Network Security

Tracking an attack often provides little benefit

  • From: Paul Howell
  • Date: Tue Jun 27 07:20:46 2000



At http://www.infoworld.com/articles/op/xml/00/06/26/000626opswatch.xml

Published at: Friday, Jun. 23, 2000 1:01 pm PT 

Tracking an attack often provides little
benefit; top deterrent is secure systems
everywhere 

By Stuart McClure & 

EVER SINCE JACK installed his personal firewall on his cable modem, he's seen 
hundreds of port scans hitting the box. At first he took them seriously, 
worrying about what these cybermiscreants were up to. As Jack quickly learned, 
finding out the answers to these questions requires enormous investigative work
and can lead to absolutely nothing. 

Trying to track down the knocks on your cyberdoor can quickly turn into a 
passion. But each ping, trace route, port scan, Whois, and American Registry 
of Internet Numbers (ARIN) search often reveals only what little can be done 
to stop these preludes to an attack. The final desperate act will inevitably be
the abuse@whateverisp.com inbox black hole that is ISP abuse reporting. Now 
imagine that every single computer banging away at your door is the end of a 
long string of computers being used to channel an attack. Tracking down this 
last hop reveals only the tail of an enormous, multiheaded dragon. 

The days of direct computer attacks are long gone. Today, only hacker 
wanna-bes use their own computers to direct the attack at the target system. 
More than a decade ago, the serious malicious hackers broke into vulnerable 
systems not to collect credit card numbers or turn off the power grid to a 
city neighborhood. Instead, they gained access to these systems simply to use 
them for further attacks on the Internet. Just as the distributed DoS (denial 
of service) attacks in February required a number of compromised "zombie" 
machines to generate the necessary traffic to disable e-commerce sites, these 
zombie machines can also be used as jumping-off points for malicious attacks. 

To build this elaborate diving platform, attackers will scan for vulnerable 
systems on the Internet. DSL and @Home customers such as those with AT&T and 
Pacific Bell are easy targets. To find these juicy targets, attackers will 
look up subnets on ARIN and Network Solutions, looking for netblocks that 
house high-speed, poorly secured home systems. Another popular target is 
educational institutions. Using automated attack scripts, attackers can 
literally break into these systems overnight and "own" more than a hundred 
systems within hours. 

Attacking Windows NT home users begins with port scanning on TCP ports 135 
and/or 139.  Once the ports are open, the attackers will launch the typical 
Windows NT-based assaults, including simple password guessing, input validation
attacks, and buffer overflow attacks. NT systems tend to be juicier targets 
than are Windows 9x systems simply because NT's remote control capabilities 
are far superior. Using programs such as netcat, NTRK remote, and 
RemotelyAnywhere, attackers can control an NT system with ease -- and then 
upload and kick off the same attacks from that system. 

Attacking and controlling Unix systems such as Red Hat and Mandrake Linux can 
be even simpler using numerous remote buffer overflow attacks. Vulnerabilities 
such as those in several Unix daemons can be trivially exploited with publicly 
available source code. Once owned, the attackers will set up backdoors and 
remote control capabilities, kicking off the same Linux attack scripts to 
further invade systems. 

And let's not forget about open proxy relays, often unwittingly left dangling 
by customers of those very same consumer-oriented services. With the growing 
focus on application-layer vulnerabilities, most attacks nowadays take the 
form of a maliciously malformed URL; it's point-and-shoot simply to bounce 
these off of a proxy if it isn't properly configured. We recently visited a 
site that had been compromised by just such a bullet, a single URL anonymously 
relayed by a misconfigured SOHO (small office/home office) proxy device out in 
the void. Does anyone remember the infamous Wingate and squid proxy-scanning 
tools that circulated the Net about a year ago? Try turning WinScan (one of 
the most popular Wingate scanners) loose on your favorite network and see what 
pops up. How many of those do you think were run by unwitting end-users who 
thought they were improving the security of the Internet? Or just browse to 
proxys4all.cgi.net and take your pick. 

All an attacker needs to begin a reign of terror is that first vulnerable 
system. Each subsequent attack will actually be coming from a compromised 
system and not the original attacker. And that is what makes security-incident 
response an enormously difficult and often fruitless task.  Tracking down an 
attempted hack may turn up your grandmother's computer rather than the real 
culprit. Can you see yourself knocking on the door of an @Home user asking to 
look at the computer? The fact is, unless the crime causes more than $5,000 in 
damage, the FBI won't get involved, and without the FBI, knocking on the door 
during Sunday brunch will have little motivational impact for cooperation. 

The solution to the problem of island-hopping is not trivial, requiring 
nothing less than absolute security on all systems attached to the Internet -- 
not a small task. So what is the stopgap measure? Tell us what you think about 
a resolution at security_watch@infoworld.com. 
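As an added example (not part of the forwarded column or of the Merit archive), a defender-side script that applies the column's point: it parses constructed personal-firewall log lines, groups dropped probes to TCP 135/139 by source address, and counts how many distinct sources are probing, which shows why chasing each last-hop address on its own yields little. The log format, addresses and function names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample lines (assumed format: "date time src:sport -> dst:dport proto action";
# addresses are made up and do not come from the column).
SAMPLE_LOG = """\
2000-06-23 12:00:01 24.1.2.3:1034 -> 10.0.0.5:139 TCP DROP
2000-06-23 12:00:02 24.1.2.3:1035 -> 10.0.0.6:139 TCP DROP
2000-06-23 12:00:03 24.1.2.3:1036 -> 10.0.0.7:135 TCP DROP
2000-06-23 12:00:04 63.9.8.7:3301 -> 10.0.0.5:135 TCP DROP
2000-06-23 12:00:05 192.168.1.10:2049 -> 10.0.0.5:80 TCP ACCEPT
2000-06-23 12:00:06 206.5.5.5:4000 -> 10.0.0.5:139 TCP DROP
2000-06-23 12:00:07 206.5.5.5:4001 -> 10.0.0.9:139 TCP DROP
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+) (\w+)$"
)
# The two ports the column names as the opening move against NT home systems.
NETBIOS_PORTS = {135, 139}

def parse_log(text):
    """Turn each well-formed log line into a dict; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, src, dst, dport, proto, action = m.groups()
            events.append({"ts": ts, "src": src, "dst": dst,
                           "dport": int(dport), "proto": proto, "action": action})
    return events

def netbios_probes(events):
    """Map each source to the set of hosts it probed on 135/139 and got dropped."""
    targets = defaultdict(set)
    for e in events:
        if e["dport"] in NETBIOS_PORTS and e["action"] == "DROP":
            targets[e["src"]].add(e["dst"])
    return targets

def summarize_scanners(events, min_targets=2):
    """Sources sweeping at least min_targets hosts: behaviour of a scripted sweep,
    usually run from an already compromised machine rather than the operator's own."""
    return {src: len(dsts) for src, dsts in netbios_probes(events).items()
            if len(dsts) >= min_targets}

def distinct_sources(events):
    """How many different last-hop addresses are knocking: the size of the 'dragon's tail'."""
    return len(netbios_probes(events))
```

The aggregate counts are what a defender acts on (tighten the exposed service, keep the log), since each individual source is very likely only the last hop the column describes.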





