How to shore up Web defenses while you're under attack
Shawn P. McCarthy
The politically inspired Web defacement known as hacktivism made news following the April 1 landing of a Navy surveillance plane on Chinese territory.
There were threats against U.S. government sites from Chinese sources, as well as service denial attacks aimed at White House and CIA Web servers. The Navy, National Institutes of Health and Labor Department suffered site defacements.
It's not a pleasant time to be a site administrator. But if you manage a high-profile federal server, there are several things you can do to take the pressure off, even if hackers have you in their crosshairs.
Like many hacking activities, defacement has been automated. For example, a worm program called sadmind/IIS can be set to alter the front page of a Web site automatically. The worm targets the SunSoft Solaris operating system. It can make most Solaris platforms carry out auto-attacks against other machines running Microsoft Internet Information Server within a certain range of domain names or IP addresses. It enters through a known IIS security hole if a patch available from Microsoft Corp. has not been installed.
Once in, the worm posts a message to the site's front page. In recent attacks, this was an anti-U.S. government message.
Details about the worm and how to avoid it with existing server patches appear at www.cert.org/advisories/CA-2001-11.html.
A 5-month-old worm known as Lion is also attacking Linux platforms that use the Berkeley Internet Name Domain implementation of the Domain Name System [GCN, March 5, Page 22].
Like sadmind/IIS, Lion automatically defaces Web pages, but ones that are hosted on the same server. Information about how to defeat Lion can be found at www.sans.org/y2k/lion.htm.
The Assessment section of the Packet Storm library site is a great place to watch for newly discovered vulnerabilities that hackers use to gain control of pages or entire servers. Visit packetstorm.securify.com/assess.html.
If you need to come up to speed quickly on security topics, the Security KickStart program of the SANS Institute of Bethesda, Md., might be for you. It's offered at many security conferences and also via an online tutorial. Learn more at www.sans.org/giactc/kickstart_info.htm.
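Both worms above do their damage by rewriting pages the server already serves, so the defender's counterpart to patching is noticing such a rewrite quickly. What follows is an added example, not code from the article, CERT or SANS: it hashes every file under a web root against a baseline taken while the site was known-good and reports which files were modified, added or removed. The web root layout, file names and defacement text are constructed for the demonstration, and the helper names are the example's own.

```python
"""File-integrity check for a web root: compare SHA-256 hashes of the served
files against a baseline taken when the site was known-good.
Added example; it is not code from the article or from any project it names."""
import hashlib
import json
import os
import tempfile


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of a file's contents."""
    return hashlib.sha256(data).hexdigest()


def snapshot_tree(root: str) -> dict:
    """Map every file under root (path relative to root) to its content hash."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                snap[os.path.relpath(full, root)] = hash_bytes(fh.read())
    return snap


def compare(baseline: dict, current: dict) -> dict:
    """Classify paths as modified, added or removed relative to the baseline.
    A rewritten front page shows up under 'modified'; a file the intruder
    dropped shows up under 'added'."""
    return {
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def save_baseline(snap: dict, path: str) -> None:
    """Persist the baseline as JSON (keep this copy off the web server)."""
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


def demo() -> dict:
    """Constructed walk-through: baseline a tiny web root, then alter it the
    way a defacement would (front page rewritten, a file dropped, one removed)."""
    with tempfile.TemporaryDirectory() as root, \
            tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "img"))
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html><body>Welcome</body></html>")
        with open(os.path.join(root, "img", "logo.txt"), "w") as fh:
            fh.write("logo placeholder")
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot_tree(root), baseline_path)

        # Simulated defacement (constructed text, not a real message).
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<html><body>constructed defacement text</body></html>")
        with open(os.path.join(root, "x.html"), "w") as fh:
            fh.write("dropped file")
        os.remove(os.path.join(root, "img", "logo.txt"))

        return compare(load_baseline(baseline_path), snapshot_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Store the baseline and the checking script somewhere the web server process cannot write (another host or read-only media): a worm that can rewrite the front page can just as easily rewrite a baseline kept beside it. Run the comparison on a schedule, alert on any non-empty result, and re-baseline deliberately after each legitimate content change so that an unexpected diff always means something.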
A distributed denial-of-service attack is one of the crudest a hacker can make. Yet, aggressively executed, it can leave a server unreachable for hours or days.
Hackers generally execute such an attack by breaking into multiple servers around the world to install a small program on each. Then they remotely send commands to the compromised servers to start transmitting packets to a target server. When enough packets simultaneously bombard the same address, it goes down under the flood of data.
If you find yourself under attack, capture any suspicious packets and analyze them. Many routers can be set to block certain packets, so you could work with others on your network or your Internet provider's network to screen out such an attack.
Service denial attacks sometimes use fragmented UDP packets to keep stealthy, so inspect your firewall logs for fragments, usually directed to Port 80. Such inbound packets may indicate a service denial effort under way.
If you see such packets outbound from your network, it could mean that your server has been compromised and is being used to attack others.
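The inspection described in the last three paragraphs can be scripted. Here is an added example, not the article's own code: a small parser for firewall log lines in the style of the Linux Netfilter LOG target that counts fragmented UDP packets aimed at port 80 by direction and source address. Inbound counts above a threshold are reported as a possible service denial effort; any outbound fragments are reported as a sign that a local host may have been compromised. The log lines, addresses, interface names and threshold are constructed; the field names follow Netfilter's format, but the lines are not real captures.

```python
"""Find fragmented UDP traffic to port 80 in firewall logs.
Added example; constructed log lines modelled on the Linux Netfilter LOG
target format, not real captures and not code from the article."""
import re
from collections import Counter

# Netfilter prints "MF" when the more-fragments flag is set and "FRAG:n" for
# a non-zero fragment offset. Only the first fragment carries the UDP header,
# so later fragments of the same datagram show no SPT/DPT; they are tied to
# the flow by the shared (SRC, DST, ID) triple instead.
SAMPLE_LOG = """\
Apr 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=4711 MF PROTO=UDP SPT=40000 DPT=80 LEN=4008
Apr 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=52 ID=4711 MF FRAG:185 PROTO=UDP
Apr 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.10 LEN=1068 TOS=0x00 PREC=0x00 TTL=52 ID=4711 FRAG:370 PROTO=UDP
Apr 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=60 ID=22 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Apr 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.10 LEN=1500 TOS=0x00 PREC=0x00 TTL=49 ID=9 MF PROTO=UDP SPT=40001 DPT=53 LEN=2008
Apr 10 12:00:04 fw kernel: IN= OUT=eth0 SRC=198.51.100.20 DST=192.0.2.30 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=77 MF PROTO=UDP SPT=1234 DPT=80 LEN=3008
Apr 10 12:00:04 fw kernel: IN= OUT=eth0 SRC=198.51.100.20 DST=192.0.2.30 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=77 FRAG:185 PROTO=UDP
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
FRAG_RE = re.compile(r"\bFRAG:(\d+)")


def parse_line(line: str):
    """Return the key=value fields of one LOG-target line, plus fragment flags
    and a direction, or None for lines that are not packet logs."""
    if " kernel: " not in line or "PROTO=" not in line:
        return None
    rec = {}
    for key, val in KV_RE.findall(line):
        rec.setdefault(key, val)          # keep the IP-level LEN, not the UDP one
    rec["MF"] = " MF " in line
    m = FRAG_RE.search(line)
    rec["FRAG"] = int(m.group(1)) if m else 0
    # An empty IN= with OUT=eth0 means the packet left through the firewall.
    rec["direction"] = "inbound" if rec.get("IN") else "outbound"
    return rec


def is_fragment(rec: dict) -> bool:
    return rec["MF"] or rec["FRAG"] > 0


def count_fragmented_udp(log_text: str, port: str = "80") -> dict:
    """Count fragmented UDP packets aimed at `port`, per direction, keyed by
    source address. Trailing fragments without a UDP header are attributed
    to the port only if their first fragment was seen."""
    counts = {"inbound": Counter(), "outbound": Counter()}
    flows = set()                          # (SRC, DST, ID) of first fragments to the port
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("PROTO") != "UDP" or not is_fragment(rec):
            continue
        key = (rec["SRC"], rec["DST"], rec["ID"])
        if rec.get("DPT") == port:
            flows.add(key)
        elif "DPT" in rec or key not in flows:
            continue                       # other port, or a fragment we cannot tie to the port
        counts[rec["direction"]][rec["SRC"]] += 1
    return counts


def assess(counts: dict, threshold: int = 100) -> list:
    """Turn counts into findings: inbound volume over the threshold suggests a
    service denial effort; any outbound fragments suggest a compromised host."""
    findings = []
    for src, n in counts["inbound"].most_common():
        if n >= threshold:
            findings.append(f"possible DoS: {n} fragmented UDP packets to port 80 from {src}")
    for src, n in counts["outbound"].most_common():
        findings.append(f"possible compromise: {src} sent {n} fragmented UDP packets outbound")
    return findings


if __name__ == "__main__":
    for finding in assess(count_fragmented_udp(SAMPLE_LOG), threshold=3):
        print(finding)
```

On a real firewall the threshold is a matter of baseline traffic rather than the small number used here, and the per-source counts are what you hand to your network team or provider when asking them to filter upstream, since the article's advice to block at the router depends on being able to name the offending sources.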
The FBI's National Infrastructure Protection Center site, at www.nipc.gov, is a good place to learn more about service denial attacks and efforts to combat them. Read an overview and tool discussion at www.nipc.gov/ddos.pdf.
The Carko DDoS agent is one of the newest attack tools. Learn more about Carko at www.incidents.org/news/carko.php.
Shawn P. McCarthy designs products for a Web search engine provider. E-mail him at [email protected].