Four latest trends in hacking attacks

Source: Internet
Author: User

Starting in 1988, CERT/CC (the Computer Emergency Response Team Coordination Center) at Carnegie Mellon University in the United States began tracking the activities of intruders. CERT/CC has identified several trends in how current intruders attack.

Trend one: Automation of attack processes and rapid updating of attack tools

The level of automation of attack tools continues to increase. The four phases involved in automated attacks have changed.

1. Scanning for potential victims. There has been extensive scanning activity since 1997. Current scanning tools use more advanced scanning techniques, are more capable, and are faster.

2. Intrusion into a vulnerable system. Previously, attacks on vulnerable systems occurred only after a wide range of scans. Now, attack tools build exploitation of the vulnerability into the scanning activity itself, which greatly speeds up the intrusion.

3. Attack propagation. Before 2000, attack tools needed a person to initiate the rest of the attack process. Now the attack tool can initiate a new attack process automatically. Tools such as Code Red and Nimda spread across the globe within 18 hours.

4. Coordinated management of attack tools. Since 1999, with the advent of distributed attack tools, attackers have been able to launch attacks from a large number of attack tools distributed across the Internet. Attackers can now initiate distributed denial of service attacks more effectively. The coordination functionality leverages a number of popular protocols such as IRC (Internet Relay Chat), IM (instant messaging), and so on.

Trend two: The ever-increasing complexity of attack tools

The creators of attack tools employ more advanced techniques than ever before. The signatures of attack tools are increasingly difficult to discover through analysis, and increasingly difficult to detect with signature-based systems such as anti-virus software and intrusion detection systems. Three important features of today's attack tools are anti-detection, dynamic behavior, and modularity.

1. Anti-detection. Attackers use techniques that hide the attack tool. This makes it more difficult and time-consuming for security professionals to work out how a new attack proceeds through the usual analytical methods.

2. Dynamic behavior. Earlier attack tools launched an attack following a single predetermined sequence of steps. Today's automated attack tools can vary their behavior in different ways: random selection, predetermined decision paths, or direct control by the intruder.

3. Modularity of the attack tool. Compared with earlier attack tools, new attack tools can be changed rapidly by upgrading or replacing individual modules. Attack tools also run on more and more platforms. For example, many attack tools use standard protocols such as IRC and HTTP for data and command transmission, which makes it harder to distinguish attack traffic from normal network traffic.

Trend three: Vulnerabilities found faster

The number of vulnerabilities reported to CERT/CC every year has multiplied. CERT/CC recorded 1,090 vulnerabilities in 2000, 2,437 in 2001, and 4,129 in 2002, meaning that more than 10 new vulnerabilities were found every day. As you can imagine, it is difficult for an administrator to keep up with patches. Intruders are also often able to discover these vulnerabilities before software vendors fix them. As vulnerability-discovery tools become more automated, users are left with less and less time to patch. In particular, buffer overflow vulnerabilities, which are very harmful and ubiquitous, are the greatest threat to computer security. In surveys by CERT and other international network security agencies, this type of vulnerability causes the most serious effects on servers.

Trend Four: Penetrating firewalls

We often rely on firewalls to provide the primary security perimeter. But the situation is:

* There are already some technologies that bypass a typical firewall configuration, such as IPP (the Internet Printing Protocol) and WebDAV (Web-based Distributed Authoring and Versioning).

* Some protocols advertised as "firewall-friendly" are in fact designed to bypass a typical firewall configuration.

Specific features of "mobile code" (such as ActiveX controls, Java, and JavaScript) make it more difficult to protect vulnerable systems and to discover malicious software.

In addition, as the number of computers on the Internet grows, computers become strongly interdependent. Once some computers have been compromised, they can become an intruder's staging point and springboard for further attacks. Attacks on network infrastructure such as DNS systems and routers are increasingly becoming a serious security threat.

Adopting active defensive measures to deal with next-generation network attacks

The "Code Red" worm infected more than 250,000 computer systems within the first nine hours of its spread across the Internet. The cost of the infection grew at a rate of 200 million dollars a day, resulting in losses of up to $2.6 billion. The rapid spread of "Code Red", "Code Red II", "Nimda" and the "Cover Letter" threat shows the serious limitations of existing network defenses. Most intrusion detection systems on the market are simplistic and do not have adequate defenses against new, unknown threats to the network, commonly called "instantaneous attacks" or zero-day attacks.

"Window of opportunity" for hackers

At present, most intrusion detection systems are limited because they use signatures to identify whether attack behavior is present. These systems monitor for specific attack patterns, matching against identifying information stored in their databases, much as antivirus software checks for known viruses. This means that they can only detect the specific attacks they have been programmed to identify. Because "instantaneous attacks" are new and not widely known, they can bypass these security systems before new signatures are developed, installed and configured. In fact, only a slight modification of a known attack is needed for these systems to fail to recognize it, giving intruders a means to circumvent signature-based defenses.
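To make the point about slight modifications concrete, here is a small added example (not from the original article or any real IDS product): an exact-byte signature beside the same signature applied after request normalisation, run over constructed HTTP request lines. The signature, the normalisation steps and the request lines are all assumptions made for illustration.

```python
# Added example (not from the original article or any IDS product): why a
# byte-exact signature misses trivially modified attacks, and how
# normalising the request before matching closes part of that gap.
# The signature and the request lines are constructed for illustration.
import re
from urllib.parse import unquote

# Constructed "known attack" signature: the exact bytes a signature-based
# IDS would store after analysing the first sighting of the attack.
KNOWN_SIGNATURE = "/cgi-bin/admin.cgi?cmd=cat /etc/passwd"

# Constructed request lines: the original attack, three trivially
# modified variants of it, and two benign requests.
REQUESTS = [
    "GET /cgi-bin/admin.cgi?cmd=cat /etc/passwd HTTP/1.0",
    "GET /cgi-bin/ADMIN.CGI?cmd=cat /etc/passwd HTTP/1.0",         # case changed
    "GET /cgi-bin/admin.cgi?cmd=cat%20/etc/passwd HTTP/1.0",       # URL-encoded
    "GET /cgi-bin//admin.cgi?cmd=cat%20%2Fetc%2Fpasswd HTTP/1.0",  # both, plus //
    "GET /index.html HTTP/1.0",
    "GET /cgi-bin/admin.cgi?cmd=status HTTP/1.0",
]

def naive_match(line: str) -> bool:
    """Exact substring match, as a purely signature-based system does."""
    return KNOWN_SIGNATURE in line

def normalise(line: str) -> str:
    """Canonical request target: strip method and version, percent-decode
    twice (handles double encoding), collapse repeated slashes, lower-case."""
    m = re.match(r"^\S+\s+(.*?)\s+HTTP/\d\.\d$", line)
    target = m.group(1) if m else line
    target = unquote(unquote(target))
    target = re.sub(r"/+", "/", target)
    return target.lower()

def normalised_match(line: str) -> bool:
    """Same signature, applied to the canonical form of the request."""
    return KNOWN_SIGNATURE.lower() in normalise(line)

def evaluate(lines):
    """Return the indexes flagged by each matcher: (exact, normalised)."""
    exact = [i for i, l in enumerate(lines) if naive_match(l)]
    canon = [i for i, l in enumerate(lines) if normalised_match(l)]
    return exact, canon

if __name__ == "__main__":
    exact, canon = evaluate(REQUESTS)
    print("exact signature flagged:", exact)       # [0]
    print("normalised signature flagged:", canon)  # [0, 1, 2, 3]
```

Normalisation only recovers variants that differ in encoding or form; a genuinely new attack still has no signature at all, which is the window the article describes.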

The period between the launch of a new attack and the development of a signature for it is a dangerous window of opportunity, during which many networks will be compromised. It is in this period that many fast-spreading intrusion tools are developed and the network is vulnerable to attack. The following illustration shows why most security products are in fact ineffective during that period. This chart, developed by the CERT organization, illustrates the typical lifecycle of a network attack. The peak of the curve comes just after the first wave of the attack, which is when most security products finally begin to provide protection. "Instantaneous attacks", however, are exactly what the most sophisticated hackers concentrate on in that earliest phase.

At the same time, these fast-breaking attacks exploit security vulnerabilities in widely used computer software to cause widespread damage. With just a few lines of code, an attacker can write a worm that penetrates a computer network, replicates itself through shared accounts, and then starts attacking the networks of your peers and users. In this way, the "Nimda" worm spread to over 100,000 Web sites in the United States in just the time it took the vendor to develop a signature and distribute it to users. These distribution mechanisms have allowed "instant attacks" such as the Sircam and Love Bug viruses to sweep through 2.3 million and 40 million computers respectively, with little human intervention. Some of these attacks even lay the groundwork for subsequent damage by installing a backdoor that allows adversaries, hackers, and other unauthorized users to access an organization's important data and network resources.
