Matt Bishop, Ricardo Anguino, Tuomas Aura, Brian Cameron, Todd Heberlein, Keith Herold, Scott Miller, David O’Brien, Nick Puketza
Signatures – signs to detect attacks, such as number of connections started at one time
Count the number of connections to:
unique ports – lots of connections indicate a vertical sweep
unique machines – lots of connections indicate a horizontal scan
Must be able to restrict signatures so that you don’t get false alarms (see handout notes)
Must be able to detect variations of an attack
David O’Brien brought up the “Hack Back” Pentagon/web server problem.
In response to the threat of tying up the Pentagon web server, the Pentagon
supposedly created a Java applet to disable the browsers of attackers.
Violation of the General Computer Misuse Law?
Another message from the "Lessons Learned" files (LL-Files)
> Attached are a few slides with thoughts from the Strategy workshop at NDU for today's (Thursday, 11/12) IA bi-weekly.
On Don's second slide is the question "Are we under attack?" This takes on even greater importance as we move to [automated] response.
Last Tuesday our network monitor running at UCD picked up a "vertical network sweep", a host trying to connect to many ports on the same machine.
On one hand, it had a very classic signature: hundreds of unique ports tried on a single machine, one attempt per port. Furthermore, in this case the sweep was hitting consecutive ports (4548, 4549, ...).
However, on further inspection, it turned out to be a user retrieving 1852 files by FTP. Each file transfer established a new connection at consecutively higher port numbers. So what appeared to be a sweep was a legitimate, if unusual, activity!
Fortunately, I had the information to allow me to drill down (samples of logs are shown below).
I suspect during times of crisis (e.g., beginning of hostilities), there will be a lot of unusual activity. We should be careful with our responses.
"sweep" "vertical" #=8
Tue Nov 10 10:17:41 1998
Tue Nov 10 10:18:44 1998
Tue Nov 10 10:19:45 1998
5443002 22.214.171.124 --> 126.96.36.199 ( 20 -> 4548)
5443010 188.8.131.52 --> 184.108.40.206 ( 20 -> 4549
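The connection-count signatures from the notes above (unique ports per machine for a vertical sweep, unique machines per port for a horizontal scan) and the FTP false positive from the message, worked through as an added example. This is not the UCD monitor's code or anything from the message; the connection records are constructed, the IP addresses are documentation ranges, and the refinement that treats "every connection from source port 20 onto consecutive destination ports" as an active-mode FTP data transfer is my assumption about how one might restrict the signature, not a rule the notes state.

```python
"""Connection-count signatures for vertical sweeps and horizontal scans,
with one refinement that suppresses the active-mode FTP false positive.
Added example; the traffic below is constructed, not the original logs."""
from collections import defaultdict
from dataclasses import dataclass

FTP_DATA_PORT = 20  # active-mode FTP: the server opens each data connection from port 20


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    sport: int
    dport: int


def group_by_pair(conns):
    """Map (src, dst) -> list of connections, preserving observed order."""
    pairs = defaultdict(list)
    for c in conns:
        pairs[(c.src, c.dst)].append(c)
    return pairs


def looks_like_active_ftp(pair_conns, max_gap=1):
    """Assumed refinement: a bulk FTP retrieval has every connection coming
    from source port 20 and landing on successively allocated client ports."""
    if not all(c.sport == FTP_DATA_PORT for c in pair_conns):
        return False
    ports = [c.dport for c in pair_conns]
    return all(0 < b - a <= max_gap for a, b in zip(ports, ports[1:]))


def vertical_sweeps(conns, min_ports=100):
    """Signature: one source touches many unique ports on one destination.
    Returns (src, dst, n_ports, suppressed) tuples."""
    hits = []
    for (src, dst), pc in group_by_pair(conns).items():
        n_ports = len({c.dport for c in pc})
        if n_ports >= min_ports:
            hits.append((src, dst, n_ports, looks_like_active_ftp(pc)))
    return hits


def horizontal_scans(conns, min_hosts=20):
    """Signature: one source touches the same port on many unique destinations.
    Returns (src, dport, n_hosts) tuples."""
    hosts = defaultdict(set)
    for c in conns:
        hosts[(c.src, c.dport)].add(c.dst)
    return [(src, dport, len(h)) for (src, dport), h in hosts.items() if len(h) >= min_hosts]


def sample_traffic():
    """Constructed sample traffic (documentation address ranges, not real hosts)."""
    conns = []
    # 1) genuine vertical sweep: ephemeral source ports, 150 distinct target ports
    conns += [Conn("10.0.0.5", "10.0.0.9", 40000 + i, 1 + i) for i in range(150)]
    # 2) active-mode FTP retrieval: server port 20 -> consecutive client ports
    conns += [Conn("192.0.2.7", "198.51.100.4", FTP_DATA_PORT, 4548 + i) for i in range(120)]
    # 3) horizontal scan: the same port on 30 different hosts
    conns += [Conn("10.0.0.6", f"10.0.1.{i}", 50000 + i, 23) for i in range(1, 31)]
    return conns


def alerts(conns):
    """What an analyst would see; the FTP case is still reported, but marked suppressed
    so the drill-down information is not lost."""
    out = []
    for src, dst, n, suppressed in vertical_sweeps(conns):
        tag = "suppressed: active-mode FTP data transfer" if suppressed else "ALERT"
        out.append(f"{tag} vertical sweep {src} -> {dst} ({n} ports)")
    for src, port, n in horizontal_scans(conns):
        out.append(f"ALERT horizontal scan {src} -> port {port} on {n} hosts")
    return out


if __name__ == "__main__":
    for line in alerts(sample_traffic()):
        print(line)
```

The thresholds (100 ports, 20 hosts) are placeholders; the point of the suppression branch is the one the message makes: keep the raw counts available so a responder can tell a bulk transfer from a sweep before anything automated acts on it.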