RE: [Sheflug] Re: Security : Port scanning
And Lo! The Great Prophet "Morris, David (Allvac, UK)" uttered these
words of wisdom...
>
>> Richard wrote:
>> ...[stuff about bots]...
>
> Just out of curiosity, how did you come to that conclusion?
>
> (I don't fully understand the methods behind the hijacking / spoofing
> bit, so any info would be useful).
There are an increasing number of bots that install themselves on people's
machines, usually through social engineering (emails like "hi! here's a
picture of my kids" ... you know the sort of thing). Essentially, it's
getting the user to unwittingly install the bot in the first place.
Once it's installed, then controlling it is trivial in comparison, and
depends a lot on what sort of firewall is stopping communications with the
bot.
Most bots tend to be controlled by IRC, allowing an attacker to control
many bots at once - each bot logs into a certain IRC channel on a certain
network, and then just parses any of the text put out on the channel. An
attacker can control just a single bot by then simply using private
messages (/msg). The advantage is it's simple and quick, with plenty of
access points to an IRC network. The bot could connect to any one of a
number of servers on a single IRC network.
Alternatively, the bot could have a custom server it connects to; this has
the downside that a name or IP has to be hard coded, and, unless the
attacker has a number of resources, it's only going to be a single
hostname or IP. So if his machine is knocked offline, the bots become
harmless. At least until the attacker comes back online.
Bots could also email details of their location to the attacker; again,
this requires hardcoding one or two email addresses into the bot, but
gives the attacker another method to gain information. Controlling the bot
through email isn't likely to happen though.
Firewalls can thwart most bots, but there have been a number of ideas
mooted about how to get round them. I can't say if any have ever been
taken up. One of the possible techniques is to only ever send TCP ACKs
through a firewall, thus getting through firewalls that block connections
by blocking SYNs... using only ACKs could be analogous to using TCP as a
datagram/connectionless protocol...but an appropriately programmed bot
could pick them up. The server that controls the bot(s) would also be
custom written, so this technique isn't actually mainstream (to my
knowledge) - being confined to those people that can actually write the
software to do this.
This method is also the most complex, and can be thwarted by stateful
firewalls (a la pf on BSD and iptables on linux which will see if a
connection exists for an incoming packet before allowing it through,
unlike basic filter firewalls, a la ipchains, ipfwadm). But this also does
require you to build your rules so they watch for state (using "keep
state" in BSD, and whatever the iptables equivalent switch is).
This latter ACK-only method can also be thwarted by NAT. See... NAT isn't
only a useful thing to connect lots of machines through a single IP, it
adds some security as well :-)
However, if your computer is connected to the net, there will be some
way a bot can be controlled ... they get smarter all the time, and as
weaknesses in firewalls are exploited more and more, and other ways of
abusing the TCP protocol turn up, you'll never be 100% safe.
But as with sex, take sensible precautions and nothing untoward will
happen :)
But to finish on a glum note ... no one knows how many sleeping bots are
out there; I've seen talk that there could be a number of trojans on
machines that just haven't been activated at all as the attacker hasn't
yet used them, biding his time. This plays into the hands of the attacker
as the more time that passes, then the smaller, or non-existent, the logs
of how the trojan may have got onto the target's machine in the first
place.
Paranoia's a wonderful thing :)
Chris...
--
\ Chris Johnson \
\ cej [at] nightwolf.org.uk \
\ http://cej.nightwolf.org.uk/ ~-----------------------------------+
\ Redclaw chat - http://redclaw.org.uk - telnet redclaw.org.uk 2000 \____
___________________________________________________________________
Sheffield Linux User's Group -
http://www.sheflug.co.uk/mailfaq.html
GNU the choice of a complete generation.
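Chris's point that a stateful filter defeats the ACK-only trick, as an added example that is not part of the original post: a toy model of the "keep state" check next to the stateless "anything with ACK is a reply" rule that older packet filters relied on. The class, function names, addresses and ports are constructed for illustration.

```python
# Added example, not from the post. Models why an unsolicited ACK passes a
# stateless filter but not a stateful one (pf "keep state"; in iptables the
# equivalent is the state/conntrack match with --state ESTABLISHED,RELATED).
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "RST"}


def stateless_allow_inbound(pkt: Packet) -> bool:
    """Old-style rule: drop bare SYNs (new inbound connections) and let
    anything carrying ACK through, assuming it is a reply to us."""
    return "ACK" in pkt.flags


class StatefulFilter:
    """Only packets belonging to a connection this filter saw opened from
    the inside are allowed; a bare ACK with no state entry is dropped."""

    def __init__(self, inside_prefix: str):
        self.inside_prefix = inside_prefix  # constructed, e.g. "192.168.1."
        self.table = set()                  # direction-independent 4-tuples

    def _key(self, pkt: Packet):
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def allow(self, pkt: Packet) -> bool:
        key = self._key(pkt)
        if key in self.table:
            if "RST" in pkt.flags:          # real stacks also track FIN pairs
                self.table.discard(key)
            return True
        # No state yet: only an outbound SYN from inside may create one.
        if pkt.flags == {"SYN"} and pkt.src.startswith(self.inside_prefix):
            self.table.add(key)
            return True
        return False


def run_demo() -> dict:
    # Constructed traffic: a normal outbound web fetch, then an unsolicited
    # ACK-only packet from an outside host aimed at a would-be bot.
    syn_out = Packet("192.168.1.10", 40000, "203.0.113.5", 80, frozenset({"SYN"}))
    synack_in = Packet("203.0.113.5", 80, "192.168.1.10", 40000, frozenset({"SYN", "ACK"}))
    bare_ack = Packet("198.51.100.7", 6667, "192.168.1.10", 1337, frozenset({"ACK"}))
    fw = StatefulFilter("192.168.1.")
    return {
        "stateless_inbound": [stateless_allow_inbound(p) for p in (synack_in, bare_ack)],
        "stateful": [fw.allow(p) for p in (syn_out, synack_in, bare_ack)],
    }
```

The stateless rule waves the bare ACK through; the stateful filter drops it because no inside host ever opened that connection.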