A report just released by WheelGroup and NetSolve that tracked network attack trends over a five-month period.

-- Craig

-- Begin Report --

ProWatch Secure Network Security Survey (May-September 1997)

This report is the first of its kind because it focuses on actual network security events, as detected by the NetRanger intrusion detection system and the ProWatch Secure monitoring service. Other studies, although valuable in their own right, concentrate on the results of written surveys from organizations asked to provide security event information from their corporate network. Because most organizations have little to no visibility inside their network's electronic datastream, answers to these surveys often deal with assumptions about what is believed to occur within the network instead of what actually occurs. Because NetRanger is designed to provide visibility into the network datastream, perform detailed security analyses, and report results to a centralized network operations center (in this case operated by NetSolve as part of the ProWatch Secure monitoring service), the system is well suited to provide both granular and big-picture perspectives throughout a geographically distributed electronic environment.

About the Study:

The following perceptions are the result of an analysis of 556,464 security alarms from May to September 1997 taken from across the NetSolve ProWatch Secure customer base. The information has been sanitized for public dissemination because of standard ProWatch Secure/client non-disclosure arrangements. Thorough trend analysis of the data is not attempted because of the short length of the study. Such information will, however, be included in future reports from NetSolve and WheelGroup. ProWatch Secure is a network security monitoring service provided by NetSolve using WheelGroup's NetRanger intrusion detection system.
The security alarms are generated by NetRanger Sensors, which have been installed at customers' critical network chokepoints - chokepoints from the perspective of information entering and leaving a customer's corporate network. These Sensors implement and maintain the security policy desired by the customer. If the security policy is violated, the Sensor sends an alarm to the NetRanger Director, a computer workstation located at NetSolve's facility in Austin, Texas. There, security professionals maintain a 24-hour, 7-day-a-week vigil to ensure the customer's network remains secure.

Although the Sensors and Director provide visibility, initial analysis, and response to the activity on the network, more detailed analysis must occur to determine what is really happening on the network. There are some events, such as "Syn flooding," "pings of death," "cgi-bin web exploitation," and "sendmail exploitation," that are obviously blatant attacks. [Ed note: See Appendix A for more details.] There is no good reason why someone, whether friendly or hostile, would perform these kinds of activities on the network unless they wanted to get unauthorized access to a particular network or system. These are identified below as Serious Confirmed Attacks. There are other events, such as "port sweeps," "ping sweeps," and "high zone transfers," that may or may not be malicious in nature. The person sitting at the Director must take into account where the activity is originating, what time of day it is, the intensity and extent with which the event is occurring, and so forth. The results of this analysis are presented below.

Although NetRanger can detect the event as it is occurring, it cannot determine the motive or intent of the system/person initiating the activity. The results presented here are the events that occurred and our perceptions of what they mean. However, feel free to draw your own conclusions.
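As an added illustration of the triage described above (example code, not WheelGroup's or NetSolve's), the following Python separates constructed NetRanger-style alarm records into confirmed attack incidents, heavy probes and light probes, then computes the per-customer monthly rate the report uses in its next section. The signature names, the heavy-probe cut-off, the customer names and the addresses are all assumptions made for the example.

```python
from collections import defaultdict

# Signatures the report treats as blatant attacks (Appendix A): no benign explanation.
CONFIRMED = {"syn flood", "ping of death", "cgi-bin exploit", "sendmail exploit",
             "imap exploit", "icmp storm"}
# Signatures the report says "may or may not be malicious"; intensity decides.
AMBIGUOUS = {"tcp port sweep", "udp port sweep", "ping sweep",
             "dns high zone transfer", "e-mail recon"}

# Constructed NetRanger-style alarms: (customer, "YYYY-MM-DD HH:MM", source_ip, signature).
ALARMS = [
    ("ecom-a", "1997-07-03 02:14", "198.51.100.9", "imap exploit"),
    ("ecom-a", "1997-07-03 02:15", "198.51.100.9", "imap exploit"),  # script retrying
    ("ecom-a", "1997-07-20 14:02", "203.0.113.4", "cgi-bin exploit"),
    ("ecom-a", "1997-08-11 23:40", "198.51.100.9", "syn flood"),
    ("corp-b", "1997-07-09 10:30", "192.0.2.44", "tcp port sweep"),
    ("corp-b", "1997-07-09 10:31", "192.0.2.44", "tcp port sweep"),
    ("corp-b", "1997-07-09 10:33", "192.0.2.44", "tcp port sweep"),
    ("corp-b", "1997-08-02 03:05", "192.0.2.77", "ping sweep"),  # single sweep, not heavy
    ("corp-b", "1997-09-14 09:12", "192.0.2.77", "ping of death"),
]

def triage(alarms, heavy_threshold=3):
    """Sort raw alarms into confirmed attack incidents, heavy probes and light
    probes, as the Director analyst does before anything is reported.

    An incident is one (customer, day, source, signature) tuple, so a script that
    retries the same exploit all night counts once rather than dozens of times.
    An ambiguous signature is a heavy probe only when one source fires at least
    heavy_threshold alarms against one customer in one day (assumed cut-off)."""
    confirmed, probe_counts = set(), defaultdict(int)
    for customer, ts, src, sig in alarms:
        key = (customer, ts[:10], src, sig)
        if sig in CONFIRMED:
            confirmed.add(key)
        elif sig in AMBIGUOUS:
            probe_counts[key] += 1
    heavy = {k for k, n in probe_counts.items() if n >= heavy_threshold}
    return {"confirmed": confirmed, "heavy_probes": heavy,
            "probes": set(probe_counts) - heavy}

def serious_rate_per_month(alarms, months_observed):
    """Confirmed serious attacks per customer per month. Heavy probing is left
    out on purpose, matching how the report arrives at its 0.5-5.0 figure."""
    per_customer = defaultdict(int)
    for customer, *_ in triage(alarms)["confirmed"]:
        per_customer[customer] += 1
    return {c: n / months_observed for c, n in per_customer.items()}
```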
Perceptions:

Frequency of Attacks:
  Serious attacks occur 0.5 to 5.0 times per month per customer.
  E-commerce sites fall at the upper end of the range.

Confirmed Serious Attacks (i.e. attempts at unauthorized access) from external sources against a corporate network ranged from 0.5 to 5.0 instances per month; heavy probing, which is often the precursor to attacks, was not included in this figure. Corporations with e-commerce applications, such as permitting customers to order products via the Internet, fell on the high end of the range. All ProWatch Secure customers experienced at least one serious attack and heavy probing on a monthly or near-monthly basis.

Attack Du Jour:
  Recent large increases in attacks exploiting the IMAP vulnerability appear to be tied to Usenet discussion groups and the associated development of automatic tools that exploit the vulnerability.
  The majority of attacks are coming from unsophisticated hackers.
  There are a sufficient number of attacks to achieve trend status.
  The ICMP Storm, aka Smurf attack, is resurfacing.

Details of the Internet Message Access Protocol (IMAP) vulnerability were originally published by the Carnegie Mellon CERT team in April 97. [IMAP is used to permit manipulation of remote access folders. Some versions of this protocol have an inherent vulnerability that, when exploited, permits users to gain unauthorized root access on some systems.] ProWatch Secure detected no usage of this attack in May and minimal usage in June. In July, August, and September, however, usage skyrocketed to 285 detected attempts distributed throughout the PWS-monitored network. This timeframe closely parallels the wide distribution of hacking software that exploits the IMAP vulnerability, via simple UNIX scripts, on security and hacking mailing lists and user groups on the Internet in late June 97.

Because the large increase in attacks against this vulnerability occurred after the distribution of the automated tools, as opposed to after the earlier CERT announcement, it can be assumed that most attacks originated from sources with malicious intent but without the requisite knowledge or initiative to exploit the vulnerability themselves. In essence, automated tools that enable "copy-cat" attacks are increasing the total number of hackers, so specialized hacking expertise/education/experience is no longer a precursor to hacking activity. These less sophisticated hackers, called "Script Kiddies" in computer slang, are easier to detect and eradicate than educated ones because of their standardized behavior and because they do not have the experience to know when to abort a hacking attempt, and they often make repeated attempts at re-entry. However, this category of hackers is also more prone to destructive acts if they are caught on a system.

Organizations that promptly reacted to CERT team warnings would be protected from the IMAP attempts, but procrastination in installing the appropriate patches or taking the necessary precautions would put the network at risk. Although the ramifications may not be severe immediately, if the attack develops a "trendy" status for any particular reason - discussion on user groups, presentations at hacker conferences, or even publicity about the potential for damage - an organization will be affected immediately. All but one ProWatch Secure site had this attack attempted. With visibility into the datastream, attack trends can be easily countered, thereby protecting a network from a surge of potential attacks.

Similarly, ICMP Storm is a relatively old denial of service attack that has recently gained a resurgence of popularity after it was integrated into an exploitation program called "Smurf." By spoofing an origination address and leveraging the standard "ping" network protocol, the ICMP storm can, in essence, turn the target network in upon itself, thereby generating an enormous amount of network activity and eating bandwidth needed for legitimate network operations. Since the Smurf program was circulated among hacker discussion groups in late summer, ProWatch Secure has detected 30 instances of ICMP storms, compared to 0 incidents from April through July.

Origin of Attacks:
  Sources of attacks included:
  * U.S. Government
  * Major Financial Institution
  * Business Partners
  * Universities
  * Renowned Security Expert
  48% of attacks originate from ISPs as opposed to independently registered addresses.

The sources of attacks and heavy probes ranged from a US government department, a major financial institution, and business partners of the targeted company to a number of universities worldwide. ProWatch Secure also detected a well-known information security expert who, after initially denying involvement, admitted he was attempting to map out the entire Internet. Although he was well into his study, he claimed only three organizations to date had detected his automated network probing. By far the largest number of attacks (48 percent of the total) came from addresses belonging to Internet service providers. Such a statistic indicates most attacks originate from residential or small business locations instead of established businesses with their own registered network addresses.

Web commerce attacks:
  100% of detected web attacks were targeted against e-commerce sites.
  72% of web attacks originated from sites outside the U.S.

CGI-bin attacks, which focus on web servers and attempt to extract or modify information on the server, were most prevalent on e-commerce sites - 100% of the detected attempts were focused on web sites with business functionality. Approximately 72% of the CGI-bin attacks were launched against US web sites from foreign IP addresses, including locations in France, Sweden, Finland, Spain, and Barbados. This statistic is not only indicative of the global nature of the Internet, but also certainly incorporates an unknown number of U.S. hackers using innocent foreign systems to implement proxy hacking attacks. U.S.-based hackers use this method to conceal their location and to avoid or complicate jurisdiction under U.S. law.

Foreign attacks:
  39% of all attacks detected originated outside the U.S.

Of all the serious attacks throughout the network, 39% originated from outside the U.S. [Because of the nature of the IP protocol, NetRanger is able to determine the origination of only the last segment or "hop" of the connection, which may or may not be the actual origination point. If a Swedish hacker broke into a French system and from there attempted to hack into a US system, the attack is registered as coming from France instead of Sweden. The assistance of the respective French network administrator would be required for further tracking.]

Event Resolution:

The primary purpose of ProWatch Secure is to protect the customer's network. Of 556,464 security events, none resulted in the compromise of customer systems. But beyond basic security monitoring, several customers task NetSolve with resolving security events. This process begins with determining who owns the offending system. Once determined, a telephone call is made to the owning system administrator. Response can vary because the administrator of the system may be the "attacker". However, in most cases administrators have been very cooperative with ProWatch Secure staff in assisting with the tracking of hackers, mostly because they are often victims of the same hacker. During this survey period, several system administrators admitted that their systems had been compromised and were being used as a launch point against the ProWatch customer.
Some network administrators are not so cooperative - when asked for assistance in determining the source of an attack coming from a university in the southern United States, the network administrator brushed off the request, stating, "A hacker? That's just the price of doing business on the Internet, son." (Ed. Note: WheelGroup and NetSolve strongly believe otherwise.)

Conclusion:

It is hard to argue with the facts. There is a lot of suspicious activity occurring on the network every minute of every day - in fact, at a much higher rate than most people understand. The NetRanger system and ProWatch Secure monitoring service have begun to provide visibility into the datastream and insight into the activity that is occurring. Although it may be impossible to determine the intent of this activity, there is no doubt, based on the level and type of activity, that the threat is very real. This is the first survey of its type. As more data is collected and more sites are added to the program, more in-depth trend analysis will be performed.

Appendix A: Attack descriptions

cgi-bin
The common gateway interface, or "cgi", is an interface that allows a user to remotely execute programs on a web server. A flaw in the cgi code can allow a user to extract or modify information on the server. The alarms registered at NetSolve have been attempts to extract password files from the server.

ping of death
"Ping" is a command that can be sent across a network to determine if another computer is active. The target computer will respond with "I am alive". The ping command can be (mis)configured by the user to send an unusually large "packet" of information to the target computer. This unexpectedly large packet of information will cause some computer systems to crash.

tcp port sweep
Computers establish communications across networks with "ports". Each port on a computer can offer a known service such as e-mail, web, file transfer, and so forth. Users will often conduct a probe or sweep of ports on a target computer to determine what services are available. This probe is often used in the reconnaissance portion of an attack or potential attack because it reveals vulnerable services.

old wiz mail attack
Sendmail is a common e-mail program found on many machines. Old versions of Sendmail contained a hidden command that allowed remote users to gain unauthorized access on the local host.

ping sweep
Similar to a port sweep, a ping sweep will identify all the computer hosts that are active on the network. Like the TCP port sweep, this probe is often used in the reconnaissance portion of an attack. Probes are very valuable for the internal use of system administrators; however, when attempted by an unauthorized user, they are an indication of potentially hostile activity.

Syn Attack
Computers must ensure that data is transferred reliably across a network. They do this by "synchronizing" and "acknowledging" that data and commands have been successfully transferred. In the Syn attack (also known as Syn flooding), the attacking computer continually sends synchronization packets to the target computer without any acknowledgment. The victim system keeps trying to respond but is unsuccessful. In addition, it cannot communicate with other systems. This is an example of a denial of service attack.

IP Spoofing
Internet Protocol (IP) spoofing occurs when one computer attempts to imitate another on the network. The victim computer will communicate with the imposter, possibly exposing valuable data.

TCP/IP Hijacking
Computers on the Internet communicate via Transmission Control Protocol/Internet Protocol. During TCP/IP hijacking, a third computer attempts to break into an existing communication session between two legitimate users. The victim system will begin communications with the imposter and the other will be disconnected.

e-mail recon
Any user can issue a verify command to e-mail servers. This command verifies the validity of e-mail addresses, thereby allowing attackers to discover possible login IDs.

udp port sweep
This type of reconnaissance activity is similar to the TCP port sweep, but gives additional port and potential vulnerability information about the target computer system.

DNS high zone transfer
The Domain Name Service provides computer addresses on the network so computers can find each other's addresses and communicate. A DNS high zone transfer is a probe in which a DNS server is queried for all hostnames associated with specific IP addresses. This is similar to a ping sweep in that it provides the attacker with a map of the network.

imap vulnerability
The Internet Message Access Protocol (or "imap") is another protocol used to manage e-mail. Mail servers running certain versions of imap have a flaw that allows a remote user to gain unauthorized access.

-- End report --

More information on NetRanger can be obtained from: http://www.wheelgroup.com
More information on the ProWatch Secure service can be obtained from: http://www.netsolve.com