Security
Feature
Don't Panic. Plan

  May 1, 2003
  By Mike Fratto



Network Computing Says Internet To Crash and Burn!

05/01/2003 Syracuse, N.Y. -- On July 17, 2003, the Internet will come to a crashing halt. The flow of goods and data, so critical to the digital economy, will dry up. E-friendships will languish without the transfer of bytes and nybbles.

Remember, you read it here first.

Got your attention, didn't we?

Of course, this isn't likely to happen. But read enough news reports and listen to enough war stories, and it's easy to imagine the worst. When you connect to the Internet, or to any external network, there are legitimate reasons for concern, including the threat of directed attacks and worms. The reality, though, is nowhere near as bleak as the media--and some aggressive security vendors--would have you believe. Yes, there are dangers, but if you pinpoint the sources and types of exposure, you can manage your risk.

The key is in understanding the attack types. After gathering and interpreting data from a variety of sources--including CAIDA (Cooperative Association for Internet Data Analysis), ISS (Internet Security Systems), NIST's ICAT and Security Focus--and conferring with people on the information-security front lines, we came to several conclusions about the real dangers your organization faces from Internet-borne attacks and how you can minimize your risk.

Reconnaissance Mission

An attack's progression is straightforward, typically following a well-defined set of steps. Getting root or administrative privileges is often the attacker's goal (for a detailed account of an actual attack see "Anatomy of a Network Intrusion").

The first phase is network reconnaissance. The attacker discovers as much as he or she can about the target using public databases and documents, as well as more invasive scanners and banner grabbers. Once services have been identified, the attacker tries to discover vulnerabilities, either through more research or by using a tool designed to determine if the service is susceptible.

Know Who's Out There



[Figure: Local & Remote Vulns / Loss Type]

Connect to the Internet and within moments you will see attack activity in the form of port and network scanners--a Network Intelligence customer who runs a relatively small network says he receives thousands of scans per week.

We charted the scan sources and targets for the top five active ports, as reported by the Internet Storm Center, on a specified date (see "Top 5 Port Scans for March 18, 2003"), and discovered that a relatively small pool of IP addresses scanned a large number of IP addresses. During this 24-hour period, ISC logged 9,598 unique IP addresses scanning for Port 445, which is used for file sharing (SMB) on Microsoft Windows 2000, and logged 161,532 targets of port scans for Port 445--roughly 16 times as many targets as sources.
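The same per-port tally of unique scanning sources versus unique targets can be run against your own perimeter logs. The following is an added example, not part of the original article: the log format, addresses and function names are assumptions, the sample records are constructed, and it goes one step beyond the chart by listing sources that swept several hosts on one port.

```python
from collections import defaultdict

# Constructed sample of firewall deny records: "timestamp src_ip dst_ip dst_port".
# The format is an assumption; addresses come from documentation ranges.
SAMPLE_LOG = """\
2003-03-18T00:01:07 198.51.100.7 192.0.2.10 445
2003-03-18T00:01:08 198.51.100.7 192.0.2.11 445
2003-03-18T00:01:09 198.51.100.7 192.0.2.12 445
2003-03-18T00:01:10 198.51.100.7 192.0.2.13 445
2003-03-18T00:04:41 198.51.100.7 192.0.2.10 445
2003-03-18T02:15:00 203.0.113.5 192.0.2.10 445
2003-03-18T02:15:02 203.0.113.5 192.0.2.11 445
2003-03-18T02:16:30 203.0.113.5 192.0.2.10 80
2003-03-18T05:40:12 198.51.100.9 192.0.2.20 137
2003-03-18T05:40:13 198.51.100.9 192.0.2.21 137
2003-03-18T06:00:00 truncated
"""

def parse(log_text):
    """Yield (src, dst, port) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[1], parts[2], int(parts[3])

def summarize(records):
    """Per port: unique sources, unique targets, targets per source."""
    sources, targets = defaultdict(set), defaultdict(set)
    for src, dst, port in records:
        sources[port].add(src)
        targets[port].add(dst)
    return {p: {"sources": len(sources[p]), "targets": len(targets[p]),
                "ratio": len(targets[p]) / len(sources[p])} for p in sources}

def top_ports(summary, n=5):
    """Ports ranked by unique targets, like a 'top 5 port scans' chart."""
    return sorted(summary, key=lambda p: summary[p]["targets"], reverse=True)[:n]

def wide_scanners(records, min_targets=3):
    """(source, port, hosts) for sources that swept min_targets+ hosts on a port."""
    seen = defaultdict(set)
    for src, dst, port in records:
        seen[(src, port)].add(dst)
    return sorted((s, p, len(d)) for (s, p), d in seen.items() if len(d) >= min_targets)

if __name__ == "__main__":
    records = list(parse(SAMPLE_LOG))
    print(summarize(records), wide_scanners(records))
```

Repeated probes from one source to the same host count once, so the ratio reflects breadth of scanning rather than raw packet volume.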

From a damage point of view, scans typically are harmless. IDSs classify scans as low-level attacks, but they don't harm servers or services. Common wisdom says scans are precursors to attacks, and though that may be true, there isn't a 1:1 relationship. If Port 445 is open, that doesn't guarantee the attacker will return, but it does make it more likely that he or she will.

