Hackers turn to stealth mapping for cyberattacks

Hackers are beginning to exploit unique conditions of the Internet’s TCP/IP
communications protocol to map and analyze sites for future attack.

Two such stealthy mapping techniques were discovered this month by Scott Hoye, a
college intern working for the Defense Department’s Shadow intrusion detection team.
The Shadow group recently released government-developed detection freeware [GCN, Aug. 3, Page 1].

Hoye reported that a probe known to security vendors, but not previously used by
hackers, had been hitting various Internet sites at a rapid rate. The probe masqueraded as
an identification response to a TCP connection request.

Hoye’s discovery was the fourth stealthy probing method reported in the past six
months, said Matt Bishop, who heads the Database of Vulnerabilities, Exploits and
Signatures (DOVES) project at the University of California at Davis. The DOVES project
works to improve intrusion detection systems and software development.

A second hard-to-detect attack exploited TCP/IP resets designed for breaking off
Internet connections. But the connections were nonexistent—the resets instead were
meant to gather information about the target sites.

A third recent variant in the DOVES collection relied on sending Domain Name System
answers to questions that target sites had never asked. The fourth variant hid in
low-layer network protocols not usually examined by intrusion detection systems.

What is happening, Bishop said, is that hackers are probing computer resources for
future attack in ways that evade existing intrusion detection systems. More information
about DOVES is available by sending e-mail to [email protected].

The four new types of stealthy attacks complicate an already difficult security
situation, said Angelo Bencivenga, leader of the Army Research Laboratory’s intrusion
detection team.

Most hackers use easily available attack scripts, but the skilled ones know how to
cover their tracks better, Bencivenga said.

The new probing techniques, such as those Hoye found, reflect growing hacker
sophistication and may be a harbinger of what CIA Director George J. Tenet has termed
structured attacks.

Such attacks are difficult to distinguish from the noise of normal communications
traffic. The extra effort required to probe and map a site before mounting a full-scale
attack implies a patient attacker who seeks financial or political gain rather than

Variants of the new probe types likely will be detectable only by analysis, not by
simple, signature-based intrusion detection systems.
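As an added illustration of the analysis-based detection the article says these probes call for (not code from the article, the Shadow team or the DOVES project), the following Python keeps a table of the TCP connections and DNS queries the protected site itself initiated and flags inbound resets, ident-style replies and DNS answers that match none of them. The packet records are constructed, and reading the "identification response" as an ident (TCP port 113) reply is an assumption.

```python
# Stateful detector for unsolicited inbound packets (added example; the
# packet records below are constructed, not captured from any real site).
from collections import namedtuple

# dir is "out" or "in" relative to the protected site; flags holds TCP flag
# letters (S, A, R) or "query"/"answer" for DNS over UDP.
Pkt = namedtuple("Pkt", "dir proto src sport dst dport flags")

def find_unsolicited(packets):
    """Return (index, reason) for inbound packets that answer nothing we sent."""
    tcp_open = set()   # (our_ip, our_port, peer_ip, peer_port) from outbound SYNs
    dns_open = set()   # (our_ip, our_port, server_ip) from outbound DNS queries
    alerts = []
    for i, p in enumerate(packets):
        if p.dir == "out":
            if p.proto == "tcp" and "S" in p.flags:
                tcp_open.add((p.src, p.sport, p.dst, p.dport))
            elif p.proto == "udp" and p.dport == 53:
                dns_open.add((p.src, p.sport, p.dst))
            continue
        # Inbound: does it belong to something this site initiated?
        if p.proto == "tcp":
            if (p.dst, p.dport, p.src, p.sport) in tcp_open:
                continue
            if "R" in p.flags:
                alerts.append((i, "RST for nonexistent connection"))
            elif p.sport == 113 and "A" in p.flags and "S" not in p.flags:
                alerts.append((i, "ident response without request"))
        elif p.proto == "udp" and p.sport == 53:
            if (p.dst, p.dport, p.src) not in dns_open:
                alerts.append((i, "DNS answer to a question never asked"))
    return alerts

# Constructed sample traffic: one legitimate web connection and one legitimate
# DNS lookup, interleaved with three probes of the kinds described above.
SAMPLE = [
    Pkt("out", "tcp", "10.0.0.5", 40001, "192.0.2.10", 80, "S"),
    Pkt("in",  "tcp", "192.0.2.10", 80, "10.0.0.5", 40001, "SA"),
    Pkt("in",  "tcp", "198.51.100.7", 113, "10.0.0.5", 40002, "A"),   # ident masquerade
    Pkt("in",  "tcp", "198.51.100.7", 1234, "10.0.0.5", 40003, "R"),  # bare reset
    Pkt("out", "udp", "10.0.0.5", 50000, "192.0.2.53", 53, "query"),
    Pkt("in",  "udp", "192.0.2.53", 53, "10.0.0.5", 50000, "answer"),
    Pkt("in",  "udp", "203.0.113.9", 53, "10.0.0.5", 50001, "answer"),  # unasked answer
]

if __name__ == "__main__":
    for idx, reason in find_unsolicited(SAMPLE):
        print(f"packet {idx}: {reason}")
```

A signature matcher sees each of the three flagged packets as a well-formed reply; only the connection table reveals that nothing was ever asked.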

Some government and corporate executives have begun calling for the establishment of a
national analysis capability, said Alan Paller, research director at Sans Institute Inc.
of Bethesda, Md.  