Untangling Attribution--David D. Clark and Susan Landau
Pages 25-40

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 25...
... 3 David Wheeler and Gregory Larson, "Techniques for Cyber Attack Attribution," Institute for Defense Analyses, October 2003, p.
From page 26...
... are more useful than is often thought as a starting point for attribution, in those cases where attribution is relevant.4 • Redesigning the Internet so that all actions can be robustly attributed to a person would not help to deter the sophisticated attacks we are seeing today, such as the multi-stage attacks mentioned above. At the same time, such a change would raise numerous issues with respect to privacy, freedom of expression, and freedom of action, a trait of the current Internet valued by many including intelligence agencies.
From page 27...
... Some applications such as banking require robust mutual identity. Other sites need robust identity, but rely on third parties to do the vetting, e.g., credit card companies do so for online merchants.
From page 28...
... If the actual attack involved falsified source addresses, such traceback may be very difficult or even impossible. However, the range of attacks that can be executed without a two-way exchange of packets is very limited, and for many attacks today, the source address is not forged.10 Because of these factors, there is a question as to whether after the fact retribution is a useful part of dealing with bot-net-based DDoS attacks.
From page 29...
... your personally identifying information, like your name, Social Security number, or credit card number, without your permission, to commit fraud or other crimes." 12 Under this definition, up to 9 million Americans suffer identity theft annually. 13 This broad definition encompasses everything from the theft of a single credit-card number or misuse of a single account to a full-scale impersonation of an identity (involving the establishment of new credit accounts or identity documents in a person's name)
From page 30...
... Their preparation may involve taking over insecure intermediate machines, but only in small quantity, and perhaps highly suited to the task. These machines are used to transit the stolen information and hide its ultimate destination.
From page 31...
... 24 One legitimate example of this occurs in federated identity management systems: the Identity Provider knows that Service Provider A and Service Provider B (for example, a hotel and a car-rental agency) are both providing services for the same customer, but through the judicious use of pseudonyms, no one else, including the two service providers, can determine that fact.
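Pairwise pseudonyms of the kind described here (one stable identifier per user per service provider, derived with a key that only the Identity Provider holds) can be sketched in a few dozen lines. This is an added example, not code from the paper or from any particular federation standard; the IdP key, the user names, and the two service-provider names are constructed. It also shows the contrast case the paragraph implies: an IdP that derives the pseudonym from the user alone hands the same value to every provider, so any two providers can link their records.

```python
import hashlib
import hmac
import secrets


class IdentityProvider:
    """Issues one pseudonym per (user, service provider) pair. The HMAC key
    never leaves the IdP, so only the IdP can tell that the hotel's and the
    car-rental agency's pseudonyms belong to the same person.
    pairwise=False reproduces the weak design: one pseudonym per user."""

    def __init__(self, pairwise=True):
        self._key = secrets.token_bytes(32)  # constructed per run, IdP-only
        self._index = {}                     # (sp_name, pseudonym) -> user
        self.pairwise = pairwise

    def pseudonym_for(self, user, sp_name):
        msg = user.encode()
        if self.pairwise:
            msg += b"\x00" + sp_name.encode()  # bind the value to this SP
        p = hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]
        self._index[(sp_name, p)] = user
        return p

    def resolve(self, sp_name, pseudonym):
        """Only the IdP can map a pseudonym back to the user."""
        return self._index.get((sp_name, pseudonym))


class ServiceProvider:
    """Sees only the pseudonym the IdP hands it at each login."""

    def __init__(self, name):
        self.name = name
        self.customers = set()

    def login(self, idp, user):
        p = idp.pseudonym_for(user, self.name)
        self.customers.add(p)
        return p


def colluding_link(sp_a, sp_b):
    """What two colluding SPs can do: compare identifier sets."""
    return sp_a.customers & sp_b.customers


def run(pairwise):
    idp = IdentityProvider(pairwise=pairwise)
    hotel = ServiceProvider("hotel.example")   # constructed SP names
    cars = ServiceProvider("cars.example")
    at_hotel = hotel.login(idp, "alice")
    at_cars = cars.login(idp, "alice")
    hotel.login(idp, "bob")
    cars.login(idp, "bob")
    return {
        "different_per_sp": at_hotel != at_cars,
        "stable_at_one_sp": hotel.login(idp, "alice") == at_hotel,
        "colluding_sps_link": colluding_link(hotel, cars),
        "idp_links": idp.resolve("hotel.example", at_hotel) == "alice"
        and idp.resolve("cars.example", at_cars) == "alice",
    }


if __name__ == "__main__":
    print("pairwise:", run(pairwise=True))
    print("per-user:", run(pairwise=False))
```

With pairwise derivation the two providers share no identifiers and only `resolve()` at the IdP connects them; with the per-user variant both of the constructed users appear in the intersection.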
From page 32...
... Since residential Internet service is almost always provided by commercial Internet Service Providers (ISPs), they have billing information for all of their customers.
From page 33...
... 27 The restriction of encrypted communication is critical here. If the observer is using technology called Deep Packet Inspection, or DPI, he can observe anything not encrypted, including identity credentials being exchanged end-to-end.
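To make the DPI point concrete, the following added example (not code from the paper) runs a minimal on-path inspector over three constructed TCP payloads: an HTTP request carrying Basic authentication, an FTP login, and a TLS application-data record whose ciphertext is stand-in random bytes. The cleartext payloads give up the credentials in full; the TLS record gives up only what its header exposes.

```python
import base64
import re
import secrets

# Patterns for two cleartext credential exchanges (HTTP Basic, FTP USER/PASS).
BASIC_RE = re.compile(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\r?$", re.M)
FTP_RE = re.compile(rb"^(USER|PASS)\s+(\S+)\r?$", re.M)


def inspect(payload):
    """What an on-path observer learns from one TCP payload."""
    # TLS record header: content type 0x17 (application data), version 0x0303.
    if len(payload) >= 5 and payload[0] == 0x17 and payload[1:3] == b"\x03\x03":
        length = int.from_bytes(payload[3:5], "big")
        # Header fields are visible; the record body is opaque ciphertext.
        return {"protocol": "tls", "credentials": [],
                "metadata": {"record_len": length}}

    creds = []
    for m in BASIC_RE.finditer(payload):
        user, _, pw = base64.b64decode(m.group(1)).partition(b":")
        creds.append(("http-basic", user.decode(), pw.decode()))
    ftp = dict(FTP_RE.findall(payload))
    if b"USER" in ftp and b"PASS" in ftp:
        creds.append(("ftp", ftp[b"USER"].decode(), ftp[b"PASS"].decode()))
    return {"protocol": "cleartext", "credentials": creds, "metadata": {}}


def demo():
    # Constructed payloads; names, hosts and passwords are illustrative.
    basic = base64.b64encode(b"alice:hunter2")
    http = (b"GET /account HTTP/1.1\r\nHost: bank.example\r\n"
            b"Authorization: Basic " + basic + b"\r\n\r\n")
    ftp = b"USER bob\r\nPASS s3cret\r\n"
    body = secrets.token_bytes(48)  # stands in for a TLS record's ciphertext
    tls = b"\x17\x03\x03" + len(body).to_bytes(2, "big") + body
    return {"http": inspect(http), "ftp": inspect(ftp), "tls": inspect(tls)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```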
From page 34...
... A more dramatic change might be the introduction of a virtualized network infrastructure, which would permit multiple simultaneous networks to co-exist, each with its own approach to attribution. A future network that provides an information dissemination and retrieval service as part of its core function would imply some sort of binding between user and information that would be visible "in the network." We believe that our general conclusions will apply across a range of possible future network designs -- the linkage between machine-level attribution and higher-level attribution (e.g.
From page 35...
... Different approaches will be needed to stop a DDoS attack and data exfiltration while it is happening.

After the Fact: Retribution

The traditional discussion of deterrence focuses on what would happen after the fact, when some sort of retribution would be exacted.
From page 36...
... This suggests that even if we were to push for a variant of the Internet that demanded very robust identity credentials to use the network, tracing would remain subject to barriers that would arise from variation in jurisdictions. Unless we imagine that all countries would agree to the election of a single, global identity authority, credentials would be issued by individual countries, where the quality of the process would be highly variable.
From page 37...
... However, the only sort of attack where a forged address is effective is a DDoS attack, where the goal is just to flood the destination with useless traffic. Any more sophisticated exchange, for example in support of espionage, will neces

30 Current recommended practice for ISPs is for the ISP hosting the infested machine to verify that the machine appears to be part of a bot-net, then use its billing records to translate from machine to person, and send the person a letter.
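The forged-source point made on pages 28 and 37 can be checked in a small simulation. This is an added example, not code from Clark and Landau's paper: a toy network that forwards on the destination address only, a server that completes a TCP-style handshake only if the client acknowledges the random initial sequence number it was sent, and three hosts with RFC 5737 documentation addresses (all constructed here). A one-way flood lands on the target whatever source it claims, but a spoofed client never sees the SYN-ACK and so cannot finish the exchange.

```python
import secrets
from collections import defaultdict


class Network:
    """Forwards each packet to the host owning its destination address.
    Like real routers, it never checks whether the source address is true."""

    def __init__(self):
        self.hosts = {}
        self.delivered = defaultdict(int)  # destination -> packets delivered

    def attach(self, host):
        self.hosts[host.addr] = host
        return host

    def send(self, pkt):
        self.delivered[pkt["dst"]] += 1
        host = self.hosts.get(pkt["dst"])
        if host is not None:
            host.receive(self, pkt)


class Host:
    """A host that answers SYN with SYN-ACK carrying a random ISN and
    accepts an ACK only if it acknowledges that ISN."""

    def __init__(self, addr):
        self.addr = addr
        self.inbox = []
        self.isn = {}             # peer address -> ISN we sent it
        self.established = set()  # peers that completed the handshake

    def receive(self, net, pkt):
        self.inbox.append(pkt)
        if pkt["flags"] == "SYN":
            isn = secrets.randbits(32)
            self.isn[pkt["src"]] = isn
            # The reply goes to whatever source the SYN *claimed*.
            net.send({"src": self.addr, "dst": pkt["src"],
                      "flags": "SYN-ACK", "seq": isn})
        elif pkt["flags"] == "ACK":
            if pkt["src"] in self.isn and pkt["ack"] == self.isn[pkt["src"]] + 1:
                self.established.add(pkt["src"])


def syn_flood(net, target, spoofed_src, count):
    """One-way flood: every SYN lands on the target regardless of the
    claimed source. Returns how many packets reached the target."""
    before = net.delivered[target.addr]
    for _ in range(count):
        net.send({"src": spoofed_src, "dst": target.addr, "flags": "SYN"})
    return net.delivered[target.addr] - before


def handshake(net, client, server, claimed_src):
    """Attempt a three-way handshake while claiming `claimed_src`.
    Returns True only if the server ends up with an established peer."""
    client.inbox.clear()
    net.send({"src": claimed_src, "dst": server.addr, "flags": "SYN"})
    replies = [p for p in client.inbox
               if p["flags"] == "SYN-ACK" and p["src"] == server.addr]
    if replies:
        ack = replies[-1]["seq"] + 1   # we saw the ISN, so we can answer it
    else:
        ack = secrets.randbits(32)     # never saw it: a blind 32-bit guess
    net.send({"src": claimed_src, "dst": server.addr, "flags": "ACK", "ack": ack})
    return claimed_src in server.established


def demo():
    net = Network()
    attacker = net.attach(Host("203.0.113.7"))  # constructed documentation addresses
    victim = net.attach(Host("198.51.100.9"))   # the address the attacker forges
    server = net.attach(Host("192.0.2.10"))
    return {
        "flood_hits_target": syn_flood(net, server, victim.addr, 1000),
        "backscatter_at_victim": sum(p["flags"] == "SYN-ACK" for p in victim.inbox),
        "handshake_honest": handshake(net, attacker, server, attacker.addr),
        "handshake_spoofed": handshake(net, attacker, server, victim.addr),
    }


if __name__ == "__main__":
    print(demo())
```

The spoofed handshake fails because the ISN the server chose went to the forged address; the flood's SYN-ACKs likewise land on the forged address as backscatter, which is why traceback of such traffic starts from a misleading source.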
From page 38...
... Would it make sense to hold owners of intermediate machines in a multi-stage attack responsible to some (perhaps minor) degree for the resulting harm of the attack?
From page 39...
... CONCLUSIONS

Our fundamental conclusion is that "the attribution problem" is not actually a technical issue at all, but a policy concern with multiple solutions depending on the type of technical issue -- e.g., DDoS attack, criminal activity, or data exfiltration -- to be solved. Our conclusions are that, not surprisingly, solutions to the "attribution problem" lie outside the technical realm.
From page 40...
... The efforts for top-down control of user identity and attribution, while appropriate and valid for critical-infrastructure domains such as the power grid, and financial and government services, have little role to play in the broader public network. Such efforts can be avoided, leading ultimately to better public safety, security, and privacy.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.