Tracing sources of DOS and DDOS attack: evidential recovery

Authors

Brian Cusack, Digital Forensic Research Laboratories, Auckland
Cary Ho, Digital Forensic Research Laboratories, Auckland

Document Type

Conference Proceeding

Publisher

secau Security Research Centre, Edith Cowan University, Perth, Western Australia

Abstract

The ability to trace back to the network source of a computer service attack is an important step in locating evidence that may be used to identify and to prosecute those responsible. The instability of the internetwork environments however makes both tracing and justifying the credibility of evidence obtained challenges for investigators. In this research four methods for tracing the sources of attacks are reviewed and one selected for testing in public and open networks. Specifically the Time-To-Live (TTL) field is to be investigated for trace back potential in a method called the hop count distance method. The results show that within the limitations discussed it is possible to locate the origin of an attack back to the nearest router from the source. Furthermore it may be theorised from population demographic data the general location of the attack origin. The purpose of this paper is to demonstrate what may be achieved but then more importantly to mitigate any claims arising for generalisations.

Comments

9th Australian Digital Forensics Conference, Edith Cowan University, Perth Western Australia, 5th -7th December 2011

DOI

10.4225/75/57b2bb5340ceb