Thwarting Stealthy Attacks with Anti-Reconnaissance
By Don Davidson

Malicious attacks on proprietary networks have become a major threat to business and government operations. Although immediate access to global networks makes it easier to conduct business, it also makes sensitive information more vulnerable to sophisticated cyber thieves. Rather than just amateurs prowling the networks looking for a thrill, today’s hackers are skillful and stealthy, able to identify and exploit the slightest network vulnerability to break and enter, steal your data, and leave without a trace.

By using easily accessible tools such as Nmap, SuperScan, or IPSonar, attackers begin their operations by scanning your network for potential points of entry. Once they find their way in, these stealthy intruders steal massive quantities of data, and leave under the radar of most available security tools. As a result, large-scale data theft has increased significantly during the last few years. What is perhaps most alarming is that it may take weeks or months for the crime to be discovered and exposed.

A prime example of this issue happened several years ago, before the problem was widely known. The case involved an unemployed British programmer who successfully hacked into the American military networks. The thief used his professional knowledge and skill to access 97 U.S. government computers between February 2001 and March 2002, resulting in $700,000 in damages. The potential for irreparable damage remains largely unaddressed.

Why does this security gap persist?

Until now, the industry has had limited success in developing solutions that stop these stealthy attacks. Firewalls and other barriers do not provide the foolproof protection that guardians of sensitive information ought to have. Wherever there are “weak links” in the network, sophisticated hackers can find a way in the door. There are just too many locks to jiggle in most cases.

Some may argue that since network vulnerabilities are published and patches are made available, the danger is minimal. The truth is, it has become increasingly difficult to keep pace with new threats. One hindrance is the reluctance of network administrators to be the first to attempt a new patch; after all, the cost of potentially crashing the network would be too high for many operations to risk it. Another obstacle is the time it takes to actually install the patch. Time-sensitive businesses, such as brokerage firms on Wall Street or the plethora of small and large e-commerce sites out there, simply can’t afford the downtime. Finally, there’s the fact that cyber thieves are quicker than ever in identifying network vulnerabilities and exploiting them in record time -- before the problem is widely communicated.

Why is anti-reconnaissance effective?

Cyber criminals lay the groundwork for any attack by scanning networks to identify valid IP addresses, domain name system (DNS) names, operating systems, applications, and open IP ports. Evidence of this practice can be found in any typical firewall log. These reconnaissance attempts may come in the form of hard-to-detect, “slow and low” single-packet probes, complex bounce or idle scans, or self-propagating worms looking for the next victim. Each of these probes looks for a reply from the intended target, which provides the attacker with critical information about the target server and the services it is presently running.

As you can see, the logical step is to prevent reconnaissance attempts from providing any useful information to the attacker. The best way to do this is to thwart all scanning attempts with both active and passive (or “always on”) anti-reconnaissance. That’s the reason why Port80 Software developed the first Web anti-reconnaissance software solution on the market, ServerMask for IIS, which brought server anonymization to the Microsoft Internet Information Services (IIS) Web server and provided masking for the HTTP layer. Arxceo Corporation then developed the unique combination of ServerMask ip100 or IP1000 network-based security devices running the groundbreaking Tag-UR-IT analysis engine for network anti-reconnaissance at the TCP/IP layer (learn more about the Arxceo and Port80 Software partnership). The state-of-the-art ServerMask Security Appliances offer a network-based solution that protects Layers 2 through 6 by acting as a “header proxy” or “protocol proxy,” providing false information in response to network penetration attempts. By confusing the attacker and blacklisting IP addresses that send suspicious traffic, the ServerMask Security Appliances prevent malicious traffic from ever reaching its intended target.

How do ServerMask Security Appliances work?

The ServerMask Security Appliances mislead would-be attackers so that no meaningful information is gleaned from even the most cleverly designed scans. By altering the fingerprint of reply data, modifying it in ways a scanner cannot recognize, you can wear down intruders so that targeting your network becomes far more trouble than it’s worth.

As mentioned earlier, there are two basic types of reconnaissance: active and passive. The examples below will address each of these network attack vectors.

Active Reconnaissance

Nmap, which is the de facto standard active reconnaissance tool, was used in the scanning examples below.

UDP Protocol-Based Scans

Imagine that an intruder performed the following UDP Protocol-based scan with Nmap to check for open ports. With no ServerMask Security Appliance on your network, a 2.8-second scan correctly revealed that 12 UDP ports are open. The intruder has now completed the first step toward an attack!


Figure 1: Nmap UDP scan results with no ServerMask Security Appliance present


Now, let’s look at a similar scan run on a network protected by a ServerMask Security Appliance running Tag-UR-IT (see Figure 2 below). As you can see, a scan that now takes 34.5 seconds erroneously identifies 1482 open ports. Although the attacker thinks a target has been identified, this is actually the result of anti-reconnaissance, which automatically dropped the responses that would reveal a closed port. Subsequent scans with the same parameters will provide equally meaningless results from which no real information can be gleaned. Repeated attempts will frustrate the intruder, who will eventually move on to an easier target.


Figure 2: Nmap UDP scan results with ServerMask Security Appliance present
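The effect shown in Figures 1 and 2 follows from how a UDP scanner infers port state: a UDP reply means open, an ICMP port-unreachable means closed, and silence is ambiguous. The model below, added here for illustration (it is not Port80 or Arxceo code, and the port numbers and the `masked_reply` behaviour are constructed from the article's description), shows how dropping only the ICMP "closed" replies makes a 1000-port range look almost entirely open.

```python
from enum import Enum


class Reply(Enum):
    UDP_PAYLOAD = "udp reply"     # a service answered: port is open
    ICMP_UNREACH = "icmp 3/3"     # ICMP port unreachable: port is closed
    NONE = "no reply"             # silence: Nmap reports open|filtered


def classify_udp(reply):
    """Nmap-style UDP inference from the reply (or the absence of one)."""
    if reply is Reply.UDP_PAYLOAD:
        return "open"
    if reply is Reply.ICMP_UNREACH:
        return "closed"
    return "open|filtered"


def host_reply(port, listening):
    """Unprotected host: listening ports answer the probe, every other
    port triggers an ICMP port unreachable from the kernel."""
    return Reply.UDP_PAYLOAD if port in listening else Reply.ICMP_UNREACH


def masked_reply(port, listening):
    """Host behind the appliance as the article describes it: the ICMP
    replies that would reveal a closed port are dropped, so closed and
    filtered ports become indistinguishable to the scanner."""
    raw = host_reply(port, listening)
    return Reply.NONE if raw is Reply.ICMP_UNREACH else raw


def scan(ports, listening, responder):
    """Return {port: state} as a scanner would infer it."""
    return {p: classify_udp(responder(p, listening)) for p in ports}


def count_not_closed(results):
    """Ports a scanner would list as possibly open (open or open|filtered)."""
    return sum(1 for state in results.values() if state != "closed")


# Constructed sample: three real UDP services on a 1000-port range.
LISTENING = {53, 123, 161}
PORTS = range(1, 1001)

if __name__ == "__main__":
    print("unprotected:", count_not_closed(scan(PORTS, LISTENING, host_reply)))
    print("masked:     ", count_not_closed(scan(PORTS, LISTENING, masked_reply)))
```

Nmap labels the silent ports open|filtered rather than open, so this masking hides which ports are closed but does not by itself change the reply of a service that actually answers a probe.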


TCP Protocol-Based Scans

Here’s an example comparing two TCP Protocol-based scans performed with Nmap. In Figure 3, no ServerMask Security Appliance is present. Therefore, a 519-second scan correctly reveals 15 open ports, which are now prime targets.


Figure 3: Nmap TCP scan results with no ServerMask Security Appliance present


Compare those results to a similar scan performed on a ServerMask appliance-protected network. This scan, which is partially pictured in Figure 4, took considerable time and erroneously identified far more than 15 open ports. As with the UDP scan results, repeated TCP Protocol-based scans on the same network would frustrate the would-be attacker with equally useless information.


Figure 4: Nmap TCP scan results with ServerMask Security Appliance present


The ServerMask Security Appliances guard the network against even the stealthiest reconnaissance techniques, such as "slow and low" scans. In this type of scan, the intruder attempts long-term reconnaissance over several days, weeks, or months, which would likely remain undetected by most intrusion detection systems. This method allows the attacker to probe for a single open port or service, usually from a spoofed IP address, which obscures the attacker’s real address. The goal is to elicit a response that determines whether the target port is open or closed. Naturally, correlating the pattern of single-port probes within vast logs is difficult. However, the ServerMask Security Appliances intercept incoming SYN and SYN+ACK traffic before it enters the network and typically respond with a “found service” reply whether or not there is a valid service at the intended destination. This potentially provides a “false positive” to the attacker. When the final part of the 3-way handshake is reached, the ServerMask Security Appliances discover that the intended destination is invalid and move that attacker’s IP address to a stealth response list, generating false “nothing here” replies (after timing out appropriately) when traffic is directed to a valid destination, while continuing to provide false positives to all other probes or scans.
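The SYN-answering behaviour just described, written as a small per-source state machine added here for illustration. This is not the appliance's code: the class and method names, the use of RST as the "nothing here" reply, and the sample addresses are assumptions, and the article's timeout before that reply is not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class HeaderProxy:
    """Model of the 'header proxy' the article describes (hypothetical)."""
    real_services: set                            # (ip, port) pairs that truly exist
    stealth: set = field(default_factory=set)     # sources on the stealth response list
    half_open: set = field(default_factory=set)   # (src, dst, port) awaiting final ACK

    def handle(self, src, dst, port, flags):
        """Return the proxy's reply to one inbound segment from src."""
        key = (src, dst, port)
        if flags == "SYN":
            if src in self.stealth and (dst, port) in self.real_services:
                # Listed source probing a real service: answer as if nothing
                # were there (the article delays this reply; not modelled).
                return "RST"
            self.half_open.add(key)
            return "SYN+ACK"          # "found service", whether real or not
        if flags == "ACK" and key in self.half_open:
            self.half_open.discard(key)
            if (dst, port) not in self.real_services:
                # Only a scanner completes a handshake to a port with no
                # service behind it: move the source to the stealth list.
                self.stealth.add(src)
                return "RST"
            return "FORWARD"          # genuine client reaching a real service
        return "DROP"                 # anything else is silently discarded


def simulate_connect_scan(proxy, src, dst, ports):
    """Replay a full-connect probe sequence (SYN, then ACK) from src and
    return the ports the prober would believe are open."""
    believed_open = []
    for port in ports:
        if proxy.handle(src, dst, port, "SYN") == "SYN+ACK":
            believed_open.append(port)
            proxy.handle(src, dst, port, "ACK")
    return believed_open


if __name__ == "__main__":
    # Constructed sample: one real web server, one prober, one real client.
    proxy = HeaderProxy(real_services={("10.0.0.5", 80)})
    seen = simulate_connect_scan(proxy, "203.0.113.9", "10.0.0.5", range(1, 101))
    print(len(seen), "ports reported open; port 80 listed:", 80 in seen)
```

Probe order matters in this model: once the first fake port has been completed, the prober is listed and the real service on port 80 disappears from its results while every other port still answers.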

Passive Reconnaissance

Passive reconnaissance is a highly sophisticated technique that raises no red flags on the network. This type of scan allows the intruder to “sniff” from the source machine, while performing seemingly innocuous tasks, such as Web surfing or a “ping,” on the intended target machine. The attacker’s “sniffer” receives the responses from the target and analyzes them for inadvertent data leakage. Security expert Greg Hoglund has written extensively about protocol leakage within hardware NICs and within various protocols -- especially ICMP with very small payloads.

The technique in the following example massages several of the packet fields and performs random padding on short packet trailers, making passive reconnaissance a waste of the intruder’s time. The scanning tool used here is p0f, developed by Michal Zalewski.

Figure 5 shows the results of a p0f scan run without a ServerMask Security Appliance on the network. As shown below, the scanner detects that the target is running a version of FreeBSD between 4.6 and 4.8.


Figure 5: Passive (p0f) scan results with no ServerMask Security Appliance present


On the other hand, Figure 6 shows what happens when p0f is used to probe a network that is protected by a ServerMask Security Appliance, which is “always on,” whether or not a probe is detected. In this example, p0f identified the remote architecture as Windows 98 (OK, it's older, but you get the concept). However, that result was arbitrary, a product of the obfuscated IP fields. Therefore, no real information is ever revealed to the attacker, who will eventually move on to a different target.


Figure 6: Passive (p0f) scan results with ServerMask Security Appliance present


How well do the ServerMask Security Appliances perform in independent tests?

In SC Magazine’s Intrusion Prevention System “Bake Off” Review, the panel agreed that the ServerMask ip100 (the product is also sold under the Ally ip100 or IP1000 brand) was the outstanding product in its class and was rated the Best Buy for small sites, systems, and companies. “The [appliance] performed way above our expectations,” the SC Magazine panel reported. “We were not able to penetrate either the test network or the device itself. After each test, we would remove our IPs from the blacklist, only to find ourselves blacklisted again on the next attempt.”

Are there solutions for protecting Layer 7 and HTTP (on Microsoft IIS and Apache Web servers)?

For complete anti-reconnaissance across all Web-based applications over HTTP and HTTPS, customers should consider a combination of host and network-based security tools. For networks running Microsoft IIS as their Web server application, deploy the category-leading host-based anti-reconnaissance defense package from Port80 Software: ServerMask for IIS. Combined with a ServerMask Security Appliance, ServerMask for IIS totally obscures the identity, responses, and version of Microsoft’s IIS application and also application servers like ASP, ASP.NET, PHP, ColdFusion, and JSP. This makes it extremely unlikely that an attacker can correctly choose and succeed with a known exploit without getting caught or blacklisted. Port80 Software offers ServerMask for IIS bundled with the ServerMask Security Appliances and Tag-UR-IT for its customers who seek all-inclusive network protection. Arxceo recommends ServerMask for IIS to its customers that have deployed Microsoft IIS as their Web server. Apache Web server customers can deploy a combination of mod_headers, mod_rewrite, and other modules to accomplish similar Web server anonymization on that platform.

Anti-reconnaissance adds a missing defense-in-depth layer to network security

By thwarting all attempts to gain accurate information about your network, the ServerMask Security Appliances provide the most comprehensive solution for protecting your proprietary data. Much more than a deterrent, this combination of active, passive, and “always on” vigilance renders all attempts at reconnaissance virtually useless, preventing threats such as Denial of Service (DoS) attacks, Distributed Denial of Service (DDoS) attacks, Distributed Reflected Denial of Service attacks, zero-day attacks, spoofed traffic, self-propagating worms, and data leaks. With comprehensive anti-reconnaissance defenses, all attempts at targeting your data will be fruitless, regardless of an attacker’s methods or intentions. Protect your networks with ServerMask today!


About the Author
Don Davidson is founder, chairman, president, and chief executive officer of Arxceo Corporation, a Port80 Software partner.
