In the end, an effective Distributed Denial of Service (DDoS) attack will likely be done in a manner making it difficult to block the involved IPs without shutting down services to the victim’s customers. In cyberspace, attackers do not wear uniforms, nor do they necessarily come from a particular domain. It is not so easy to identifying the enemy. The intelligent attacker makes all effort to blend into the population.

With that in mind, I wanted to post some sites that can help identify from where attacks might originate. Please do remember that IPs used in an attack do not necessarily identify who is behind the attacks.

Overview

I agree with Col. Charles W. Williamson III that that cyberspace is a dangerous place. The idea of going on the offensive and striking back is appealing. Since early childhood, I can remember my dad always saying, “The best defense is a good offense.” The problem with a offensive military botnet is that it will run into problems when it comes to locating the base of the enemy. To understand why this is the case, we will start by defining some of the favorite cyberspace weapons used by the bad guys. We will then examine the countries where attacks are occurring. Sources of publish information will be examined, which should help the reader continuously monitor activities in their network. We will end by discussing Carnegie Mellon’s attempt to establish international communication and coordination.

Definitions

Let us defines a few of the favorite tools being used in carrying out attacks in cyberspace.

Malware

Malware is short for short for malicious software. It is any software written for malicious reasons that infiltrates or damage a computer without authorization. Some common malware types are trojans, worms, viruses, bots, rootkits, and spyware/adware. Below are definitions taken from the links above.

• Trojan – a package disguised as something useful or popular, but actually carrying a malicious payload that will damage the victim machines or threaten data integrity, or impair the functioning of the victim machine. Trojans can be classified according to the actions which they carry out on victim machines: backdoors, PSW trojans, trojan clickers, trojan downloaders, trojan droppers, trojan proxies, trojan spies, trojan notifiers, and arcbombs.
• Virus – will attach itself to a program or file so it can spread from one computer to another, leaving infections as it travels. Viruses can be classified according to their environment and infection methods, such as file viruses, boot sector viruses, macro viruses, and script viruses.
• Worm – are considered a subclass of virus and take advantage of file or information transport features on systems allowing it to travel unaided. Worms includes programs that propagate via LANs or the Internet with the objective to penetrating remote machines, launching copies on victim machines, and spreading further to new machines. The key difference to a trojan is that worms can propagate on their own. They self-copy and infect other machines through penetrate and infect purely through vulnerabilities that are inherent to the system itself. No human intervention is required.
• Rootkit – a program (or combination of several programs) designed to take fundamental control (in Unix terms “root” access, in Windows terms “Administrator” access) of a computer system, without authorization by the system’s owners and legitimate managers.
• Spyware – is computer software that is installed surreptitiously on a personal computer to intercept or take partial control over the user’s interaction with the computer, without the user’s informed consent.
• Adware - advertising-supported software is any software package which automatically plays, displays, or downloads advertising material to a computer after the software is installed on it or while the application is being used. Generally, addware is classified as privacy-invasive software.

Botnet

A botnet is a collection of Internet connected computers running autonomously and automatically in order to accomplish some distributed task. Distributed computing can be used for useful and constructive applications, while the term botnet typically refers a system designed and used for illegal purposes. The individual compromised machines (drones or zombies) run malicious software (bot) and are assimilated and used without the owner’s knowledge. The machines operate under the Command and Control (C&C) of the botnet owner (herder). Botnets are used for (definitions taken from the accompanying links):

• Click Fraud – click fraud is a type of internet crime that occurs in pay per click online advertising when a person, automated script, or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad’s link.
• DDoS – one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.
• Keylogging – a method of capturing and recording user keystrokes.
• Warez – refers primarily to copyrighted works traded in violation of copyright law.
• Spam – is the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages.

Phishing

Phishing is the practice of sending out fake emails, or spam for purpose of gathering personal information and/or identity theft.

Source Countries

Now that we know a few of the weapons used in cyberspace, we are ready to examine countries where these various attacks are occurring. Once more, please remember that those behind the attacks might not be at the same location as the machines that are launching the attacks.

The Shadowserver Foundation (see below) collects and provides some very interesting statistics. The below map shows the locations of infected machines (drones) that Shadowserver has observed in the past 24 hours. Please note that this information is not complete. It cannot be. If we knew all infected computers and C&C machines, we could shut them down easily. The challenge is in the ever changing landscape. The Shadowserver Foundation does a commendable job continuously monitoring this dynamic landscape.

The below map shows the last 24-hours worth of tracked C&C servers.

The below graph shows the count of all the network scans into routed CIDR blocks that occur from the botnets that Shadowserver is aware of:

The below map shows the last 24-hours worth of tracked existing C&C and the target of scan attacks.

The below graph shows the count of all the DDoS attacks that occurred from the botnets that Shadowserver is aware of:

The below most recent 24 hour period map shows the C&C and the target of the DDoS attack.

The below map shows the machines suffering DDoS attacks and the C&C sources in 2007.

The PhishTank (see below) provides daily verified phishing attempts. Below is a map of the countries generating the most reported verified Phishing attempts for April 2008.

Sources for Information

As previously mentioned, the Shadowserver Foundation gathers, tracks, and reports on malware, botnet activity, and electronic fraud. It is a great source of information concerning cybercrime. Richard Perlotto, the gentleman who runs the technology and operational side of the Shadowserver Foundation, presented last week at the Asia Pacific Information Security conference (AusCERT2008).

PhishTank provides information on phishing attacks. While OpenDNS created and operate the site, PhishTank is a community effort with the information being provided by companies and people submitting phishing e-mails and Web sites. The data is totally open and a free API exist. The API documentation is available for developers wanting to use PhishTank’s community data to integrate anti-phishing elements into their applications.

If you have anything in your security arsenal that is monitoring for certain IPs or domains, the DNS-DB Malware Domain Blocklist and the Global Watchlist provide invaluable up-to-date information. The DNS-DB Malware Domain Blocklist site maintains a list of domains, pulled from various sources, that are known to be used to propagate malware and spyware. The Global Watchlist was created after a discussion between C.S. Lee and Spoonfork. C.S. Lee describes the purpose of this list in his posting “The Harimau Watchlist” What they have done, in their own words is to “pull the list of suspected malicous IPs/Net ranges from different sources such as Sans dshield, Arbor atlas and so forth, then putting all of them in one place.” You can search through a web interface or set up processes to search automatically via URL. They have also made all the IPs and data available in one file. Helping detect and possibly prevent access from these IPs and domains through Snort, Dragon, and other IDS/IPS signatures is the Emerging Threats site.

The Spamhaus Project attempts to “track the Internet’s Spam Gangs, to provide dependable realtime anti-spam protection for Internet networks, to work with Law Enforcement Agencies to identify and pursue spammers worldwide, and to lobby governments for effective anti-spam legislation.” The project offers a realtime database of IP addresses consisting of a combination of the Spamhaus Block List (SBL), the Exploits Block List (XBL) and the Policy Block List (PBL). If you desire a data feed, the service is not free. You can try it out for 30 days free. They do operate DNSBL servers spread across 18 countries. You may qualify for free access via DNS queries.

The SANS Internet Storm Center (ISC) provides a free analysis and warning service to fight back against the malicious attackers. The ISC gathers millions of intrusion detection log entries every day, from sensors covering over 500,000 IP addresses in over 50 countries. It is a a free service to the Internet community. After removing identifying information, the ISC sends send intrusion detection and firewall logs to the DShield distributed intrusion detection system.

The National Vulnerability Database (NVD) is a fantastic source of free information enabling automation of vulnerability management, security measurement, and compliance. While it might not help with filtering of IPs, the data can be used in combination when automating your security. To quote the site, “NVD includes databases of security checklists, security related software flaws, misconfigurations, product names, and impact metrics.” NVD is the repository for Information Security Automation Program (ISAP) and the Security Content Automation Protocol (SCAP). Here are a few of the major sources of information NVD provides:

1. CVE Vulnerabilities – a dictionary of publicly known information security vulnerabilities and exposures. Allows you to download the entire CVE List in various formats.
2. Checklists – repository of publicly available security checklists (or benchmarks) that provide detailed low level guidance on setting the security configuration of operating systems and applications.
3. US-CERT Alerts – provide timely information about current security issues, vulnerabilities, and exploits.
4. US-CERT Vuln Notes – include technical descriptions of the vulnerability, as well as the impact, solutions and workarounds, and lists of affected vendors.
5. OVAL Queries – an international, information security, community standard to promote open and publicly available security content, and to standardize the transfer of this information across the entire spectrum of security tools and services. OVAL Repositoty downloads include Data Files of all vulnerability, compliance, inventory, and patch definitions for supported platforms.

There are a few good sources for security statistics in the form of a reports. The Anti-Phishing Working Group (APWG) is the global pan-industrial with over 3000 members in over 1700 companies and agencies worldwide. The group’s purpose is eliminating the fraud and identity theft that result from phishing, pharming and email spoofing of all types. They produce an interesting Phishing Activity Trends report which was last updated in January 2008.

WhiteHat produces a Security Statistics Report. The report presents a statistical picture of current website vulnerabilities focused solely on previously unknown vulnerabilities on public websites. The report also contains expert analysis and recommendations. Jeremiah Grossman, founder and CTO, does maintain a very informative blog where additional information can be found. You can hear Jeremiah on a recent episode of Risky Business where he discussed with host Patrick Gray Cross Site Request Forgery attacks.

Microsoft produces a “Security Intelligence Report.” Currently the fourth volume is available covering July through December 2007. You can also watch the video cast of Bret Arsenault, GM US National Security Team and Vinny Gullotto, GM Microsoft Malware Protection Center, discuss the trends and findings in the latest SIR.

There are a few final additional sources of information that I have found useful when trying to understand security trends. Dan Geer did a presentation, “A Quant Look at the Future Extrapolation via Trend Analysis.” The state-of-the-art report (SOAR) published by the Information Assurance Technology Analysis Center (IATAC) provides observations about noteworthy trends in software security assurance as a discipline. The Computer Crime and Security Survey is conducted by CSI annually. The aim of this effort is to raise the level of security awareness, as well as help determine the scope of computer crime in the United States. They use to issue the report with the FBI. Registration is required.

Blogs can also be a valuable source of information, and may occasionally post IPs to be concerned about. SunBelt Software just did a posting titled “Fresh new rogue antispyware programs.” Dancho Danchev recently posted “Malware Domains Used in the SQL Injection Attacks.” The F-Secure folks maintain a very informative site concerning the latest news from their labs. There are many excellent sites for information on malware, botnets, and phishing. For example, Kaspersky Lab maintains the blog VirusList and the AVDefender. SANS ISC has the Handler’s Diary.

International Incident Coordination

Security on international projects is complicated. Take a look at my previous post, “Information Security and the Law.” Different countries have different laws impacting what can and cannot be done. Many CEOs may not know a great deal about information technology, but they know they have no desire to break the laws of other countries. This can pressure managers to prefer to implement light security. Heavy on the data protection, but light on the detection. We have established cyberspace can be a dangerous place, especially when you are playing in international waters. Defenses will fail. If an organization cannot detect nefarious activities in a high risk environment, that is a bad combination. Even when you have fully supportive management, it is easy to run into a road block when dealing with other countries.

Carnegie Mellon University Software Engineering Institute (SEI) is trying to help establish some coordination between the white hats working in international security. First, a little history in order to understand the players involved. SEI was charged by the Defense Advanced Research Projects Agency (DARPA) with setting up center to “coordinate communication among experts during security emergencies and to help prevent future incidents.” This center was named the CERT Coordination Center (CERT/CC) and is an amazing source for cutting edge security research and information.

With the establishment of incident response team both within the United Stated and Internationally, soon difficulties developed due to differences in language, timezone, and international standards or conventions. It became apparent that better communication and coordination between teams were needed. The Forum of Incident Response and Security Teams (FIRST) was established. Membership consists of teams from a wide variety of organizations including educational, commercial, vendor, goverment and military.

CERT/CC also began a program to help Computer Security Incident Response Team (CSIRT) development and establish CSIRTs around the world. National CSIRTs deal with security at the macro level. Large-scale incidents can affect the economy, critical infrastructure, government operations, and/or national security. If the incident ends up being a worldwide event, National CSIRTs can coordinate with CSIRTs in other countries to establish communications and cooperation among those countries.

To hear more about CSIRT, in August Jeff Carpenter talked with Julia Allen on the CERT podcast titled, “Tackling Security at the National Level: A Resource for Leaders.” Jeffrey J. Carpenter is the technical manager of the CERT/CC and has assisted with the formation and development of CSIRTs. Julia Allen is a senior researcher within the CERT Program and is engaged in developing and transitioning executive outreach programs in enterprise security and governance, and works extensively with the IT operations and audit communities. She is one of my favorite sources for enterprise security information.

Below is an interactive map to locate CSIRTs with national responsibility around the world. From the map, additional information can be pulled up on the individual sites.

Final Words

I understand the frustration Col. Charles W. Williamson III feels. The problem is that in cyberspace, the enemy is all around us. It is within us. If we lash out, our first target must be ourselves. In the end, we are fighting blind. Edmund Burke once said, “All that is necessary for evil to succeed is that good men do nothing.” I do not think good men attacking each other was the something Edmund had in mind. That is what will occur if we fight blind. We can’t even withdraw into the safety of our own silos for the perimeters are being continuously breached. Retreat is not an option. The delusion that isolationism will bring safety has been shattered. The only solution is for the good guys to band together. There is strength in unity. Only when working together will we be strong enough to take on those who bring destruction.

The next day, April 27th, marked the one year anniversary of the cyber attack on Estonia. The incident began when Estonian government moved a war memorial honoring Russian-Estonians who died fighting the Nazis. Gadi Evron, the former Israeli Government CERT manager who was in Estonia at the time of the attacks, has published an article titled, “Battling Botnets and Online Mobs” in the Georgetown Journal of International Affairs. Evan explains the attack:

Once bloggers started reporting their small-scale attacks, more experienced players became involved. Before long, botnets were being used. The involvement of the Russian government in the affair cannot be confirmed. What raised speculation, however, is the failure–or unwillingness–of the Russian authorities to stop the cyber riot against Estonia for over three weeks after the initial attack.

In an attempt to deal with future attacks, seven NATO countries are backing the establishment of the Cooperative Cyber Defence (CCD) Centre of Excellence (COE) in Estonia. General James Mattis, NATO’s Supreme Allied Commander Transformation/Commander, at the signing ceremony stated, “The need for a cyber defense center to be opened today is compelling…It will help NATO defy and successfully counter the threats in this area.” The center will be tasked with conducting research and training on cyber warfare. The US showed its backing by agreeing to send an observer.

Cyber attacks are occurring in every country. Last month Chinese hackers called for a DDoS against CNN.com in retaliation for news coverage of Tibet protesters. The organizers felt the news coverage was skewed against China. The attack was reported called off because the amount of coverage of the approaching attack expected to limit its effectiveness. Still, on the day of the planned attack, CNN was knocked offline for three hours. The Internet research website Netcraft reported, “CNN’s website suffered downtime within a three hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated.”

Providing information on scale of compromised servers, malicious attackers, and the spread of malware is the Shadowserver Foundation. The organization gathers, tracks, and reports on malware, botnet activity, and electronic fraud. It is a great source of information concerning cybercrime. Richard Perlotto, the gentleman who runs the technology and operational side of the Shadowserver Foundation, spoke last week at the Asia Pacific Information Security conference (AusCERT2008). Additional presentations and interviews from the conference can be accessed through ITRadio. Below is a sample map showing DDoS attacks in 2007.

In the old days, countries controlled information through clamping down on the press and shutting down television stations. Pakistan meant to exercise country wide censorship February, when the the telecommunications ministry order access to YouTube blocked. According to Danny McPherson, Arbor Networks’ Chief Research Officer, in his posting “Internet Routing Insecurity::Pakistan Nukes YouTube?” Pakistan Telecom had three options:

1. deploy access-control lists (ACLs) on all your router interfaces dropping packets to or from these IPs
2. statically route the three IPs, or perhaps the covering prefix (208.65.153.0/24), to a null or discard interface on all the routers in your network
3. employ something akin to a BGP blackhole routing function that results in all packets destined to those three specific IPs, or the covering prefixes, being discarded as a result of null or discard next hop packet forwarding policies, as discussed here

Pakistan Telecom selected option three. Because Pakistan’s BGP traffic was offering very precise routes to what it declared were YouTube’s Internet servers, routers took it to be more accurate than YouTube’s own information about itself. That data was supposedly accidentally shared with Hong Kong’s PCCW, who failed to validate the BGP data. PCWW then shared the data with other ISPs throughout the Internet. Believing Pakistan Telecom had faster routes to YouTube, service provides started sending their YouTube traffic requests to Pakistan.

McPherson spoke with ITRadio on the topic, “How to destroy the Internet.” In the interview, McPherson discusses what occurred in Pakistan and how, “the control path, in general, on the Internet (DNS and routing, in particular) are two of the most fragile pieces of the Internet infrastructure.”

Kimberly Zenz, Senior Threat Analyst at VeriSign iDefense, pointed out that times have changed and blocking a site from an ISP is an increasingly unreliable way of censoring the Internet. Bringing down a site with a DDoS or shutting down the Internet completely are more effective options. For example, faced with a major protest movement for the first time since 1990, the government of Myanmar cut off the country’s Internet access completely. The actions of the Myanmar government are not unique. The OpenNet Initiative (ONI) tracks Internet censorship with the aim “to investigate, expose and analyze Internet filtering and surveillance practices in a credible and non-partisan fashion.” The site has a intriguing global filtering map and can provide valuable non-partisan information on Internet censorship throughout the world.

RFE/RL President Jeffrey Gedmin raises the concern that the number of cyberattacks will only increase, when he stated:

The Belarusians, the Iranians — they all have basically the same objective. They see free information — flowing information of ideas and so forth — as the oxygen of civil society. They’ll do anything they can to cut it off. If it means jamming, if it means cyberattacks, that’s what they’ll do.

Providing additional insight into the conditions that are helping foster hacking, Zenz was interviewed and presented at AusCERT2008. For additional information, Zenz co-authored with Eli Jellenc the fascinating report “Global Threat Research Report: Russia.” While the report is focused on Russia, the conditions exist in may countries.

Remember the good old days when our view of hacking was mostly based on the movie War Games? Hackers where misunderstood high school kids who might break into a government site just for the thrill of it, or maybe to play games. Who can forget the famous lines, “Greetings Professor Falken, Shall We Play a Game?” If you don’t recall the movie, or that line, you really need to work on your geek culture. While life and hacking may have appeared simple in those days, one cannot deny that today’s Internet offers the most interesting challenges. It is an exciting time to be a security monk. In the end, what’s not to love?