous,
> but it will be close. And it may change as needed rather than
> exhaust one attack method. Americans are also more solitary. You
> won't see a hundred American hackers working in unison on the same
> target as you would in China or Brazil.

Assumptions. Back in the mid to late 90's American script kiddiot
groups were known for throwing their tags all over webpages.
Groups ranged in size and judging by some of the IRC channels
and forums of those times, some of these channels and groups
were rather large. If you take a look at say Electronic Disturbance
Theater, the numbers could have exceeded your best guesses, they
were coordinated on a worldwide scale and they were on time.
Regardless of the fact that they may have been American
or Chinese.

>  * The recent DoS against the root level DNS servers started
> exactly on the hour. At intervals of 1 hour, there were changes to
> the attack method. Both the Western Europe and China match this
> kind of attack: precisely timed, planned, homogeneous, and
> exhaustive.

It's nice to assume but I could spend a day poking holes in
your theory.

>  * Similar to Blue Frog, the Smurf attacks from Mafiaboy were not
> precisely timed, but were exhaustive, showed short-term planning,
> and were independent attacks. Mafiaboy was Canadian.

What you think you "may know" based on media accounts just might
be wrong. For those on the greyhat scene in tune to what was
going down at the time, most will know mafiaboy wasn't the sole
culprit albeit he took the brunt of it all. I won't get into
more than that.

> Stereotyping and profiling is commonly criticized for its
> inaccuracy.

"Assumptions" should be criticized for providing vague
information however, it's a nice idea but filled with too many
holes. While your idea sounds interesting, you're missing many
of the essential FACTS to quantify the whole case on building
"Who is DoS'ing Your Servers" movement.

So to help you a bit more... Here are some profiles to add:

Swedish attackers:
They will ponder if they want to actually partake in the DoS.
They'll sit back and think whether it is a fair war to get
into, or whether they should sit back and let others attack
as to not involve themselves in that war.

Spaniards: They'll plan to attack at 1PM their time but
the attack won't begin until 4PM as an attack will end up
interfering with their siesta. A Spaniard will never
attack during siesta time.

Irish attackers. Although they'll meticulously plan the
attack, due to the fact they sidestepped into a pub, by
the time the attack is set to start, they'll likely be
too drunk to initiate it.

Nigerian attackers. They'll plan out a massive DoS
attack but sidestep it in order to offer their victims
a wire transfer of $10,000,000,000.00 from their
deceased uncle Jimbobzinunu.

On a serious note, I find it a bit strange that many
who haven't been on "the scene" for quite some time
point out modified histories of what occurred. Perhaps
it's time for a tell-all book to be written about the
so-called hacker/cracker scene from the mid nineties
through now.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net

The happiness of society is the end of government.
John Adams

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
