Many types of Internet attacks use indirection to hide their source. For example, routing an attack through a chain of compromised machines is a common way to foil a defender's attempts to locate where the attack came from. Similarly, distributed denial-of-service (DDoS) attacks are often launched from compromised computers, sometimes called "zombies", both to harness the power of many machines and to obscure where the true source of the attack lies. Today, such indirection is a highly successful way for attackers to remain anonymous.
In the Dragnet project, we take the position that the Internet architecture should be extended with auditing mechanisms that enable forensic analysis of network data, with the goal of identifying the true originator of each attack, even if the attacker recruits innocent hosts as zombies to propagate it. We define an approach that promises to dramatically change investigations of Internet-based attacks. Our goal is to determine both the host responsible for originating an attack and the set of attack flows, so as to reconstruct how the attack unfolded. We argue that knowledge of both is important for combating attacks: knowledge of the origin supports law enforcement, and knowledge of the causal flows that advanced the attack supports diagnosis of how network defenses were breached.
We proposed a random moonwalk algorithm that finds the origin and the initial propagation paths of a worm attack, either within an intranet or on the Internet as a whole, by post-mortem analysis of the traffic records logged by the networks. The algorithm works by repeatedly sampling paths on the host communication graph with random walks. Each walk randomly traverses the edges of the graph backwards in time, hence the name random moonwalk.
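The following is an added, self-contained Python sketch of the random moonwalk idea; it is not Dragnet's code. It constructs a synthetic flow trace (a binary worm-infection tree rooted at host 0 plus uniformly spread background traffic, all of it assumed data), runs backward random walks that step from a flow to a uniformly chosen flow that arrived at the current flow's source host within the preceding delta_t seconds, and ranks flows by how often they were traversed. The window delta_t, the walk length, the trace parameters and the per-host aggregation used to name the origin are choices made here, not values taken from the project.

```python
# Added example (not Dragnet's code): a minimal random moonwalk over a
# constructed flow trace. delta_t, max_steps, the binary worm tree and the
# uniform background traffic are assumptions made for this illustration.
import random
from bisect import bisect_left
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    """One logged flow record: src host -> dst host at time t (seconds)."""
    src: int
    dst: int
    t: float


def synth_trace(depth=7, n_noise=600, horizon=300.0, seed=7):
    """Construct a trace (assumed data): host 0 releases a worm at t=0 and
    every infected host infects two fresh hosts about 10 s later, giving a
    binary causal tree; n_noise background flows are spread uniformly over
    all hosts and the whole window. Returns (worm_flows, background_flows)."""
    rng = random.Random(seed)
    worm, frontier, next_host = [], [0], 1
    for level in range(1, depth + 1):
        new_frontier = []
        for j, parent in enumerate(frontier):
            # each infected host scans two victims in one burst; bursts are
            # staggered across hosts so the flows are distinguishable by time
            t = 10.0 * (level - 1) + 5.0 * j / len(frontier)
            for _ in range(2):
                worm.append(Flow(parent, next_host, t))
                new_frontier.append(next_host)
                next_host += 1
        frontier = new_frontier
    n_hosts = next_host
    background = []
    for _ in range(n_noise):
        s = rng.randrange(n_hosts)
        d = rng.randrange(n_hosts - 1)
        if d >= s:
            d += 1                               # no self-flows
        background.append(Flow(s, d, rng.uniform(0.0, horizon)))
    return worm, background


def random_moonwalk(flows, walks=20000, max_steps=12, delta_t=20.0, seed=1):
    """Sample `walks` backward walks. Each starts at a uniformly chosen flow
    and repeatedly steps to a uniformly chosen flow that arrived at the
    current flow's source host in the preceding delta_t seconds, stopping
    when no such flow exists. Returns how often each flow was traversed."""
    rng = random.Random(seed)
    inbound = defaultdict(list)                  # dst host -> flows by time
    for f in sorted(flows, key=lambda f: f.t):
        inbound[f.dst].append(f)
    in_times = {h: [f.t for f in fs] for h, fs in inbound.items()}
    counts = Counter()
    for _ in range(walks):
        cur = rng.choice(flows)
        for _ in range(max_steps):
            counts[cur] += 1
            cands = inbound.get(cur.src)
            if not cands:
                break                            # nobody ever talked to src
            ts = in_times[cur.src]
            lo = bisect_left(ts, cur.t - delta_t)
            hi = bisect_left(ts, cur.t)          # strictly earlier than cur
            if lo >= hi:
                break                            # nothing in the window
            cur = cands[rng.randrange(lo, hi)]
    return counts


def rank_flows(counts, k=10):
    """Most frequently walked flows: the candidate initial causal flows."""
    return [f for f, _ in counts.most_common(k)]


def infer_origin(counts):
    """Heuristic used here (an assumption, not a Dragnet result): walks
    converge on the origin, so it is the host whose outgoing flows were
    walked most often in total."""
    per_host = Counter()
    for f, c in counts.items():
        per_host[f.src] += c
    return per_host.most_common(1)[0][0]


if __name__ == "__main__":
    worm, background = synth_trace()
    counts = random_moonwalk(worm + background)
    worm_set = set(worm)
    print("inferred origin:", infer_origin(counts))
    for f in rank_flows(counts):
        print(f, "worm" if f in worm_set else "background", counts[f])
```

Run directly, the script prints the inferred origin and the ten most-walked flows; in this constructed trace the top flows are the worm's earliest infections and the origin is host 0. Two caveats about the code as written: delta_t must exceed the worm's inter-infection gap, or the causal predecessor falls outside the window and the walk dies early; and the constructed trace begins at the worm's release, so nothing arrived at host 0 beforehand and walks stop there. On a real trace, legitimate traffic into the origin within delta_t of its first attack flow would pull walks past it, so the top-ranked flows should be read as a tree and inspected rather than trusted blindly.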
In the presence of a large tree-structured subgraph, these walks tend to be directed towards the root of the