Slashdot Mirror


On the Definition of a Hostile Network Connection?

Kirk Bauer writes "As the author of AutoRPM, my program used to be shipped with my FTP site as one of the default sites the program contacts. However, over the years, I have received more and more emails accusing my machine of 'attacking' their machine ... through identd and failed FTP active-mode connections. Do other FTP sites receive this much (or more) harassment?" First it was port-scanning, now it seems that admins are crying wolf at any unknown client that connects to their network. Now I'm all for a dose of healthy paranoia, but is this going overboard? What should administrators really be watching for if they are concerned with potential hostile activity over the net?

"I have since changed the default configuration to NOT use my own FTP site. However, I still receive around one email every day that my machine has been hacked and has been 'probing' or 'attacking' their machine. Often times, these emails are CC'd to my ISP (or sometimes only sent to my ISP).

Since when did identd lookups become 'attacks'? Most email servers use identd regularly ... how come there are so many firewalls out there that log this as suspicious activity?

Additionally, are there really that many ignorant network administrators who look at a log of one refused identd lookup and one refused active-mode FTP connection every night at 2 a.m. and not realize that something on their end is trying to connect to an FTP site every night?"

9 of 266 comments

  1. Re:Blame the Users by judd · · Score: 5
    an endless loop of mutual fingering...

    Thanks. I really, really needed that image.

  2. Blame the Users by Splat · · Score: 5

    As a previous poster pointed out, I think this is most likely due to the boatload of personal firewall software out there. A lot of people who go buy Norton's firewall, use BlackIce, ZoneAlarm or whatever see that "A computer has tried to connect to your machine via FTP" and panic. I do deskside support and I get people who worry that they've done something "illegal" when they get the BSOD (no, I'm NOT joking). The simple answer seems to be you've got people who don't know what the hell they're doing installing/using firewalls.

    Nothing beats the one time I tried to telnet into an old shell, attempted to logon, and after login failed I realized it was a different machine. The admin somehow or another ran a finger query on the shell machine I was logged onto and sent me email demanding to know who I was and why I was connected to his machine. There are some psychos out there ..

    Then again, you never can be too paranoid.

  3. it's not the admins that are emailing you by brettbender · · Score: 5
    ... it's the users. The real network or security admins on a site of > 1 hosts are likely to:
    1. have more pressing issues to resolve than failed identd queries (e.g. exhaustive network probing, exploit attempts, etc.)
    2. have a clue (i.e. that an identd query probably corresponds to a client connection, and that identd lookups at a regular interval are probably from a cron job or similar)
    When I ran a single workstation on my desk in college, I had plenty of time to write huffy emails each time a line was added to /var/log/security (by the default log levels, which I had only the slightest inkling of how to configure). Now that I (try to) secure a class B network, I do 3 things:
    1. screen the network with a firewall
    2. run an IDS (Snort http://www.snort.org)
    3. (largely) ignore all the crud that bangs into the firewall each day
    Here's what this lets me do with the scenario described above:

    When I run end-of-period reporting against the IDS logs, the nightly identd query shows up as a traffic spike. That night, I set the network sniffer to log all traffic to and from the "suspicious" external host/network. Bingo! The outgoing FTP client connection is logged as well. The owner of the offending workstation gets a phone call to find out if they know about their cron-job.
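The correlation brettbender describes (a dropped identd lookup or active-mode FTP data connection is explained by the "victim's" own outbound FTP control connection moments earlier, and the same pairing at the same minute every night points at a cron job) can be automated against firewall logs. The following is an added example, not code from the original thread; the log lines are constructed in the style of the Linux netfilter LOG target with documentation-range addresses, and the 120-second window is an assumed value.

```python
import re
from datetime import datetime, timedelta
from collections import defaultdict

# Constructed sample log (not from the thread): two nights of an internal workstation
# (192.0.2.5) talking to an external FTP server (203.0.113.10), which answers with an
# identd lookup (dpt 113) and an active-mode data connection (spt 20), both dropped by
# the firewall; plus one identd probe from another host with no such explanation.
SAMPLE_LOG = """\
2001-03-12T02:00:01 ACCEPT OUT=eth0 SRC=192.0.2.5 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=21
2001-03-12T02:00:01 DROP IN=eth0 SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=2345 DPT=113
2001-03-12T02:00:03 DROP IN=eth0 SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=20 DPT=40002
2001-03-13T02:00:01 ACCEPT OUT=eth0 SRC=192.0.2.5 DST=203.0.113.10 PROTO=TCP SPT=40011 DPT=21
2001-03-13T02:00:01 DROP IN=eth0 SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=2346 DPT=113
2001-03-13T02:00:03 DROP IN=eth0 SRC=203.0.113.10 DST=192.0.2.5 PROTO=TCP SPT=20 DPT=40012
2001-03-13T14:17:42 DROP IN=eth0 SRC=198.51.100.7 DST=192.0.2.5 PROTO=TCP SPT=3333 DPT=113
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse(log):
    """Turn log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "action": d["action"], "src": d["src"], "dst": d["dst"],
            "proto": d["proto"], "spt": int(d["spt"]), "dpt": int(d["dpt"]),
        })
    return events


def is_ftp_side_effect(ev):
    """Inbound traffic an FTP server legitimately sends back at its client:
    an identd lookup (113/tcp) or an active-mode data connection from port 20."""
    return (ev["action"] == "DROP" and ev["proto"] == "TCP"
            and (ev["dpt"] == 113 or ev["spt"] == 20))


def explain_drops(events, window=timedelta(seconds=120)):
    """For each dropped identd/active-FTP packet, look for an outbound FTP control
    connection (dpt 21) from the 'victim' to the 'attacker' within `window` before it.
    Returns (event, verdict, causing_outbound_event_or_None) triples."""
    outbound_ftp = [e for e in events if e["action"] == "ACCEPT" and e["dpt"] == 21]
    verdicts = []
    for ev in filter(is_ftp_side_effect, events):
        cause = next((o for o in outbound_ftp
                      if o["src"] == ev["dst"] and o["dst"] == ev["src"]
                      and timedelta(0) <= ev["ts"] - o["ts"] <= window), None)
        verdicts.append((ev, "our-ftp-client" if cause else "unexplained", cause))
    return verdicts


def recurring_hosts(verdicts):
    """Count, per (remote host, internal host, HH:MM of the outbound connection), how
    many distinct nights produced explained drops; a count above one at the same
    minute each night is the signature of a scheduled job on the internal host."""
    nights = defaultdict(set)
    for ev, verdict, cause in verdicts:
        if verdict == "our-ftp-client":
            key = (ev["src"], cause["src"], cause["ts"].strftime("%H:%M"))
            nights[key].add(ev["ts"].date())
    return {k: len(v) for k, v in nights.items()}


if __name__ == "__main__":
    results = explain_drops(parse(SAMPLE_LOG))
    for ev, verdict, cause in results:
        detail = "" if cause is None else f" (caused by {cause['src']} -> {cause['dst']}:21 at {cause['ts']})"
        print(f"{ev['ts']} {ev['src']} -> {ev['dst']}:{ev['dpt']} {verdict}{detail}")
    for (remote, internal, hhmm), n in recurring_hosts(results).items():
        print(f"{internal} contacts {remote} at {hhmm} on {n} distinct nights: ask the owner about cron")
```

The single unexplained identd probe from 198.51.100.7 is the only line that merits a second look; the rest is the workstation's own nightly FTP job reflected back through the firewall, which is exactly the phone call to the workstation owner that the comment ends with.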

  4. What I love... by BiggestPOS · · Score: 5
    Is lusers with ZoneAlarm and BlackIce calling up asking why they lose their IP every 122 minutes. Well, let's see: our DHCP leases are 122 minutes. Have you set your firewall to block the DHCP server? Oh, you have? Well then, as long as you are doing that, you are going to lose your IP every two hours. Please configure your firewall correctly, and then you can call me back. And they always ask "Can you do that for me?" It's great, these people break their computers with other people's products (Bonzai Buddy anyone?) and then call their ISP to have it fixed.

    --
    What, me worry?
  5. Education, Education, Education by marm · · Score: 5

    Maybe it's just me, but wouldn't it make more sense (perhaps with "Internet 2" or any of these other projects) to create infallible network protocols/tools that can't be used for maliciousness? Or is this logically impossible?

    It's not a logical impossibility. Practically, however, it is impossible - IP only works because it is a nice lightweight, easily-routed network protocol. If one were to extend IP or redesign it to try and prevent any misuse, you would almost certainly find it became too heavyweight for it to work successfully at the global level. Not to mention that someone would eventually find some minor chink in its armour and start exploiting that instead...

    However, there's all sorts of things that one can do to make the IP world a safer place. Number one, and probably the best example, would be for all network admins (and router manufacturers) to turn on source route verification by default at their border routers at the very least. What this does is get the router to verify that the source address of a packet headed to an external destination is in fact inside the netblock that the router 'owns' before forwarding it to the next hop. If every network admin would do this, then packets with a spoofed source address would never get any further than their nearest border router, and the internet as a whole would be an awful lot safer. This isn't a new idea and the capability to do it is probably in every router made in the last 5 years at least. Certainly any modern Linux kernel can do it. However, some manufacturers of both router hardware and software routing solutions still insist on keeping it set off by default, and combined with clueless network admins who don't know to switch it on, the problem remains.

    The problem is thus not one of inadequate technology (although IPv6 addresses some security concerns too) but rather one of education...
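The check marm describes (forward a packet only if its source address is consistent with the interface it arrived on) is what is usually called ingress filtering (RFC 2827 / BCP 38) or, in the Linux kernel, reverse path filtering (`net.ipv4.conf.all.rp_filter=1` for strict mode). The following is an added example, not code from the original thread, that implements the strict reverse-path decision in user space against a constructed routing table with hypothetical interface names and documentation-range prefixes, so the logic can be inspected and tested.

```python
import ipaddress

# Constructed routing table for a small border router (not from the thread):
# (prefix, interface the router uses to reach that prefix). Interface names are hypothetical.
ROUTING_TABLE = [
    ("192.0.2.0/24", "eth1"),      # office LAN
    ("198.51.100.0/24", "eth2"),   # server subnet
    ("0.0.0.0/0", "eth0"),         # default route towards the upstream provider
]


def route_interface(addr, table=ROUTING_TABLE):
    """Longest-prefix match: which interface would a reply to `addr` leave through?"""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]


def passes_strict_rpf(src, in_iface, table=ROUTING_TABLE):
    """Strict reverse-path check: a packet is plausible only if the route back to its
    source goes out the same interface the packet came in on. This covers both
    directions marm mentions: an inside host spoofing an outside address arrives on an
    internal interface but routes to eth0, and an outsider spoofing one of our own
    addresses arrives on eth0 but routes to an internal interface."""
    return route_interface(src, table) == in_iface


def classify(src, in_iface, table=ROUTING_TABLE):
    """Human-readable forwarding decision for one packet."""
    if passes_strict_rpf(src, in_iface, table):
        return "forward"
    expected = route_interface(src, table)
    return f"drop: source {src} belongs on {expected}, arrived on {in_iface}"


if __name__ == "__main__":
    # Constructed sample packets: (source address, arrival interface).
    samples = [
        ("192.0.2.10", "eth1"),     # LAN host, genuine
        ("203.0.113.5", "eth0"),    # outside host, genuine
        ("203.0.113.5", "eth1"),    # LAN host spoofing an outside address
        ("192.0.2.10", "eth0"),     # outside host spoofing our LAN
        ("198.51.100.77", "eth1"),  # LAN host spoofing the server subnet
    ]
    for src, iface in samples:
        print(f"{src:>14} on {iface}: {classify(src, iface)}")
```

The strict form assumes symmetric routing; a site with more than one upstream, where replies may legitimately leave through a different interface than the one a packet arrived on, would drop real traffic with this rule, which is why the Linux sysctl also offers a loose mode (`rp_filter=2`) that only requires the source to be reachable via some interface.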

  6. READ: TCP/IP Illustrated guide = informed paranoia by raretek · · Score: 5

    I think Admins who jump at this type of traffic need to read the TCP/IP Illustrated guide, because it demonstrates a lack of understanding of what their logs are saying. If you don't understand that book, you should not even bother monitoring the logs or being an Admin in a TCP/IP networked environment for that matter, any more than an illiterate man should be a proofreader. My 2 cents.

    --
    Show me an effect without cause and then I'll believe in chaos.
  7. Yup, there really are that many bad admins... by segfaultcoredump · · Score: 5

    Over the past few years, I've had the opportunity to interview quite a few folks for the position of network and system administrators.

    Let me tell you, there really are not that many good ones out there.

    In my own personal experience, I'd say that 1 in 20 are worth the space that they occupy. One in 100 would fall into what I would classify as a true senior level admin. The rest of them are just an accident waiting to happen. All of them go around trying to sell themselves as 'senior unix | network system administrators'.

    The problem is that many of these places set up the firewall and block everything, all ICMP packets included. They don't take the time to learn what they should block and what the consequences are. They just block everything. Then when something does not work, they open things up till it does. For a good time, check out the firewall config of an admin who set up an Exchange server that sits behind a firewall. Chances are they had no clue what the 'established' keyword was and just allowed ports 1024 through 64k (in the cases where their firewall did not automatically recognize that Exchange works in a fashion similar to RPC).

    The really sad thing is that most of these admins pull 60-80K/yr (in the US) and think that they know everything. Ah, the ignorance of youth (even the 40+ year old ones who still don't have a clue). You see, the more you know, the more you know that you don't know everything.

    The hard part for me is that with all of the GUIs now dominating the server market, the level of knowledge required to get a system up and running is getting lower and lower. A trained monkey can install NT and most of the Linux based distros out there nowadays. And as soon as they can do that, they add 'system admin' to their resume and try and go for the big bucks. And they can play that game till something serious comes up and they discover what vi is, and then they discover that they have no idea of what single user mode is or how fsck works. At that point the game is over and the company that they work for discovers that they didn't hire a senior level admin, they hired a trained monkey.

    So yes, you are screwed. If your ISP is nice, you can send them an email telling them to discard any emails that they get of 'attacks' from your ftp servers. If it goes to the right network admin (one of the 100) then you can probably sit back, smile and respond with an automatic 'hey stupid, please read rfc bla, bla and bla and then write back when you get a clue as to how ftp works and what your firewall is doing.'

    In the meantime, all we can do is hope that companies start to find some way to tell when an admin really knows their shit and when they just know how to walk through the Mandrake GUI install.

  8. Re:You think this is stupid? by refactored · · Score: 5
    You think that's stupid? Try this one. I got this email from a twit calling himself Callisto the other day (cc'd to my ISP's postmaster):
    Can I ask why you are playing around in my account???? This is an account that I pay for, for private use and I don't appreciate people putting files into my account.
    What great sin had I committed?
    I had sent an email to my wife and mistyped her address.
  9. ...are there really that many ignorant... by John+Hasler · · Score: 5

    The default page in the Debian Apache package contains our logo. As a result, we are regularly accused of defacing Web pages when someone bungles a configuration change. I wonder how often time-A.timefreq.bldrdoc.gov gets accused of "attacks" as a result of the default configuration of my chrony package.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.