A new class of attacks against information systems, distributed coordinated attacks (DCAs), has been identified as a consequence of the increasingly networked nature of those systems, and we have started to explore the issues of attack and defense. Based on initial results, it appears that DCAs offer significant challenges for defenders, that tracking a DCA to its source is, in general, impossible without community-based defenses, and that community-based defenses against DCAs have substantial limitations.
On the good side, the DCA incident at all.net was quickly identified and successfully tracked to its source. Although this attack was only a very simple one, the fact that it was tracked down quickly and publicly will hopefully act as a deterrent to further attempts. The fact that it happened in the real world should also act to energize the computing community toward improved defenses.
The statistical details are still not fully understood, but it appears that the DCA described in the appendices was launched by a total of no more than ten people, and that it was probably more like five. Of these, we have identified four individuals. These 5-10 people caused more than 2,000 attempted entries involving more than 800 computers from all over the world. Of the 800 sites we automatically tried to contact in the process of tracking the attack, only six people provided correlating information necessary to track down the sources of these attacks, and of those, only one was a site involving three or more entry attempts. Clearly, contacting all of the sites from which even a single entry was attempted was critical to tracking down the sources of these attacks.
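The tracking procedure described above, contacting every site from which an entry was attempted and following whatever correlating information comes back hop by hop, can be illustrated with a small traceback model. The code below is an added example and is not part of the paper or of the all.net incident data; the host names, attempt records and replies are constructed, and the convention that a reply of "ORIGIN" means the contacted site identified a local originator is an assumption of this example. It generalizes slightly beyond the single incident: a chain with several relays is traced only if every intermediate site replies, which is why a threshold such as "contact only sites with three or more attempts" can lose every usable lead.

```python
"""Traceback of a distributed coordinated attack (DCA) through cooperating sites.

Constructed example (not the paper's data): the defended site records the
immediate source of each entry attempt, contacts each such host, and follows
the upstream information each reply provides. A chain reaches its origin only
when every intermediate site along it answers.
"""
from collections import Counter

# Constructed sample: (immediate source host, timestamp) of attempts seen locally.
ATTEMPTS = [
    ("relay-a.example", "1996-10-01T02:11:03"),
    ("relay-a.example", "1996-10-01T02:11:09"),
    ("relay-a.example", "1996-10-01T02:11:15"),
    ("relay-b.example", "1996-10-01T02:12:40"),
    ("relay-d.example", "1996-10-01T02:13:02"),
    ("relay-e.example", "1996-10-01T02:13:51"),
    ("relay-g.example", "1996-10-01T02:14:20"),
    ("relay-g.example", "1996-10-01T02:14:27"),
]

# Sentinel (assumed convention): the contacted site identified a local originator.
ORIGIN = "ORIGIN"

# Constructed replies from contacted sites: host -> upstream host it reported,
# ORIGIN when the site found the originator locally, None when it never replied.
# Hosts absent from this table were never contacted, which counts as no reply.
REPLIES = {
    "relay-a.example": None,              # three attempts, but the site never answered
    "relay-b.example": "relay-c.example", # one attempt, site points one hop further
    "relay-c.example": ORIGIN,            # second hop identifies the originator
    "relay-d.example": ORIGIN,            # one attempt, single-hop, traced directly
    "relay-e.example": "relay-f.example", # points upstream, but relay-f never replied
    "relay-f.example": None,
    "relay-g.example": None,
}


def attempts_per_host(attempts):
    """Count entry attempts per immediate source host."""
    return Counter(host for host, _ in attempts)


def trace(host, replies):
    """Follow replies hop by hop from `host`.

    Returns (reached_origin, chain) where chain lists the hosts contacted in order.
    A missing or None reply, or a loop in the reported path, ends the trace.
    """
    chain = [host]
    seen = {host}
    while True:
        upstream = replies.get(host)
        if upstream is None:
            return False, chain
        if upstream == ORIGIN:
            return True, chain
        if upstream in seen:  # reported path loops back; cannot be resolved
            return False, chain
        seen.add(upstream)
        chain.append(upstream)
        host = upstream


def traced_origins(attempts, replies, min_attempts=1):
    """Contact only hosts with at least `min_attempts` attempts.

    Returns {immediate host: chain} for every chain that reached an origin.
    """
    counts = attempts_per_host(attempts)
    traced = {}
    for host, n in counts.items():
        if n < min_attempts:
            continue
        reached, chain = trace(host, replies)
        if reached:
            traced[host] = chain
    return traced


if __name__ == "__main__":
    for threshold in (1, 2, 3):
        found = traced_origins(ATTEMPTS, REPLIES, min_attempts=threshold)
        print(f"threshold {threshold}: {len(found)} origin(s) traced")
        for host, chain in found.items():
            print(f"  {host}: {' -> '.join(chain)} ({len(chain)} hop(s) of cooperation)")
```

With the constructed data, contacting every host traces two originators (one single-hop, one two-hop); raising the contact threshold to two or three attempts traces none, matching the observation that the only multi-attempt site in the real incident contributed nothing. The `len(chain)` figure is the number of distinct sites that had to cooperate, which is the quantity that grows with each additional hop.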
Our initial mathematical characterization and very preliminary results indicate that the magnitude of the problem could be substantial and that defending against multi-hop DCAs is significantly harder and takes significantly longer than against single-hop DCAs, even in a mode where automated response with zero tolerance is universally used. This implies that a dramatic change in the way we handle incident response would be required in order to meet the challenge of DCAs if they become dominant modes of attack.
Based on our results to date, we believe strongly that the most effective DCA defense today is an automated zero-tolerance approach to reporting detected anomalies, and that such a defense will require community tolerance and vigilance. We also believe that DCAs in today's Internet environment provide a very rich environment for attack, and a very challenging environment for defense.