Hackers turn to stealth mapping for cyberattacks

Hackers are beginning to exploit unique conditions of the Internet’s TCP/IP
communications protocol to map and analyze sites for future attack.


Two such stealthy mapping techniques were discovered this month by Scott Hoye, a
college intern working for the Defense Department’s Shadow intrusion detection team.
The Shadow group recently released government-developed detection freeware [GCN, Aug. 3, Page 1].


Hoye reported that a probe known to security vendors, but not previously used by
hackers, had been hitting various Internet sites at a rapid rate. The probe masqueraded as
an identification response to a TCP connection request.


Hoye’s discovery was the fourth stealthy probing method reported in the past six
months, said Matt Bishop, who heads the Database of Vulnerabilities, Exploits and
Signatures (DOVES) project at the University of California at Davis. The DOVES project
works to improve intrusion detection systems and software development.


A second hard-to-detect attack exploited TCP/IP resets designed for breaking off
Internet connections. But the connections were nonexistent—the resets instead were
meant to gather information about the target sites.


A third recent variant in the DOVES collection relied on sending Domain Name System
answers to questions that target sites had never asked. The fourth variant hid in
low-layer network protocols not usually examined by intrusion detection systems.


What is happening, Bishop said, is that hackers are probing computer resources for
future attack in ways that evade existing intrusion detection systems. More information
about DOVES is available by sending e-mail to doves-info@cs.ucdavis.edu.


The four new types of stealthy attacks complicate an already difficult security
situation, said Angelo Bencivenga, leader of the Army Research Laboratory’s intrusion
detection team.


Most hackers use easily available attack scripts, but the skilled ones know how to
cover their tracks better, Bencivenga said.


The new probing techniques, such as those Hoye found, reflect growing hacker
sophistication and may be a harbinger of what CIA Director George J. Tenet has termed
structured attacks.


Such attacks are difficult to distinguish from the noise of normal communications
traffic. The extra effort required to probe and map a site before mounting a full-scale
attack implies a patient attacker who seeks financial or political gain rather than
recreation.


Variants of the new probe types likely will be detectable only by analysis, not by
simple, signature-based intrusion detection systems.
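As an added illustration (not code from the article, DOVES or the Shadow team), the stateful check that "analysis, not signatures" implies for the probes described above: a reply-shaped packet, whether a TCP reset, a SYN-ACK or a DNS answer, is flagged when no matching request ever left the monitored network. The packet records, the 10.0.0.x home range and all addresses are constructed.

```python
from collections import namedtuple

# Constructed packet records (not captured traffic): one record per packet.
Pkt = namedtuple("Pkt", "proto src sport dst dport kind")

HOME_PREFIX = "10.0.0."  # assumed monitored network


def is_home(ip):
    return ip.startswith(HOME_PREFIX)


def find_unsolicited(packets):
    """Flag reply-shaped packets with no matching request from the home net.

    A TCP RST, SYN-ACK or bare ACK from outside is expected only after a
    home host sent a SYN for the same 4-tuple; a DNS answer is expected only
    after a home host sent a query from the same port to that server.
    Matching a signature on the single packet cannot make this distinction."""
    tcp_open = set()   # (home_ip, home_port, remote_ip, remote_port)
    dns_open = set()   # (home_ip, home_port, server_ip)
    alerts = []
    for p in packets:
        if p.proto == "tcp":
            if is_home(p.src) and p.kind == "SYN":
                tcp_open.add((p.src, p.sport, p.dst, p.dport))
            elif not is_home(p.src) and p.kind in ("RST", "SYN-ACK", "ACK"):
                if (p.dst, p.dport, p.src, p.sport) not in tcp_open:
                    alerts.append(("unsolicited-tcp-" + p.kind.lower(), p.src, p.dst))
        elif p.proto == "udp" and 53 in (p.sport, p.dport):
            if is_home(p.src) and p.kind == "DNS-QUERY":
                dns_open.add((p.src, p.sport, p.dst))
            elif not is_home(p.src) and p.kind == "DNS-ANSWER":
                if (p.dst, p.dport, p.src) not in dns_open:
                    alerts.append(("unsolicited-dns-answer", p.src, p.dst))
    return alerts


SAMPLE = [
    # normal handshake: request leaves, SYN-ACK returns for the same 4-tuple
    Pkt("tcp", "10.0.0.5", 40000, "198.51.100.7", 80, "SYN"),
    Pkt("tcp", "198.51.100.7", 80, "10.0.0.5", 40000, "SYN-ACK"),
    # reset for a connection that never existed (the reconnaissance probe)
    Pkt("tcp", "203.0.113.9", 80, "10.0.0.5", 40001, "RST"),
    # normal DNS lookup and its answer
    Pkt("udp", "10.0.0.5", 53000, "192.0.2.53", 53, "DNS-QUERY"),
    Pkt("udp", "192.0.2.53", 53, "10.0.0.5", 53000, "DNS-ANSWER"),
    # answer to a question no home host asked
    Pkt("udp", "203.0.113.9", 53, "10.0.0.7", 5353, "DNS-ANSWER"),
]

if __name__ == "__main__":
    for kind, src, dst in find_unsolicited(SAMPLE):
        print(f"{kind}: {src} -> {dst}")
```

In a real sensor the open-request tables need expiry and the comparison runs over bidirectional flow state, but the principle is the same: the alert comes from missing context, not from any byte pattern in the probe.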


Some government and corporate executives have begun calling for the establishment of a
national analysis capability, said Alan Paller, research director at Sans Institute Inc.
of Bethesda, Md.
