Intrusion Detection

Lowell Hamilton plug-discuss@lists.PLUG.phoenix.az.us
Sat, 05 May 2001 12:37:34 -0700


<disclaimer>
This is just me rambling on about my opinions on the world written while
in my boxers eating a poptart. No flame/os wars
</disclaimer>


Ahh it would be a wonderful world if there was no such thing as a
"security flaw" or "software bug", all governments got along in perfect
harmony, competition between software companies was based on "who made
the better product" and not "who can make the most money" ... but this
is Earth .. filled with humans.

Sysadmins are the strongest set of people in the 'cyber crime war' ...
the people with the knowledge and the power who have to protect
themselves and their networks... most of the time. Admins secure their
boxes, their networks, enact strict policies... all of which are
undermined by a software bug that was exploited, or a malicious attacker
ping flooding/DDOS-ing through their internet connection. But then, say
an exploit is announced at 6pm after the only admin went home for the
weekend. When they check their email the next morning they see the
announcement, and see their website defaced.

NetAdmins protect their networks from attackers and keep everybody
running smooth, but in most cases are not there to protect the end
user.  Most of the time when you connect to the net, you don't want a
netadmin dictating what you can and cannot do, and if they do you go
elsewhere... That division is both good for users, and bad for
security.  While I can buy a T1 from a company and know that I can do
everything I want to with it, I could also use that line to attack
others, spam, scan, etc and until there was a complaint from a victim,
the upstream network wouldn't know about it.... or I could use it for
legitimate reasons, and because my ISP doesn't have strict policies, I
get portscanned, and exploited.

The customers on those networks, though, are often just regular people
who are blissfully ignorant of what's really going on.  Joe Blow that
heard about this linux craze and decided to buy Mandrake 6 at the corner
store because it was $5, installs it, and is rooted in 5 minutes.  I
acquired an IP range from a provider recently that had been someone
else's a month or two ago.  They still had their nameserver, with
several domains on it, pointing to an IP address on that IP block. When
I emailed the admin, the response was "well, I'll get to it eventually"
... a couple weeks later I had to let him know how, because his
nameserver was still shown on my IP block, I could take over all his
domains and sell them back to him by the internic update the next
day.... only then did he take action because he didn't know anything bad
could happen.  The average person doesn't have the time to research
security and constantly monitor mailing lists for new exploits, and
update their firewall/ids/software every couple of days when something
new hits.... nor does the average user know every tiny detail of every
service they run.  I imagine if I were to scan just one /24 block on
@home's network, I could find at least 2 or 3 exploitable machines. 
Worse yet, scan the www name for a couple thousand domains, and see how
many unpatched IIS 5 servers there are right now.

This is where the software companies come in.  Most software until
recently has come in an "Everything enabled" format.  Out of box a
linux/FBSD/NT server comes with services running that the average user
would never use.  I install 2k server and out of box it has a long list
of ports open and services running...or install linux and it has
bind/mysql/apache/portmap/rpc.nfsd/inetd all running in the default
workstation installation.  That's like buying a home with an "unlock all
doors" button right under the doorbell, `doorbells` next to each window,
and windows where you have to install your own locks... Until OpenBSD
started up, "Secure by default" hadn't been even considered because no
commercial operating system company could run technical support for a
product where the user had to install and setup their own services.  It
is too costly to develop intuitive and powerful all-in-one management
tools for their products... so they enable what they feel are the most
common for the average power-user.  Plus there are hundreds of bugs,
mis-implementations, and laziness in apps/os's... look at the WindowsXP
vs Cisco 5000 battle at Xerox.

Then there are the governments.  In the eyes of all of the above...
"Who are they to tell me what I can and cannot do".  Government
regulation of software has led to moving that software to a different
country... it'll make its way to where it needs to go.  Look at the US
vs >40bit encryption... and how many different foreign-developed suites
are there now.  If a government were to want something `protected`, it
would require the joint effort of all governments in the world, and
pro-active prevention of violations.  Even one government not caring can
open up the whole mess to everybody... just take a look at your $2500
phone bill after calling some Caribbean nation when you try and claim
your huge prize on their online-gambling site.... then try and get
something done about it.  

So ... when JLF asked if it was to the point where we need a
one-stop-shop for all security, I say no.  While this would make it
easier to get the updates, people have to know there is a need for an
update.  There needs to be some huge re-design of the software industry
.. required education/maintenance of users .. and the human condition ..
to make security happen... But that could never happen.  The first time
I have to take an aptitude test to purchase software, I won't buy it or
write my own.  Open source helps cure a portion of the software
industry, though ... because better ones are being made, which cost
nothing... but much of its distribution relies on commercial companies
(RedHat, Storm, etc) .. and they are stuck with many of the same
problems as closed source companies .. how to make our product better with
a wider userbase than the other guy... and I don't see people
distributing LFSMake floppies very much ;(

MS's critical update notification is a start in the right direction, but
many people immediately click notify me later constantly for months at a
time until it finally bugs them enough that they go to the updates, see it's
going to take 45 minutes to download...or see that there are 10 pages of
text explaining all the different options they have, and cancel it all.
Unfortunately, forcing users to upgrade and maintain their software just
causes grumpy users ... aka grumpy consumers ... and that's bad.

Lowell

"J.Francois" wrote:
> 
> What the #$*&?
> 
> I am on 4 mailing lists that document the huge number
> of attacks on Internet hosts.
> That's just the logs from people that are running IDS that
> take the time to submit logs.
> We trade IDS logs like baseball cards and the patterns
> are always the same.  Sometimes the hosts are the same too.
> 
> On other mailing lists we all discuss the attacks on our machines.
> 
> <RANT>
> 
> The question that begs asking is this:
> 
> Why aren't SysAdmin, NetAdmins, Companies, Govts, etc. doing
> something to make this stop?
> 
> Is there really that much incompetence/apathy/naivete out there
> about what's happening?
> 
> Does Linux really need to go the way of the *BSD development to
> make security updates a "one stop shop" for code and binaries?
> 
> We already know that with all of the various Linux flavors ( good thing )
> that everyone with a CDROM is trying to install and use Linux.
> We also all know that these same people in general have no idea how to
> keep their machine up to date ( bad thing ) or do a "make && make install",
> or recognize what exploits exist for the rev of an application they are running.
> 
> Not to be unfair, Windows(9x,NT,2K,etc.) are worse because users actually
> think that they know what they are doing when they point and click admin.
> Detecting an intrusion on Windows is not as easy, remember it took Microsoft
> 6 months to discover that they had been cracked.
> XP feels like it is a disaster waiting to happen.
> 
> So, fellow list members, now that this is becoming epidemic what can be done?
> See the graphs at www.incidents.org for an eye candy view of what we are
> up against.
> 
> </RANT>
> 
> On Sat, May 05, 2001 at 09:44:37AM -0700, Lowell Hamilton wrote:
> > Yeah ... the whole "Hack the US" idea is growing more popular.  I host a
> > website about the Armenian Genocide, and I get a good 100 attacks (not
> > just probes/scans) a day from Turkish IPs.... Not to mention the
> > attacks from China, Sweden, Taiwan, and all the other people grumpy at
> > the US for something.  Most of the time they do a couple scans of ports
> > 53, 111,and 137 which will give them enough info to see if they're
> > dealing with Win or Unix boxes, then try a couple specific exploits.
> >
> > James Bell wrote:
> > >
> > > Shoot, if you're not getting at least 10 portscans a week from China,
> > > Korea, and Taiwan, it's time to check if you're still connected to the
> > > net. Latest one I've been seeing a lot at work is a lot of sunRPC and
> > > DNS version scans from Italy.
> > >
> > > kyle wrote:
> > > >
> > > > Uh dude... You know that one of these portscans came
> > > > from china right?
> > > > It is the week we are supposed to be getting attacked
> > > > so...
> > > > Just thought I would let you know that these probably
> > > > aren't your run of the mill script kiddies.
> > > > And they probably don't care if you post their IP,
> > > > although that means we can have a little fun tho :)
> > > > -Kyle
> > >
> > > ________________________________________________
> 
> Jean Francois - JLF Sends...
> MagusNet, Inc. - Design * Develop * Integrate
> Doing my part to educate the Clubie Illiterati.  One LART at a time!
> 
> ________________________________________________
> See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't post to the list quickly and you use Netscape to write mail.
> 
> PLUG-discuss mailing list  -  PLUG-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
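The reconnaissance pattern Lowell describes earlier in the thread (probes of ports 53, 111 and 137 to tell Windows from Unix hosts before trying specific exploits) is something an admin can pick out of ordinary firewall logs. The following is an added example, not code from the thread or from any of its participants: it parses constructed log lines in an assumed `SRC=/DPT=/PROTO=` format and flags any source that touches two or more of those fingerprint ports within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic); the line format is an
# assumption for this example: "<ISO time> SRC=<ip> DPT=<port> PROTO=<proto>"
SAMPLE_LOG = """\
2001-05-05T08:00:01 SRC=203.0.113.7 DPT=53 PROTO=udp
2001-05-05T08:00:02 SRC=203.0.113.7 DPT=111 PROTO=tcp
2001-05-05T08:00:03 SRC=203.0.113.7 DPT=137 PROTO=udp
2001-05-05T08:05:00 SRC=198.51.100.9 DPT=80 PROTO=tcp
2001-05-05T08:06:00 SRC=198.51.100.9 DPT=53 PROTO=udp
2001-05-05T09:30:00 SRC=192.0.2.44 DPT=53 PROTO=udp
2001-05-05T10:45:00 SRC=192.0.2.44 DPT=137 PROTO=udp
"""

# DNS, sunRPC portmapper and NetBIOS name service: the trio the thread
# says scanners use to guess whether a box is Windows or Unix.
FINGERPRINT_PORTS = {53, 111, 137}
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DPT=(\d+) PROTO=(\w+)$")


def parse_log(text):
    """Turn log text into (timestamp, src, dport, proto) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected format
        ts, src, port, proto = m.groups()
        events.append((datetime.fromisoformat(ts), src, int(port), proto))
    return events


def find_fingerprint_scans(events, window=timedelta(minutes=10), min_ports=2):
    """Return {src: sorted ports} for sources that hit at least
    `min_ports` distinct fingerprint ports within `window`."""
    hits = defaultdict(list)
    for ts, src, port, _ in events:
        if port in FINGERPRINT_PORTS:
            hits[src].append((ts, port))
    flagged = {}
    for src, entries in hits.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            ports = {p for t, p in entries[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```

A single hit on port 53 from a source is normal DNS traffic and is not flagged; widening `window` trades fewer misses for more noise from slow scans.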