[ISN] Low-flying hackers pose growing threat

From: mea culpa (jerichot_private)
Date: Wed Oct 14 1998 - 00:07:40 PDT


    http://www.zdnet.com/pcweek/stories/printme/0,4235,360254,00.html
    
    Low-flying hackers pose growing threat
    By Jim Kerstetter
    
    A new type of network hacking is confounding administrators by slipping
    under the radar of traditional firewalls. 
    
    Low-bandwidth, or group, hacking involves numerous hackers working
    together from different locations. Together, they intermittently send sets
    of IP packets against a network to test for vulnerabilities. 
    
    Because the packets come from different hosts and at varying intervals,
    no single source ever crosses the per-host thresholds that most
    intrusion-detection applications currently on the market rely on; the
    probes slip, in effect, "under the radar." 
    
    This type of attack has been rumored for several years, but it wasn't
    until last month that it was documented by the Shadow project of the U.S.
    Department of the Navy's Surface Warfare Center. Now other users are
    surfacing with their own hacking stories. 
    
    "We're still not sure," said an administrator at a Midwestern bank. "Our
    logs seemed to indicate that someone had been poking at us over a couple
    of weeks. I don't think they got in, but if they had found any
    [vulnerabilities], I don't think we would have known about it." 
    
    But vendors such as Network Associates Inc. and Internet Security Systems
    Inc., as well as freeware makers, aren't waiting for the horror stories to
    increase. Each is planning to have software available by the end of the
    year that can respond to the problem. The two companies will be
    demonstrating their respective solutions at NetWorld+Interop in Atlanta
    next week. 
    
    With these new low-bandwidth attacks, hackers have found a way to make the
    most obvious part of their attacks--probing for vulnerabilities--virtually
    undetectable. That frees them up to do the real damage by racing through
    those holes to capture data before they can be shut down. 
    
    "Most intrusion detection systems are set up to look for activity from a
    single host," said Al Huger, director of vulnerability research at Network
    Associates' research laboratory, in Santa Clara, Calif. "They are not
    designed for this sort of attack." 
    
    Security experts say low-bandwidth attacks take advantage of a second
    weakness. Each probe, taken by itself, looks like an ordinary connection
    attempt; if intrusion detection software is tuned sensitively enough to
    alarm on individual packets of that kind, normal IP traffic sets off
    false alarms. Detecting a low-bandwidth attack therefore means
    correlating events across sources and over time, which is why, the
    experts say, intrusion detection software has to have pattern
    recognition or neural network technologies. 
    
    ISS officials in Atlanta said the agent technology due in RealSecure 3.0
    will be able to deal with low-bandwidth attacks. RealSecure 3.0, shipping
    in the late fall for $8,995, includes attack detection agents that run on
    individual computers. 
    
    One of the attack patterns the agents look for is an attempt to connect to
    a nonexistent service. When an attacker checks the server for something
    that isn't there, such as an FTP connection, the agents detect the attack
    pattern, even if it is conducted slowly and from different locations. 
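    The per-host weakness Huger describes and the "connection to a
    nonexistent service" pattern above can be made concrete with a small
    detector run over a constructed connection log. This is an added example,
    not code from the article or from any product it names; the log format,
    the addresses (RFC 5737 documentation ranges) and the thresholds are
    assumptions chosen for illustration. Seven cooperating hosts each probe
    two ports of one target over two weeks while one legitimate client uses
    the web server. A per-source threshold detector either misses the scan
    or, when tuned low enough to catch it, also flags the legitimate client;
    aggregating failed connections by target across all sources and a long
    window exposes the coordinated probe.

```python
"""Added example: per-source port-scan thresholds versus target-centric
aggregation of failed connections.  Log format and data are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FIVE_MINUTES = timedelta(minutes=5)
TWO_DAYS = timedelta(days=2)
THIRTY_DAYS = timedelta(days=30)

# Constructed connection log (not from the article).  Seven cooperating hosts
# each probe two ports of 192.0.2.10 over two weeks; 198.51.100.150 is a
# legitimate client of the web server.  "closed" means no service answered.
SAMPLE_LOG = """\
1998-09-28T01:12:07 src=203.0.113.11 dst=192.0.2.10 dport=21 closed
1998-09-28T23:40:51 src=203.0.113.11 dst=192.0.2.10 dport=23 closed
1998-09-30T04:02:19 src=198.51.100.7 dst=192.0.2.10 dport=25 closed
1998-10-01T17:55:03 src=198.51.100.7 dst=192.0.2.10 dport=53 closed
1998-10-03T02:31:44 src=203.0.113.42 dst=192.0.2.10 dport=79 closed
1998-10-03T22:09:10 src=203.0.113.42 dst=192.0.2.10 dport=110 closed
1998-10-05T06:14:28 src=198.51.100.90 dst=192.0.2.10 dport=111 closed
1998-10-06T11:47:36 src=198.51.100.90 dst=192.0.2.10 dport=139 closed
1998-10-07T03:20:59 src=203.0.113.200 dst=192.0.2.10 dport=143 closed
1998-10-08T19:33:12 src=203.0.113.200 dst=192.0.2.10 dport=512 closed
1998-10-09T00:58:41 src=198.51.100.33 dst=192.0.2.10 dport=513 closed
1998-10-10T13:26:05 src=198.51.100.33 dst=192.0.2.10 dport=514 closed
1998-10-11T05:44:17 src=203.0.113.77 dst=192.0.2.10 dport=2049 closed
1998-10-11T21:18:50 src=203.0.113.77 dst=192.0.2.10 dport=6000 closed
1998-10-12T08:07:23 src=198.51.100.150 dst=192.0.2.10 dport=80 open
1998-10-12T08:07:24 src=198.51.100.150 dst=192.0.2.10 dport=443 open
"""

def parse_log(text):
    """Parse the constructed log into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        ts, src, dst, dport, state = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "src": src.split("=", 1)[1],
            "dst": dst.split("=", 1)[1],
            "dport": int(dport.split("=", 1)[1]),
            "closed": state == "closed",
        })
    return sorted(events, key=lambda e: e["ts"])

def per_source_scan_alerts(events, threshold, window=FIVE_MINUTES):
    """Classic single-host detector: alert on a (src, dst) pair when that one
    source touches at least `threshold` distinct ports within `window`.
    Returns the set of alerting (src, dst) pairs."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e)
    alerts = set()
    for pair, evs in by_pair.items():
        start = 0
        for end in range(len(evs)):            # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            if len({x["dport"] for x in evs[start:end + 1]}) >= threshold:
                alerts.add(pair)
                break
    return alerts

def target_centric_alerts(events, min_closed_ports, window=THIRTY_DAYS):
    """Aggregate by target instead: count distinct ports on one destination
    that were probed but had no listening service, over a long window and
    regardless of which host sent each probe.  Returns {dst: summary}."""
    by_dst = defaultdict(list)
    for e in events:
        if e["closed"]:                        # open services do not count
            by_dst[e["dst"]].append(e)
    alerts = {}
    for dst, evs in by_dst.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            seen = evs[start:end + 1]
            ports = {x["dport"] for x in seen}
            if len(ports) >= min_closed_ports and (
                    best is None or len(ports) > best["ports"]):
                best = {"ports": len(ports),
                        "sources": len({x["src"] for x in seen}),
                        "first": seen[0]["ts"].isoformat(),
                        "last": seen[-1]["ts"].isoformat()}
        if best:
            alerts[dst] = best
    return alerts

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source, 5 ports / 5 min :", per_source_scan_alerts(evs, 5))
    print("per-source, 2 ports / 5 min :", per_source_scan_alerts(evs, 2))
    print("per-source, 2 ports / 2 days:", per_source_scan_alerts(evs, 2, TWO_DAYS))
    print("per-target, 10 closed / 30 d:", target_centric_alerts(evs, 10))
```

    Run directly, the first call reports nothing, the second flags only the
    legitimate HTTP/HTTPS client, and the third (threshold lowered and window
    widened until the scanners show) flags the client alongside all seven
    scanning hosts. Only the target-centric pass reports the single fact that
    matters: fourteen closed ports on one host probed from seven sources
    over two weeks.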
    
    Network Associates officials, in turn, said the company's Active Firewall
    technology, due in January, will be able to do such tracking and logging
    and pinpoint low-bandwidth attacks before they're completed. 
    
    The company will ship Event Orchestrator, which integrates with the
    Gauntlet firewall and the rest of the company's security suite, including
    intrusion detection software. Event Orchestrator will be able to analyze
    seemingly disparate data and determine if there is a pattern, according to
    company officials. 
    
    There is also freeware in development from the Navy's Shadow research
    project. And several developers are rumored to be coming up with a
    solution based on commercial firewall inventor Marcus Ranum's free
    Network Flight Recorder code. 
    
    Several security experts who have looked at the Navy tool kit have one
    concern: performance. Navy developers decided to trade off performance for
    the sake of catching the low-bandwidth attacks. The tool kit does not
    necessarily aggregate data and then look for patterns; it examines the
    data as it comes in, looking for signs of hostile probing. 
    
    Until such products are on the market, network administrators can do one
    thing: make sure internal IP addresses are hidden behind the firewall, so
    that outside probes cannot reach or enumerate internal hosts directly. If
    they don't, they're inviting a low-bandwidth attack. 
    
    "This allows hackers to find out everything about your network," said
    Network Associates' Huger, "without knocking on the front door." 
    
    Low-bandwidth attacks: Three scenarios
    
       * Slow scans for machines and services: The attacker intermittently
         checks for machines and services to build a picture of the target
         network. Once vulnerabilities are mapped, the attacker can go back
         through those holes.
       * Multisourced attack: The attacker tries to access a server, or to
         crash it (a denial of service), from multiple points of origin.
       * Multisourced attacks on multiple targets: The attacker dilutes the
         so-called attack density so that the traffic looks like normal
         traffic converging on the same data.
    
    -o-
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:07:32 PDT