Navy Researchers Warn of New Hacking Technique

The advice of two analysts from the Naval Surface Warfare Center (NSWC, Bellevue, Va., www.nswc.navy.mil) is that both government and enterprise networks must prepare to brace for a new wave of denial-of-service (DOS) attacks, the ilk of which has rarely been seen before.

In late September, both Stephen Northcutt, the head of intrusion detection at the NSWC, and Tim Aldrich, a principal analyst with the NSWC, participated in a teleconference sponsored by the SANS Institute (www.sans.org). The topic was coordination among groups of unscrupulous hackers to stage stealthy DOS attacks that are difficult to detect by customary intrusion detection tools.

While cooperation among groups of unscrupulous hackers isn’t a new phenomenon, NSWC’s Northcutt acknowledges, the manner in which these hackers are collaborating is. "There are certainly times in the past where the hacking community has coordinated among themselves and agreed to work together," he says. "But the key is multiple IP addresses working together."

Northcutt says the NSWC first recognized the existence of the coordinated DOS attack model in September, although he acknowledges that such an attack schema could very well have been in existence for some time beforehand.

In this new type of attack, hackers bombard target machines from thousands of different IP addresses, each sending a very small number of malicious packets intermixed with benign packets.

These orchestrated attacks are "sliding under the limit" of the thousands of packets per day that most intrusion detection software looks for, Northcutt observes. "That’s why this is a dangerous thing, because most intrusion detection systems have a threshold or radar level that they’re looking at, [and] these attacks seem to be aiming under that threshold, so that normal intrusion detection tools, the tools that are out there, are not going to detect them."

How effectively can hacker groups circumvent the alarm thresholds of contemporary intrusion detection software packages? "We’re seeing two and three, five [malicious] packets per hour from any number of different sites," Northcutt says. Because unscrupulous hackers may attack a network or machine from any number of IP addresses, such seemingly minuscule per-source packet counts can add up, he explains, amounting to millions of packets per hour.

While the suggestion of a new degree of collaboration and cooperation between hacker groups is a striking one, both Northcutt and Aldrich caution that it’s not currently possible to establish definitively that the recent wave of attacks represents the efforts of a group of hackers rather than a single hacker.

"It is possible for one person to launch attacks, scans or probes from multiple sites simultaneously," Aldrich maintains. "We could be talking about one hacker having multiple accounts and launching the attack simultaneously through some kind of tool."

"What is clear is that the attacks are coordinated," avers Northcutt. "But exactly how many people are driving it is not clear." Thus far, the attacks have been directed at nonclassified networks at the Department of Defense and at least one private, corporate network.

The new attacks pose a detection and analysis problem by virtue of their coordination: a small number of packets from any number of locations must first be correlated and analyzed before it can be established that an attack has taken place. Resources and techniques useful for tracking these hacking activities are available at www.nswc.navy.mil/ISSEC/CID, courtesy of the Navy's Secondary Heuristic Analysis for Defensive Online Warfare intrusion detection team.
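The detection gap Northcutt describes (a per-source alarm threshold that a few packets per hour per source never reaches) and the correlation the NSWC team calls for are easy to see side by side in code. The following is an added example written for this article, not code from the NSWC or from any intrusion detection product it mentions. The log format, the threshold of 20 packets per hour, the TEST-NET addresses and the traffic itself are all constructed for the illustration. The first rule counts packets per source, as the article says conventional tools do; the second aggregates every source that touches the same target in the same hour, which is the correlation step the article says is required.

```python
"""Correlating low-rate probes from many sources against one target.

Added example, not from the article. A per-source hourly threshold misses
probes when each source sends only a few packets, while the same events
aggregated per target cross the identical threshold. Log format, thresholds
and sample traffic are constructed for this illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

PER_SOURCE_THRESHOLD = 20   # hypothetical per-source alarm: packets per hour
PER_TARGET_THRESHOLD = 20   # the same limit, applied to the correlated per-target count


def parse_line(line):
    """Parse one constructed log line into (hour_bucket, src, dst).

    Constructed format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
    """
    ts, src, _arrow, dst_port, _proto = line.split()
    dst = dst_port.rsplit(":", 1)[0]
    hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
    return hour, src, dst


def build_sample_log(n_sources=40, per_source=3):
    """Constructed traffic: n_sources hosts each send per_source probes to one
    target within a single hour, minutes apart, plus two benign web requests.
    Addresses come from the TEST-NET ranges reserved for documentation."""
    base = datetime(1998, 9, 14, 10, 0, 0)
    lines = []
    for i in range(n_sources):
        src = f"203.0.113.{i + 1}"
        for k in range(per_source):
            ts = base + timedelta(minutes=(i * 7 + k * 19) % 60)
            lines.append(f"{ts.isoformat()} {src} -> 192.0.2.10:111 tcp")
    lines.append(f"{base.isoformat()} 203.0.113.1 -> 192.0.2.20:80 tcp")
    lines.append(f"{base.isoformat()} 203.0.113.2 -> 192.0.2.20:80 tcp")
    return lines


def per_source_alerts(lines, threshold=PER_SOURCE_THRESHOLD):
    """Conventional rule: alert when one source sends >= threshold packets to a
    target within one hour. Returns {(hour, src, dst): count} for rules that fired."""
    counts = Counter(parse_line(line) for line in lines)
    return {key: c for key, c in counts.items() if c >= threshold}


def per_target_alerts(lines, threshold=PER_TARGET_THRESHOLD):
    """Correlated rule: sum every source hitting the same target in the same hour.
    Returns {(hour, dst): (total_packets, distinct_sources)} for rules that fired."""
    totals = Counter()
    sources = defaultdict(set)
    for line in lines:
        hour, src, dst = parse_line(line)
        totals[(hour, dst)] += 1
        sources[(hour, dst)].add(src)
    return {key: (c, len(sources[key])) for key, c in totals.items() if c >= threshold}


if __name__ == "__main__":
    log = build_sample_log()
    print("per-source alerts:", per_source_alerts(log))      # nothing fires
    for (hour, dst), (total, nsrc) in per_target_alerts(log).items():
        print(f"{hour:%Y-%m-%d %H:00} {dst}: {total} packets from {nsrc} sources")
```

With 40 sources sending 3 packets apiece, no source comes near the 20-packet limit, so the per-source rule stays silent; the per-target view shows 120 packets from 40 distinct sources in the same hour and fires immediately. The distinct-source count is the more useful field in practice, since a single chatty client can also push a target total over a limit.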

While the DOS attacks certainly represent a new kind of threat, the NSWC’s Northcutt contends that sites that are properly protected and configured for Internet security will be no more susceptible to these new coordinated DOS attacks than they are to other, singular DOS attacks. "Well-defended sites with firewalls and split DNS are no more vulnerable to coordinated attacks than they are to single attacks," Northcutt says, noting that sites with routers outside of network firewalls that contain internal network topology information are at the greatest risk.