What I am definitely not saying is that by correlating times we will be able to track down a script kiddie in China who took the day off of school. I am merely saying that I believe that a large proportion of intrusion attempts (which are not worms) could be tracked between 11:00pm and 3:00am in the country of origin (excluding weekends and holidays, of course). I agree that the sample would have to be immense.

Data like this could also be important to track the experience of the hacker. A script kiddie would most likely run attacks later at night, whereas an experienced hacker would want to run his attempt when the target sysadmin is sleeping, thereby giving him time to hide his tracks.

As for the DoS attacks, most of the attacks require a little bit of forethought, compromising servers and laying general groundwork. If I were to go through the trouble of setting up a DoS like the one that hit eBay et al., I would want to make sure it had the largest impact, yet minimized the risk of my being caught (although I'm not sure what the best time to do that would be).

I realize that this is no more than criminal profiling, and that it has been used with varying success worldwide, and has been met with equally varying skepticism. I also realize that we as a security community will never get a pure picture of why all attacks occur. We can't break it down to one definitive moment in a person's life and say "yep, that did it. Right there!". But it would be yet another thing to consider, to be bundled into the sixty trillion things we already have to check out.

Just my thoughts and ramblings.

Patrick Andry
pandryat_private
This archive was generated by hypermail 2b30 : Mon May 28 2001 - 21:08:05 PDT