[ISN] Low-flying hackers pose growing threat

From: mea culpa <jericho_at_dimensional.com>
Date: Wed 14 Oct 1998 - 02:07:40 CDT
http://www.zdnet.com/pcweek/stories/printme/0,4235,360254,00.html

Low-flying hackers pose growing threat
By Jim Kerstetter

A new type of network hacking is confounding administrators by slipping
under the radar of traditional firewalls. 

Low-bandwidth, or group, hacking involves numerous hackers working
together from different locations. Together, they intermittently send sets
of IP packets against a network to test for vulnerabilities. 

Because the packets come from different hosts and at varying intervals,
they come in, in effect, "under the radar" of most intrusion-detection
applications currently on the market. 

This type of attack has been rumored about for several years, but it
wasn't until last month that it was documented by the Shadow project at
the U.S. Navy's Naval Surface Warfare Center. Now other users are
surfacing with their own hacking stories. 

"We're still not sure," said an administrator at a Midwestern bank. "Our
logs seemed to indicate that someone had been poking at us over a couple
of weeks. I don't think they got in, but if they had found any
[vulnerabilities], I don't think we would have known about it." 

But vendors such as Network Associates Inc. and Internet Security Systems
Inc., as well as freeware makers, aren't waiting for the horror stories to
increase. Each is planning to have software available by the end of the
year that can respond to the problem. The two companies will be
demonstrating their respective solutions at NetWorld+Interop in Atlanta
next week. 

With these new low-bandwidth attacks, hackers have found a way to make the
most obvious part of their attacks--probing for vulnerabilities--virtually
undetectable. That frees them up to do the real damage by racing through
those holes to capture data before they can be shut down. 

"Most intrusion detection systems are set up to look for activity from a
single host," said Al Huger, director of vulnerability research at Network
Associates' research laboratory, in Santa Clara, Calif. "They are not
designed for this sort of attack." 

Security experts say low-bandwidth attacks take advantage of another
weakness. If intrusion detection software is tuned so that a per-host
threshold catches the few packets each source sends in such an attack,
then normal IP traffic will set off false alarms. So in order to detect a
low-bandwidth attack, intrusion detection software has to correlate
events across many sources and over long periods, with pattern
recognition (or, in some vendors' descriptions, neural network)
technologies, rather than count packets from a single host. 

ISS officials in Atlanta said the agent technology due in RealSecure 3.0
will be able to deal with low-bandwidth attacks. RealSecure 3.0, shipping
in the late fall for $8,995, includes attack detection agents that run on
individual computers. 

One of the attack patterns the agents look for is an attempt to connect to
a nonexistent service. When an attacker checks the server for something
that isn't there, such as an FTP connection to a host that runs no FTP
server, the agents record the attempt and match it to the attack pattern,
even if the probing is conducted slowly and from different locations. 
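
The two rules the article contrasts, a single-host threshold and a target-centric count of attempts to nonexistent services, written out as an added example (this is illustrative code, not the RealSecure, Shadow or Network Associates implementation). The connection log is constructed here: twenty cooperating hosts each probe two closed ports on one target, hours apart, over two weeks, underneath ordinary web traffic. The per-source rule never fires; the per-target rule does, and a lone stale client hitting one closed port on a second host does not trip it. The thresholds, address ranges and port numbers are assumptions chosen for the example.

```python
"""Low-and-slow, multi-sourced port scan: per-source vs per-target detection.
Added example with a constructed connection log; not code from the article
or from any product it names."""
from collections import defaultdict
from datetime import datetime, timedelta

TARGET = "10.0.0.5"          # assumed scanned host
OTHER = "10.0.0.6"           # assumed host that sees only a stray connection
OPEN_PORTS = {80, 443}       # services actually listening on TARGET
T0 = datetime(1998, 10, 1)   # start of the constructed two-week log


def build_log():
    """Constructed log of (timestamp, src, dst, dst_port, accepted).
    accepted=False means nothing listened on that port: an attempt to
    reach a nonexistent service (RST from the host or firewall reject)."""
    log = []
    # Background: two legitimate clients hit the web ports every hour.
    for hour in range(14 * 24):
        ts = T0 + timedelta(hours=hour)
        log.append((ts, "192.0.2.10", TARGET, 80, True))
        log.append((ts + timedelta(minutes=7), "192.0.2.11", TARGET, 443, True))
    # One misconfigured client tries a closed port on another host, once.
    log.append((T0 + timedelta(days=3), "192.0.2.12", OTHER, 8080, False))
    # Coordinated scan: 20 hosts, 2 ports each (ports 1..40), one probe
    # roughly every 8 hours, so no single source ever looks busy.
    for i in range(20):
        src = f"203.0.113.{i + 1}"
        for j in range(2):
            port = 1 + i * 2 + j
            ts = T0 + timedelta(hours=8 * (i * 2 + j) + 3)
            log.append((ts, src, TARGET, port, port in OPEN_PORTS))
    return sorted(log)


def per_source_alerts(log, ports=10, window=timedelta(seconds=60)):
    """Classic single-host rule: flag a source that touches at least
    `ports` distinct destination ports within `window`."""
    by_src = defaultdict(list)
    for ts, src, _dst, port, _ in log:
        by_src[src].append((ts, port))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        for i, (ts, _) in enumerate(events):
            seen = {p for t, p in events[i:] if t - ts <= window}
            if len(seen) >= ports:
                flagged.add(src)
                break
    return flagged


def per_target_alerts(log, min_closed_ports=8, min_sources=3,
                      window=timedelta(days=14)):
    """Target-centric rule: for each destination, count rejected attempts
    across all sources over a long window.  Many distinct closed ports
    from many distinct sources is a scan, however slowly it was run."""
    by_dst = defaultdict(list)
    for ts, src, dst, port, accepted in log:
        if not accepted:
            by_dst[dst].append((ts, src, port))
    alerts = {}
    for dst, events in by_dst.items():
        events.sort()
        for i, (ts, _, _) in enumerate(events):
            in_win = [(s, p) for t, s, p in events[i:] if t - ts <= window]
            ports_hit = {p for _, p in in_win}
            sources = {s for s, _ in in_win}
            if len(ports_hit) >= min_closed_ports and len(sources) >= min_sources:
                alerts[dst] = {"closed_ports": len(ports_hit),
                               "sources": len(sources), "first_seen": ts}
                break
    return alerts


if __name__ == "__main__":
    log = build_log()
    print("per-source rule flagged:", per_source_alerts(log) or "nothing")
    print("per-target rule flagged:", per_target_alerts(log))
```

The per-target rule keys on rejected connections rather than raw packet counts, which is what keeps the false-alarm rate down: legitimate clients connect to ports that exist, so they add nothing to the count no matter how chatty they are, while the one stray connection to port 8080 on the second host never reaches the distinct-port and distinct-source minimums. Lowering the per-source rule's threshold enough to catch two probes eight hours apart would, by contrast, flag ordinary users.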

Network Associates officials, in turn, said the company's Active Firewall
technology, due in January, will be able to do such tracking and logging
and pinpoint low-bandwidth attacks before they're completed. 

The company will ship Event Orchestrator, which integrates with the
Gauntlet firewall and the rest of the company's security suite, including
intrusion detection software. Event Orchestrator will be able to analyze
seemingly disparate data and determine if there is a pattern, according to
company officials. 

There is also freeware in development from the Navy's Shadow research
project. And several developers are rumored to be coming up with a
solution based on commercial firewall inventor Marcus Ranum's free
Network Flight Recorder code. 

Several security experts who have looked at the Navy tool kit have one
concern: performance. Navy developers traded performance for the ability
to catch low-bandwidth attacks: rather than first aggregating data and
then looking for patterns, the tool examines the data as it comes in,
looking for potential aggression. 

Until such products are on the market, network administrators can do one
thing: make sure internal IP addresses are hidden behind the firewall, so
that outside hosts cannot reach or enumerate them directly. If they
don't, they're inviting a low-bandwidth attack. 

"This allows hackers to find out everything about your network," said
Network Associates' Huger, "without knocking on the front door." 

Low-bandwidth attacks: Three scenarios

   * Slow scans for machines and services: Attacker intermittently checks
     for machines and services to develop a picture of the target network.
     Once vulnerabilities are mapped, attacker can go back through that
     hole.
   * Multisourced attack: Attacker tries to access a server, or to crash
     it (a denial of service), from multiple points of origin.
   * Multisourced attacks to multiple targets: Attacker dilutes the
     so-called attack density, so that the probes look like normal traffic
     converging on the same data.

-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Wed Oct 14 08:19:38 1998