Most hackers are looking for spam relays; others want to spread worms or gain control of your computers.
One million, seven hundred thousand security alerts during a two-week stretch in July seems like a lot. But it doesn't faze John Clarke, general manager of i-Trap Internet Security Services.
Clarke and his team of security analysts monitor three intrusion-detection sensors that sit on the backbone of a regional ISP in Cleveland and weed out the serious attacks from the Internet background noise that reaches out and touches the network daily.
To Clarke, it's all a matter of perspective.
With a minimum of 3.3 billion packets flowing across this network backbone in any given two-week period, having only 0.052% of those packets tagged as possible security events is not all that worrisome. However, that number of alerts has tripled in the past six months. And that is scary.
If you drill down, of those 1.7 million alerts, 120,000 are likely false positives, a conservative estimate based on i-Trap's experience.
Another 765,000 are alerts that are triggered by network scanning operations, rather than actual attacks.
That brings the number of potentially serious attacks down to roughly 800,000.
Bringing it down one more notch, an average corporate customer with a midsize network served by this ISP likely would see 32,000 security alerts in any recent two-week period.
Thirty-two thousand is certainly better than 1.7 million, but the frightening fact is that it takes only one dangerous attack to wreak havoc on your network. The point is, you still have to watch these alerted events carefully over a period of time to ascertain what's noise and what's noxious.
Based on the long-term view of the monitored network, we asked Clarke and his team to weed through our data set and pinpoint the top 10 red flags. Here they are in order of volume.
1: Snort alert: Proxy rules
Number of alerts: 592,171
Possible malicious intent: Use proxy as spam relay
Almost all of these are inbound scans. If an attacker finds an open proxy server, he can use it as a jumping-off point to disguise his identity and launch attacks against other hosts. A change in the pattern here, from broad scanning to sustained traffic through a single host, would alert us that a proxy has been found and is being used.
2: Snort alert: MS-SQL Worm propagation attempt OUTBOUND
Number of alerts: 373,107
Possible malicious intent: Worm propagation
This alerts us that one of the ISP's customers has caught the MS-SQL Slammer worm and that it is attempting to spread. In this case, one source address inside the network accounted for 99.9% of the destination IP addresses hit, and it sent only one attempt to each target, which is the worm's random-probing pattern. The ISP does not want its customers contributing to the propagation problem, so it notifies the customer who owns the infected machine before complaints arrive from other networks.
3: Snort alert: BAD-TRAFFIC loopback traffic
Number of alerts: 26,770
Possible malicious intent: Spoofing
Of these alerts, those with a source IP address of 127.0.0.1 signify spoofed traffic: a loopback address can never legitimately arrive from the network. Tracing such a packet back to its true source is difficult, if not impossible. On an incorrectly configured machine (or one with out-of-date patches), this spoofing method could trick the machine into thinking it was talking to itself, giving an attacker the ability to send spam through it or steal information from it.
4: Snort alert: Telnet logon incorrect
Number of alerts: 20,874
Possible malicious intent: Gain control of device
When we dug into this series of alerts, we found that most of these packets were sent from only two source addresses, both of which sit on the ISP's own network. That is because this particular Snort signature matches the server's "login incorrect" response, so the sensor flagged the outbound replies from two hosts that were being hit repeatedly with bad logon attempts. This is a cause for concern: the two machines were most likely under a dictionary attack, and if it goes on long enough a compromise is likely to occur.
5: Snort alert: ICMP ping rules
Number of alerts: 15,047
Possible malicious intent: Denial-of-service (DoS) attack
Ping traffic is normal. Ping is widely used as a troubleshooting and diagnostic tool, but it is also used in scanning and DoS attacks, so a change in the pattern here would be a cause for alarm. In this case, the i-Trap team referred to its real-time statistics to track the frequency of these pings. There were no bursts of ping traffic hitting the network within a short window (5 to 60 minutes), so they could conclude there was no attempted DoS attack.
6: Snort alert: Formail rules
Number of alerts: 2,508
Possible malicious intent: Corrupt Web e-mail
Formail is a script used to handle e-mail correspondence through a Web site. If it is misconfigured, an attacker can use it as a launching point for spam. While the attackers did not find any misconfigured machines during the two weeks we tracked alerts, i-Trap officials said they typically see one incident per month, across the 1,500 Web sites the ISP hosts, in which such a machine is found and subsequently used as a spam relay.
7: Snort alert: NetBIOS IPC$ share access
Number of alerts: 1,139
Possible malicious intent: Gain full administrator rights
The IPC$ share is an administrative feature of Windows; an attacker who authenticates to it with an administrative account has administrative rights over the machine. Breaching the share requires three things: the share name (which exists on every Windows NT, 2000 and new 2003 system and cannot be removed or renamed), a user name (the default is "Administrator," which often is not changed) and a password. This share should not be reachable from outside a LAN, so share-access attempts coming from the Internet are a definite sign that someone is trying to break into these machines.
8: Snort alert: RPC portmap rules
Number of alerts: 160
Possible malicious intent: Gain admin rights to a machine
These alerts crop up when hackers are looking for unpatched Linux and Unix machines. RPC vulnerabilities will easily give an attacker full control of the target if he finds an unpatched machine. There were no RPC break-ins on our watch, but it's worth noting that the probes were fairly constant, so system operators need to be vigilant about keeping RPC vulnerabilities patched.
9: Snort alert: SCAN SSH Version map attempt
Number of alerts: 13
Possible malicious intent: Gain administrator rights to a machine
This is probing for vulnerable versions of Secure Shell (SSH), the remote-login service used to administer Unix and Linux systems. There are known vulnerabilities in unpatched SSH services, and people who run Linux tend to be behind in their patching, as it is a manual process unlike Windows Update. If a vulnerable system is found, the flaws in SSH will give an attacker full control of it. There was no evidence of a successful SSH compromise during our two-week period. These attempts typically come at the network in groups but at low volume, so they usually can be reviewed manually to see whether a compromise occurred.
10: Snort alert: Policy FTP rules
Number of alerts: 11
Possible malicious intent: Store contraband files
These alerts are triggered when an FTP logon succeeds, whether through an anonymous account or otherwise, and the user starts digging around in the FTP server. In particular, these rules usually indicate somebody setting up a warez distribution site: the user is testing the server's transfer speed, creating hidden directories and accessing storage on the site that they shouldn't be able to reach.
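The checks the i-Trap team describes for items 2 through 5 (one source fanning out to many targets once each, a loopback source address arriving from the wire, repeated "login incorrect" replies from the same server, and ping bursts within a short window) are easy to express as heuristics over Snort's one-line "fast" alert output. The following Python is an added example, not i-Trap's code or part of the original article: the alert lines are constructed, the rule IDs in the [gid:sid:rev] field are placeholders rather than real Snort SIDs, the addresses are documentation ranges, and the thresholds are assumptions a real deployment would tune.

```python
"""Triage helpers for Snort "fast"-format alert lines (added example, not i-Trap's code)."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts in Snort's one-line "fast" output format. The
# [gid:sid:rev] rule IDs are placeholders, not real Snort SIDs, and the
# addresses are documentation ranges; only the layout matches real output.
SAMPLE_ALERTS = """\
07/14-10:00:01.000000  [**] [1:100001:1] MS-SQL Worm propagation attempt OUTBOUND [**] [Priority: 2] {UDP} 10.1.1.5:1434 -> 198.51.100.10:1434
07/14-10:00:01.000100  [**] [1:100001:1] MS-SQL Worm propagation attempt OUTBOUND [**] [Priority: 2] {UDP} 10.1.1.5:1434 -> 203.0.113.77:1434
07/14-10:00:01.000200  [**] [1:100001:1] MS-SQL Worm propagation attempt OUTBOUND [**] [Priority: 2] {UDP} 10.1.1.5:1434 -> 192.0.2.9:1434
07/14-10:00:01.000300  [**] [1:100001:1] MS-SQL Worm propagation attempt OUTBOUND [**] [Priority: 2] {UDP} 10.1.1.5:1434 -> 198.51.100.200:1434
07/14-10:00:02.000000  [**] [1:100002:1] BAD-TRAFFIC loopback traffic [**] [Priority: 3] {TCP} 127.0.0.1:80 -> 10.1.2.3:80
07/14-10:00:03.000000  [**] [1:100003:1] TELNET login incorrect [**] [Priority: 2] {TCP} 10.1.3.3:23 -> 203.0.113.5:40001
07/14-10:00:04.000000  [**] [1:100003:1] TELNET login incorrect [**] [Priority: 2] {TCP} 10.1.3.3:23 -> 203.0.113.5:40002
07/14-10:00:05.000000  [**] [1:100003:1] TELNET login incorrect [**] [Priority: 2] {TCP} 10.1.3.3:23 -> 203.0.113.5:40003
07/14-10:00:06.000000  [**] [1:100004:1] ICMP PING [**] [Priority: 3] {ICMP} 198.51.100.7 -> 10.1.4.4
07/14-10:30:06.000000  [**] [1:100004:1] ICMP PING [**] [Priority: 3] {ICMP} 198.51.100.8 -> 10.1.4.4
07/14-11:30:06.000000  [**] [1:100004:1] ICMP PING [**] [Priority: 3] {ICMP} 198.51.100.9 -> 10.1.4.4
"""

# Fast-format line: timestamp, [**] [gid:sid:rev] msg [**], optional class/priority,
# {proto} src[:port] -> dst[:port]. IPv4 only; the port is absent for ICMP.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[^\s:]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Parse fast-format lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S.%f")  # no year in fast format
        alerts.append(a)
    return alerts


def count_by_signature(alerts):
    """Volume per signature, the starting point for the top-10 style ranking."""
    return Counter(a["msg"] for a in alerts)


def worm_fan_out(alerts, msg, min_targets=3):
    """Item 2: a source hitting many distinct destinations exactly once each
    is the random-probing pattern of a worm, not a targeted attack."""
    targets = defaultdict(Counter)
    for a in alerts:
        if a["msg"] == msg:
            targets[a["src"]][a["dst"]] += 1
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets and max(dsts.values()) == 1}


def spoofed_loopback_sources(alerts):
    """Item 3: a 127/8 source seen on the wire cannot be genuine."""
    found = set()
    for a in alerts:
        try:
            if ipaddress.ip_address(a["src"]).is_loopback:
                found.add(a["src"])
        except ValueError:
            pass  # hostname or malformed field, not an IP address
    return sorted(found)


def login_failure_targets(alerts, msg, threshold=3):
    """Item 4: the signature fires on the server's outbound 'login incorrect'
    reply, so the alert's *source* is the host being guessed at."""
    per_server = Counter(a["src"] for a in alerts if a["msg"] == msg)
    return {srv: n for srv, n in per_server.items() if n >= threshold}


def max_alerts_in_window(alerts, msg, window_minutes=5):
    """Item 5: peak count in any sliding window; a burst, not the total, signals a DoS."""
    window = timedelta(minutes=window_minutes)
    times = sorted(a["ts"] for a in alerts if a["msg"] == msg)
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for msg, n in count_by_signature(alerts).most_common():
        print(f"{n:>6}  {msg}")
    print("worm fan-out:", worm_fan_out(alerts, "MS-SQL Worm propagation attempt OUTBOUND"))
    print("spoofed loopback sources:", spoofed_loopback_sources(alerts))
    print("hosts under login guessing:", login_failure_targets(alerts, "TELNET login incorrect"))
    print("peak pings in any 5 min:", max_alerts_in_window(alerts, "ICMP PING"))
```

Run as a script it prints the per-signature counts and the four flags for the constructed sample; to use it on real data, read the output of `snort -A fast` into `parse_alerts` in place of `SAMPLE_ALERTS`. Note that the loopback and fan-out checks key on the alert's source field while the login-failure check treats that same field as the victim, because the Telnet signature matches the server's reply rather than the attacker's request.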