As the SMTP filter used against the Langley Cyber Attack matured,
SMTP mail denial-of-service (DoS) failures ceased. However, the
probability of overwhelming DoS attacks remained. Thousands of rogue
e-mail messages continued to bombard Langley AFB servers. This
bombardment created a pseudo steady-state condition of background noise.
This steady state bombardment was the basis for the implementation of our
e-mail bomb early warning system.
Using a standard mathematical process we
were able to identify an ongoing attack and provide a reasonable basis
for predicting non-random future attacks.
Beginning with the initial version of the SMTP filter, the investigating
team automatically collected e-mail statistics on the daily volume of
e-mail (Td), jailed e-mail (Jd), questionable e-mail, and other variables of
interest.
By keeping the size of each weekly subgroup, n, constant (seven days),
a pattern began to emerge as we graphed and analyzed the raw data.
Clustering one-week averages of jailed e-mail as a percentage of
total e-mail volume (
in equation one)
led to the theory that a statistical process
control chart with an upper and lower control limit might serve as an
e-mail bomb early warning indicator.
Daily e-mail statistics were
automatically collected and averaged over weekly periods.
denotes
the daily average jailed e-mail percentage based on a one week clustering interval.
In addition, the range of the e-mail bomb volume, R, was calculated (equation three) from
the computed average minimum and maximum.
The size of each weekly subgroup, n, remained constant (seven days). The total number of
weeks analyzed was represented by K. The overall average daily e-mail bomb
volume,
,
was also tracked (equation four).
From this simple statistical process, e-mail bomb upper and lower control limits were established.
Figure eight illustrates ten weeks of these statistics as they were collected and analyzed.
Figure 8:
Early Warning System: Event Trigger
The upper (UCL) and lower (LCL) control limits were calculated by taking
a two percent standard deviation above and below the average traffic (including attack and
legitimate e-mail) volume.
The decision to use
two standard deviations exceeds the generally accepted one percent for normal
distributions. However, a control limit that is too narrow results in
frequent searches for insignificant e-mail bomb attacks (false alarms), which is
an inefficient use of human resources.
Control limits (Figure eight) that are too wide would permit undetected
significant e-mail bomb attacks. We simply estimated
the initial upper and lower control limits from inspection of the graphs.
However, as an early warning process matures and each sample outside the
prescribed limit is identified and eliminated, the variability from
mean to mean should diminish from the initial value. At this point, new
upper and lower limits should be calculated. As the system matures, these
limits converge to a point where an alarm is sounded at the very start of an
attack.
A running average exceeding the UCL indicated that a significant e-mail
bomb attack was occurring. If the average fell below the LCL, either the number of bogus
e-mail messages had dropped significantly or the filters were failing. At this
point, adjustments were made to the filter rules to eliminate the process alarm.
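The control chart described above, worked through as an added example (not code from the original paper): daily jailed percentages are clustered into weekly subgroups of n = 7, the weekly mean and range R are computed, UCL and LCL are set two standard deviations above and below the mean of the baseline weekly means, and each subsequent week is scored against those limits. The daily (Td, Jd) figures and the three-week baseline are constructed assumptions, not Langley data.

```python
import statistics

N = 7  # subgroup size n: one week of daily observations, kept constant

# Constructed sample (not Langley data): per-day (Td, Jd) pairs, i.e. total
# e-mail volume and jailed e-mail count, for K = 5 weeks.  Weeks 1-3 are the
# quiet background, week 4 is a bomb run, week 5 is a collapse in jailed mail.
SAMPLE_DAYS = [
    *[(1000, j) for j in (250, 280, 240, 260, 250, 230, 240)],          # week 1
    *[(1000, j) for j in (270, 260, 280, 250, 260, 270, 230)],          # week 2
    *[(1000, j) for j in (230, 240, 250, 260, 240, 230, 230)],          # week 3
    *[(3000, j) for j in (2250, 2400, 2100, 2550, 2250, 2100, 2400)],   # week 4
    *[(1000, j) for j in (20, 30, 25, 15, 22, 18, 20)],                 # week 5
]

def jailed_pct(td, jd):
    """Daily jailed e-mail as a percentage of total e-mail volume."""
    return 100.0 * jd / td

def weekly_subgroups(days, n=N):
    """Cluster daily percentages into subgroups of size n (complete weeks only)."""
    pcts = [jailed_pct(td, jd) for td, jd in days]
    return [pcts[i:i + n] for i in range(0, len(pcts) - n + 1, n)]

def subgroup_stats(week):
    """Weekly mean of the daily jailed percentage and its range R (max - min)."""
    return statistics.fmean(week), max(week) - min(week)

def control_limits(baseline_means, k_sigma=2.0):
    """Grand mean of the weekly means and limits at +/- k_sigma standard deviations."""
    xbar = statistics.fmean(baseline_means)
    sigma = statistics.stdev(baseline_means)
    return xbar, sigma, xbar + k_sigma * sigma, xbar - k_sigma * sigma

def classify(mean, ucl, lcl):
    """Action trigger: above UCL = bomb attack; below LCL = bogus mail dropped or filter failing."""
    if mean > ucl:
        return "UCL"
    if mean < lcl:
        return "LCL"
    return "in control"

def run_chart(days, baseline_weeks=3, k_sigma=2.0):
    """Set limits from the first baseline_weeks subgroups, then score every week."""
    stats = [subgroup_stats(w) for w in weekly_subgroups(days)]
    means = [m for m, _ in stats]
    xbar, sigma, ucl, lcl = control_limits(means[:baseline_weeks], k_sigma)
    return {"xbar": xbar, "sigma": sigma, "ucl": ucl, "lcl": lcl,
            "weekly": stats, "verdicts": [classify(m, ucl, lcl) for m in means]}

if __name__ == "__main__":
    r = run_chart(SAMPLE_DAYS)
    print(f"UCL={r['ucl']:.2f} LCL={r['lcl']:.2f}")
    for wk, ((mean, rng), verdict) in enumerate(zip(r["weekly"], r["verdicts"]), 1):
        print(f"week {wk}: mean={mean:5.2f}% R={rng:4.1f} -> {verdict}")
```

Once a week outside the limits has been investigated and its cause removed, the limits should be recomputed from the remaining in-control weeks, as the text describes.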
The first indication of a control limit breach surprised the team.
Instead of a massive counter attack from the mail bombers as had
happened in the past, the first Action Trigger (Figure eight: Action
Trigger) occurred on the Lower Control Limit. This caused the team to
examine the queues in an attempt to determine what the hackers were up
to. Because the Langley AFB MTA had been
hard coded into several automated tools (see sidebar), those tools could
no longer bomb victims once the Langley filter removed the
illegitimate messages from the Internet. Langley investigators
found that
the authors of the tools had removed Langley AFB from the list of MTAs
pre-configured into the bombing programs. The Black Hole
Strategy proved to be an effective countermeasure which
we highly recommend.
We stopped experimenting with control charts at that
point in time. However, our next step would have been to develop a control chart based on
the variance, standard deviation, or the range.
This is an excellent area for further research and analysis.