[unisog] CHE 3/15: The Growing Vulnerability of Campus Networks

Russell Fulton R.FULTON at auckland.ac.nz
Tue Mar 12 20:46:59 GMT 2002

On Wed, 2002-03-13 at 08:25, E. Larry Lidz wrote:
> o We find a large number of our compromises by investigating scans.
> Often we'll see a scan hit our network, and by looking at the network
> audit logs, we can see that the scanner also connected to a weird port
> on a machine or two. That port will often turn out to be a copy of ssh.
> Alternatively, we'll notice a connection going out from a scanned
> machine to an ftp or web site right after the scan -- the intruder
> downloading tools. Of course, this requires a comprehensive network
> audit trail.

I believe that used to be the case, and certainly I used exactly these
strategies in the past to find compromised hosts.  In my opinion two things
have changed:
1/ we are seeing so many scans that we can not afford to follow them all
   (or even more than a small fraction) up.
2/ Crackers have moved from an integrated scan, exploit and secure mode (all
   launched from a single IP) to a mode where the scans come from one IP, the
   exploits come from somewhere else (often, I suspect, days or weeks
   later), then the machines are accessed/secured from another address,
   again, often after a delay.

Crackers are also resorting to scanning large blocks, varying the more
significant octets fastest, so a /16 will see two or three packets an hour.

Now I almost never follow up scans with further investigation -- the
exception has been the sysadmind worm, where I realised that by counting
the number of connections the attacker made to each host you could tell
if it had been compromised or not.

> o While I don't have hard numbers to prove it, it certainly appears that
> we see more scans of our network when we are lax in reporting the scans
> to the source than we see when we report the scans within a day or two
> of the scan.

I can attest to the effect of reporting scanning activity.  As we all know,
nimda used a weighted scanning strategy, so you see much more activity from
you own /8.  At one stage last year I got fed up with the number of probes
I was seeing from 130/8 and decided to do something about it.  Every morning
I ran a job that dumped out all the addresses in 130/8 that were probing us
on port 80 and emailed the ARIN contact or abuse at site.{edu|ac.xx}. 
After two weeks there were no obvious nimda infections in 130/8. It may
just have been coincidence but *I* don't think so ;-)  

Now I admit that 130/8 is not typical of the internet as a whole but this 
does illustrate that individuals can make a difference.

When I get time (I often do this from my laptop in the evening from home)
I look over the day's scans and pick out those that probably represent
compromised hosts and have a fair chance that someone will care if I report
it.  This includes all academic institutions (nearly all now seem to have
abuse aliases, hurray!!) and government organisations.

The reporting process is fairly automated and, provided contact information is
straightforward, I can report a scan in well under a minute.  There is scope for
more automation, particularly in the extraction of contact info; I wish I
had the time to do it.

> I think long term, we're not going to be able to sustain the level
> of work each scan takes us, and we'll probably have to cut back on
> it.  However, for most scans, it currently takes us only two or three
> minutes per scan to investigate and send off a report to an appropriate
> contact. I think we can cut that down by 50% still by improving some of
> our database backends. 

Automation is certainly the key. AusCERT runs a 'probe' service for customers
whereby I can append some simple tagged data to a report and email it to
probe at auscert.org.au, and the probe reporter will try and figure out the
contact info and forward the report along with a blurb about the
vulnerabilities being probed.

I would love to see other IRTs do this.

> I suspect the next step for us will be to send our reports to someone
> like DShield who will forward it on to the appropriate contact rather
> than doing it ourselves. Of course, often having the direct dialog with
> the other end is useful.

Ah, yes, I must check out DShield ;-)  SecurityFocus's ARIS is also
worth a look, although reporting incidents is a little tedious -- you
step through about 4 screens.

All that said, I'll keep watching scans because (as the Honeynet crew
point out) scans are a good indication as to what types of attacks are
currently in fashion and, of course, scans from your own block almost
certainly mean that you have trouble at home.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
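The two follow-up checks Lidz describes at the top of this thread (a scanner later touching an odd port on a host it scanned, and a scanned host fetching something over ftp or http soon after the scan), written up as an added Python example over a constructed audit trail. It is not code from the thread or from either university; the internal prefix, addresses, ports, time window and scanner threshold are all assumed.

```python
# Added example: run Lidz's two post-scan heuristics over a network audit trail.
from collections import defaultdict

SCAN_PORT = 80          # port the scan probes (assumed)
SCAN_MIN_TARGETS = 5    # distinct internal targets before a source counts as a scanner
FOLLOWUP_WINDOW = 3600  # seconds after the scan in which a download is suspicious
WEIRD_PORT = 12345      # constructed "odd" port for the sample below

# Constructed audit records: (time, src, dst, dport). Internal net assumed 10.0.0.0/8.
AUDIT = [(100, "198.51.100.7", f"10.0.0.{i}", SCAN_PORT) for i in range(1, 9)] + [
    (150, "198.51.100.7", "10.0.0.4", WEIRD_PORT),   # scanner returns to an odd port
    (300, "10.0.0.4", "203.0.113.9", 21),            # scanned host fetches tools by ftp
    (400, "10.0.0.6", "203.0.113.10", 443),          # scanned host, not an ftp/http fetch
    (5000, "10.0.0.2", "203.0.113.9", 21),           # ftp, but long after the scan window
]

def is_internal(ip):
    return ip.startswith("10.")

def find_scanners(records, port=SCAN_PORT, min_targets=SCAN_MIN_TARGETS):
    """Map scanner source -> (time of first probe, set of internal hosts it probed)."""
    targets, first = defaultdict(set), {}
    for t, src, dst, dport in records:
        if dport == port and not is_internal(src) and is_internal(dst):
            targets[src].add(dst)
            first.setdefault(src, t)
    return {s: (first[s], hs) for s, hs in targets.items() if len(hs) >= min_targets}

def odd_port_contacts(records, scanners, port=SCAN_PORT):
    """Heuristic 1: the scanner also connected to a non-scan port on a host it scanned."""
    return [(src, dst, dport) for _, src, dst, dport in records
            if src in scanners and dst in scanners[src][1] and dport != port]

def post_scan_downloads(records, scanners, window=FOLLOWUP_WINDOW, ports=(21, 80)):
    """Heuristic 2: a scanned host opens an ftp/http connection out shortly after the scan."""
    hits = []
    for t, src, dst, dport in records:
        if is_internal(src) and not is_internal(dst) and dport in ports:
            for scanner, (t0, hosts) in scanners.items():
                if src in hosts and t0 <= t <= t0 + window:
                    hits.append((src, dst, dport, scanner))
    return hits

if __name__ == "__main__":
    found = find_scanners(AUDIT)
    print("odd-port contacts:", odd_port_contacts(AUDIT, found))
    print("post-scan downloads:", post_scan_downloads(AUDIT, found))
```

Both lists name the hosts worth a closer look first; on a real audit trail the thresholds and window would be tuned to the local scan rate.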
