Untangling Attribution
David D. Clark* and Susan Landau**

I. Introduction

In February 2010, former Director of the National Security Agency Mike ...
Distributed denial of service (DDoS) attacks, in which a large number of machines from all over the Internet attack a site or a small set of sites, have the goal of disrupting service by overloading a server or a link.
They have a unique character: visible and intrusive. DDoS attacks are designed to be detected. The attack is done by first penetrating and subverting a large stock of attack machines, forming them into what is called a “bot-net.” A DDoS attack is thus a multi-step activity, first building the bot-net, then instructing the subverted machines to launch some sort of simultaneous attack on the target system. This step of the attack may be the sending of floods of packets or just overloading the server with apparently legitimate requests.
Before the attack, it may be possible to take active steps to reduce its potency. There are at least two approaches to degrading the attack's strength — making it harder to penetrate and keep control of a machine, and identifying machines that are apparently infected, so they can be isolated if they participate in an attack. Machines that are seen as likely ultimate targets for DDoS attack can also prepare themselves by replicating their content on distributed servers, so that an attack must diffuse itself across multiple machines.[8] During an attack, the relevant mitigation techniques involve turning off traffic from attacking hosts or discarding the traffic before it reaches the point of overload. This response requires knowing the identity of the attacking machines in order to identify the traffic. Note that it is not necessary to know all of the machines, just enough to reduce the attack to manageable proportions. And depending on what steps are taken to block traffic from the attacking machines, there may be minimal harm from the occasional misidentification of an attacker.[9] After the fact, DDoS attacks represent a challenge for the objective of retribution. The attacker (the so-called bot-master, or the client who has rented the bot-net from the bot-master) has usually taken care to be several degrees removed from the machines doing the actual attack. Tracing back through the attacking machines to find the responsible attacker may involve crossing jurisdictional boundaries, which adds complexity and delay. If the actual attack involved falsified source addresses, such trace-back may be very difficult or even impossible. However, the range of attacks that can be executed without a two-way exchange of packets is very limited, and for many attacks today, the source address is not forged.[10] Because of these factors, there is a question as to whether after-the-fact retribution is a useful part of dealing with bot-net-based DDoS attacks.

[8] For example, a content provider might choose to outsource the hosting of its content to a Content Delivery Network (CDN). A leading provider of CDN service, Akamai, specifically claims that its infrastructure is massive enough that DDoS attacks will be ineffective against it. See AKAMAI SECURITY CAPABILITIES: PROTECTING YOUR ONLINE CHANNELS AND WEB APPLICATIONS 6–7 (2010).

[9] For example, if the mitigation technique involved blocking traffic coming from a source for a few minutes, then if an innocent machine were misidentified as part of the attack, the only consequence would be that the user of that machine could not reach the web site for that short time. That sort of failure can occur for many reasons and might well be the outcome that the user perceived in any case while the target machine was under attack.

2011 / Untangling Attribution
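The in-attack mitigation described above (identify only enough of the attacking sources to bring the load under capacity, and block them only briefly so that a misidentified innocent machine loses access for a few minutes at most) as an added Python example run over constructed traffic; this is not code from the paper, and the capacity, window and block duration are assumed values.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample traffic (not real data): 8 "bot" sources each sending
# one request per second, and 20 legitimate users each sending one request
# every ten seconds, over a 60-second window.
BOT_SOURCES = ["198.51.100.%d" % i for i in range(1, 9)]
LEGIT_SOURCES = ["203.0.113.%d" % i for i in range(1, 21)]


def build_sample_log(window: int = 60) -> List[Tuple[int, str]]:
    """Return (timestamp_seconds, source_ip) pairs for the constructed window."""
    log = []
    for t in range(window):
        log.extend((t, ip) for ip in BOT_SOURCES)
        if t % 10 == 0:
            log.extend((t, ip) for ip in LEGIT_SOURCES)
    return log


def count_by_source(log, now: int, window: int) -> Counter:
    """Requests per source IP seen in the last `window` seconds up to `now`."""
    return Counter(ip for t, ip in log if now - window < t <= now)


def choose_blocks(counts: Counter, capacity: int) -> List[str]:
    """Greedily pick the heaviest sources until the remaining load fits capacity.
    Only as many sources as needed are blocked, not every participant."""
    remaining = sum(counts.values())
    blocked = []
    for ip, n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])):
        if remaining <= capacity:
            break
        blocked.append(ip)
        remaining -= n
    return blocked


def apply_blocks(block_table: Dict[str, int], ips, now: int, block_seconds: int) -> None:
    """Record a temporary block; a misidentified source is only cut off briefly."""
    for ip in ips:
        block_table[ip] = now + block_seconds


def is_blocked(block_table: Dict[str, int], ip: str, now: int) -> bool:
    """True while the source's block has not yet expired."""
    return block_table.get(ip, -1) > now
```

With the assumed capacity of 300 requests per minute, only five of the eight bots need to be blocked to bring the load within limits, and every block expires on its own after the assumed three minutes.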
Bot-nets are also used to send bulk unsolicited email — spam. From an attribution perspective, this application is different from DDoS attacks. When bot-nets are used to send spam, the spam itself provides a trace-back: because merchants have to identify themselves in order to be paid, some attribution is possible. Spammers' protection comes not from anonymity, but from jurisdictional distance or legal ambiguity.
B. Identity Theft
The term “identity theft” has received much attention in the press recently, but it is worth separating the different activities that are sometimes lumped together under a single term. The Identity Theft and Assumption Deterrence Act of 1998[11] criminalized identity theft, which the Federal Trade Commission describes as “someone us[ing] your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes.”[12] Under this definition, up to nine million Americans suffer identity theft annually.[13] This broad definition encompasses everything from the theft of a single credit-card number or misuse of a single account to a full-scale impersonation of an identity (involving the establishment of new credit accounts or identity documents in a person's name). The former constitutes the majority of identity theft. In 2006, for example, according to an FTC report, 6.5 million Americans suffered theft of their credit or account information, while 1.8 million had their identity information used to establish fraudulent accounts,[14] a ratio of about three-and-a-half to one.

[10] This statement does not imply that forged source addresses are never seen in current attacks. For example, some attacks are based on the use of the Domain Name System (DNS) as a vector, and those attacks are one-way and involve falsified source addresses. If a query is sent to a DNS server with the source address of the machine to be attacked, the server will reply with a packet sent to that machine. See, e.g., Daniel Weseman, DNS Queries, INTERNET STORM CENTER, http://isc.sans.edu/diary.html?storyid=5713 (last visited Feb.

[11] Pub. L. No. 105-318, 112 Stat. 3007 (1998).

[12] About Identity Theft, FEDERAL TRADE COMMISSION, http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identity-theft.html (last visited April 13, 2010).

Harvard National Security Journal / Vol. 2
Thus the nine million number somewhat overstates the number of people subjected to full impersonation. The serious case of identity theft, in which new documents are established in someone else's name, happens about two million times a year in the United States.
Identity theft is an interesting crime for a number of reasons. It is a multi-step crime — the identity in question must be stolen and then exploited. The theft can occur in many ways. It may involve infiltration of a computer and installation of spyware that captures identifiers and passwords used for application-level authentication or the penetration of a merchant server and the theft of billing records. Such information may then be used by the original thief or sold to other criminals. Next, the identity must be exploited. If the exploit is on the Internet, this generally involves the use of the stolen credentials to mislead some sort of application-level authentication scheme, e.g., logging in as the user to lay a false attribution trail. Perhaps as a final step, some sort of money-laundering scheme is required to convert the exploit into money that is useful to the criminal.
Early Internet-based identity theft used “phishing,” an attack in which a user is tricked into going to a web site that imitates a legitimate one (e.g., a bank) and typing in his name and password. Phishing attacks surfaced in 1996,15 and by 2005, there were reports of as many as 250,000 phishing attempts being made daily against just one financial institution.16 More lucrative than attempts at obtaining records about single individuals are efforts that download identity information about many individuals at once and then use that information to commit crimes.
One such incident involved a group from Russia and Estonia that, with the help of an insider, broke into a server at RBSWorldPay, an Atlanta-based card-processing company. Taking information on customer accounts — the card numbers and associated PINs — and decrypting the protected information, the thieves created counterfeit debit cards, raised withdrawal limits on these accounts, and hired people for the day who withdrew 9 million dollars from 21,000 ATMs in 49 cities.[17] Another attack involved Heartland Payment Services, a major processor of credit-card and debit-card transactions. Heartland's systems were penetrated, and unencrypted data in transit between merchant point-of-sale devices and Heartland was sniffed (that is, read by the unauthorized software that had penetrated the network). The data collected included account numbers, expiration dates, and sometimes the account holder's name;[18] allegedly over 130 million accounts were compromised.[19] The fact that internal bank and credit-card account records can now be accessed over the network has made theft of such records much easier.

[14] FEDERAL TRADE COMMISSION, 2006 IDENTITY THEFT SURVEY REPORT 4 (2007), available at http://www.ftc.gov/os/2007/11/SynovateFinalReportIDTheft2006.pdf.

[15] GUNTER OLLMANN, THE PHISHING GUIDE: UNDERSTANDING AND PREVENTING PHISHING ATTACKS 4 (2004), available at http://www.windowsecurity.com/uplarticle/privacy/NISR-WP-Phishing.pdf.

[16] Christopher Abad, The Economy of Phishing: A Survey of the Operations of the Phishing Market, 10 FIRST MONDAY, no. 9, Sept. 2005, available at http://firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/1272/1192.
A pattern such as the one employed in the RBSWorldPay case, in which a single insider transferred sensitive personal data to accomplices overseas, appears to be increasing in frequency.[20]
C. Data Exfiltration and Espionage
Foreign military and industrial espionage have long been problems for the United States. Prior to the ubiquitous use of the network in modern enterprises, such espionage required people-in-place to make contacts at target facilities, receive the stolen information, etc. Moles needed to be in place for years before they had access to the desired information. Such an enterprise was an expensive and time-consuming proposition. For example, in order to acquire Western technical expertise, hundreds of Soviet case officers were involved in Soviet-U.S. collaborative working groups in agriculture, civil aviation, nuclear energy, oceanography, computers, and the environment.[21] The Internet has greatly simplified this process. Information that was once clearly inside a large enterprise may now be relatively easily accessible to people on the outside. Instead of all the work devoted to developing people-in-place, competitors, whether corporations or foreign governments, have discovered that the theft of secrets can be done over the network. Developing contacts, planting moles, and touring U.S. factories and development sites are much less necessary than they once were.

[17] Press Release, U.S. Dep’t of Justice, Office of Public Affairs, Alleged International Hacking Ring Caught in $9 Million Fraud (Nov. 10, 2009), available at http://www.justice.gov/opa/pr/2009/November/09-crm-1212.html.

[18] Kevin Poulsen, Card Processor Admits to Large Data Breach, WIRED (Jan. 20, 2009, 12:40 PM), http://www.wired.com/threatlevel/2009/01/card-processor.

[19] Press Release, U.S. Dep’t of Justice, Office of Public Affairs, Alleged International Hacker Indicted for Massive Attack on U.S. Retail and Banking Networks (Aug. 17, 2009), available at http://www.justice.gov/opa/pr/2009/August/09-crm-810.html.

[20] Dan Schutzer, Research Challenges for Fighting Insider Threat in the Financial Services Industry, in
The first public reports of massive network-based data exfiltration surfaced in 2005. Time magazine reported a 2004 exploit in which U.S. military computers at four sites — Fort Huachuca, Arizona; Arlington, Virginia; San Diego, California; and Huntsville, Alabama — were, in a matter of six-and-a-half hours, scanned, and large numbers of sensitive files were taken. These materials were then apparently shipped to Taiwan, South Korea, and Hong Kong, and from there to mainland China.[22] Since then, numerous reports have surfaced of similar cyberexploitations, with the attempted intrusion methods growing increasingly sophisticated over time.[23] The highly publicized intrusion into Google in 2009-2010 apparently followed this pattern.[24]

Attacks of this sort are stealthy and often of small scale. Frequently they are individually tailored. Their preparation may involve taking over insecure intermediate machines, but only in small quantities, and perhaps only those highly suited to the task. These machines are used to transit the stolen information and hide its ultimate destination. The first step in the theft is to carefully scope out the target, learning where the files of interest are, and then, once target material has been located, to quickly pack and exfiltrate them, often in a matter of hours. The downloading may involve intermediate machines — “dead drops” — perhaps in South Korea, Taiwan, or Hong Kong, before the files are downloaded to their final destination (perhaps southern China). The multi-stage nature of the attack helps confound definitive knowledge of the ultimate destination of the files.

[21] Matthew French, Tech Sabotage During the Cold War, FEDERAL COMPUTER WEEK, Apr. 26, 2004, http://fcw.com/articles/2004/04/26/tech-sabotage-during-the-cold-war.aspx.

[22] Nathan Thornburgh, The Invasion of the Chinese Cyberspies, TIME, Aug. 29, 2005, http://www.time.com/time/magazine/article/0,9171,1098961,00.html.

[23] THE U.S.-CHINA ECONOMIC AND SECURITY REVIEW COMMISSION, CAPABILITY OF THE PEOPLE'S REPUBLIC OF CHINA TO CONDUCT CYBER WARFARE AND CYBER NETWORK EXPLOITATION (2009), available at http://www.uscc.gov/researchpapers/2009/NorthropGrumman_PRC_Cyber_Paper_FINAL_Approved%20Report_16Oct2009.pdf.

[24] See John Markoff & David Barboza, Inquiry Is Said to Link Attack on Google to Chinese Schools, N.Y. TIMES, Feb. 19, 2010, http://query.nytimes.com/gst/fullpage.html?res=9505E7DA1730F93AA25751C0A9669D8B63.