Characteristics of DCAs
Copyright(c), 1996 - Management Analytics - All Rights Reserved
We have found a few common characteristics of DCAs that are
noteworthy and may be useful in understanding them better.
- The first and perhaps most important characteristic is that the
source of the attack is only indirectly related to the site that appears
to be launching the attack. This means that it may be impossible to
track down the real source of the attack without the cooperation of
people at two or more sites. When combined with the one-per-site
variation described above, this means that such attacks may only be
reliably tracked to their source by cooperation between two or more
sites where a single case of potentially illicit behavior occurs in
the vector sites.
- Another important characteristic of a DCA is that, unlike other
concerted attacks, a DCA will likely involve a high overall rate of
attacks even though the contribution to this rate by each vector site
may be low or even singular. Although clever DCA attackers may keep
rates below the detection threshold of the victim, it is likely that
most perpetrators will select higher rates of attack believing that they
are adequately shielded by indirection.
- Vectors in DCAs are likely to be completely unaware that their
system is being exploited. It may be difficult to explain this to
systems administrators who have innocent users that are unwittingly made
to participate in an attack which doesn't lead to any outward indication
on their system.
- To date, most DCAs have been open loop. This is primarily because
the systems they exploit as intermediaries provide only limited function.
With the introduction of Java and similar loadable scripts, this is likely
These properties of DCAs appear to make prevention, detection,
and response to DCAs quite difficult, but they also lead to a better
understanding of defenses.
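The second characteristic above (a high overall rate made up of low or singular per-site contributions) is illustrated by the following added example, which is not part of the original paper. It compares a per-source rate detector with a per-target aggregate detector; the event data, host names, window size and thresholds are all constructed assumptions.

```python
from collections import Counter, defaultdict

WINDOW = 60            # seconds per counting window (assumed)
PER_SOURCE_LIMIT = 10  # assumed per-source alert threshold per window
PER_TARGET_LIMIT = 30  # assumed per-target alert threshold per window
MIN_SOURCES = 10       # assumed minimum distinct sources for a DCA-style alert

# Constructed events: (timestamp_seconds, source_site, target_host).
# Forty vector sites each contact the victim once within one window;
# one unrelated source contacts another host twelve times.
EVENTS = [(i, f"site{i:02d}.example", "victim.example") for i in range(40)]
EVENTS += [(t, "scanner.example", "other.example") for t in range(0, 60, 5)]


def per_source_alerts(events):
    """Flag (source, target) pairs whose own rate exceeds the per-source limit."""
    counts = Counter((ts // WINDOW, src, dst) for ts, src, dst in events)
    return sorted({(src, dst) for (_, src, dst), n in counts.items()
                   if n > PER_SOURCE_LIMIT})


def per_target_alerts(events):
    """Flag targets with a high total rate spread over many low-rate sources."""
    by_target = defaultdict(Counter)  # (window, target) -> Counter of sources
    for ts, src, dst in events:
        by_target[(ts // WINDOW, dst)][src] += 1
    alerts = []
    for (_, dst), srcs in sorted(by_target.items()):
        total = sum(srcs.values())
        if total > PER_TARGET_LIMIT and len(srcs) >= MIN_SOURCES:
            # Report: target, total events, distinct sources, busiest source's count
            alerts.append((dst, total, len(srcs), max(srcs.values())))
    return alerts


if __name__ == "__main__":
    print("per-source:", per_source_alerts(EVENTS))
    print("per-target:", per_target_alerts(EVENTS))
```

The per-source detector reports only the single noisy source, while the per-target detector reports the victim, whose forty events each come from a different site.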