Related links:
http://www.cs.columbia.edu/~smb/blog/2008-09/2008-09-04.html
http://www.itu.int/osg/csd/cybersecurity/WSIS/3rd_meeting_docs/Rutkowski_IPtraceback_callerID_rev0.pdf

---

Traceback Use Cases and Requirements

Use Cases

1.1 Virus application traceback

A target system has been infected with a mass-mailing virus delivered through a "drive-by" download when the target system was used to visit an infected web site. When the virus initializes it sends spam to every address in the target's address book. The virus remains resident in memory, and as new addresses are added they in turn receive spam.

In this case the target system is the immediate source of each individual piece of spam, but the true source is the virus, and behind it the infected web site that delivered the virus. Tracing a single spam message back to the target system therefore does not identify the responsible party; the traceback has to continue from the infected system to the site that infected it.

1.2 Bot net DDoS

A target system has been infected with a Trojan that connects to an IRC server to receive instructions. On receipt of a specific instruction, the Trojan client repeatedly tries to connect to a designated server. Numerous Trojan clients all trying to connect to the same server at once cause it to run out of available connections, leading to a denial of service.

In this case a network server is attacked by numerous requests received simultaneously from numerous infected systems, but the true source of the attack, the party issuing the instruction over IRC, remains "hidden" behind the zombie slaves.

1.3 Application macro infection

A document file with an embedded executable macro is distributed; any application that opens the file becomes infected and in turn creates and distributes more infected document files. In this case the application is infected, but because every infected document can infect further copies, the original source of the infection becomes increasingly difficult to determine over time.

1.4 Proxy "Pirate cove"

Physical threats against a person are posted in a discussion forum on a web site. The poster connected to the site through a proxy server, which hides the true origin of the threats.

1.5 Proxy "Safe harbor"

A political opponent of a government publishes articles that put the government in an unfavorable light. The government, having a law against any opposition, tries to identify the author of the articles, but because they were published via a proxy server it is unable to do so, and the author's anonymity is protected. Technically this is the same proxy mechanism as in 1.4; here it shields a legitimate user rather than an abuser.

1.6 Non-participating

A hacker connects to the Internet through an ISP that provides no traffic source information and takes no action on the abuse reports it receives. Any traceback therefore ends at that ISP's border.