Disclaimer: This methodology would be for a country that has few actual international connections and poor topology so I feel assured it would not happen in any advanced western country.
I feel safe in posting this as it is merely theoretical, since no country of any real world significance has sufficiently few international connections and poor topology.
A typical piece of malware is hindered by its own capacity: as soon as it brings down a network, it loses the ability to spread. Authors of malware therefore use timers to start the attack. Because these authors are often unsure of where the bots are, they must cautiously test the bots and determine which servers and switching will be affected.
So, as you can see, malware authors or hacker networks have difficulty bringing down a network as such. Hence most malware bot attacks are aimed at a specific server on the Internet and use denial-of-service attacks, which make so many repeated requests to a system that the system is unable to respond to legitimate requests.
What we are talking about here is definitely a different form of attack.
There are four characteristics of such an attack on a network.
- The attack is internal in nature. It comes from within the network.
- The nodes on the network have been strategically placed, with often the location masked.
- The nodes are arranged in a cascading tier topology that allows control from one node even while most of the network is down.
- The attack strategy follows a phase approach of stress testing the network.
Next, let's look at how these four characteristics are achieved.
Internal attack.
Using a fictitious entity, the conspirator would lease blades or servers on data farms around the country. Alternatively, they would arrange to have high-speed Internet connections placed at various locations (residential, commercial, industrial). Or they could pose as an IT company and have the malware placed on their customers' IT systems. With remote access capabilities this is very easy to achieve, and then to remove if suspicion falls on the customer.
Strategic placing.
Some areas of the country are more vulnerable than others, and some ISPs are more vulnerable as well. Some switches are certainly more vulnerable. Also remember that with advanced spoofing, the IP address of Joe Person can appear to be the malware host while it is not.
Tier Topology.
Controlling an attack is vital, especially to test the network. Thus one node would control all the nodes (sounds a bit like Lord of the Rings). The attacking nodes could either use a check-back system for new instructions, or automatically die off, like a TTL (Time To Live), if they don't receive confirmation to continue. Analysis of the attack would thus show it as appearing in waves.
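From the defender's side, the "waves" signature described above is something a network operator can look for in request logs. The following is an added example, not code from the original post; it assumes logs reduced to (timestamp, source IP) pairs and uses a constructed sample in which regular bursts from internal addresses sit on top of steady external traffic.

```python
import ipaddress
import statistics
from collections import Counter

def build_sample_records():
    """Constructed sample (ts, src_ip): 2 req/s of steady external traffic plus
    five 10-second bursts from 50 hosts in 10.0.0.0/8, one burst every 60 s."""
    recs = []
    for t in range(300):
        recs += [(t, "203.0.113.5"), (t, "198.51.100.7")]
        if any(start <= t < start + 10 for start in range(30, 300, 60)):
            recs += [(t, f"10.0.0.{i}") for i in range(1, 51)]
    return recs

def find_waves(records, window=5, factor=4):
    """Bucket requests into fixed windows; a wave is a run of consecutive windows
    whose count exceeds factor * median window count. Returns [(start, end)]."""
    counts = Counter(ts // window for ts, _ in records)
    lo, hi = min(counts), max(counts)
    series = [counts.get(w, 0) for w in range(lo, hi + 1)]
    threshold = factor * max(1, statistics.median(series))
    waves, start = [], None
    for w, n in zip(range(lo, hi + 2), series + [0]):  # sentinel closes a trailing wave
        if n > threshold and start is None:
            start = w
        elif n <= threshold and start is not None:
            waves.append((start * window, w * window))
            start = None
    return waves

def wave_period(waves, tolerance=0.2):
    """(mean gap between wave starts, True if gaps are regular within tolerance);
    regular spacing is what timer-driven, check-back-controlled waves look like."""
    if len(waves) < 3:
        return None, False
    gaps = [b[0] - a[0] for a, b in zip(waves, waves[1:])]
    mean = sum(gaps) / len(gaps)
    return mean, all(abs(g - mean) <= tolerance * mean for g in gaps)

def internal_share(records, internal_nets):
    """Fraction of distinct source addresses inside the given internal prefixes."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    sources = {src for _, src in records}
    inside = sum(any(ipaddress.ip_address(s) in n for n in nets) for s in sources)
    return inside / len(sources) if sources else 0.0
```

A high internal share combined with regularly spaced waves is the combination the post describes; either alone (a single flash crowd, or internal traffic without bursts) is much less suspicious.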
Strategy.
The attack could follow a strategy of testing various parts of the network to find bottlenecks. For example, the locally based DNS servers are often used to control all port 80 or 81 requests, so these are a good alternative. As ISPs get users to change their DNS settings (if they can without a technician), the top-tier node can record this for the next attack.
As you can see, such an attack is not so complex to create, and is really dependent on the resources a constitutional agency is prepared to put into it.
A country’s internet can protect itself by having a better topology and multiple gateways.
The last questions must be: who would do this, and why?
And the one answer has to be a conspiratorial type of entity that wants to deny Internet and other communications access for a specific event.