Navy: Hackers' coordinated efforts are difficult to detect

A Navy intrusion detection team has uncovered a new kind of stealthy hack that flies
under the radar of current network intrusion detection systems.

Hackers apparently have begun a cooperative effort, splitting up their probes among as
many as 15 IP addresses in different countries.

“We started seeing more than one IP address involved in an attack,” said
Stephen Northcutt, head of intrusion detection at the Naval Surface Warfare Center in
Dahlgren, Va. “This was a change.”

Splitting up the job among so many attackers means that packets from any one address
escape notice below the activity thresholds of intrusion detection software. “The
attacks are targeted under the threshold,” said Tim Aldrich, principal analyst at

A number of Defense Department and other government sites saw such attacks last month,
Northcutt said. The sites use the Shadow intrusion detection freeware developed by a
consortium of public and private organizations, including the Navy’s intrusion
detection team.

“We’ve been pretty sure about what we’ve seen,” Northcutt said.

Although the hackers use ordinary techniques, their coordinated effort conveys several

So far, the stealth attacks have been against unclassified networks and have created no
big problems. But Shadow analysts were startled by the hackers’ cooperation.

“Some of these coordinated probes and scans may be practice runs for future
larger-scale attacks,” said an analysis by Northcutt and Aldrich.

Because the coordinated attacks generate as few as five packets per hour from a given
address, buried among millions of packets of ordinary traffic, it was largely luck that
they happened to be spotted.

“You stare at information long enough, and you start to see patterns,”
Aldrich said. “In this case, it was boredom” that led to the pattern

“The sky is not falling,” Northcutt said, despite the hackers’ progress.
Well-defended sites can resist attacks if they have properly configured firewalls, their
domain name servers are split and they have external routers that reveal nothing about the
internal network.

But the risk has increased for inadequately defended networks, Northcutt said.

The Shadow group is updating its intrusion detection freeware to recognize the new
attack profile. It is downloadable from the Web site at

About the Author

William Jackson is a Maryland-based freelance writer.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.