Worms Could Dodge Net traps
Danse writes "ZDNet reports that future worms could evade a network of early-warning sensors hidden across the Internet unless countermeasures are taken. According to papers presented at the Usenix Security Symposium, just as surveillance cameras are sometimes hidden, the locations of the Internet sensors are kept secret. From the article: 'If the set of sensors is known, a malicious attacker could avoid the sensors entirely or could overwhelm the sensors with errant data.' A team of computer scientists from the University of Wisconsin wrote up the background in their award-winning paper titled 'Mapping Internet Sensors with Probe Response Attacks.'"
Duh! Of course you can slowly figure out how a security system works, and then work around it. See any famous and/or talented thief for such an example. The real threat, I suppose, is that these worms can do it automatically and on a larger scale.
Solution: Don't open holes and then fill them with trip wires. Just fill up the hole (via patch or otherwise) in the first place.
-Ryan
AUWYHSTOT (Acronyms are Useless When You Have to Spell Them Out Too)
This still doesn't protect the users that are spreading the worms in the first place. So you make an announcement about a worm on the loose? They don't even know what the updates do, and don't patch themselves. The early warning has protected itself.
'Maintaining sensor anonymity is critical because if the set of sensors is known, a malicious attacker could avoid the sensors entirely or could overwhelm the sensors with errant data.'
So basically: "Security through Obscurity is Bad" combined with "We found a way to eliminate the obscurity."
My Suburban burns less gasoline than your Prius.
We already have a form of White IC - simple detection, non-aggressive measures. How long before we have more active Grey IC - Tar Babies (similar to today's honey pots), Tar Pits, Blaster - and ultimately, Black IC - seeking out the source of the intrusion and in turn, destroying the origin of attack?
Would a big, multi-national corporation get punished for "accidentally" frying the computer of someone who was thought to be intruding into the corporation's computers? I seriously doubt it.
His name is Robert Paulsen...
Is it just me, or are we again speaking about security through obscurity (albeit I have to admit that it's in a slightly different way this time)?
How long will it take for people involved in computer and network security to realise that "secret" has virtually no meaning in the field?
A private key is the only exception I can see at the moment: it is kept secret because nobody has any use for it except its owner, and no one will ever need access to it.
But how long a "secret" early-warning network will remain so... when its primary function is to be contacted by the worms that try to evade it?
--
Arkan
If these are used solely for detecting, rather than taking action and blocking traffic, why on earth aren't they located passively? By that I mean an ethertap, rather than having a device sitting on the line that responds to traffic.
That would essentially make the device invisible - all you'd then have to do is have your network of passive detectors inform you when odd traffic passes through.
The original penetration story: http://books.slashdot.org/article.pl?sid=05/07/25/200221&tid=172&tid=6
"Sure there's porn and piracy on the Web but there's probably a downside too."
For those of you who don't know, DShield is precisely one of the 'early-warning sensor' networks the article is talking about.
If you've seen Zulu!, this attack will make a lot of sense.
In the movie Zulu!, the Zulus first attack, from many different sides. Not too heavy, but from all sides.
The British guy's troops repel them, with guns. Quite a few Zulus get shot and killed.
Quite smug, the British commander asks the Boer what he thinks of it all. The Boer explains that that's a Zulu tactic: attack lightly from the various sides to draw the fire. Then the Zulus know where the guns are, where the defenses are hard, where they are soft. The Zulus aren't going anywhere, this is just the beginning. After this, the Brit looks a lot less smug.
Zulu! is a fantastic movie, by the way.
http://www.thebricktestament.com/the_law/when_to_
Awesome, another cat and mouse game.
A really good read. I knew it would be a matter of time before something like this could be thwarted; basically, attacks are slowly evolving. Would it be easy for them to change to different unused IP addresses?
I know an easy fix.. I see in the paper "bandwidth for the fractional T3 attacker and the OC6 attacker could be achieved by using around 250 and 2,500 cable modems".. I wish more cable ISPs were responsive to abuse complaints, or would notice certain bot-like activity like many DDoS attacks coming from their network. Hell, I've read my sshd logs and was amazed at the amount of US cable/DSL scans. You know that's a bot at work.
Shout out to my boys and girls at the U-Dub. I'm gonna go strap on my Kevlar so I survive being shot down for off-topic.
I can't remember the last time I forgot anything.
A biological virus adapts to its environment too, a worm too, so why would the digital variant not adapt? And since the main platform clearly suffers from an immune deficiency syndrome, just kept alive by their doctors and creators by means which are always too late to stop the newest infection but just in time to save most patients, it is pretty easy for the viruses to stay alive, and adapt to a point where the immune system will completely fail.
My wife's sketchblog Blob[p]: Gastrono-me
Solution: Needs more sensors.
If the number of sensors is brought to the point where it becomes impractical to map them, voila no more sensor evasion.
This obviously would be harder to implement than spoken. Maybe if a sensor implementation came as an optional standard with server software.
Heh, I can speculate.
Could certain software companies start spewing out secure software, so worms don't have much of a chance to exist in the first place?
The number of companies getting fat over those needless insecurities is just gross...
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
For a long time I have forwarded all 419 scams to abuse addresses at all their involved mailbox hosters.
In some cases (not always, unfortunately) this causes them to lose their account and thus their way to get replies and possible revenue.
What I would have liked is that they detected "when we send mail to this address we lose our account" and put that address on some blacklist to send no more scams.
But this has not happened. So I don't think there is any cleverness behind it; they just scatterbomb and hope they don't hit a whistleblower.
I want to suggest one thing, in my opinion very important..
We're talking all the time about security of the internet, about net-monitoring, packet filtering, and what really irritates me, IPv6 security.
Please note that nobody complains about such solutions; everyone believes that they're (or will be) elegant and helpful.
My question is.. what do you think government (NSA) will do with such 'security tools' ha?
So we're not only talking about security, but also about Privacy and Freedom of internet-2.
Someday we will wake up with an all-monitored internet-2 ..and it will be too late.
echelon2=internet2?
Or maybe I'm just paranoid? ha?
"Kata ton daimona eay toy." (Be true to your soul).
What about creating an ad hoc distributed network of sensors (versus a fixed network). If thousands or millions of people downloaded a worm monitor application, then the sensor network would be very fluid and span IP space in a less predictable way. An ongoing P2P cross-comparison of the signatures of unsolicited packets could also provide distributed detection of novel worms. When too many sensors see the same anomalous thing, the alert propagates across the network.
Done well, it would create an internet immune system in that sensors that had seen the worm would alert machines that hadn't seen the worm. Those machines would then automatically filter for the new pattern while watching for confirming evidence that a worm was loose. If the download also provided a protective feature, then more people would download it and the network would become more sensitive and valuable.
The idea may have some minor problems. First, security vulnerabilities could be introduced by the monitoring package itself (e.g., the Witty worm targeted vulnerable firewall software). I'd recommend that if a buffer overflow or malformed command exploit were ever discovered in Honeypot@home code, then all the developers would have to be shot immediately. Second, I see some but no great problem of worm writers trying to subvert the network, because it would be hard for them to register enough machines (and replace the code to mute the alert signal triggered by their worm) to swamp the alert signals generated by legitimate nodes of the network.
I'm sure someone is working on this very thing.
Two wrongs don't make a right, but three lefts do.
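A toy model of the crowd-sourced sensor network sketched in the comment above, added here as an illustration and not code from the original thread or from any real project. Sensor IDs, the gossip aggregator and the sample packets are all constructed; the point it demonstrates is counting distinct reporting sensors rather than raw reports, so one noisy or subverted node cannot trigger or swamp the alarm by itself.

```python
"""Toy model of a peer-gossip worm sensor network (constructed example).

Every sensor hashes the (dst_port, payload) of each unsolicited packet it
sees and gossips only that signature.  A node raises an alert, and starts
filtering, once THRESHOLD *distinct* sensors have reported the same
signature.  Repeated reports from one sensor count once.
"""
import hashlib
from collections import defaultdict

THRESHOLD = 3  # distinct sensors required before an alert propagates


def signature(dst_port: int, payload: bytes) -> str:
    """Content signature shared between peers instead of the raw packet."""
    return hashlib.sha256(f"{dst_port}:".encode() + payload).hexdigest()[:16]


class Aggregator:
    """State a node keeps about what its peers have reported."""

    def __init__(self, threshold: int = THRESHOLD):
        self.threshold = threshold
        self.seen = defaultdict(set)   # signature -> set of reporting sensor ids
        self.filters = set()           # signatures this node now drops

    def report(self, sensor_id: str, sig: str) -> bool:
        """Record one peer report; return True the moment the alert fires."""
        self.seen[sig].add(sensor_id)           # set: duplicates from one sensor collapse
        if len(self.seen[sig]) >= self.threshold and sig not in self.filters:
            self.filters.add(sig)               # filter before this node is hit itself
            return True
        return False


def run_demo() -> dict:
    """Constructed scenario: a sprayed payload vs. one stray packet."""
    worm = signature(1434, b"A" * 100)                 # constructed worm-like payload
    stray = signature(80, b"GET / HTTP/1.0\r\n\r\n")   # harmless one-off
    agg = Aggregator()
    fired = []
    # A noisy (or subverted) sensor repeating itself still counts as one.
    for sensor in ["s1", "s1", "s1", "s1"]:
        fired.append(agg.report(sensor, stray))
    # Three independent sensors seeing the same payload cross the threshold.
    for sensor in ["s2", "s3", "s4"]:
        fired.append(agg.report(sensor, worm))
    return {"alerts": sum(fired),
            "filtering_worm": worm in agg.filters,
            "filtering_stray": stray in agg.filters}
```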
Chloe: How did this happen? Mr. Buchanan, the network security monitor lit up. Someone on the outside is trying to jam our satellite servers.
Buchanan: Could this just be high network load?
Chloe: No, it's definitely a denial of service attempt. What do you want me to do?
Buchanan: Did it do any damage yet?
Chloe: No, the Cisco system is self defending.
Video at http://www.cisco.com/now/24/indexSecurity.html
When I saw the thread title, I only thought of real worms (you know, the squirmy squishy things in that big blue room that has way too few accessible electrical outlets) and fishing nets.
Basically, they are saying that by probing ports in particular patterns, and then looking for mention of their probes in published summary reports, they can determine the identity of systems contributing to the reports. (If a trivial idea like that manages to get the USENIX best paper award, then it's no wonder computer security is so bad.)
I, for one, hope that these kinds of techniques will be widely adopted by worm writers. Why? Because it sets up an incentive system to have systems monitored and contribute to public internet statistics: you contribute monitoring and statistics information, and worms won't attack you.