Irish Honeynet under increasing attack
1 April 2005
The Irish Honeynet Project ran into its fourth month in July. The results to date have borne out the long-held belief that ‘if it is on the Internet, it will be attacked’ and serve as a wake-up call to those Irish businesses that have so far failed to take information security seriously. As some of the figures and trends show, ignoring the risks inherent in going on-line could spell disaster.
A honeynet is a network attached to the Internet that has been designed to act as a decoy, luring hackers in order to study their activities and monitor how they attempt to break into a system. Honeynets are designed to mimic systems that hackers would like to break into, appearing as easy targets but in reality allowing just enough access for the attacker to compromise the system and then recording their every move.
Once an attacker has been lured into a system, they can be observed in action. By studying the activities of hackers, security practitioners can learn how hackers compromise systems today—leading to more secure systems tomorrow.
The Irish research project, run by security software distribution company Espion and the Security Services Group of Deloitte & Touche, is hosted by Data Electronics and saw a further 415 attacks against the Honeynet in July. This was an increase on June’s 364 attacks (ComputerScope August 2002), and reflects the ever-growing threat present on the Internet.
Several theories exist to explain this month’s increase in attacks, but the most popular, and probably the most realistic, is that the script-kiddie teenagers who are responsible for a huge proportion of server probes and indiscriminate hacking attempts go on school holidays in June and so have plenty of (unsupervised) spare time in which to wreak havoc in the playground of cyberspace.
Month on month, from April through May, June and July, we have seen the number of attacks rise steadily, by 3.5 per cent, 6.5 per cent and 10 per cent respectively. In this short space of time we have also seen attacks from our techno-savvy friends in the USA increase by more than half, from 67 in April to 106 in July.
This month’s ‘top ten’ list changed only slightly from the previous months. The same old attacks were seen time and again. The Code Red, Nimda and SQLSnake worms all featured prominently, as did FTP server probes and probes for the SubSeven Trojan horse, as discussed in last month’s issue.
Another trend we have seen over these last four months has been a continued and persistent search for mail servers that are open to relaying. This is a well-documented misconfiguration (an ‘open relay’ accepts mail from anyone, addressed to anyone, and passes it on) that is as simple to fix as it is to exploit.
Mail servers that are open in this way can (and most likely will) be used to send huge quantities of unsolicited email to enormous lists of harvested addresses, causing endless problems not only for the owner of the server but also for the poor unfortunates whose addresses end up on those lists. We have all been victims of these lists at some stage. Many of us have had to go so far as to change email address simply to escape them.
The culprits responsible for compiling these lists and sending the unsolicited mail have become known in cyberspace as spammers. Once an open mail server has been identified, it will be used to bulk-mail anything from silly ‘get-rich-quick’ schemes to pornography advertisements. Spammers trade lists of these servers amongst themselves, allowing the entire spamming community to take advantage of the open relay.
There are several serious consequences of having your mail server vulnerable in this way:
A degradation of service for the owner of the mail server
With thousands, or in some cases tens of thousands, of extra emails being sent each day, genuine business mail may be pushed to the back of the queue while the spammers consume expensive bandwidth.
Potential denial-of-service, by complete loss of the mail service
A service on the Internet that many administrators are unaware of is the Realtime Blackhole List (RBL). RBLs are databases of the addresses of mail servers known to be used by spammers, open relays included. The list is made available to mail server administrators (most ISPs make use of these lists), who can configure their servers to refuse mail from any machine on it. If you suddenly find yourself unable to mail anyone although your own mail server is working normally, you may well have been listed.
Loss of reputation
If the security of your online presence is seen to be weak, allowing your servers to forward unsolicited email, your corporate reputation is bound to suffer.
Any organisation that is seen to be associated with individuals or groups intent on flooding the Internet with pornography could face criminal prosecution.
Thankfully, like many of the vulnerabilities we have seen being exploited in the Honeynet, the open relay problem is an easy one to fix. All modern mail servers can be configured to refuse relaying (often called an ‘antirelay’ feature), so that mail is accepted only for your own domains, or from your own network or authenticated users. It is highly recommended that anyone with a mail server double-check that this restriction is in place, ideally by testing it from outside the network, which is exactly what the spammers do. This simple piece of configuration could save your organisation thousands of euro. If no open relays existed, the chances are that much of the rubbish we all see in our inboxes would disappear.
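The test a spammer’s scanner performs against a mail server, and the check an administrator should perform on their own, is the same SMTP dialogue: connect, EHLO, MAIL FROM, then RCPT TO for an address the server is not responsible for. A relay-restricted server rejects that RCPT TO; an open relay accepts it. The following script is an added example written for this article, not code from the Honeynet project. It probes a server with that dialogue and abandons the transaction before DATA, so nothing is ever delivered, and it includes a constructed in-process fake SMTP server (not a real MTA) so the probe can be exercised offline in both the open and the restricted configuration. All addresses and domains in it are invented placeholders.

```python
"""Open-relay probe plus a fake SMTP server for offline demonstration (added example)."""
import smtplib
import socket
import threading

# Constructed placeholder addresses used only to drive the SMTP dialogue.
PROBE_SENDER = "probe@outside.example"
PROBE_RECIPIENT = "victim@elsewhere.example"


def rcpt_accepted(host, port, sender, recipient, timeout=10):
    """Return True if host:port answers 250 to RCPT TO:<recipient>.

    The session is reset after RCPT TO and closed with QUIT, so no message
    is ever queued or relayed by the probe itself.
    """
    with smtplib.SMTP(host, port, local_hostname="probe.example", timeout=timeout) as conn:
        conn.ehlo_or_helo_if_needed()
        code, _ = conn.mail(sender)
        if code != 250:
            return False          # sender refused outright: nothing to relay
        code, _ = conn.rcpt(recipient)
        conn.rset()               # abandon the transaction before DATA
        return code in (250, 251)


def is_open_relay(host, port, timeout=10):
    """An open relay accepts a foreign sender *and* a foreign recipient."""
    return rcpt_accepted(host, port, PROBE_SENDER, PROBE_RECIPIENT, timeout)


class FakeSMTPServer(threading.Thread):
    """Constructed one-connection SMTP responder for offline testing (not a real MTA).

    relay_open=False models a correctly configured server: it accepts RCPT TO
    only for its own local_domains and refuses everything else with 554.
    relay_open=True models the misconfigured open relay the article describes.
    """

    def __init__(self, local_domains=("ourcompany.example",), relay_open=False):
        super().__init__(daemon=True)
        self.local_domains = tuple(d.lower() for d in local_domains)
        self.relay_open = relay_open
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))   # ephemeral port, read back via self.port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def _rcpt_reply(self, line):
        # line looks like "RCPT TO:<user@domain>"; decide on the domain part only
        addr = line.split(":", 1)[1].strip().strip("<>")
        domain = addr.rpartition("@")[2].lower()
        if self.relay_open or domain in self.local_domains:
            return b"250 OK\r\n"
        return b"554 5.7.1 Relay access denied\r\n"

    def run(self):
        conn, _ = self.sock.accept()
        reader = conn.makefile("rb")
        conn.sendall(b"220 fake.example ESMTP ready\r\n")
        for raw in reader:
            line = raw.decode("ascii", "replace").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 fake.example\r\n")
            elif verb in ("MAIL", "RSET"):
                conn.sendall(b"250 OK\r\n")
            elif verb == "RCPT":
                conn.sendall(self._rcpt_reply(line))
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"502 Command not implemented\r\n")
        reader.close()
        conn.close()
        self.sock.close()


def run_demo():
    """Probe one restricted and one open fake server; returns {label: is_open}."""
    results = {}
    for label, relay_open in (("restricted", False), ("open", True)):
        server = FakeSMTPServer(relay_open=relay_open)
        server.start()
        results[label] = is_open_relay("127.0.0.1", server.port)
        server.join(timeout=5)
    return results


if __name__ == "__main__":
    for label, open_relay in run_demo().items():
        print(f"{label} server: {'OPEN RELAY' if open_relay else 'relaying refused'}")
```

To test a real server, call is_open_relay() with its hostname and port 25 from a machine outside your own network: a result of True means the server will relay for anyone. Note that some servers only reveal the refusal at DATA time rather than at RCPT TO; this probe deliberately stops short of DATA, so treat a True result as a reason to inspect the configuration rather than as proof on its own.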
In next month’s issue we will document a live attack on the Honeynet, what the hacker did and how they did it.