Security Incidents mailing list archives

RE: Timing of DoS and Intrusion attempts.


From: Patrick Andry <pandry () wolverinefreight ca>
Date: Mon, 28 May 2001 16:12:41 -0400

What I am definitely not saying is that by correlating times we will be able
to track down a script kiddie in China who took the day off of school.  I am
merely saying that I believe that a large proportion of intrusion attempts
(which are not worms) could be tracked between 11:00pm and 3:00am in the
country of origin (excluding weekends and holidays, of course).  I agree
that the sample would have to be immense.
Data like this could also be important to track the experience of the
hacker.  A script kiddie would most likely run attacks later at night,
whereas an experienced hacker would want to run his attempt when the target
sysadmin is sleeping, thereby giving him time to hide his tracks.  

As for the DoS attacks, most of the attacks require a little bit of
forethought, compromising servers and laying general groundwork.  If I were
to go through the trouble of setting up a DoS like the one that hit eBay et
al, I would want to make sure it had the largest impact, yet minimized the
risk of my being caught (although I'm not sure what the best time to do that
would be).

I realize that this is no more than criminal profiling, and that it has been
used with varying success worldwide, and has been met with equally varying
skepticism.  I also realize that we as a security community will never get a
pure picture of why all attacks occur.  We can't break it down to one
definitive moment in a person's life and say "yep, that did it. Right
there!".  But it would be yet another thing to consider, to be bundled into
the sixty trillion things we already have to check out.

Just my thoughts and ramblings.
Patrick Andry
pandry () wolverinefreight ca 
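
The correlation proposed in the message above, sketched as an added example that is not part of the original post: each attempt's UTC timestamp is converted to the source's local time, weekend attempts are dropped, and the share falling in the 23:00-03:00 window is reported. The sample events, the per-source UTC offsets (assumed to come from geolocating the source address) and all function names are constructed for illustration; holiday filtering is left out because it needs a per-country calendar.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: (UTC timestamp logged by the IDS, source UTC offset in hours).
# Assumed to be already filtered of worm traffic.
EVENTS = [
    ("2001-05-22T15:30:00", 8),   # Tue 23:30 local
    ("2001-05-23T17:45:00", 8),   # Thu 01:45 local
    ("2001-05-24T03:10:00", -5),  # Wed 22:10 local
    ("2001-05-24T06:20:00", -5),  # Thu 01:20 local
    ("2001-05-26T16:00:00", 8),   # Sun 00:00 local (weekend, excluded)
    ("2001-05-25T13:00:00", 1),   # Fri 14:00 local
    ("2001-05-25T02:59:00", 0),   # Fri 02:59 local
    ("2001-05-25T03:00:00", 0),   # Fri 03:00 local (window end is exclusive)
]

def local_time(utc_iso, offset_hours):
    """Convert a naive UTC ISO timestamp to the source's local time."""
    utc = datetime.fromisoformat(utc_iso).replace(tzinfo=timezone.utc)
    return utc.astimezone(timezone(timedelta(hours=offset_hours)))

def in_window(dt, start=23, end=3):
    """True if dt's hour lies in [start, end), wrapping past midnight."""
    if start <= end:
        return start <= dt.hour < end
    return dt.hour >= start or dt.hour < end

def window_share(events, start=23, end=3):
    """Return (attempts in window, weekday attempts, per-hour histogram)."""
    hours = Counter()
    hits = total = 0
    for utc_iso, offset in events:
        lt = local_time(utc_iso, offset)
        if lt.weekday() >= 5:      # Saturday or Sunday in the source's local calendar
            continue
        total += 1
        hours[lt.hour] += 1
        hits += in_window(lt, start, end)
    return hits, total, hours

if __name__ == "__main__":
    hits, total, hours = window_share(EVENTS)
    print(f"{hits}/{total} weekday attempts fall in 23:00-03:00 local time")
    for hour in sorted(hours):
        print(f"{hour:02d}:00  {'#' * hours[hour]}")
```
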