Navy fights new hack method

Hackers are banding together to mount low-visibility attacks in an effort to sneak under the radar of security specialists, a Navy team says.

Hackers are banding together across the globe to mount low-visibility attacks in an effort to sneak under the radar of security specialists and intrusion detection software, a U.S. Navy network security team said today.

Coordinated attacks from up to 15 different locations on several continents have been detected, and Navy experts believe that the attackers garner information by probing Navy Web sites and then share it among themselves.

"These new patterns are really hard to decipher--you need expert forensics to get the smoking gun," said Stephen Northcutt, head of the Shadow intrusion detection team at the Naval Surface Warfare Center. "To know what's really happening will require law enforcement to get hold of the hackers' code so we can disassemble it."

The new method involves sending as few as two suspicious probes per hour to a host computer, a level of interest that usually won't be detected by standard countermeasures. But by pooling information learned from those probes, hackers can garner considerable knowledge about a site.

Northcutt said the new technique for attacks was discovered only this month and has been detected at Defense Department facilities as well as in private sector sites, including some outside the United States.

The Shadow group has posted descriptions of the attacks and countermeasures, and the information has been forwarded to CERT, which investigates security attacks.

"Most intrusion detection systems have a threshold, a radar. These attacks are intentionally sliding under that threshold so normal intrusion detection tools will not detect them," said Tim Aldrich, principal analyst at the Navy facility.
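The threshold that Aldrich describes, and the pooling of a few probes per hour from many sources that Northcutt describes, can be made concrete with a small detector. The following is an added illustration, not code from the article, the Shadow team or SANS: it runs two detectors over a constructed log (documentation and private address ranges, assumed thresholds). The first is the classic per-source rate check; the second aggregates probes per target across all sources over a much longer window, which is the kind of correlation a low-rate, multi-source campaign requires.

```python
"""Detecting low-and-slow, distributed probing (added example, not from the article).

Two detectors run over a constructed log:
  1. per_source_alerts: the per-source rate "radar" most IDS tools apply.
  2. coordinated_alerts: aggregates probes per target across all sources over
     a much longer window, which is what a "two probes per hour" campaign needs.
Log line format (constructed for this example): "<epoch_seconds> <src_ip> <dst_ip> <dst_port>"
"""
from collections import defaultdict, deque


def _build_sample_log():
    """Constructed sample traffic; all addresses are documentation/private ranges."""
    lines = []
    # Four cooperating sources probe 192.0.2.10 at two probes per hour each,
    # over three hours, each source covering a different slice of ports 1..24.
    sources = ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"]
    port = 1
    for slot in range(6):                   # six half-hour slots = 3 hours
        for src in sources:
            lines.append(f"{slot * 1800} {src} 192.0.2.10 {port}")
            port += 1
    # Legitimate HTTPS traffic to the same host (should not raise an alert).
    for t in (100, 4000, 9000):
        lines.append(f"{t} 10.0.0.9 192.0.2.10 443")
    # One loud single-source scan of 192.0.2.20: 20 ports in 20 seconds.
    for k in range(20):
        lines.append(f"{50000 + k} 198.51.100.7 192.0.2.20 {8000 + k}")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, port) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((int(ts), src, dst, int(port)))
    return sorted(events)


def per_source_alerts(events, window=3600, threshold=10):
    """Alert when one source sends >= threshold probes to one target within `window` seconds.

    This is the threshold the article describes (values assumed); a source that
    paces itself to a couple of probes per hour never trips it.
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    alerts = {}
    for ts, src, dst, _port in events:
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[(src, dst)] = max(alerts.get((src, dst), 0), len(q))
    return sorted((src, dst, n) for (src, dst), n in alerts.items())


def coordinated_alerts(events, window=24 * 3600, min_sources=3, min_ports=16,
                       service_ports=frozenset({80, 443})):
    """Alert when, within `window`, a target is probed on >= min_ports distinct ports
    by >= min_sources distinct sources, ignoring ports the host legitimately serves.

    The per-source rate plays no part here: the signal is the union of ports
    covered across sources, which is exactly what pooled, low-rate probing produces.
    """
    ports_by_target = defaultdict(lambda: defaultdict(set))  # (dst, bucket) -> src -> ports
    for ts, src, dst, port in events:
        if port in service_ports:
            continue
        ports_by_target[(dst, ts // window)][src].add(port)
    alerts = []
    for (dst, bucket), by_src in sorted(ports_by_target.items()):
        all_ports = set().union(*by_src.values())
        if len(by_src) >= min_sources and len(all_ports) >= min_ports:
            alerts.append({"target": dst, "window": bucket,
                           "sources": sorted(by_src), "port_count": len(all_ports)})
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source alerts:", per_source_alerts(evs))
    print("coordinated alerts:", coordinated_alerts(evs))
```

On the constructed log the per-source check flags only the loud scanner of 192.0.2.20 and says nothing about 192.0.2.10, while the aggregated check reports 192.0.2.10 as probed on 24 distinct ports by four sources within the day. The design choice worth noting is the key: aggregating by target and by a window measured in hours or days, rather than by source and minutes, is what turns a handful of individually innocuous probes into a visible pattern; in practice one would also exclude known-good services and scanners before alerting.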

The Shadow team said that although the new method is harder to detect, it should not affect sites that are well-secured. But the technique puts sites with weak security at greater risk.

The attacks do not involve a new hacker tool or new kind of attack, but rather represent a low-visibility technique for perpetrating attacks. For example, one coordinated attack that involved at least 14 locations simply probed a Web site for security weaknesses without mounting a break-in.

The Shadow Intrusion Detection team said it cannot determine how many people might be involved in the attacks--hackers frequently use many different machines to launch their attacks. But the number of individuals involved is less important than the technique itself, Northcutt said.

The technique could be used to scan or mount attacks from more than 100 Internet addresses. The security experts also suggested that makers of commercial intrusion detection software need to counter the new method.

"This stealthy probing enables large amounts of parallel firepower, which means many attack attempts [from many sites] over a short time frame," said a note distributed by the System Administration Networking and Security (SANS) Institute.

Going public with news of new hacker techniques is somewhat unusual in the secretive network security community, which often fears that publicizing attacks before countermeasures are known will tip off attackers to vulnerabilities.

"We went public in hopes of raising awareness," Northcutt said. "You're only going to be able to find stealthy stuff by looking for stealthy stuff."

But before publicizing the new hacker technique, he added, the Shadow team had checked to be certain it would not jeopardize any official actions against the attackers. He also thinks that those using the technique may be caught.

"If they're working together, it ought to be easier to track them down because they leave more of a trail," he said.