Network Attack Trend Analysis

Craig H. Rowland (crowland@WHEELGROUP.COM)
Wed, 19 Nov 1997 17:20:10 -0600

A report just released by Wheelgroup and NetSolve that tracked
network attack trends over a five month period.

-- Craig

-- Begin Report --

ProWatch Secure Network Security Survey (May-September 1997)

This report is the first of its kind because it focuses on actual network
security events, as detected by the NetRanger intrusion detection system
and the ProWatch Secure monitoring service. Other studies, although
valuable in their own right, concentrate on the results of written
surveys from organizations asked to provide security event information
from their corporate network. Because most organizations have little to
no visibility inside their network's electronic datastream, answers to
these surveys often deal with assumptions of what is believed to occur
within the network instead of what actually occurs. Because NetRanger is
designed to provide visibility into the network datastream, perform
detailed security analyses, and report results to a centralized network
operations center (in this case operated by NetSolve as part of the
ProWatch Secure monitoring service), the system is well-suited to provide
both granular and big picture perspectives throughout a geographically
distributed electronic environment.

About the Study:

The following perceptions are the result of an analysis of 556,464
security alarms from May to September 1997 taken from across the NetSolve
ProWatch Secure customer base. The information has been sanitized for
public dissemination because of standard ProWatch Secure/client
non-disclosure arrangements. Thorough trend analysis of the data is not
attempted because of the short length of the study. Such information
will, however, be included in future reports from NetSolve and
WheelGroup.

ProWatch Secure is a network security monitoring service provided by
NetSolve using WheelGroup's NetRanger intrusion detection system. The
security alarms are generated by NetRanger Sensors, which have been
installed at customers' critical network chokepoints, that is, chokepoints
from the perspective of information entering and leaving a customer's
corporate network. These Sensors implement and maintain the security policy
desired by the customer. If the security policy is violated, the Sensor
sends an alarm to the NetRanger Director, a computer workstation, located
at NetSolve's facility in Austin, Texas. There, security professionals
maintain a 24-hour, 7-day a week vigil to ensure the customer's network
remains secure.

Although the Sensors and Director provide visibility, initial analysis,
and response to the activity on the network, more detailed analysis must
occur to determine what is really happening on the network. There are
some events, such as "Syn flooding," "pings of death," "cgi-bin web
exploitation," and "sendmail exploitation" that are obviously blatant
attacks. [Ed note: See Appendix A for more details.] There is no good
reason why someone, whether friendly or hostile, would perform these
kinds of activities on the network unless they wanted to get unauthorized
access to a particular network or system. These are identified below as
Serious Confirmed Attacks. There are other events such as "port sweeps,"
"ping sweeps" and "high zone transfers" that may or may not be malicious
in nature. The person sitting at the Director must take into account
where the activity is originating, what time of day it is, the intensity
and extent with which the event is occurring, and so forth. The results
of this analysis are presented below. Although NetRanger can detect the
event as it is occurring, it cannot determine the motive or intent of the
system/person initiating the activity. The results presented here are
the events that occurred and our perceptions of what they mean. However,
feel free to draw your own conclusions.
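The two-tier analysis described above, as an added example that is not NetRanger or ProWatch Secure code: blatant signatures are escalated unconditionally, while ambiguous probes are scored on the four factors the report names (origin, time of day, intensity, extent). The signature names, address ranges, thresholds and weights are assumptions, and the alarm stream is constructed.

```python
"""Two-tier alarm triage modelled on the report's analyst process.

Added example (not NetRanger or ProWatch Secure code). Tier 1: signatures the
report calls "Serious Confirmed Attacks" are escalated unconditionally.
Tier 2: ambiguous probes are scored on origin, time of day, intensity and
extent. Signature names, address ranges, thresholds, weights and sample
addresses are all assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import NamedTuple


class Alarm(NamedTuple):
    ts: datetime
    signature: str
    src: str
    dst: str


# No legitimate reason for this traffic (report, "Serious Confirmed Attacks").
CONFIRMED_SERIOUS = {"syn flood", "ping of death", "cgi-bin", "sendmail wiz", "imap"}
# May or may not be hostile: needs context before escalation.
CONTEXT_DEPENDENT = {"tcp port sweep", "udp port sweep", "ping sweep",
                     "dns high zone transfer", "e-mail recon"}

# Assumed monitored address space and business-partner ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
PARTNER_NETS = [ip_network("198.51.100.0/24")]


def _in_any(ip, nets):
    addr = ip_address(ip)
    return any(addr in n for n in nets)


def off_hours(ts):
    """Night or weekend; business day assumed to be 07:00-19:00 local time."""
    return ts.weekday() >= 5 or ts.hour < 7 or ts.hour >= 19


def score_probe(group):
    """Score one (source, signature) group of ambiguous alarms -> (score, reasons)."""
    src = group[0].src
    score, reasons = 0, []
    if not _in_any(src, INTERNAL_NETS) and not _in_any(src, PARTNER_NETS):
        score += 2; reasons.append("external, non-partner origin")
    if all(off_hours(a.ts) for a in group):
        score += 1; reasons.append("off-hours")
    targets = {a.dst for a in group}
    if len(targets) >= 5:                       # extent: how many hosts touched
        score += 2; reasons.append(f"extent: {len(targets)} targets")
    span = max(a.ts for a in group) - min(a.ts for a in group)
    minutes = max(span / timedelta(minutes=1), 1.0)
    rate = len(group) / minutes                 # intensity: alarms per minute
    if rate >= 1.0:
        score += 2; reasons.append(f"intensity: {rate:.1f} alarms/min")
    return score, reasons


def triage(alarms):
    """Return (signature, src, verdict, score) per confirmed alarm or probe group."""
    findings, groups = [], defaultdict(list)
    for a in alarms:
        if a.signature in CONFIRMED_SERIOUS:
            findings.append((a.signature, a.src, "serious", 10))
        elif a.signature in CONTEXT_DEPENDENT:
            groups[(a.src, a.signature)].append(a)
        else:
            findings.append((a.signature, a.src, "unclassified", 0))
    for (src, sig), grp in groups.items():
        score, _ = score_probe(grp)
        verdict = ("probe: likely hostile" if score >= 4 else
                   "probe: review" if score >= 2 else "probe: likely benign")
        findings.append((sig, src, verdict, score))
    return findings


def sample_alarms():
    """Constructed stream: one blatant attack, one hostile-looking sweep, one benign sweep."""
    night = datetime(1997, 8, 12, 2, 0)   # a Tuesday, 02:00
    alarms = [Alarm(datetime(1997, 8, 12, 14, 5), "cgi-bin", "203.0.113.9", "192.0.2.80")]
    for i in range(30):                    # external ping sweep: 30 alarms, 8 hosts, 10 min
        alarms.append(Alarm(night + timedelta(seconds=20 * i), "ping sweep",
                            "203.0.113.7", f"192.0.2.{i % 8 + 1}"))
    day = datetime(1997, 8, 12, 10, 0)
    for i in range(3):                     # internal admin scanning one host at 10:00
        alarms.append(Alarm(day + timedelta(minutes=5 * i), "tcp port sweep",
                            "10.1.2.3", "10.1.2.50"))
    return alarms


if __name__ == "__main__":
    for f in triage(sample_alarms()):
        print(f)
```

The weights are deliberately simple; the point is that the same "ping sweep" signature lands at opposite ends of the scale depending on who sent it, when, how fast and how widely, which is exactly the judgement the report says the person at the Director has to make.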

Perceptions:

Frequency of Attacks:
Serious attacks occur 0.5 to 5.0 times per month per customer.
E-commerce sites fall at the upper end of the range.

Confirmed Serious Attacks (i.e. attempts at unauthorized access) from
external sources against a corporate network ranged from 0.5 to 5.0
instances per month; heavy probing, which is often the precursor to
attacks, was not included in this figure. Corporations with e-commerce
applications, such as permitting customers to order products via the
Internet, fell on the high end of the range. All ProWatch Secure
customers experienced at least one serious attack and heavy probing on a
monthly or near-monthly basis.

Attack Du Jour:

Recent large increases in attacks exploiting the IMAP vulnerability
appear to be tied to Usenet discussion groups and associated development
of automatic tools that exploit the vulnerability.

Majority of attacks are coming from unsophisticated hackers.

There are a sufficient number of attacks to achieve trend status.

ICMP Storm aka Smurf attack is resurfacing.

Details of the Internet Message Access Protocol (IMAP) vulnerability were
originally published by the Carnegie Mellon CERT team in April 97. [IMAP
is used to permit manipulation of remote mail folders. Some versions
of this protocol have an inherent vulnerability that, when exploited,
permits users to gain unauthorized root access on some systems.]
ProWatch Secure detected no usage of this attack in May and minimal usage
in June. In July, August, and September, however, usage skyrocketed to
285 detected attempts distributed throughout the PWS monitored network.
This timeframe closely parallels the wide distribution of hacking
software that exploits the IMAP vulnerability, via simple UNIX scripts,
on security and hacking mailing lists and user groups on the Internet in
late June 97. Because the large increase in attacks against this
vulnerability occurred after the distribution of the automated tools, as
opposed to after the earlier CERT announcement, it can be assumed that
most attacks originated from sources with malicious intent but without
the requisite knowledge or initiative to exploit the vulnerability
themselves. In essence, automated tools that enable "copy-cat" attacks
are increasing the total number of hackers, so specialized hacking
expertise/education/experience is no longer a precursor to hacking
activity. These less sophisticated hackers, called "Script Kiddies" in
computer slang, are easier to detect and eradicate than educated ones
because of their standardized behavior and because they lack the
experience to know when to abort a hacking attempt, often making repeated
attempts at re-entry. However, this category of hackers is also more
prone to destructive acts if they are caught on a system.

Organizations that promptly reacted to CERT team warnings would be
protected from the IMAP attempts, but procrastination when installing the
appropriate patches or taking the necessary precautions would put the
network at risk. Although ramifications may not be severe immediately,
if the attack develops a "trendy" status for any particular reason
(discussion on user groups, presentations at hacker conferences, or even
publicity about the potential for damage), an organization will be
affected immediately. All but one ProWatch Secure site had this attack
attempted. With visibility into the datastream, attack trends can be
easily countered, thereby protecting a network from a surge of potential
attacks.

Similarly, ICMP Storm is a relatively old denial of service attack that
has recently gained a resurgence of popularity after it was integrated
into an exploitation program called "Smurf." By spoofing an origination
address and leveraging a standard "ping" network protocol, the ICMP storm
can, in essence, turn the target network in upon itself, thereby
generating an enormous amount of network activity and eating bandwidth
for legitimate network operations. Since the Smurf program was
circulated among hacker discussion groups in late Summer, ProWatch Secure
has detected 30 instances of ICMP storms, compared to 0 incidents from
April through July.

Origin of Attacks:
Source of attacks included:

* U.S. Government
* Major Financial Institution
* Business Partners
* Universities
* Renowned Security Expert

48% of attacks originate from ISPs as opposed to independently registered
addresses.

The sources of attacks and heavy probes ranged from a US government
department, a major financial institution, and business partners of the
targeted company to a number of universities worldwide. ProWatch
Secure also detected a well-known information security expert, who, after
initially denying involvement, admitted he was attempting to map out the
entire Internet. Although he was well into his study, he claimed only
three organizations to date had detected his automated network probing.
By far, the largest number of attacks (48 percent of the total) came from
addresses belonging to Internet service providers. Such a statistic
indicates most attacks originate from residential or small business
locations instead of established businesses with their own registered
network addresses.

Web commerce attacks:

100% of detected web attacks were targeted against e-commerce sites.
72% of web attacks originated from sites outside the U.S.

CGI-bin attacks, which focus on web servers and attempt to extract or
modify information on the server, were most prevalent on e-commerce sites
- 100% of the detected attempts were focused on web sites with business
functionality. Approximately 72% of the CGI-bin attacks were launched
against US web sites from foreign IP addresses, including locations in
France, Sweden, Finland, Spain, and Barbados. This statistic is not only
indicative of the global nature of the Internet, but also certainly
incorporates an unknown number of U.S. hackers using innocent foreign
systems to implement proxy hacking attacks. U.S.-based hackers use this
method to conceal their location and to avoid or complicate jurisdiction
under U.S. law.

Foreign attacks:

39% of all attacks detected originated outside the U.S.

Of all the serious attacks throughout the network, 39% originated from
outside the U.S. [Because of the nature of the IP protocol, NetRanger is
able to determine the origination of the last segment or "hop" of the
connection, which may or may not be the actual origination point. If a
Swedish hacker broke into a French system and from there attempted to
hack into a US system, the attack is registered as coming from France
instead of Sweden. The assistance of the respective French network
administrator would be required to assist further tracking.]

Event Resolution:

The primary purpose of ProWatch Secure is to protect the customer's
network. Of 556,464 security events, none resulted in compromise of
customer systems. But beyond basic security monitoring, several
customers task NetSolve with resolving security events. This process
begins with determining who owns the offending system. Once determined,
a telephone call is made to the owning system administrator. Response
can vary because the administrator of the system may be the "attacker".
However, in most cases, administrators have been very cooperative with
ProWatch Secure staff in assisting with the tracking of hackers, mostly
because they are often victims of the same hacker. During this survey
period, several system administrators admitted that their systems had
been compromised and were being used as a launch point against the
ProWatch customer. Some network administrators are not so
cooperative: when asked for assistance in determining the source of an
attack coming from a university in the southern United States, the
network administrator brushed off the request stating, "A hacker? That's
just the price of doing business on the Internet, son." (Ed. Note:
WheelGroup and NetSolve strongly believe otherwise.)

Conclusion:

It is hard to argue with the facts. There is a lot of suspicious
activity occurring on the network every minute of every day, in fact at a
much higher rate than most people understand. The NetRanger system and
ProWatch Secure monitoring service have begun to provide visibility into
the datastream and insight into the activity that is occurring. Although
it may be impossible to determine the intent of this activity, there is
no doubt, based on the level and type of activity, that the threat is
very real.

This is the first survey of its type. As more data is collected and more
sites are added to the program, more in-depth trend analysis will be
performed.

Appendix A:

Attack: Description

cgi-bin: The common gateway interface or "cgi" is an interface that
allows a user to remotely execute programs on a web server. A flaw in the
cgi code can allow a user to extract or modify information on the server.
The alarms registered at NetSolve have been attempts to extract password
files from the server.

ping of death: "Ping" is a command that can be sent across a network to
determine if another computer is active. The target computer will respond
with "I am alive". The ping command can be (mis)configured by the user
to send an unusually large "packet" of information to the target
computer. This unexpectedly large packet of information will cause some
computer systems to crash.

tcp port sweep: Computers establish communications across networks with
"ports". Each port on a computer can offer a known service such as
e-mail, web, file transfer, and so forth. Users will often conduct a
probe or sweep of ports on a target computer to determine what services
are available. This probe is often used in the reconnaissance portion of
an attack or potential attack because it reveals vulnerable services.

old wiz mail attack: Sendmail is a common e-mail program found on many
machines. Old versions of Sendmail contained a hidden command that
allowed remote users to gain unauthorized access on the local host.

ping sweep: Similar to a port sweep, a ping sweep will identify all
the computer hosts that are active on the network. Like the TCP port
sweep, this probe is often used in the reconnaissance portion of an
attack. Probes are very valuable for the internal use of system
administrators; however, when attempted by an unauthorized user, they are
an indication of potentially hostile activity.

Syn Attack: Computers must ensure that data is transferred reliably
across a network. They do this by "synchronizing" and "acknowledging"
that data and commands have been successfully transferred. In the Syn
attack (also known as Syn flooding), the attacking computer continually
sends synchronization packets to the target computer without any
acknowledgment. The victim system keeps trying to respond but is
unsuccessful. In addition, it cannot communicate with other systems.
This is an example of a denial of service attack.

IP Spoofing: Internet Protocol (IP) spoofing occurs when one computer
attempts to imitate another on the network. The victim computer will
communicate with the imposter, possibly exposing valuable data.

TCP/IP Hijacking: Computers on the Internet communicate via
Transmission Control Protocol/Internet Protocol. During TCP/IP
Hijacking, a third computer attempts to break into an existing
communication session between two legitimate users. The victim system
will begin communications with the imposter and the other will be
disconnected.

e-mail recon: Any user can issue a verify command to e-mail servers.
This command verifies the validity of e-mail addresses, thereby allowing
attackers to discover possible login IDs.

udp port sweep: This type of reconnaissance activity is similar to the
TCP port sweep, but gives additional port and potential vulnerability
information about the target computer system.

DNS high zone transfer: The Domain Name Service provides computer
addresses on the network so computers can find each other's addresses and
communicate. A DNS High Zone Transfer is a probe in which a DNS server
is queried for all hostnames associated with specific IP addresses. This
is similar to a ping sweep in that it provides the attacker with a map of
the network.

imap vulnerability: The Internet Message Access Protocol (or "imap")
is another protocol used to manage e-mail. Mail servers running certain
versions of imap have a flaw that allows a remote user to gain
unauthorized access.
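The sweep and flood events in Appendix A, together with the ICMP Storm (Smurf) pattern described in the "Attack Du Jour" section, can be recognised from simple per-source and per-destination counts. The following detectors are an added example, not NetRanger code; the packet-summary format, the thresholds and every address are assumptions, and the traffic sample is constructed.

```python
"""Sweep and flood detectors for the reconnaissance and denial-of-service
events described in Appendix A. Added example, not NetRanger code; the
summary format, thresholds and all addresses are assumptions/constructed."""
from collections import defaultdict
from typing import NamedTuple


class Pkt(NamedTuple):
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int   # 0 for icmp
    flag: str    # tcp: "S" (SYN only) or "A" (ACK set); icmp: "8" echo request, "0" echo reply


PORT_SWEEP_MIN_PORTS = 10      # distinct ports one source tries on one host
PING_SWEEP_MIN_HOSTS = 10      # distinct hosts one source pings
SYN_FLOOD_MIN_HALF_OPEN = 50   # sources that sent SYN but never ACKed, per service
SMURF_MIN_REPLIERS = 20        # distinct hosts sending echo replies to one victim


def detect_port_sweeps(pkts):
    """TCP/UDP port sweep: one source probing many ports on one host."""
    ports = defaultdict(set)
    for p in pkts:
        if p.proto == "udp" or (p.proto == "tcp" and p.flag == "S"):
            ports[(p.src, p.dst, p.proto)].add(p.dport)
    return [(s, d, pr, len(v)) for (s, d, pr), v in ports.items()
            if len(v) >= PORT_SWEEP_MIN_PORTS]


def detect_ping_sweeps(pkts):
    """Ping sweep: one source sending echo requests to many hosts."""
    hosts = defaultdict(set)
    for p in pkts:
        if p.proto == "icmp" and p.flag == "8":
            hosts[p.src].add(p.dst)
    return [(s, len(v)) for s, v in hosts.items() if len(v) >= PING_SWEEP_MIN_HOSTS]


def detect_syn_floods(pkts):
    """SYN flood: many sources open handshakes to one service and never complete them."""
    syn_src, ack_src = defaultdict(set), defaultdict(set)
    for p in pkts:
        if p.proto != "tcp":
            continue
        (syn_src if p.flag == "S" else ack_src)[(p.dst, p.dport)].add(p.src)
    out = []
    for key, srcs in syn_src.items():
        half_open = len(srcs - ack_src[key])   # SYN senders with no follow-up ACK
        if half_open >= SYN_FLOOD_MIN_HALF_OPEN:
            out.append((key[0], key[1], half_open))
    return out


def detect_smurf(pkts):
    """ICMP storm (Smurf): echo replies from many hosts converge on one (spoofed) victim."""
    repliers = defaultdict(set)
    for p in pkts:
        if p.proto == "icmp" and p.flag == "0":
            repliers[p.dst].add(p.src)
    return [(d, len(v)) for d, v in repliers.items() if len(v) >= SMURF_MIN_REPLIERS]


def sample_packets():
    """Constructed traffic: one of each event plus one normal handshake."""
    pkts = [Pkt("tcp", "10.0.0.5", "192.0.2.10", port, "S") for port in range(1, 26)]
    pkts += [Pkt("icmp", "10.0.0.6", f"192.0.2.{i}", 0, "8") for i in range(1, 21)]
    pkts += [Pkt("tcp", f"203.0.113.{i}", "192.0.2.80", 80, "S") for i in range(1, 61)]
    pkts += [Pkt("icmp", f"198.51.100.{i}", "192.0.2.99", 0, "0") for i in range(1, 26)]
    pkts += [Pkt("tcp", "10.0.0.7", "192.0.2.80", 80, "S"),
             Pkt("tcp", "10.0.0.7", "192.0.2.80", 80, "A")]   # legitimate client completes
    return pkts


def run_all(pkts):
    return {"port_sweeps": detect_port_sweeps(pkts),
            "ping_sweeps": detect_ping_sweeps(pkts),
            "syn_floods": detect_syn_floods(pkts),
            "smurf": detect_smurf(pkts)}


if __name__ == "__main__":
    for name, hits in run_all(sample_packets()).items():
        print(name, hits)
```

The detectors work on whole batches; a deployed sensor would apply the same counts over a sliding time window so that a slow scan spread across days is still caught and a busy but legitimate host is not. Note that the Smurf detector watches the victim side (replies converging on one address), which is the only vantage point a sensor at the victim's chokepoint has, since the spoofed requests themselves are sent to the amplifying network.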

-- End report

More information on NetRanger can be obtained from:

http://www.wheelgroup.com

More information on the ProWatch Secure service can be obtained from:

http://www.netsolve.com