Department of Defense (DOD) security experts are warning that hackers have a new weapon in their arsenal -- coordinated attacks on government and private networks from multiple locations around the world.
Discovered just this month, the attacks are hard to detect since they involve sending two to three malicious data packets among millions of friendly packets from multiple Internet locations around the globe simultaneously in an effort to intrude into a network.
Multiple attackers can farm part of the attack to one Internet address and part of the attack to another, making it hard for existing intrusion monitoring systems to identify the packets as part of a coordinated attack.
"What is clear it that the attacks are coordinated," said Stephen Northcutt, head of the intrusion center at the U.S. Naval Surface Warfare Center, in Virginia. "But exactly how many people are driving it is not clear."
At times up to 15 different hackers appeared to be involved in the attacks, but it is not clear how many people are actually behind such coordinated attacks, Northcutt said. So far the attacks have been directed at non-classified networks at the DOD and at least one private, corporate network.
Although no known damage has been caused by the coordinated attacks yet, Northcutt and his colleagues issued a security alert today in order to make network administrators aware of the new attack mechanisms.
"We are talking about how hackers are using a weapon, not about a new weapon itself," said Tim Aldrich, another U.S. Navy Surface Warfare Center security analyst.
It has been common for a single attacker to target multiple sites, but now multiple attackers are working together to target either single sites or multiple sites, he said.
Aldrich and his colleagues assume that the new techniques will be widely used and that it is imperative that intrusion detection tools, techniques, and tracking databases be developed or modified to detect and respond to this new threat.
For sites with properly engineered Internet security, the new attack mechanism is no more effective than the previous generation of attacks. But sites that aren't as secure, and that have routers with knowledge of an internal network sitting outside a firewall, are especially vulnerable, Northcutt said.
The Navy's Shadow (Secondary Heuristic Analysis for Defensive Online Warfare) Intrusion Detection team has developed a new and freely available detection technique to track this new hacking activity.
The new hacker technique requires security experts to rethink some of their defense methods, which so far have focused on attacks from one hacker. In a coordinated attack, however, one attacker can do the reconnaissance, while another follows up with the exploit. Detecting attacks requires correlating attack packets with each other, which is difficult if a small number of them are sent from many locations at the same time, Northcutt said.
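The correlation problem described above, as an added example that is not from the article and is not the SHADOW team's technique: a per-source counter misses several quiet sources converging on one host, while grouping by destination over a time window catches them. The records, addresses, thresholds and function names are all constructed assumptions, and the input is assumed to be packets a filter has already logged as denied.

```python
from collections import defaultdict

# Constructed sample: (unix_time, source, destination, dest_port) for packets
# a filter already logged as denied. Addresses are documentation ranges.
EVENTS = [
    (1000, "192.0.2.10", "10.0.0.5", 53),
    (1004, "198.51.100.7", "10.0.0.5", 111),
    (1009, "203.0.113.44", "10.0.0.5", 143),
    (1012, "192.0.2.10", "10.0.0.5", 53),
    (1020, "198.51.100.90", "10.0.0.5", 23),
    (2000, "203.0.113.9", "10.0.0.7", 25),
    (9000, "198.51.100.3", "10.0.0.7", 25),
] + [(1500 + i, "192.0.2.200", "10.0.0.9", 80) for i in range(5)]


def per_source_alerts(events, limit=3):
    """Single-attacker view: flag any source that sent more than `limit` packets."""
    counts = defaultdict(int)
    for _, src, _, _ in events:
        counts[src] += 1
    return {src for src, n in counts.items() if n > limit}


def correlated_alerts(events, window=60, min_sources=4):
    """Flag a destination reached by >= min_sources distinct sources within
    `window` seconds, however few packets each source sent."""
    by_dst = defaultdict(list)
    for ts, src, dst, _ in sorted(events):
        by_dst[dst].append((ts, src))
    alerts = {}
    for dst, hits in by_dst.items():
        start = 0
        for end, (ts, _) in enumerate(hits):
            while ts - hits[start][0] > window:  # slide the window forward
                start += 1
            sources = {src for _, src in hits[start:end + 1]}
            if len(sources) >= min_sources:
                alerts[dst] = alerts.get(dst, set()) | sources
    return alerts


if __name__ == "__main__":
    print("per-source:", per_source_alerts(EVENTS))
    print("correlated:", correlated_alerts(EVENTS))
```

On the sample, the per-source view flags only the single noisy source, and the destination view flags only the host that four quiet sources reached within the same minute.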
The Shadow team is asking anyone who has detected similar patterns of coordinated hacking to share information about them by sending information to shadow@nswc.navy.mil.
