Infosec's Worst Nightmares

Code Red (2001). In July 2001, IDS sensors around the world noticed a massive eruption in incoming HTTP requests. Many infosec professionals, including those at the

Nimda (2001). The nation was barely staggering back to its feet a week after the 9/11 terrorist attacks when Nimda hit. I distinctly remember thinking: "How dare you, you little twerp! We're trying to rebuild networks throughout Manhattan as we mourn the loss of thousands of people, and you launch a worm now!?!" Rumors floated that China released Nimda to measure the response of the U.S. to a cyberattack. Not likely, given the nature of Nimda. While it was bad, it had the appearance of being written by a determined amateur, not a nation-state reported to spend $1 billion annually on cyberwarfare capabilities.

Nimda ripped Windows apart in as many ways as possible, giving us a taste of the future by offering a stunning example of the power of a multi-exploit worm. It compromised Windows boxes in a number of ways, by exploiting and propagating through:

• Flaws in IIS.
• Browsers with JavaScript enabled that surf to an infected Web server.
• Outlook e-mail clients.
• Activating Windows file sharing, enabling the guest account and adding guest to the administrator's group.

After taking over a system, Nimda focused purely on spreading, sucking up bandwidth and processor cycles in its wake. From Nimda, we learned:

• The importance of having incident-response capabilities, and linking them with network management personnel. To block the spread of a vicious worm, you need to rapidly deploy filters throughout your WAN and possibly disconnect portions of your network to limit damage.
• The importance of disabling arbitrary script execution in e-mail clients and Web browsers.

Melissa (1999) and LoveLetter (2000). The Melissa virus in March 1999 and the LoveLetter virus in May 2000 share the stage because of the way they exploited e-mail to propagate. Both spread via an application-level scripting language and propagated primarily via Outlook e-mail attachments. Melissa was a Microsoft Word macro virus, and LoveLetter was a VBScript virus.

When activated through the "Double Click of Doom"--often just before reading the sysadmin's e-mail warning about not opening attachments--each worm harvested the victim's address book to e-mail itself to a new set of victims, spreading exponentially. Although we'd seen worms propagate via e-mail before, the results of Melissa and LoveLetter were far more dramatic because of the efficiency of using the Outlook address book to infect other users.

Both of these threats brought e-mail service down at many companies, as a flood of bogus messages clogged their mail servers. Some organizations even pulled their networks off the Internet until the danger passed, so they could clean up the worm infestations in their internal environment without getting reinfected. In a number of cases, that meant no Web and e-mail for 24 or perhaps even 48 hours or more. While AV vendors demonstrated their effectiveness in distributing signatures to their biggest clients, many firms and individuals had to wait for virus definitions because of the "Super Bowl toilet flush effect" of everyone trying to download updates at the same time. Melissa and LoveLetter ranked just behind Code Red and Nimda among mini-poll respondents.

Melissa and LoveLetter were security wake-up calls. The outbreaks spurred two important infosecurity trends:

• Melissa and LoveLetter energized the business community to beef up security. Many organizations finally got serious about antivirus software--deploying AV not only at the desktop, but also on mail and file servers. Companies that tried to do virus protection on the cheap--ignoring their servers--got burned.
• The inability of many organizations to respond effectively to the worms gave rise to widespread establishment of computer incident-response teams.

Distributed Denial-of-Service (DDoS) Attacks (2000). The millennium arrived without incident, and the infosec industry breathed a collective sigh of relief. Y2K barely caused a ripple. Then, a month later, came the deluge. The Internet's first big wave of DDoS attacks first brought down Yahoo!, then a who's who of high-profile Web sites: Amazon.com, CNN, E*Trade, ZDNet, Buy.com, Excite and eBay. All were knocked off the Internet. A single attacker, MafiaBoy, had spread zombie flooding agents to hundreds of machines around the world. We had seen packet floods before and even basic DDoS attacks, but we had never witnessed an attack of this magnitude.

This DDoS blitz made us realize that the Internet was far more vulnerable--and distributed attacks were far more potent--than we had suspected. By launching an attack from a large group of machines spread across the world, an attacker could use the power of the Internet itself to spread mayhem via DDoS, distributed scanning, distributed password cracking, etc.

So what did we learn from this onslaught?

• These attacks underscored the importance of egress antispoofing filters. If your Web server starts spewing packets using a bogus source address, your border router or firewall should drop the spoofed traffic.
• Incident-response teams realized that they had to work with their ISPs to block packet floods. Your firewall may be a formidable barrier, but you still lose if someone sucks up all bandwidth connecting you to the Internet. Only by rapidly marshaling the forces of your ISP incident-response team can you block massive floods.

Unfortunately, these attacks remain a major threat, in large part because ISPs have been slow to deploy DDoS countermeasures or ramp up their incident-response capability.

Remote Control Trojan Horse Backdoors (1998-2000). In July 1998, the Cult of the Dead Cow hacker group caused quite a stir with the release of Back Orifice, a Trojan horse that installs a backdoor on Windows 95/98/NT target machines to allow a remote attacker to have complete access. Armed with this point-and-click tool, even unskilled attackers could dupe a user into installing Back Orifice, giving the attacker complete control of the victim's machine. With Back Orifice, an attacker can do just about anything a user sitting at the keyboard can do: access sensitive files, delete or modify critical data, and even reconfigure the system.

Functionally, Back Orifice was virtually identical to many commercial remote control and administration tools, such as

Exploiting Automatic Update Features. Major software vendors, including Microsoft and

Attacks Against the Routing or DNS Infrastructure. The Internet is glued together by two critical pieces of infrastructure--the routers that make up the Internet backbone and the DNS servers that resolve domain names into IP addresses. If an attacker could successfully undermine the Border Gateway Protocol (BGP) used by the backbone routers to share routing information, or tear apart DNS servers at will, the Internet itself could come unraveled.

With these extremely juicy targets, attackers are very carefully combing through the code of major router vendors and DNS suppliers. They are looking for buffer overflows and other problems that would let them crash or even gain administrative access to such systems. Routing code is highly complex, and may have some significant problems, although few significant holes have been identified to date. DNS software has been plagued with buffer overflows in the past, and could have similar problems in the future. If attackers find what they are looking for in routing or DNS attacks, much of the Internet could be rapidly disabled.

To prepare for this type of attack, make sure your systems can't be used as jumping-off points to target others:

• Harden your publicly accessible routers and external DNS servers. Your organization's DNS servers are among the most security-sensitive machines in your whole environment, ranking right up there with your firewalls and authentication servers.
• Keep your DNS servers patched, and carefully monitor them for attacks.
• If you're responsible for ISP security, make sure your incident-response team can rapidly contact your upstream provider to coordinate your response to a massive router attack.

Simultaneous Cyber and Physical Terrorist Attacks. This is the double nightmare--a massive computer attack that disables millions of systems conducted in tandem with a physical terrorist assault against one or more cities, such as a bombing or biological attack. On Sept. 11, 2001, telephone communication virtually melted down in several East Coast cities, forcing people to turn to e-mail to verify the safety of colleagues and loved ones. The Internet (as well as TV news) proved to be an excellent vehicle for learning about the attacks as they happened. By sending a super worm, breaking BGP or disabling DNS, an attacker could cut off one of our critical communications channels just when we need them the most.

Getting ready for this one is certainly difficult:

• Procure backup communications capabilities for your disaster recovery and computer incident-response teams. Get them two-way messaging pagers in addition to cellphones.
• Make sure that your physical security folks are an integral part of your computer incident-response team.
• Create attack scenarios with your physical security team, and walk through them to ensure all assignments and roles are understood in advance.