Security: Feature

Don't Panic. Plan

May 1, 2003
By Mike Fratto


Give 'Em an Inch ...

If an attacker finds services with exploitable vulnerabilities, the attack phase begins. If your servers are vulnerable, attackers may be able to get access to the computer or to data stored on the computer. Attack methods fall into two categories: automated and targeted. Much like scanning, automated attack tools are easy to build and will blindly try attacks against every host in a netblock or find hosts using a port scan and then attack. Either way, these brute-force attacks count on the probability that vulnerable servers will be running. Check your Web server logs and you'll likely see Unicode-encoded URL strings, regardless of the operating system or Web server running.
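As an added example (not code from the article), the following Python scanner walks a few constructed Apache-style Common Log Format lines and flags the Unicode-encoded and double-encoded URL strings the author says turn up in every Web server log. It decodes each request path the way an over-permissive server would, so that a directory-traversal sequence hidden behind an overlong UTF-8 byte pair or a second layer of percent-encoding becomes visible. The log lines and addresses are constructed; the log format is an assumption.

```python
import re
from urllib.parse import unquote_to_bytes

# Common Log Format: we only use client IP, request path and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"[A-Z]+ (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})')

# Constructed sample lines (RFC 5737 test addresses): two ordinary requests, two probes.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Mar/2003:10:01:22 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.77 - - [18/Mar/2003:10:01:23 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0" 404 321
198.51.100.5 - - [18/Mar/2003:10:01:25 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe HTTP/1.0" 404 321
203.0.113.9 - - [18/Mar/2003:10:01:30 -0500] "GET /products?id=42 HTTP/1.1" 200 5120
""".splitlines()

def lenient_decode(raw: bytes):
    """Decode like an over-permissive server: accept 2-byte overlong UTF-8 forms (lead
    byte 0xC0/0xC1) that strict decoders reject; that is what makes '%c0%af' act as '/'."""
    out, i, overlong = [], 0, False
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            overlong, i = True, i + 2
        else:
            out.append(chr(b))  # latin-1 style is enough for spotting '../'
            i += 1
    return ''.join(out), overlong

def analyze_path(path: str) -> list:
    """Return detection tags for one request path; [] means nothing suspicious."""
    tags = []
    text, overlong = lenient_decode(unquote_to_bytes(path))
    if overlong:
        tags.append('overlong-utf8')
    if re.search(r'%[0-9a-fA-F]{2}', text):  # %xx still present after one decode pass
        tags.append('double-encoding')
        text, _ = lenient_decode(unquote_to_bytes(text))
    if re.search(r'\.\.[/\\]', text):        # traversal only visible once fully decoded
        tags.append('traversal')
    return tags

def scan_log(lines):
    """Return (ip, raw_path, tags) for each parsable line that trips a check."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (tags := analyze_path(m.group('path'))):
            hits.append((m.group('ip'), m.group('path'), tags))
    return hits
```

Run `scan_log(SAMPLE_LOG)` to see the two probe lines tagged; the two ordinary requests produce no tags.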

Automated attacks and worms are opportunistic and, like scans, are part of daily life on the Internet. There isn't much you can do to block these attempts, and unless you can track their origins and get someone at the source organization or upstream ISP to intervene on your behalf, you can't really stop the attacks. Some ISPs and many college campuses will cut off users if they receive enough complaints coupled with evidence that an attack has originated from their networks. Filing a report with the owner of the netblock or its upstream provider is an option if you are under a concerted scan or automated attack.

[Figure: Top 5 Port Scans for March 18, 2003]

Fast-spreading worms are particularly vicious. The authors of an analysis published by CAIDA, "The Spread of the Sapphire/Slammer Worm", estimate that a single instance of a worm could infect seven hosts per minute, plus or minus one minute, with the resulting infected population doubling every 8.5 seconds, plus or minus one second. Sapphire, for example, peaked in about three minutes at 55 million scans per second, eventually exhausting the available bandwidth of various networks and leveling out its scan rate. "Top Five Security Events" (below) shows the startling effect of worm activity. The number of attack events for common protocols remains relatively stable. The attacks on Port 1434, used by Sapphire/Slammer, show the impact. Worm writers are getting better at building propagation methods and as a result, worms are picking up many of the reconnaissance techniques used by targeted attackers.

Writing a smart worm is a challenge, and we should consider ourselves lucky that common worms and viruses don't really do any serious harm. One of the surprising conclusions of the CAIDA report is that, even for applications with deployments of fewer than 20,000 nodes on the Internet, a worm still can spread very fast. It's not just widespread software that can be used to wreak havoc. If you develop software and want to perform in-depth security testing, check out our review of Cenzic's Hailstorm Protocol Modeler on page 103.

An Easy Mark?

Targeted attacks are much more dangerous than random scans because your organization has been singled out for a takeover. Whether the coup succeeds depends on a number of variables, but knowing you've been targeted is crucial. Finding out the goal of the attack is the next step.

[Figure: Top 5 Security Events]

The bad news: The more skilled the attacker, the less likely he or she will be noticed during the attack. The good news: Targeted attacks make up a small portion of overall attacks, and successful targeted attacks are rarer still. For example, in 2002, ISS Managed Security Service noted 5,052 incidents, ranging from port scans to severe attacks, but only about 80 (1.6 percent) were severe enough that ISS' Emergency Response Service needed to deal with the attack.

A whopping 82.53 percent of all attacks originated on North American computers, according to ISS' "Top Attacking Regions From October 28, 2002, to December 31, 2002". Perhaps it's the high U.S. per-capita connectivity rate or the number of unpatched and unmaintained systems on campus and broadband networks that are used as relay points by attackers trying to cover their tracks. The truth is there's no way to tell if the attacker is sitting at the keyboard of the attacking computer or if he or she is hopping through multiple systems.

You could try to track the attacker by starting at the system that's directly attacking you, asking the person who administers that system to track the attack to the next hop, contact that administrator, get him or her to track the connection to the next hop, and so on. Of course, you will have to deal with multiple languages, convince others to help you, hope they have the technical experience to ferret out the next hop, and so on. Unless you're planning to prosecute the attacker and are willing to call in the feds, this is a fruitless pursuit.
