Noticing and Responding To Network-Borne Attacks

By Paul Robichaux

The old cliché asks: "If a tree falls in the forest and no one is there to hear it, does it make a sound?" Armchair philosophers have been arguing this question for a long while. The question of whether network attacks that aren't noticed or reported are still attacks is much easier to answer, though: An emphatic Yes.

Why You Should Bother

The most immediate reason why you should be on the lookout for attacks targeted at your network or computer is simple: these attacks use your bandwidth and computer resources to target other people. They steal resources from you, which is bad in and of itself. The resources are then used to harm others, which is even worse. Since these attacks can be traced back to you, you have to consider how it looks to have hosts on your corporate (or home) network attacking your customers, business partners, friends, or the local government. As if these weren't reason enough, failing to notice an attack might even make you civilly or criminally liable, although thank goodness this precedent hasn't been widely set yet.

What about reporting an attack in progress? Here the ground is a little more slippery. In general, reporting attackers to an ISP (yours or theirs) will bring relief only if the attack is coming from a single point. In the case of a distributed attack, virus, or worm, your ISP or the owner of the attacking node may be able to limit or stop attack traffic, but the biggest problem you're likely to run into is that stopping a widely distributed attack may require you to contact and work with several (or many) different providers—and some ISPs are much more responsive and knowledgeable than others! For these types of attacks, technical solutions (like the ones described below) should be your first priority.

Is it worthwhile to call in law enforcement? They should probably be your last line of defense (and, of course, they can't do much to prevent an attack in the first place!). Follow your organization's policies in reporting such incidents.

Protecting Yourself Before an Attack

How do you know when you're being attacked? It's easy to tell when someone's broken into your office or home, but it can be a bit harder to tell when the attack is electronic. Different types of attacks have different telltale signs; here are some of the things you should be doing to remain vigilant:

  • Keep your Windows computers up to date with security patches and service packs from Microsoft. Run the Microsoft Personal Security Advisor to check workstation security; use HFNetChk to check your servers.

  • Set up an intrusion detection system (IDS) and review its output. While you can spend a lot of money on a full-featured commercial tool (like those from Internet Security Systems or McAfee), you can also roll your own using free versions of snort. This is a great way to quickly build an IDS that can detect a variety of attack signs, including port scans and remote logon attempts. Attackers use these kinds of probes to find out what kind of systems you're running and where they might be vulnerable.

  • Close any TCP/IP ports that you're not using. Start by using Microsoft Knowledge Base (KB) article 150543 to see what ports you do not need, then close them. Double-check to make sure they're closed by using netcat, for example, to scan for any you might have missed. Check your intrusion detection logs to verify that the IDS caught the port scanning attempts!

  • Install a distributed monitoring client on your servers. dshield.org and mynetwatchman.com are currently the two most popular; I use dshield, since they have clients for the particular router I use. The MyNetWatchman and dshield agents log suspicious traffic and send the logs to a central server, where they are consolidated and analyzed for attack patterns. Attacks in progress can be reported to the attacker's ISP, which is a nifty feature for home users.

  • Watch for unusual changes in traffic volume. This can be as simple as watching the blinking lights on your cable modem or DSL adapter, or as sophisticated as using traffic-monitoring tools like Microsoft's Network Monitor or Network Instruments' Observer. If your volume of inbound traffic suddenly spikes upward, someone may be starting a DDoS attack.

  • Regularly review CERT advisories and incident reports. If you pay attention to these, you'll get early warning as distributed attacks or virus outbreaks emerge.

How to Tell an Attack Is in Progress

Some kinds of attacks are easy to identify; for example, the Melissa and Anna Kournikova e-mail viruses made their presence known clearly and visibly. Other attacks, like the infamous Code Red, may not leave any obvious signs other than an increase in outbound network traffic. Intrusion detection systems are the best way to get early warning of an attack; most IDS programs use a library of signatures to identify malicious traffic or traffic patterns. As long as you keep your signature library up to date, there's a good chance that your IDS will be able to notify you when you're under attack.

What if your attacker uses an exploit that's brand new, and not included in your IDS signatures? There are still some identifiers to look for:

  • A sudden increase in overall traffic. This may just mean that your web site has been mentioned on a popular news site, or it may mean that someone is up to no good.

  • A sudden jump in the number of bad or malformed packets. Some routers collect packet-level statistics; you can also use a software network scanner like Observer or Network Monitor to track them.

  • Large numbers of packets caught by your router or firewall's egress filters. Recall that egress filters prevent spoofed packets from leaving your network, so if your filter is catching them you need to identify their source, because that's a clear sign that machines on your network have been compromised.

  • Unscheduled reboots of server machines may sometimes indicate their compromise. You should already be watching the event logs of your servers for failed logons and other security-related events.

  • The presence of known attack signatures in your system log files. For example, many sites learned that they'd been hit by CodeRed only when they examined the IIS log files for the distinctive GET request for default.ida. If you pay attention to the CERT advisories, you'll learn about these signatures and can check for them in your own logs in enough time to do you good.
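
The log check described in the last item, as an added example that is not part of the original article: it reads IIS logs in W3C extended format, follows `#Fields:` changes within a file, and tallies requests for default.ida per client. The sample log lines and the query-string placeholder are constructed.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 14:02:11 192.0.2.10 GET /index.html - 200
2001-07-19 14:02:15 198.51.100.7 GET /default.ida NNNNNNNN 200
2001-07-19 14:03:40 198.51.100.7 GET /Default.IDA NNNNNNNN 200
2001-07-19 14:05:02 203.0.113.44 GET /scripts/default.ida NNNN 404
2001-07-19 14:06:00 truncated-line
#Fields: date time cs-uri-stem c-ip sc-status
2001-07-19 14:09:30 /default.ida 203.0.113.44 500
"""

SIGNATURE_STEM = "default.ida"  # the request named in the article


def find_signature_hits(log_text, stem=SIGNATURE_STEM):
    """Return {client_ip: {count, first, last, statuses}} for matching requests."""
    fields = []
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "statuses": set()})
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column layout can change mid-file when logging settings are edited.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or corrupt record; skip rather than misread columns
        rec = dict(zip(fields, values))
        uri = rec.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if uri.rsplit("/", 1)[-1] != stem:
            continue
        entry = hits[rec.get("c-ip", "unknown")]
        stamp = f'{rec.get("date", "")} {rec.get("time", "")}'.strip()
        entry["count"] += 1
        entry["first"] = entry["first"] or stamp
        entry["last"] = stamp
        entry["statuses"].add(rec.get("sc-status", "?"))
    return dict(hits)


if __name__ == "__main__":
    for ip, info in sorted(find_signature_hits(SAMPLE_LOG).items()):
        print(ip, info["count"], info["first"], info["last"], sorted(info["statuses"]))
```

The per-client first and last timestamps give you the window to compare against your firewall and IDS logs.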

What to Do When You Are Under Attack

So, your IDS (or other indicators) tells you that you're under attack. Your natural first response might be to call the cops, but there are actually some more productive things you should do first:

  1. Identify the nature of the attack. Is it a DDoS attack, or an attack targeted just at you? Is someone trying to shut down your network altogether, or attempting to infiltrate individual machines?

  2. Localize the source. Use your firewall and IDS logs to attempt to identify where the attack is coming from (or came from!). This will help you identify whether the attack/penetration is coming from a compromised host on your network or from the outside world.

  3. Block the attack. Once you know where the attack is coming from, you can take action to stop it (although a determined attacker may just shift to another attack method):

    • If you've identified specific machines that have been compromised, pull them from the network until you can disinfect them and return them to service.

    • If an attack or attempted attack is coming from outside, block access to your network from that IP address.

    • If you're the target of a DDoS attack, you'll have to work with your ISP to get relief.

  4. Protect the evidence. Keep backup copies of any logs you generate, and take detailed notes so that you have a good evidential record of what happened and when.

  5. Find other compromised machines ASAP. If you identify that machines on your network have been attacked by a virus, worm, or DDoS attack, make sure that your IDS has up-to-date signatures, then consider using appropriate tools (including antivirus scanners and security scanners like ISS' Internet Scanner) to root out any other machines that may have been affected. Microsoft is quick to release alerts for new attacks and relevant patches, so be sure to check the site as well.

  6. Don't recycle trouble. When you know that a machine has been compromised, the safest way to return it to service is to reinstall the operating system, and reload applications from a known good backup—one that is known (not just suspected) to predate the compromise. CERT maintains a list of steps for putting a compromised machine back together safely. Even though it might be tempting to patch the compromise and get the machine back on the network, it's risky to do so.
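
An added sketch (not from the original article) of the "Localize the source" step and of the egress-filter check mentioned earlier: it sorts denied firewall records into outside sources, inside hosts, and spoofed egress traffic keyed by MAC address. The log layout, the internal prefix 10.20.0.0/16, and all records are assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumptions for this sketch: the internal address space and the log layout
# (time, action, direction, ingress MAC, source, destination, destination port).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed firewall records, not taken from a real device.
SAMPLE_LOG = """\
09:14:01 DENY in  00:00:5e:00:53:01 203.0.113.9 10.20.1.5 1433
09:14:02 DENY in  00:00:5e:00:53:01 203.0.113.9 10.20.1.6 1433
09:14:02 DENY in  00:00:5e:00:53:01 203.0.113.9 10.20.1.7 1433
09:14:05 DENY out 00:00:5e:00:53:a2 198.51.100.77 192.0.2.80 80
09:14:05 DENY out 00:00:5e:00:53:a2 172.16.9.9 192.0.2.80 80
09:14:06 DENY out 00:00:5e:00:53:b7 10.20.4.12 192.0.2.25 25
09:14:07 ALLOW out 00:00:5e:00:53:b7 10.20.4.12 192.0.2.80 443
"""


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def localize(log_text):
    """Split denied traffic into outside sources, inside hosts, and spoofed egress."""
    outside, inside, spoofed_by_mac = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 7 or parts[1] != "DENY":
            continue  # skip allowed traffic and malformed records
        _time, _action, direction, mac, src, _dst, _port = parts
        if direction == "in":
            outside[src] += 1          # candidate for a block rule at the border
        elif is_internal(src):
            inside[src] += 1           # our own host sending traffic policy forbids
        else:
            # Egress filter hit: the source address is forged, so key on the
            # MAC seen on the inside interface to find the real sender.
            spoofed_by_mac[mac] += 1
    return {"outside": dict(outside), "inside": dict(inside),
            "spoofed_egress": dict(spoofed_by_mac)}


if __name__ == "__main__":
    for category, counts in localize(SAMPLE_LOG).items():
        print(category, counts)
```

The MAC address only identifies the sender when the firewall shares a layer-2 segment with it; behind an internal router it points at that router, whose own logs are the next place to look.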

Where to Learn More

Paul Robichaux is the principal of Robichaux & Associates, Inc., which provides programming, technical communications, and security services to customers ranging in size from local auto dealerships to Microsoft. He's glad to have his latest book (Managing Microsoft Exchange Server, published by O'Reilly & Associates) on the shelves so he can spend more time with his family.
