One of the greatest challenges on the strategic side of cyberwarfare, for information security as much as for national security, is the so-called ‘attribution problem’. It refers to the fact that tracing an attack back one step is not that difficult, but tracing it back to its true origin, and finding out who actually launched it, is, to phrase it optimistically, difficult.
One of the most common reasons for this challenge is ‘tunneling’: the attacker hides his traces by routing through proxies, virtual private networks (VPNs) or compromised machines. Between the usual ‘hops’ (local network, ISP, backbone …) he adds further ones, and each of them makes him harder to trace. The more such hops sit between his machine and the victim’s, the more difficult the trace becomes. If you catch him while he is still doing his magic, you can try traceroute to find out where he really sits, and you might even be successful, although it will only show you the path to the nearest hop he is coming through, not to him. If, however, you try to do forensics afterwards and backtrack an attack that has already happened: good luck with that one. The problem is that obtaining log files from a foreign server or ISP can be far more difficult than you think. And if he hops through a compromised machine, most probably with admin rights, he is also able to tweak its logs so that they either do not show that he was there or, worse, lead you in the wrong direction: not by erasing information but by adding noise to the logs or simply faking a different access IP. All of this may leave you very annoyed and with little to go on. Of course honeypots, active monitoring and other tools and mechanisms can be used to make tracing easier, but they have to be in place before the attack. Otherwise it will not fly.
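To make the dead end concrete, here is a small Python script added to this post (it is not part of the original text). It works on constructed auth.log lines from three hosts: the victim, one honest hop, and one compromised hop whose log the attacker has edited. The hostnames, addresses, log lines and the attacker’s address 198.51.100.7 are all invented for the example; the back-tracing and the two consistency checks are my own illustration of what an investigator holding those logs could do.

```python
import re
from datetime import datetime

# Constructed sample data (not from the post): ip -> hostname for the hosts whose
# logs we managed to obtain. The attacker's real address (198.51.100.7) is not
# among them and appears in no surviving log line.
HOSTS = {"192.0.2.99": "victim", "192.0.2.20": "hop2", "203.0.113.10": "hop1"}

LOGS = {
    "victim": [
        "Mar 12 03:10:05 victim sshd[4102]: Accepted password for root from 192.0.2.20 port 51022 ssh2",
    ],
    "hop2": [
        "Mar 12 03:09:40 hop2 sshd[2210]: Accepted publickey for admin from 203.0.113.10 port 40011 ssh2",
    ],
    # hop1 is the compromised machine. The attacker removed the line recording his
    # own login from 198.51.100.7 and appended a forged one pointing at an unrelated
    # address. Being sloppy, he reused a PID lower than the one sshd had already reached.
    "hop1": [
        "Mar 12 03:05:00 hop1 sshd[1530]: Accepted publickey for ops from 10.1.1.5 port 38000 ssh2",
        "Mar 12 03:09:10 hop1 sshd[1544]: Accepted publickey for ops from 10.1.1.5 port 38002 ssh2",
        "Mar 12 03:09:30 hop1 sshd[1499]: Accepted password for ops from 192.0.2.250 port 40001 ssh2",
    ],
}

# Matches the common Linux auth.log sshd success line; other lines are ignored.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(lines, year=2012):
    """Parse sshd 'Accepted' lines into dicts (syslog lines carry no year, so one is assumed)."""
    entries = []
    for n, line in enumerate(lines, 1):
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        entries.append({"line": n, "ts": ts, "pid": int(m["pid"]), "user": m["user"], "ip": m["ip"]})
    return entries


def find_tampering(entries):
    """Cheap consistency checks on one host's log. syslog appends in time order and sshd
    PIDs climb until they wrap, so a step backwards in either hints at an edited file.
    A careful attacker forges consistent lines, so a clean result proves nothing."""
    findings = []
    for prev, cur in zip(entries, entries[1:]):
        if cur["ts"] < prev["ts"]:
            findings.append((cur["line"], "timestamp earlier than preceding entry"))
        if cur["pid"] < prev["pid"]:
            findings.append((cur["line"], "sshd PID lower than preceding entry"))
    return findings


def trace_back(logs, hosts, start_host):
    """Follow 'from <ip>' backwards hop by hop. At each hop take the latest login that
    happened no later than the login seen on the hop downstream of it. Stops at the
    first address for which we hold no log: that is the 'origin' the evidence
    supports, whether it is genuine or forged."""
    chain, visited = [], set()
    host, limit = start_host, None
    while host is not None and host not in visited:
        visited.add(host)
        candidates = [e for e in parse_auth_log(logs.get(host, []))
                      if limit is None or e["ts"] <= limit]
        if not candidates:
            break
        last = max(candidates, key=lambda e: e["ts"])
        chain.append(last["ip"])
        limit = last["ts"]
        host = hosts.get(last["ip"])  # None once we leave the hosts we can see
    return chain


if __name__ == "__main__":
    print("apparent path back from victim:", " <- ".join(trace_back(LOGS, HOSTS, "victim")))
    for name, lines in LOGS.items():
        for line_no, why in find_tampering(parse_auth_log(lines)):
            print(f"{name}: line {line_no}: {why}")
```

Run it and the reconstructed path ends at 192.0.2.250, an address that belongs to nobody involved, while the attacker’s real address never shows up anywhere. The PID check flags the appended line on hop1 only because the attacker was sloppy; a forged line with a consistent timestamp and PID passes both checks, which is exactly why ‘the last hop was in country X’ on its own proves nothing.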
What is less often discussed is that a denial-of-service attack, and more specifically a distributed DoS, is even harder to trace. The ‘zombies’ attacking you receive their commands from a central command-and-control (CnC) server, which might be nothing more than an IRC channel. The zombies themselves are compromised machines and therefore tell you nothing about the attacker (provided he was careful when he compromised them). Next you have to find the CnC server, whose traces may also be obscured by the means mentioned above. If you finally do find the CnC server, you still have to track the commands back to wherever they were fed into it. That, again, leaves you with potentially a whole lot of hops, which makes backtracking virtually impossible and makes someone very unhappy. Even if all of that works in your favor (and you are a lucky bastard, pardon my English, if it does), knowing that the attacker was sitting in an internet cafe in Mexico City does not give you much to go on. If they have no CCTV installed, or are not exactly happy to hand the footage over to you, good luck once more. You would not even know whether it was some kid, a group, a company of government mercenaries or contracted cyber-soldiers.
The beauty of it: we can always blame Russia or China. ‘The attack originated in China and came from an ISP which also serves the University of Beijing, which is said to be closely affiliated with…’ What bullshit. First: how do you know that it was the last hop? Second: how do you know that it was not a deliberately forged log that led you there? Third: how difficult is it to send an American intelligence officer over to China and have him launch the attack from that very internet cafe? I do not fall for that.
Of course there are things we like to believe. And government officials looking for a bigger budget are always happy to trace persistent and dangerous threats back to state-backed hacker groups, but who tells you that none of the above is true? Then again, no one cares, but we should. This time it is about national perception management. However, if we are going to (violently) react, we need more than just a hunch. In cyberwarfare there need not be a smoking gun, and if there is one, it may well have been planted in the wrong hands. It is not like a battleship flying the flag of its home country which has just sunk your freighter. It is a strategic challenge.