Activity increases on the Irish Honeynet
1 April 2005
April 2003 saw a continued increase in the number of attacks on the Irish Honeynet, with a total of 876 attacks being launched against it over the course of the month.
The Irish Honeynet, set up by Espion, Deloitte & Touche and Data Electronics, operational since April 2002, is designed to mimic the Internet infrastructures commonly used by organisations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way so any traffic to it from the Internet is suspicious by nature, as it arises from hackers and crackers who are deliberately attempting to identify and attack systems that are vulnerable.
Three port numbers (445, 80 and 1434) were the main targets against which hackers launched their scans and probes. The experience of the Irish Honeynet corresponds to the international experience, such as that tracked by DShield.org (www.dshield.org), although in a slightly different order.
For the operators of the Irish Honeynet, the target of most interest was Port 445, as this was the first time they had seen such a high volume of attacks (nearly 31 per cent of the April total) against this port. This port is associated with Microsoft’s Directory Services, an implementation of distributed directory services built upon the industry standard, LDAP, and with the Windows 2000 version of Server Message Block. Hence this port is exposed to the same kinds of attack as the old favourites, ports 135-137 (for example, denial of service attempts, username guessing and brute force password guessing).
Port 1434 on UDP, which is associated with Microsoft SQL Server Monitor, continued to feature heavily in the attacks, with 12.5 per cent of the total in April. The SQL Slammer worm, which caused havoc on the Internet earlier this year, is the main threat that makes use of this port. The source of these attacks is almost certainly machines that are already infected with the Slammer worm.
As one would expect, a large percentage of the attacks (24 per cent) targeted vulnerable Web services, predominantly on port 80. The rapid growth of e-commerce has exposed new opportunities for hackers to target Web based applications. Many in-house Web applications are wide open to compromise, reflecting the lack of priority given to security.
Many developers who have not received training in security methods may not realise that any information sent to a browser can be manipulated by the user of that browser. Whether or not SSL (HTTPS, the encrypted form of HTTP) is used, malicious users can intercept the communication between their own browser and the Web server, and inject any information they wish. Attackers can manipulate Web applications using techniques such as state manipulation and SQL injection to compromise e-commerce sites.
The experience of the Irish Honeynet suggests that the tools available to carry out these kinds of attacks are getting simpler to use and more difficult to detect. Old-style command-line tools have given way to attractive, easy-to-use Graphical User Interfaces (GUIs), and the proliferation of rootkits is becoming a huge concern for security officers and system administrators.
Rootkits evolved into sophisticated kernel modules in the mid 1990s. At that time, administrators using Sun’s Solaris operating system observed unexplained server behaviour: disk space and CPU cycles going missing, and network connections that did not show up in the normal monitoring tools.
The primary purpose of a rootkit is to allow an attacker to maintain undetected access to a compromised system. The main technique used is to replace standard versions of system software with hacked versions, and install a backdoor process by replacing one or more of the files, such as ls, ps and netstat. The new system commands are designed to hide all traces of hacker activities. Using these kinds of rootkits, attackers can bypass normal security controls and access systems on their own terms.
The most important thing to remember about rootkits is that a rootkit cannot be installed unless the system is already compromised. Maintaining a secure environment is your primary defence to protect your organisation’s information assets.
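One defensive check that follows from the paragraph above: record a baseline of the system commands a rootkit typically replaces (ls, ps, netstat) at deployment time and compare against it later. This is an added illustration, not code from the article or the Honeynet operators; the file names, the temporary directory and the "trojaned" content are constructed stand-ins for real binaries.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Hypothetical watch list: the commands the article names as rootkit targets.
WATCHED = ("ls", "ps", "netstat")


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(bindir, names=WATCHED):
    """Record hash, size and mode of each watched binary at deployment time."""
    baseline = {}
    for name in names:
        p = Path(bindir) / name
        st = p.stat()
        baseline[name] = {"sha256": sha256_of(p), "size": st.st_size,
                          "mode": oct(st.st_mode)}
    return baseline


def check_against_baseline(bindir, baseline):
    """Return (name, reason) for every binary that no longer matches the baseline."""
    findings = []
    for name, expected in baseline.items():
        p = Path(bindir) / name
        if not p.exists():
            findings.append((name, "missing"))
            continue
        st = p.stat()
        if sha256_of(p) != expected["sha256"]:
            findings.append((name, "hash mismatch"))
        elif st.st_size != expected["size"]:
            findings.append((name, "size changed"))
        elif oct(st.st_mode) != expected["mode"]:
            findings.append((name, "mode changed"))
    return findings


def demo():
    """Constructed scenario: fake binaries, a baseline, then 'ps' is replaced."""
    with tempfile.TemporaryDirectory() as d:
        for name in WATCHED:
            (Path(d) / name).write_bytes(b"original " + name.encode())
        # In practice the baseline is stored off the host; here it round-trips via JSON.
        baseline = json.loads(json.dumps(build_baseline(d)))
        (Path(d) / "ps").write_bytes(b"replacement ps that hides processes")
        return check_against_baseline(d, baseline)
```

Run the check from read-only media with a known-good interpreter and keep the baseline off the host, since the replaced commands are, as the article notes, built to hide exactly this kind of change.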
The following steps will help to better protect against external attack:
Develop a baseline security policy, and ensure that all systems meet this level before being deployed. This should include disabling all unneeded services and applying relevant patches before deploying new machines.
Keep systems patched by having an active programme to identify when new patches are released, test them on a non-production system and rapidly apply them to the production environment.