Denial of service (DoS) attacks get all the press, but stealth attacks are the ones to really worry about. What are some of these attacks (with colorful names like “Bot” and “Zombie”), and how can you determine if your site has been compromised?
Unfortunately, on the Internet, there is no real border between “out there” and “in here.” We need to realize that it is quite easy to compromise systems within our firewalls through a variety of techniques. Without proper understanding of the threats, it’s a jungle in here as well.
Brute force attacks, such as distributed denial of service (DDoS) attacks, are obvious — the level of traffic to your server suddenly increases greatly, which should set off the alarms you already have in place. The more subtle attacks are not (necessarily) intended to interfere with people accessing your site; they are designed to take it over.
To understand these intruders, we need to dig in a bit to how they work. There are typically two parts — the vector (how the infection spreads) and the payload (the code that does the dirty work on the compromised system.)
Vectors are things like viruses, worms, trojan horses and other malware.
A virus is a self-spreading piece of software that looks for vulnerable systems and then infects them. It usually attaches itself to other executable code on the compromised system, much like a human virus infiltrates the cells in the infected body. Viruses are quite rare these days, although a few are still circulating.
A worm does not attempt to infect existing software on the compromised system. Rather, it installs itself onto the compromised system and then starts attempting to infect other systems the same way. One recent well-known worm was “Slammer.”
A trojan horse is a malicious program masquerading as something else. These programs attempt to convince a human being to run them, which technically makes them a social engineering attack. One recent well-known trojan was “MyDoom.”
Purpose of Vectors
Other vectors include floppy disks (infected at home and brought into the office), laptops (infected while off-site, then brought back to the office and plugged into the network), and even USB flash disks (plugged into an infected machine off-site, and then plugged into a system in the office.)
The purpose of vectors is straightforward: they are designed to spread themselves as widely as possible, either quickly (to outstrip the ability of the good guys to figure them out and block them soon enough) or slowly (to come in under the radar of the good guys.)
Payloads are the programs that the bad guys put into the vectors. These payloads can be programmed to do just about anything the bad guys want them to do: relay spam, steal passwords, or even take over complete control of the compromised system.
So, how to protect your systems?
First, recognize that the attack might come from inside. A desktop compromised through any of the vectors listed above can be used to attack your production systems. Thus, it is necessary to protect your production systems from your corporate systems and desktops just as stringently as you protect them from the outside.
Limit access using firewalls between your production network and your corporate network. Ideally, those who maintain your production systems should do so from computers that connect only to the production network, and are not used for any other purpose. Provide a second desktop for corporate purposes such as e-mail and Web browsing.
Second, monitor the network traffic from your production systems as carefully as you do the traffic to them. Set alarms on the firewalls that will alert you should any production server start behaving differently on the network than expected.
For example, watch for your Web servers attempting to connect to any outside Web server — a common behavior for an infected system. Firewall the traffic from your server to the outside world. Using a firewall to allow the server to contact only systems that have already requested a legitimate service (e.g., made a connection to the http port and requested a page), and to alarm on any other connection, can be a very powerful way to detect an infected machine before it can do much damage.
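The outbound-connection rule described above, as an added example that is not part of the original article: it replays a constructed firewall connection log, remembers which clients have connected to a web server's service ports, and alerts on any connection the server itself initiates that is not a reply to one of those clients. The server addresses, ports and log format are assumptions for the illustration.

```python
# Added example (not from the original article): alert when a production web
# server initiates a connection that is not a reply to a client which first
# requested service from it. The log lines below are constructed.
from collections import defaultdict

WEB_SERVERS = {"10.0.1.10"}     # assumed production web server address
SERVICE_PORTS = {80, 443}       # ports on which it legitimately serves

# Constructed log, one connection per line: "time direction src sport dst dport"
SAMPLE_LOG = """\
09:00:01 in  203.0.113.7 51234 10.0.1.10 80
09:00:02 out 10.0.1.10 80 203.0.113.7 51234
09:00:05 in  198.51.100.4 40001 10.0.1.10 443
09:00:06 out 10.0.1.10 443 198.51.100.4 40001
09:01:10 out 10.0.1.10 44321 192.0.2.55 80
09:01:11 out 10.0.1.10 44322 192.0.2.56 6667
"""

def parse_line(line):
    time, direction, src, sport, dst, dport = line.split()
    return {"time": time, "dir": direction, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}

def find_unexpected_outbound(log_text):
    """Return outbound records from a web server that are not replies to a
    client which already connected to one of its service ports."""
    clients = defaultdict(set)   # server -> {(client_ip, client_port), ...}
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec["dir"] == "in" and rec["dst"] in WEB_SERVERS \
                and rec["dport"] in SERVICE_PORTS:
            clients[rec["dst"]].add((rec["src"], rec["sport"]))
        elif rec["dir"] == "out" and rec["src"] in WEB_SERVERS:
            # A legitimate reply leaves from a service port and goes back to a
            # client that is already known; anything else is server-initiated.
            is_reply = (rec["sport"] in SERVICE_PORTS
                        and (rec["dst"], rec["dport"]) in clients[rec["src"]])
            if not is_reply:
                alerts.append(rec)
    return alerts

if __name__ == "__main__":
    for a in find_unexpected_outbound(SAMPLE_LOG):
        print(f"ALERT {a['time']}: {a['src']} -> {a['dst']}:{a['dport']}")
```

A stateful firewall tracks the reply half of a flow on its own; the point here is the alarm on the two server-initiated connections (to an outside Web server on port 80 and to port 6667), which is exactly the behaviour the paragraph says to watch for.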
Third, harden your production servers. Ensure that only the minimally necessary services are running, and that all unnecessary ports have been closed. Pay strict attention to your code development, testing and release process, ensuring that security reviews and tests are performed at each level. Train your developers on how to write code that is less susceptible to attack.
Fourth, retain the services of a trusted penetration testing service. Have them perform an in-depth penetration test before releasing any new versions of your production software. Ask them to perform lightweight scans of critical servers at least weekly, and preferably daily. They will help you uncover vulnerabilities in your overall security design, and can often detect compromised systems with a simple scan.
Fifth, periodically run an external load test against your production servers. These load tests give you a baseline performance metric for your system (often revealing that the actual capacity is far lower than internal load tests indicated — a good thing to know in advance of sudden traffic increases to your site). Later load tests can then be compared against that baseline to detect unexpected performance reductions, as often happens when one of a set of load-balanced servers is compromised.
Finally, measure the performance and availability of your servers from outside your network. Sudden changes in performance can be a red flag that something serious is wrong — whether caused by a malicious infection or a simple programming error. Knowing what your customers are experiencing can help you perform triage in high-threat situations, allowing you to focus on the most important problems first.
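The baseline comparison from the fifth and sixth steps, as an added example that is not part of the original article: it compares a later external load test against the baseline per load-balanced server and flags a server whose degradation stands out from its peers, so a fleet-wide slowdown is not mistaken for one compromised machine. Server names and timings are constructed.

```python
# Added example (not from the original article): per-server comparison of a
# later external load test against a baseline. All numbers are constructed.
from statistics import median

# Baseline run: server -> response times in milliseconds (constructed)
BASELINE = {
    "web1": [120, 125, 118, 130, 122],
    "web2": [121, 119, 127, 124, 120],
    "web3": [119, 123, 121, 126, 118],
}
# Later run in which one server of the load-balanced set has slowed sharply
LATER = {
    "web1": [131, 128, 135, 129, 133],
    "web2": [130, 127, 134, 128, 132],
    "web3": [410, 395, 452, 430, 398],
}

def degradation(baseline, later):
    """Ratio of later median to baseline median per server (1.0 = unchanged)."""
    return {s: median(later[s]) / median(baseline[s])
            for s in baseline if s in later}

def flag_outliers(baseline, later, peer_factor=2.0):
    """Return servers whose degradation exceeds peer_factor times the median
    degradation of the whole set. A slowdown shared by every server (network,
    release regression) raises the median too and so is not flagged here; it
    shows up instead as the overall change against the baseline."""
    ratios = degradation(baseline, later)
    typical = median(ratios.values())
    return sorted(s for s, r in ratios.items() if r > peer_factor * typical)

if __name__ == "__main__":
    for server, ratio in degradation(BASELINE, LATER).items():
        print(f"{server}: {ratio:.2f}x baseline")
    print("investigate:", flag_outliers(BASELINE, LATER))
```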
Know Your Enemy
Sun Tzu — a military general from the state of Ch’i during the Spring and Autumn period (722-481 BC) — said that the greatest generals knew both themselves and their enemies. Through the steps outlined above, you can come to know your systems better than ever before, and thus be able to tell when they are no longer working correctly — your best indication that they need your attention.
Lloyd Taylor is vice president of Technology and Operations at Keynote Systems.