Hackers turn to stealth mapping for cyberattacks

Hackers are beginning to exploit quirks of the Internet’s TCP/IP protocol suite to
map and analyze sites for future attack.

Two such stealthy mapping techniques were discovered this month by Scott Hoye, a
college intern working for the Defense Department’s Shadow intrusion detection team.
The Shadow group recently released government-developed detection freeware [GCN, Aug. 3, Page 1].

Hoye reported that a probe known to security vendors, but not previously used by
hackers, had been hitting various Internet sites at a rapid rate. The probe masqueraded as
an identification response to a TCP connection request.

Hoye’s discovery was the fourth stealthy probing method reported in the past six
months, said Matt Bishop, who heads the Database of Vulnerabilities, Exploits and
Signatures (DOVES) project at the University of California at Davis. The DOVES project
works to improve intrusion detection systems and software development.

A second hard-to-detect attack exploited TCP reset (RST) segments, which are designed
to tear down Internet connections. But the connections being reset were nonexistent;
the resets instead were meant to gather information about the target sites.

A third recent variant in the DOVES collection relied on sending Domain Name System
answers to queries that target sites had never issued. The fourth variant hid in
low-layer network protocols not usually examined by intrusion detection systems.

What is happening, Bishop said, is that hackers are probing computer resources for
future attack in ways that evade existing intrusion detection systems. More information
about DOVES is available by sending e-mail to [email protected].

The four new types of stealthy attacks complicate an already difficult security
situation, said Angelo Bencivenga, leader of the Army Research Laboratory’s intrusion
detection team.

Most hackers use easily available attack scripts, but the skilled ones know how to
cover their tracks better, Bencivenga said.

The new probing techniques, such as those Hoye found, reflect growing hacker
sophistication and may be a harbinger of what CIA Director George J. Tenet has termed
structured attacks.

Such attacks are difficult to distinguish from the noise of normal communications
traffic. The extra effort required to probe and map a site before mounting a full-scale
attack implies a patient attacker who seeks financial or political gain rather than

Variants of the new probe types likely will be detectable only by analysis, not by
simple, signature-based intrusion detection systems.
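What the three TCP/IP probes above have in common is that each packet, taken alone, is a perfectly ordinary reply: a SYN/ACK, a RST, a DNS answer. A signature matcher that looks at one packet at a time has nothing to match on. Only by keeping connection state and asking "did anyone on our side ever send the request this is answering?" does the probe stand out. The following Python is an added example written for this article, not code from the Shadow team or the DOVES project. It reads a constructed, simplified packet summary (one packet per line: timestamp, protocol, source, destination, flag or DNS message type), tracks outbound SYNs and DNS queries, and flags reply packets that answer nothing, then groups the alerts by external source so a sweep across several internal hosts is visible. The "identification response" probe is interpreted here as an unsolicited SYN/ACK; that reading, the log format and the internal address range 198.51.100.0/24 are assumptions for the example.

```python
"""Stateful detection of unsolicited 'reply' packets (stealth mapping probes).

Added example for this article, not the Shadow or DOVES code. The log format
below is constructed for the demo: "ts proto src:sport > dst:dport kind", where
kind is SYN / SYN-ACK / ACK / RST / FIN for TCP and QUERY / ANSWER for DNS.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("198.51.100.0/24")  # assumed address range of the monitored site

# Constructed sample: one legitimate TCP handshake, one legitimate DNS
# lookup, then three probes from 203.0.113.7 that each "reply" to nothing.
SAMPLE_LOG = """\
1.000 tcp 198.51.100.5:40000 > 192.0.2.10:80 SYN
1.010 tcp 192.0.2.10:80 > 198.51.100.5:40000 SYN-ACK
1.020 tcp 198.51.100.5:40000 > 192.0.2.10:80 ACK
2.000 udp 198.51.100.5:2000 > 198.51.100.1:53 QUERY
2.050 udp 198.51.100.1:53 > 198.51.100.5:2000 ANSWER
5.000 tcp 203.0.113.7:1234 > 198.51.100.8:25 RST
6.000 tcp 203.0.113.7:80 > 198.51.100.9:3333 SYN-ACK
7.000 udp 203.0.113.7:53 > 198.51.100.10:2020 ANSWER
"""


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    kind: str


def parse_line(line: str) -> Packet:
    """Parse one line of the constructed summary format."""
    ts, proto, src, _arrow, dst, kind = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return Packet(float(ts), proto, sip, int(sport), dip, int(dport), kind)


def find_unsolicited(lines):
    """Return (ts, reason, src, dst) for every reply that answers no request.

    State kept: TCP 4-tuples for which a SYN was seen (client first), and
    DNS (client, port, server) triples with a query still outstanding.
    """
    open_tcp = set()      # (client, cport, server, sport) after a SYN
    pending_dns = set()   # (client, cport, server) awaiting an answer
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        p = parse_line(line)
        if p.proto == "tcp":
            fwd = (p.src, p.sport, p.dst, p.dport)   # packet in client->server direction
            rev = (p.dst, p.dport, p.src, p.sport)   # packet in server->client direction
            if p.kind == "SYN":
                open_tcp.add(fwd)
            elif p.kind == "SYN-ACK" and rev not in open_tcp:
                # A connection "accepted" that nobody on our side requested.
                alerts.append((p.ts, "unsolicited SYN-ACK", p.src, p.dst))
            elif p.kind == "RST" and fwd not in open_tcp and rev not in open_tcp:
                # A reset for a connection that never existed.
                alerts.append((p.ts, "unsolicited RST", p.src, p.dst))
        elif p.proto == "udp":
            if p.kind == "QUERY" and p.dport == 53:
                pending_dns.add((p.src, p.sport, p.dst))
            elif p.kind == "ANSWER" and p.sport == 53:
                key = (p.dst, p.dport, p.src)
                if key in pending_dns:
                    pending_dns.discard(key)
                else:
                    alerts.append((p.ts, "unsolicited DNS answer", p.src, p.dst))
    return alerts


def summarize_by_source(alerts):
    """Map each external probing source to the set of internal hosts it touched."""
    touched = defaultdict(set)
    for _ts, _reason, src, dst in alerts:
        if ip_address(src) not in INTERNAL and ip_address(dst) in INTERNAL:
            touched[src].add(dst)
    return dict(touched)


if __name__ == "__main__":
    found = find_unsolicited(SAMPLE_LOG.splitlines())
    for ts, reason, src, dst in found:
        print(f"{ts:8.3f}  {reason:24s} {src} -> {dst}")
    for src, hosts in summarize_by_source(found).items():
        print(f"{src} mapped {len(hosts)} internal hosts: {sorted(hosts)}")
```

Two caveats a practitioner would add before deploying logic like this. First, the sensor must see both directions of traffic; with asymmetric routing, or a tap placed where only inbound packets are visible, every legitimate reply looks unsolicited. Second, the state tables need an expiry so that a late RST or a retransmitted DNS answer arriving after the entry has aged out is not reported as a probe. Neither problem changes the underlying point of the article: the probe packets are individually well-formed, so the detection has to come from analysis of state and rate across packets rather than from a per-packet signature.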

Some government and corporate executives have begun calling for the establishment of a
national analysis capability, said Alan Paller, research director at Sans Institute Inc.
of Bethesda, Md.  