Date: 01 Sep 1994 12:44:27 -0600 (MDT)
From: Chris McDonald
Subject: Article on Sniffer Attacks
To: orvis@icdc.llnl.gov
To: cmcdonal@wsmr-emh34.army.mil
Apparently-To: orvis@icdc.llnl.gov

I distributed the Sep product test index as well as the monthly listing of viruses in commercial/government media/software. Some of you may have noticed that I had to slide two product tests on COPS and on CRYPTOMACTIC. One of the reasons for this was to provide limited technical and administrative assistance to administrators involved in sniffer attacks. From speaking with those administrators I drafted this article which you may use as you feel appropriate.

I should add that the administrators with whom I have spoken may be "atypical" of those who have been attacked in so far as how initial access to their systems may have been gained.

Regards,
Chris

*************

Sniffer Attacks and Possible Defensive Strategies

Sniffer attacks against DoD hosts on the Internet have been occurring since November 1992. Internet discussions at that time openly spoke of such attacks without providing too many details. The recent publicity generated by the news media and by several emergency response center activities represents simply a normal progression to alert users to the phenomenon. Unfortunately discussion of the problem does not always include possible solutions or countermeasures which might be employed to address the threat. While there is admittedly no one solution, there is a list of items which reasonable users and system administrators might consider.

For those unfamiliar with sniffer attacks, perhaps a brief review is in order. From the approximately 15 system administrators with whom I have spoken who have been successfully attacked, several common threads have appeared.

First, initial access to a system is obtained either through the compromise of a non-randomly generated password, or by the exploitation of a known system vulnerability which has been well-advertised over the Internet. Once initial access has been gained, the attack scenario is for the intruder to turn on promiscuous mode, upload the sniffer program, and with the program installed capture the first 128 characters of every outgoing telnet session. In those cases where the initial access has been gained through the exploitation of an easily guessable root password, or through the exploitation of a vulnerability which can provide root privileges, the intruder has gained additional passwords and permissions in addition to whatever might be collected by the sniffer program.

In certain cases the intruder has not even bothered to download the data captured by the sniffer program. Instead the intruder has simply scanned the file of captured data, looking apparently for interesting login/password pairs to other hosts. In most cases the intruder has attempted to "hide" the existence of the sniffer and its captured data.

It is my suspicion that many different individuals are involved in the attacks; that some individuals have more talents than others; and that some are simply using other people's programs to exploit system vulnerabilities.

The following list is by no means inclusive, but does reflect the defensive strategies which one might adopt.

a. Subscribe to a multitude of news groups and emergency response center team mailings to ensure the receipt of vulnerability data. Many of the groups will have discussion of critical items well in advance of normal emergency response team mailings.

b. Create a database of known bugs for operating systems, application utilities, etc. If someone needs to know what the reported vulnerabilities are for IBM AIX, for example, he or she can go to one source and/or location.

c. Insist that system administrators utilize some type of automated tool to examine their system on a continuing basis. COPS, SPI, TRIPWIRE, and early versions of the ISS are available. There are also several commercial programs to facilitate an analysis of individual systems and to establish a baseline of what is a "normal" picture of a system.

d. Centralize the distribution scheme of all vulnerability data to ensure system administrators receive the latest information, and then ensure that some independent person/office follows up to verify the implementation of any "bug" fix or patch.

e. Insist on random password generation. While it may be fashionable to waive the requirement, I find that it just eliminates a large part of outside attacks.

f. Train users about the danger of using the same password on more than one system. Since one never knows where a sniffer program might be in place, a single password loss should not result in the compromise of multiple systems for an individual user.

g. Consider the use of one-time passwords or hardware authentication devices/tokens.

h. Initiate packet filtering, where appropriate, for incoming/outgoing connections on routers.

i. Install tcp_wrappers on systems, where feasible, to deny incoming/outgoing Internet access for services such as ftp, smtp and telnet.

j. Consider the installation of a firewall.

There will always be threats to computing resources. It is important to do the best one can with available technology and then to apply a strong dose of common sense.
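The attack scenario above turns on one observable host-side change: an interface placed in promiscuous mode so the sniffer can see every passing packet. The following check is an added example, not part of the article and not code from any of the tools it names; it is a modern Linux-specific script (the article predates sysfs and `ip`) of the kind that item c's "automated tool ... on a continuing basis" could run. It assumes a Linux host where /sys/class/net/<iface>/flags exists and the IFF_PROMISC bit value (0x100) from <linux/if.h>, with `ip link show` output as a fallback; the sample `ip link` text at the bottom is constructed.

```python
"""Check for network interfaces in promiscuous mode on a Linux host.

Added example (not from the original article). Assumptions: Linux sysfs
flag files under /sys/class/net, the IFF_PROMISC bit value 0x100 from
<linux/if.h>, and an `ip` binary for the fallback path.
"""
import os
import re
import subprocess
from typing import Dict, List

IFF_PROMISC = 0x100  # IFF_PROMISC from <linux/if.h> (assumed constant)


def promisc_from_flags(flags: int) -> bool:
    """True if the IFF_PROMISC bit is set in an interface flags word."""
    return bool(flags & IFF_PROMISC)


def read_sysfs_flags(sysfs_root: str = "/sys/class/net") -> Dict[str, int]:
    """Return {iface: flags} read from /sys/class/net/<iface>/flags.

    The kernel writes the flags as hexadecimal text (e.g. "0x1103").
    Reading kernel state directly avoids trusting a possibly trojaned
    ifconfig binary, which is how intruders in the article "hid" sniffers.
    """
    result: Dict[str, int] = {}
    if not os.path.isdir(sysfs_root):
        return result
    for iface in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, iface, "flags")
        try:
            with open(path) as fh:
                result[iface] = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue  # not a real interface entry or unreadable
    return result


# Matches the first line of each `ip link show` entry, e.g.
# "3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 ..."
_IPLINK_RE = re.compile(r"^\d+:\s+(?P<name>[^:@]+)(?:@\S+)?:\s+<(?P<flags>[^>]*)>")


def promisc_from_ip_link(output: str) -> List[str]:
    """Parse `ip link show` text and return interface names flagged PROMISC."""
    found: List[str] = []
    for line in output.splitlines():
        m = _IPLINK_RE.match(line)
        if m and "PROMISC" in m.group("flags").split(","):
            found.append(m.group("name"))
    return found


def promiscuous_interfaces() -> List[str]:
    """Live check of this host: sysfs first, `ip link show` as a fallback."""
    flags = read_sysfs_flags()
    if flags:
        return [name for name, f in sorted(flags.items()) if promisc_from_flags(f)]
    try:
        out = subprocess.run(
            ["ip", "link", "show"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return []  # no sysfs and no `ip`: nothing to report
    return promisc_from_ip_link(out)


# Constructed sample of `ip link show` output; eth1 is the one to flag.
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""

if __name__ == "__main__":
    print("promiscuous in sample:", promisc_from_ip_link(SAMPLE_IP_LINK))
    print("promiscuous on this host:", promiscuous_interfaces())
```

Run it from cron or the baseline tool of choice and alert on any non-empty result for hosts that are not supposed to be sniffing (a legitimate IDS sensor will show PROMISC and belongs on an allow list). The sysfs path needs no privileges and does not depend on the userland tools an intruder may have replaced, which is the same reason item c pairs a periodic check with a file-integrity baseline such as TRIPWIRE.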