What do they want?

Most hackers are looking for spam relays; others want to spread worms or gain control of your computers.

One million, seven hundred thousand security alerts during a two-week stretch in July seems like a lot. But it doesn't faze John Clarke, general manager of i-Trap Internet Security Services.

Clarke and his team of security analysts monitor three intrusion-detection sensors that sit on the backbone of a regional ISP in Cleveland and weed out the serious attacks from the Internet background noise that reaches out and touches the network daily.

To Clarke, it's all a matter of perspective.

With a minimum of 3.3 billion packets flowing across this network backbone in any given two-week period, having only 0.052% of those packets tagged as possible security events is not all that worrisome. However, that number of alerts has tripled in the past six months. And that is scary.

If you drill down, of those 1.7 million alerts, 120,000 are likely false positives, a conservative estimate based on i-Trap's experience.

Another 765,000 are alerts that are triggered by network scanning operations, rather than actual attacks.

That brings the number of potentially serious attacks down to 800,000.

Bringing it down one more notch, an average corporate customer with a midsize network served by this ISP likely would see 32,000 security alerts in any recent two-week period.

Thirty-two thousand is certainly better than 1.7 million, but the frightening fact is that it takes only one dangerous attack to wreak havoc on your network. The point is, you still have to watch these alerted events carefully over a period of time to ascertain what's noise and what's noxious.

Based on the long-term view of the monitored network, we asked Clarke and his team to weed through our data set and pinpoint the top 10 red flags. Here they are in order of volume.

1: Snort alert: Proxy rules 592,171 Use proxy as spam relay

Number of alerts:

Possible malicious intent:

Almost all these are inbound scans. If an attacker finds an open proxy server, he can use this as a jumping point to disguise his identity and launch attacks against other hosts. A pattern change here will alert us to a proxy that was found and is being used.

2: Snort alert: MS-SQL Worm propagation attempt OUTBOUND 373,107 Worm propagation

Number of alerts:

Possible malicious intent:

This alerts us that one of our customers has caught the MS-SQL Slammer Worm, and it is attempting to spread itself. In this case, one source address inside the network was responsible for hitting 99.9% of the destination IP addresses, which shows that the worm was randomly probing addresses, but only sent one attempt to each target. The ISP does not want its customers to contribute to the worm propagation problem, so it would notify the customer who owns the infected machine before complaints are sent from other networks.

3: Snort alert: BAD-TRAFFIC loopback traffic 26,770 Spoofing

Number of alerts:

Possible malicious intent:

Of these alerts, those with a source IP address of 127.0.0.1 signify spoofed traffic. Tracing this packet back to its true source is difficult, if not impossible. On an incorrectly configured machine (or one with out-of-date patches), this spoofing method could trick the machine into thinking it was talking to itself, giving an attacker the ability to send spam or steal information from the target.

4: Snort alert: Telnet logon incorrect 20,874 Gain control of device

Number of alerts:

Possibly malicious intent:

When we dug into this series of alerts, we found that most of these packets were sent from only two source addresses that actually were sitting on the ISP's network. With this particular snort signature, the sensor flagged outbound responses from the hosts that were being hit repeatedly with incorrect logon attempts. This is a cause for concern because it's likely the two machines were being hit by a dictionary attack, and if it goes on long enough, a compromise is likely to occur.

5: Snort alert: ICMP ping rules 15,047 Denial-of-service (DoS) attack

Number of alerts:

Possible malicious intent:

Ping traffic is normal. Ping is used widely as a troubleshooting and diagnostic tool, but also is used in scanning and DoS attacks. A change in the pattern here would be a cause for alarm. But in this case, the i-Trap team referred to its real-time statistics to track the frequency of these pings. There were no bursts of ping traffic hitting the network in a relatively short time (5 to 60 minutes), so they could conclude there was no attempted DoS attack.

6: Snort alert: Formail rules 2,508 Corrupt Web e-mail

Number of alerts:

Possible malicious intent:

Formail is a script used to handle e-mail correspondence through a Web site. If misconfigured, an attacker can use this as a launching point for spam. While the attackers did not find any misconfigured machines during the two weeks we tracked alerts, i-Trap officials said they typically see one incident per month (that's tracked across 1,500 Web sites the ISP hosts) in which the machine is found and subsequently used as a spam relay.

7: Snort alert: NetBIOS IPC$ share access 1,139 Gain full administrator rights

Number of alerts:

Possible malicious intent:

The IPC$ share is an administrative feature of Windows that, if achieved by a hacker, gives him administrative rights over the machine. Breaching a share requires three things: the share name (which is on every Windows NT, 2000 and new 2003 system, and cannot be removed or renamed), a user name (the default of which is "Administrator," which often is not changed), and a password. This feature should not be accessed outside of a LAN environment, so to see these share attempts coming from the Internet is a definite sign that someone is trying to break into these machines.

8: Snort alert: RPC portmap rules 160 Gain admin rights to a machineRPC vulnerabilities easily will allow an attacker full control of the target if they find an unpatched machine. There were no RPC break-ins on our watch, but it's worthwhile to note that the probes were fairly constant, so system operators need to be pretty vigilant about keeping RPC vulnerabilities patched.

Number of alerts:

Possible malicious intent:

These alerts crop up when hackers are looking for unpatched Linux and Unix machines. 

9: Snort alert: SCAN SSH Version map attempt 13 Gain administrator rights to a machine

Number of alerts:

Possible malicious intent:

This is probing for a vulnerability in Secure Shell (SSH), a method used to remotely gain administrative rights to Unix or Linux systems. There are known vulnerabilities in the SSH service, and people who use Linux tend to be behind in their patching, as it is a manual process unlike using Windows Update. If a vulnerable system is found, the flaws in SSH will allow an attacker full control of the system. There was no evidence of a successful SSH during our two-week period. These attempts typically come at the network in groups but at a low volume, so they usually can be reviewed manually to see if a compromise occurred.

10: Snort alert: Policy FTP rules 11 Store contraband files

Number of alerts:

Possible malicious intent:

These alerts are triggered when an FTP logon is successful - whether through an anonymous account or otherwise - and the user is digging around in the FTP server. In particular, these rules are usually indicative of somebody setting up a warez distribution site. They indicate the user is attempting to clock the speed of the server, create hidden directories, and access storage on the site to which they shouldn't have access.

When are they coming after you?
Hackers don’t seem to take weekends off. The intrusion-prevention system at our test site (Tel Aviv University) was hit with similar numbers of both reconnaisance (scans) and attacks (bites) every day of the week. The scan spike on July 22 was because of hackers looking for vulnerable User Datagram Protocol (UDP) services.
PeriodScan eventsBite eventsTotal events
Thursday, July 10 5,558 4,994 10,552
Friday, July 115,3124,68810,000
Saturday, July 124,8624,5019,363
Sunday, July 135,9925,65811,650
Monday, July 148,0437,58615,629
Tuesday, July 157,610 7,35314,963
Wednesday, July 167,0117,84614,857
Thursday, July 177,6558,24415,899
Friday, July 186,5826,91413,496
Saturday, July 196,7966,009 12,805
Sunday, July 208,058 6,92914,987
Monday, July 218,048 7,84615,894
Tuesday, July 2215,145 3,71218,857
Wednesday, July 23N/AN/AN/A
SOURCE: FORESCOUT TECHNOLOGIES
The three major spikes in hacker activity recorded on the regional ISP’s backbone in Cleveland were a SQL slammer worm on July 16, and scans on July 15 and 22 looking for spam relays.
Periodi-Trap alerts
Thursday, July 10 80,953
Friday, July 1165,302
Saturday, July 1289,010
Sunday, July 1365,689
Monday, July 14100,189
Tuesday, July 15190,535
Wednesday, July 16199,012
Thursday, July 1767,774
Friday, July 18149,453
Saturday, July 19115,716
Sunday, July 2042,400
Monday, July 2189,824
Tuesday, July 22301,964
Wednesday, July 23112,763
SOURCE: I-TRAP INTERNET SECURITY SERVICES

Learn more about this topic

Eric Bowser of I-Trap and Network World Global Test Alliance member Joel Snyder of Opus One contributed to this story.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10