A Mathematical Characterization of DCAs

Copyright(c), 1996 - Management Analytics - All Rights Reserved

Mathematically, DCAs can be characterized by the following structure:

DCA:=(A,V,I,P:(A,I*,V)) where:
        A:={a_1, ..., a_n}  a set of attackers
        V:={v_1, ..., v_m}  a set of victims
        I:={i_1, ..., i_h}  a set of intermediaries
        P:AxI*=>V           a set of paths from As to Vs

A few simple results appear to be immediately obvious. The first is that in order to track down the elements of A from V through audit trails of the attack, a set of paths from elements of V to each element of A has to be tracked. In symbols:

forall a in A, exists (i_{s_1}, ..., i_{s_x}) in I*
(a,(i_{s_1}, ..., i_{s_x}),v) in P
where x is a finite integer, v in V, and i_{s_?} in I

In practice today, the maximum size of I is about 20 million. A typical size of I for a Web site ranges from about 100 to 2,000 per day, and many of the elements of this population repeat over time because visitors to Web sites tend to include people who have been there before.

The size of V is most often small (i.e., 1 or perhaps a class C network which has 255 systems), the size of A usually ranges from 1-10, and the number of intermediary systems ranges from 1 to 3.

If these figures are right, this makes the number of possible Ps range from 100 in the minimal case to about (2,000^3)(255)(10), or about 180 billion per day. This is quite a range!

Some statistics from the incident at all.net may also be enlightening. In this case, out of about 250 sites emailed in real-time about the incident, only 2 responded within 8 hours with the information required to track down the attack. This means that only about 1 in 125 sites in I provided the information required to trace the attack. For the purposes of analysis, an I^1 attack was used against all.net, and the mean time for tracking the incident was 4 hours.

Since this analysis is based on a sample size of 1, its accuracy is highly dubious. However, based on this information, if this were an I^2 attack, and if every administrator that reported audit records also had a zero-tolerance response to the causes of these activities, only one in 125^2 paths would produce a sufficient P to track down the attacker.

At the rate of about 500 sites per day involved in the first step of the attack, and assuming that there were 20,000 preconfigured sites used in sequence for the second step of the attack (e.g., the ftp attack discussed earlier), the time until the source is identified is on the order of 15,000 attempts, or about 30 days. In the limit, each added intermediary degrades the ability to track down the source of a DCA exponentially.
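The path-count product and the 1-in-125-per-hop tracing estimate above, carried through as a small model. This is an added example, not code from the original page; the independence of each intermediary's cooperation and the constant per-site cooperation rate are assumptions of the example.

```python
"""Worked instance of the DCA tracing model described in the text.
Added example; the uniform, independent per-site cooperation rate is an assumption."""


def path_count(intermediaries: int, depth: int, victims: int, attackers: int) -> int:
    """Candidate paths in P for |I| intermediaries, an I^depth attack,
    |V| victims and |A| attackers: (|I|^depth)(|V|)(|A|)."""
    if depth < 0 or min(intermediaries, victims, attackers) < 1:
        raise ValueError("set sizes must be positive and depth non-negative")
    return (intermediaries ** depth) * victims * attackers


def trace_probability(cooperation_rate: float, depth: int) -> float:
    """Probability that every hop of a depth-hop path yields the audit
    records needed to follow it one hop closer to the attacker.
    Assumes each intermediary cooperates independently at the same rate."""
    if not 0.0 < cooperation_rate <= 1.0 or depth < 1:
        raise ValueError("cooperation_rate must be in (0, 1] and depth >= 1")
    return cooperation_rate ** depth


def expected_attempts(cooperation_rate: float, depth: int) -> float:
    """Expected number of paths examined before one traces all the way back:
    1 / p^depth, which grows exponentially with each added intermediary."""
    return 1.0 / trace_probability(cooperation_rate, depth)


def days_to_trace(cooperation_rate: float, depth: int, attempts_per_day: float) -> float:
    """Calendar time until the source is identified, given how many
    first-hop sites the attack touches per day."""
    if attempts_per_day <= 0:
        raise ValueError("attempts_per_day must be positive")
    return expected_attempts(cooperation_rate, depth) / attempts_per_day


def degradation_table(cooperation_rate: float, attempts_per_day: float, max_depth: int):
    """(depth, expected attempts, days) rows for depth 1..max_depth, showing
    how each extra intermediary multiplies the tracing effort."""
    return [
        (d, expected_attempts(cooperation_rate, d), days_to_trace(cooperation_rate, d, attempts_per_day))
        for d in range(1, max_depth + 1)
    ]


if __name__ == "__main__":
    # Parameters quoted in the text: 1 in 125 sites respond, 500 first-hop sites per day.
    print("minimal paths:", path_count(100, 1, 1, 1))
    print("maximal paths:", path_count(2000, 3, 255, 10))
    for depth, attempts, days in degradation_table(1 / 125, 500, 3):
        print(f"I^{depth}: ~{attempts:,.0f} attempts, ~{days:,.1f} days")
```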

An attacker with serious intentions could be expected to break into one Web site per month to create such an attack. In this case, the source of the attack would be different from the beneficiary. The effort in tracing the attack would likely result only in its location and removal, not in eliminating the attacker or the attack.

Now consider the implications of a Web site that signs up victims to mailing lists through intermediaries, unless the mailing lists or victims have a mechanism for automatically defending against such attacks. Taking our previous numbers, 500 sites per day might sign up each of 3 victims to each of 3 mailing lists. The effective scale of the attack is 4,500 mailing lists per day. Assuming each mailing list sends an average of 10 mailings per day to its members, this comes to 45,000 more pieces of electronic mail per day created by a single individual using a DCA on a single Web page. Assuming it takes a week to undo all the subscriptions from a typical user, the average persistence of an unwanted subscription is about 3 days. Over the 30 day period before being tracked down, one individual could create (45,000)(15)(30)(3)/30 or just over 2 million pieces of electronic mail.