Hackers turn to stealth mapping for cyberattacks
- By Stephen Northcutt
- Sep 28, 1998
Hackers are beginning to exploit unique conditions of the Internet's TCP/IP
communications protocol to map and analyze sites for future attack.
Two such stealthy mapping techniques were discovered this month by Scott Hoye, a
college intern working for the Defense Department's Shadow intrusion detection team.
The Shadow group recently released government-developed detection freeware [GCN, Aug. 3, Page 1].
Hoye reported that a probe known to security vendors, but not previously used by
hackers, had been hitting various Internet sites at a rapid rate. The probe masqueraded as
an identification response to a TCP connection request.
Hoye's discovery was the fourth stealthy probing method reported in the past six
months, said Matt Bishop, who heads the Database of Vulnerabilities, Exploits and
Signatures (DOVES) project at the University of California at Davis. The DOVES project
works to improve intrusion detection systems and software development.
A second hard-to-detect attack exploited TCP/IP resets designed for breaking off
Internet connections. But the connections were nonexistent; the resets instead were
meant to gather information about the target sites.
A third recent variant in the DOVES collection relied on sending Domain Name System
answers to questions that target sites had never asked. The fourth variant hid in
low-layer network protocols not usually examined by intrusion detection systems.
What is happening, Bishop said, is that hackers are probing computer resources for
future attack in ways that evade existing intrusion detection systems. More information
about DOVES is available by sending e-mail to [email protected].
The four new types of stealthy attacks complicate an already difficult security
situation, said Angelo Bencivenga, leader of the Army Research Laboratory's intrusion
Most hackers use easily available attack scripts, but the skilled ones know how to
cover their tracks better, Bencivenga said.
The new probing techniques, such as those Hoye found, reflect growing hacker
sophistication and may be a harbinger of what CIA Director George J. Tenet has termed
Such attacks are difficult to distinguish from the noise of normal communications
traffic. The extra effort required to probe and map a site before mounting a full-scale
attack implies a patient attacker who seeks financial or political gain rather than
Variants of the new probe types likely will be detectable only by analysis, not by
simple, signature-based intrusion detection systems.
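The following Python sketch is an added example written for this page, not code from the Shadow team or DOVES. It shows the kind of stateful analysis the article says is needed: it remembers what the protected network asked for and flags inbound "replies" that answer nothing, covering resets for connections that never existed, identification (ident, assumed here to mean TCP port 113) replies nobody requested, and DNS answers to questions never asked. Addresses, ports and packet records are constructed.

```python
# Added example for this page, not code from the Shadow project or DOVES: a
# minimal stateful detector that remembers what the protected network asked
# for and flags inbound "answers" with no matching request, which a per-packet
# signature match cannot see. Toy limits: no state expiry or sequence checks.
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport flags dns_id dns_qr",
                 defaults=("", None, None))
HOME = "10.0.0."  # constructed prefix of the protected network

def home_key(p):
    """Orient a TCP 4-tuple as (home_ip, home_port, remote_ip, remote_port)."""
    if p.src.startswith(HOME):
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)

def detect_unsolicited(packets):
    """Return (alert_type, remote_ip, home_ip) for every unsolicited reply."""
    known = set()    # TCP 4-tuples for which a SYN was seen from either side
    queries = set()  # outstanding DNS queries as (home_ip, transaction id)
    alerts = []
    for p in packets:
        if p.proto == "tcp":
            if "S" in p.flags and "A" not in p.flags:  # either side opening a connection
                known.add(home_key(p))
            elif p.dst.startswith(HOME) and home_key(p) not in known:
                if "R" in p.flags:          # reset for a connection that never existed
                    alerts.append(("unsolicited-rst", p.src, p.dst))
                elif p.sport == 113 and "A" in p.flags:  # ident reply nobody asked for
                    alerts.append(("unsolicited-ident-reply", p.src, p.dst))
        elif p.proto == "udp":
            if p.src.startswith(HOME) and p.dport == 53 and p.dns_qr == 0:
                queries.add((p.src, p.dns_id))
            elif p.dst.startswith(HOME) and p.sport == 53 and p.dns_qr == 1:
                if (p.dst, p.dns_id) in queries:
                    queries.discard((p.dst, p.dns_id))
                else:                       # answer to a question never asked
                    alerts.append(("unsolicited-dns-answer", p.src, p.dst))
    return alerts

SAMPLE = [  # constructed traffic: two legitimate exchanges, then three probes
    Pkt("tcp", "10.0.0.5", 40000, "203.0.113.9", 80, "S"),
    Pkt("tcp", "203.0.113.9", 80, "10.0.0.5", 40000, "SA"),
    Pkt("udp", "10.0.0.5", 53001, "203.0.113.53", 53, "", 0x1A2B, 0),
    Pkt("udp", "203.0.113.53", 53, "10.0.0.5", 53001, "", 0x1A2B, 1),
    Pkt("tcp", "198.51.100.7", 80, "10.0.0.9", 1234, "R"),
    Pkt("tcp", "198.51.100.7", 113, "10.0.0.9", 1235, "A"),
    Pkt("udp", "198.51.100.7", 53, "10.0.0.9", 53002, "", 0x0001, 1),
]
```

Running `detect_unsolicited(SAMPLE)` yields three alerts, one per probe, while the two legitimate exchanges produce none; a real sensor would also expire state and check sequence numbers.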
Some government and corporate executives have begun calling for the establishment of a
national analysis capability, said Alan Paller, research director at SANS Institute Inc.
of Bethesda, Md.