
Worms could dodge Net traps

Scientists outline a way that attackers could subvert the early-warning systems meant to detect threats.

Anne Broache, Staff Writer, CNET News.com. Anne Broache covers Capitol Hill goings-on and technology policy from Washington, D.C.
BALTIMORE--Future worms could evade a network of early-warning sensors hidden across the Internet unless countermeasures are taken, according to new research.

In a pair of papers presented at the Usenix Security Symposium here Thursday, computer scientists said would-be attackers can locate such sensors, which act as trip wires that detect unusual activity. That would permit nefarious activities to take place without detection.

Internet sensor networks, such as the University of Michigan's Internet Motion Sensor and the SANS Internet Storm Center, are groups of machines that monitor traffic across active networks and chunks of unused IP space. The sensor networks generate and publish statistical reports that permit an analyst to track the traffic, sniff out malicious activity and seek ways to combat it.

Just as surveillance cameras are sometimes hidden, the locations of the Internet sensors are kept secret. "If the set of sensors is known, a malicious attacker could avoid the sensors entirely or could overwhelm the sensors with errant data," a team of computer scientists from the University of Wisconsin wrote in its award-winning paper titled "Mapping Internet Sensors with Probe Response Attacks."

But the Wisconsin researchers discovered that the sensor maps furnish just enough information for someone to create an algorithm that can map the location of the sensors "even with reasonable constraint on bandwidth and resources," John Bethencourt, one of the paper's authors, said in his presentation.

All an attacker would have to do is throw packets of information at IP addresses and then check to see whether the activity showed up on the sensor reports. If it didn't, "we (could) safely assume the address was not monitored," Bethencourt said.

After running a simulated attack on the SANS Internet Storm Center's network and on randomly generated IP addresses, Bethencourt and his team found it would take less than a week, with high bandwidth, to uncover the identities of sensors in the SANS network and other similar networks.

With that new information, the attacker could continue to engage in suspicious behavior without being detected. "The results would be pretty severe," Bethencourt said.

"This is particularly worrisome in the case of worms," he added, since the sensors are often the first to detect that breed of Internet menace.

Japanese paper
Researchers from Japan came to a similar conclusion in a paper titled "Vulnerabilities of Passive Internet Threat Monitors." They noted that sensor attackers can identify the location of sensors without the aid of a "complete list of sensor addresses." They also devised several algorithms that managed to pinpoint the sensors "in surprisingly short time."

"We believe that we have found a new class of Internet threat," the researchers wrote, "because it does not pose a danger to the host systems themselves, but rather a danger to a metasystem that is intended to keep the host systems safe."

The threat could be diminished, both studies said, if the information in the networks' public reports was less detailed.

The Wisconsin researchers said current countermeasures, such as encryption and obscuring of IP addresses in the reports, simply aren't adequate. They suggested that widespread adoption of IPv6, the next-generation Internet protocol, could also help to curb such attacks, because its much longer IP addresses make the address space far larger to probe.
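The two points the article makes, that a sensor network's public reports can confirm whether a probed address is monitored, and that less detailed reports diminish the threat, can be modelled together. The following is an added illustration written for this page; it is not code from the Wisconsin or Japanese papers, nor from the SANS Internet Storm Center or the Internet Motion Sensor. It uses a constructed address space of 1024 integers standing in for IP addresses, a constructed hidden sensor set, and a hypothetical `publish_report` function with three detail levels (per address, per block of 256 addresses, or a single aggregate total). `classify_from_report` computes only what a reader of one report can conclude with certainty about the addresses probed in that period, so an operator can compare how much each report format gives away.

```python
"""Toy model of report-granularity risk for a passive Internet sensor network.

Added example (not from the papers or sensor projects named in the article).
All addresses, sensors and report formats below are constructed for illustration.
"""
import random

ADDRESS_SPACE = 1024      # constructed toy space standing in for IPv4 addresses
BLOCK = 256               # constructed "prefix" size used by the per-block report
SENSOR_FRACTION = 0.03    # constructed: about 3% of the toy space is monitored


def make_sensors(seed=7):
    """Constructed hidden sensor set: a fixed random sample of the toy space."""
    rng = random.Random(seed)
    return frozenset(rng.sample(range(ADDRESS_SPACE), int(ADDRESS_SPACE * SENSOR_FRACTION)))


def observe(sensors, probed):
    """What the sensor network records: one hit for each probed address it monitors."""
    return {a: 1 for a in probed if a in sensors}


def publish_report(hits, granularity):
    """Hypothetical public report at one of three detail levels."""
    if granularity == "per_address":            # detailed: lists each monitored address hit
        return {"addresses": dict(hits)}
    if granularity == "per_block":              # coarser: hit counts per block of 256
        counts = {}
        for a, c in hits.items():
            counts[a // BLOCK] = counts.get(a // BLOCK, 0) + c
        return {"blocks": counts}
    if granularity == "aggregate":              # coarsest: one network-wide total
        return {"total": sum(hits.values())}
    raise ValueError(f"unknown granularity {granularity!r}")


def classify_from_report(report, probed):
    """Return (monitored, unmonitored): the addresses a reader of this single
    report can label with certainty, knowing which addresses were probed."""
    probed = set(probed)
    if "addresses" in report:
        mon = set(report["addresses"]) & probed
        return mon, probed - mon               # every probed address is resolved
    if "blocks" in report:
        probed_per_block = {}
        for a in probed:
            probed_per_block[a // BLOCK] = probed_per_block.get(a // BLOCK, 0) + 1
        mon, unmon = set(), set()
        for a in probed:
            seen = report["blocks"].get(a // BLOCK, 0)
            if seen == 0:                       # block silent: nothing probed there is monitored
                unmon.add(a)
            elif seen == probed_per_block[a // BLOCK]:  # every probe in the block was seen
                mon.add(a)
            # any other count only says "at least one address in this block is monitored"
        return mon, unmon
    total = report["total"]
    if total == 0:
        return set(), probed
    if total == len(probed):
        return probed, set()
    return set(), set()                         # a partial total resolves no single address


def leak_fraction(granularity, seed=7):
    """Fraction of the toy space a reader can label from one report after
    every address was probed once in that reporting period."""
    sensors = make_sensors(seed)
    probed = range(ADDRESS_SPACE)
    report = publish_report(observe(sensors, probed), granularity)
    mon, unmon = classify_from_report(report, probed)
    return (len(mon) + len(unmon)) / ADDRESS_SPACE


if __name__ == "__main__":
    for g in ("per_address", "per_block", "aggregate"):
        print(f"{g:12s} fraction of space resolved by one report: {leak_fraction(g):.2f}")
```

With per-address detail a single reporting period resolves the whole toy space; with block-level counts only silent or fully-hit blocks resolve; with a lone aggregate total nothing is resolved unless the count is zero or equals the number of probes. The model deliberately stops at what one report proves, which is the quantity an operator controls when choosing a report format.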

Yoichi Shinoda, who co-authored the Japanese study, emphasized in his presentation that because network sensors are the "sole" means of monitoring Internet background traffic, "we must protect them."