Who Goes There? Comparing Attribution Methods’ Effectiveness

By Dustin Vandenberg

The news is filled with reports of cyber attacks being “traced” back to various nations, organizations, and individuals. A wide variety of methods exist for tracing cyber attacks, and many of the policy decisions today surrounding cyber security pivot around the ability to attribute attacks. 

Law enforcement, intelligence gathering, and cyber deterrence all rely upon the ability to know who is attacking you. For these reasons, this summer I worked to try and identify and compare various methods for attributing common internet-based cyber attacks. This blog post will be part of a 3-part series where I will discuss some of what I found. 
        
When researching this issue, I found 10 primary attribution methods, which I broke up into 3 separate categories: route-based, packet-based, and target-based. “Route-based” methods change the way that packets are routed on the Internet. “Packet-Based” methods change how internet packets are formatted or logged on various systems and routers. “Target-Based”methods use data or tools available on the target’s system to attribute attacks. 
 
Here are the 10 methods I examined, and some links for more information:

Route-Based:

1. Hop-by-hop IP Traceback

2. Ingress Filtering

3. Backscatter Traceback

Packet-Based:

4. Packet Logging

5. Hashed Packet Logging

6. Modify Transmitted Messages

7. iTrace

Target-Based:

8. Attack Analysis

9. Hack Back

10. Honeypots


I was able to compile a list of advantages, disadvantages, and implementation challenges for each of these methods. This was a necessary first step for the analysis which I will discuss in my second and third blog posts. The following chart summarizes what I found.
             
The final report is still a work in progress, so please feel free to leave any comments or questions below relating to this project!

Transient