
The primary method93 currently utilized for technical attribution of cyber-attacks is the tracing of Internet traffic associated with a cyber-attack from the site of the attack recursively to the original IP address responsible for the attack.94 (There are a number of other techniques that may be utilized, such as SMTP [Simple Mail Transfer Protocol], Ethernet protocols, and Dynamic Host Configuration Protocol [DHCP]95 traceback techniques), but as the majority of attacks are IP-based, this study will focus on general IP protocol traceback. It must be noted that none of the other mentioned traceback schemes is able to truly technically attribute an attack standing alone, as they suffer from the same or similar limitations as IP traceback. All traceback schemes rely on the attribution of network traffic.

The majority of IP traceback mechanisms are designed to function against DoS/DDoS attacks,96 such as those suffered by Georgia and Estonia. DoS/DDoS attacks are “flood” attacks, where the operations of a server or information system are severely impacted by a flood of data requests made on the service by spoofed packets.97 By flooding these systems with spoofed packets, the system cannot reply to legitimate requests, and the systems cease to function as designed. The most famous of these types of attacks are the attacks on Estonia (2007) and Georgia (2008), where large segments of both countries’ cyberinfrastructure were impacted by large-scale DDoS attacks over a period of days.

DoS/DDoS attacks are normally one-way attacks; that is, the packets that are requesting bogus services from a system are spoofed with false IP packet headers, so there is no packet data sent back to the author of the attack. In most instances, the author of the attack is far removed from the DoS/DDoS attacks, as the author will normally have set up a botnet, which is a collection of zombie computers that have been infected by a worm that allows the botmaster to use those machines to launch the DoS/DDoS attacks, while limiting the traceback options and exposure to the author of the attack.

91 Neil C. Rowe, The Attribution of Cyber Warfare 62, in, Cyberwarfare: A Multidisciplinary Analysis (James A. Green, ed. Kindle ed. 2016).

92 O’Connell, supra.

93 Vahid Aghaei-Foroushani and A. Nur Zincir-Heywood, Deterministic Flow Marking for IPv6 Traceback *1, Network and Service Management (CNSM), 11th Int’l Conf. on IEEE (2015), https://www.semanticscholar.org/paper/Deterministic-flow-marking-for-IPv6-traceback-DFM6-Foroushani-Zincir-Heywood/49c12809fb3776bda0260aef561d3f8924463517/pdf. (“IP traceback is a mechanism which aims to identify the true source of an IP datagram. However, as many current IP traceback schemes are proposed concerning IPv4 network, they cannot be directly used in IPv6 network. Implementing those techniques for IPv6 networks require modifications because of the technological differences…”)

94 Xinyuan Wang and Douglas Reeves, Traceback and Anonymity 5-11 (2015). (Discussing the traceback model.) See also, Karanpreet Singh, Paramvir Singh, and Krishan Kumar, A Systematic Review of IP Traceback Schemes for Denial of Service Attacks, 56 Comp. & Sec. 111-139 (2016). Neil C. Rowe, The Attribution of Cyber Warfare 63, in, Cyberwarfare: A Multidisciplinary Analysis (James A. Green, ed. Kindle ed. 2016). (Discussing attack attribution.)

95 David A. Wheeler and Gregory N. Larsen, Techniques for Cyber Attack Attribution 3, Institute for Defense Analysis, IDA Paper P-3792 (Oct. 2003).

96 Naga Mani Tenali and Bala Savitha Jyosyula, IP Traceback Scenarios, 19 Global J. Comp. Science Tech. 13(E) (2013).

97 Id.

Traceback techniques may fall into one of two broad categories: either preventive traceback or reactive traceback.98 Preventive traceback focuses on preventing spoofed IP addresses or illegitimate IP addresses from accessing specific systems. Preventive traceback, per se, is not a traceback technique, as it does not provide the recursive step-back (stepping stone) needed to identify the source of the attacks and, as such, fails to provide a basis for identification of the attacker.99

Reactive traceback techniques provide the best hope for actually tracing an attack to the source IP address. Reactive traceback techniques such as link testing100 work backward from the attacked system, querying each router along the line looking for the router that forwarded the spoofed packets. This is repeated until the source IP of the originating system is located.101 Other traceback variations rely on algorithms to calculate the path of a packet into which a marker has been inserted, and others utilize a probabilistic packet marking algorithm.102
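To make the probabilistic packet marking variant concrete, the following is an added example written for this page (it is not code from the cited works): routers on a constructed four-hop path overwrite a single mark field with probability p (node sampling), the victim reconstructs the path by ordering routers by mark frequency, and a second run shows the known limitation that a mark already set by the sender can outrank every real router. The addresses, path length and marking probability are constructed assumptions.

```python
"""Probabilistic packet marking (PPM) traceback, simulated end to end.

Added example, not from the original text. Each router on a constructed
path overwrites the packet's single mark field with probability p (node
sampling). The victim tallies the marks that arrive during a flood; a
router d hops from the victim is the last to mark with probability
p*(1-p)**(d-1), so sorting by frequency orders routers nearest-first.
"""
import random
from collections import Counter

# Constructed path, sender -> R1 -> R2 -> R3 -> R4 -> victim,
# using RFC 5737 documentation addresses as placeholders.
PATH = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4"]
MARK_PROB = 0.2


def forward(path, p, rng, forged=None):
    """Forward one packet along path; return the mark the victim sees.

    `forged` is whatever the sender placed in the mark field; it survives
    only if no router on the path decides to overwrite it.
    """
    mark = forged
    for router in path:  # order: nearest the sender first
        if rng.random() < p:
            mark = router  # node sampling: overwrite the single mark slot
    return mark


def collect_marks(path, n_packets, p=MARK_PROB, forged=None, seed=1):
    """Victim side: tally the marks seen across a flood of n_packets."""
    rng = random.Random(seed)
    marks = (forward(path, p, rng, forged) for _ in range(n_packets))
    return Counter(m for m in marks if m is not None)


def reconstruct_path(counts):
    """Routers ordered from the victim outward (most frequent mark first)."""
    return [router for router, _ in counts.most_common()]


if __name__ == "__main__":
    # Unmarked sender: the frequency ordering recovers the path exactly.
    print(reconstruct_path(collect_marks(PATH, 5000)))
    # Limitation: a pre-set mark survives with probability (1-p)**4, about
    # 0.41 here, so it outranks every real router in the victim's tally.
    print(reconstruct_path(collect_marks(PATH, 5000, forged="203.0.113.9")))
```

The second run is why node sampling alone is not trusted for attribution and why later schemes (edge sampling, deterministic flow marking as in footnote 93) add distance fields or authenticate marks.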

For non-DoS/DDoS attacks, traceback techniques will attempt to recursively step back the attack along the data packet’s route to the attacked system in an attempt to identify the source IP responsible for the attacks. Simply put, computer scientists will follow the breadcrumbs of the attack from one IP address to the next until they get to the original IP address responsible for the attack. However, this is not sufficient for technical or legal attribution, as the malware responsible for installing the payload onto the infected system most likely will have originated from another source. The malware will then have to be analyzed through computer forensic analysis in an attempt to identify the author of the software/payload, which may yield clues as to the origin.

Traceback techniques currently in operation appear to be able to trace a cyber-attack, either a DoS/DDoS or direct attack, to the originating IP address; however, this process is time-consuming, and its success depends on the abilities of the attack author and sheer luck.

The IP address that the traceback technique resolves to will be linked to a specific geographic range. The IP address will not normally identify the end user of that address. Thus, additional techniques will be needed to corroborate the findings of traceback techniques and develop a theory of who may be the authors of an attack.

Honeypots are related to traceback techniques but are different in that a honeypot may exist for multiple reasons, including identifying an attack event,103 identifying attack vectors, searching for new types of attacks, and tracking attacks by region. Honeypots themselves are not necessarily an attribution tool but serve as a mechanism to assist in attribution. A honeypot is “[a] server that is configured to detect an intruder by mirroring a real production system.”104 That is, a honeypot is a device running on the Internet that appears to be a real series of IP addresses that are set up to trap incoming attacks for various purposes.105 There are two types of honeypots, “[p]roduction honeypots [which] capture only limited information, and are used primarily by companies or corporations; and research honeypots [which] are complex to deploy and maintain, capture extensive information, and are used primarily by researchers, military, or government organizations…”106 Honeypots’ benefits lie in that they only collect malicious attacks and are not prone to false positives.107 Honeypots may be used to collect attacks that may then be traced back to the originating IP address,108 giving researchers a source IP address which may be blacklisted or monitored. Honeypots may also be utilized as a defense against DDoS attacks by identifying zombie IP addresses associated with a DDoS attack and blocking said IP addresses from gaining access to the attack’s intended target.

98 Naga Mani Tenali and Bala Savitha Jyosyula, IP Traceback Scenarios, 20 Global J. Comp. Science Tech. 13(E) (2013); Krishan Kumar, A.L. Sangal, and Abhinav Bhandari, Traceback Techniques Against DDOS Attacks: A Comprehensive Review, 491 Proceedings 2nd IEEE Int’l Conf. on Computer and Comm. Tech. (2011). (Describing the two different categories of traceback schemes as pro-active and reactive), but cf., David A. Wheeler and Gregory N. Larsen, Techniques for Cyber Attack Attribution 9-11, Institute for Defense Analysis, IDA Paper P-3792 (Oct. 2003). (Discussing both preventive and reactive traceback techniques as a single category of techniques).

99 Tenali, id.

100 Id. See also, David A. Wheeler and Gregory N. Larsen, Techniques for Cyber Attack Attribution 9, Institute for Defense Analysis, IDA Paper P-3792 (Oct. 2003). (Discussing “[s]tore logs & traceback queries...which is a similar technique to that posited by Tenali and Jyosyula); Chao Gong, Trinh Le, T. Korkmaz, and K. Sarac, Single Packet IP Traceback in AS-Level Partial Deployment Scenario 1817, in Proceedings of the IEEE Globecom (2005).

101 Tenali, id. at n.98.

102 Id.

103 Van-Hau Pham, Honeypot Traces Forensics by Means of Attack Event Identification 1-2, PhD Thesis, Telecom ParisTech (2009).

104 Shantanu Shukla & Sonal Sinha, Use of Honeypot and IP Tracing Mechanism for Prevention of DDOS Attack, 3 Int’l J. Sci. Engineering & Res. 94, 95 (2015).

105 For a visual representation of what honeypot activity is, see, map.norsecorp.com.

106 Id. at n. 104.