BreachExchange mailing list archives

Online Scans: Precursor to Attack?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 6 Nov 2013 23:20:41 -0700

http://www.databreachtoday.com/online-scans-precursor-to-attack-a-6199

A significant uptick in traffic this week linked to an Internet port known
as "port zero" is likely among the first signs of a massive and targeted
attack against remote servers and networks throughout the world, says
threat researcher Craig Williams of Cisco Systems Inc.

Fraud analyst Al Pascual of the consultancy Javelin Strategy & Research
says news of the port zero scans revealed by Cisco is significant because
such activity is often a precursor to distributed-denial-of-service attacks.

"The attackers are probing networks to determine how they respond," Pascual
says. "This activity could also represent attempts to locate systems for
later infection with operating system specific attacks, as Unix and Windows
treat port zero slightly differently. Port zero traffic is often completely
innocuous, but the breadth of this activity renders it suspicious enough to
watch closely. It is too early to tell exactly what this activity portends,
but organizations should be on guard."

While Williams does not believe the network and server scans through port
zero are linked to DDoS strikes, he says it's difficult to know exactly
what type of attack, if any, could result.

"This type of reconnaissance is for remote attacks against a remote server
or any other type of remote service," Williams says. "Seeing reconnaissance
activity does not always indicate attack, but there is no reason for
someone to do this kind of scanning with bad IPs [Internet protocols]
unless they were planning something."

In fact, Williams says the remote scans being run through port zero suggest
that if an attack is later waged against some operating system or device
vulnerability, it could be so narrow that it's not detected.

Researchers say the port zero traffic that is being used to scan remote
servers and networks is not focused on any single industry. "Just about
anyone is being scanned, and I would guess that means it's some piece of
malware that is looking for some very specific vulnerable piece of software
to exploit," Williams says. "They are not doing this randomly."

Preventable Attack

This type of anticipated attack is completely preventable because the main
vulnerability is port zero - an Internet port no one needs to leave open,
Williams says.

"The most obvious thing to do is block or deny this port over TCP
[Transport Control Protocol] and UDP [User Datagram Protocol]," he says.
"This port is open in many cases because most people are just not aware of
it."

Because port zero is a reserved port, Williams says that means it generally
should not be used; the only time traffic should be linked to port zero
should be for testing or research.

So when researchers started noting abnormal upticks in port zero traffic
Nov. 2 - the highest such traffic this year - they knew something was
amiss, Williams says. And, based on the traffic patterns, the end goal is
likely some sort of attack, he says. That's because the Internet protocol
addresses linked to the port zero traffic are known as being malicious,
Williams says.

And Williams says other Internet security teams have confirmed seeing the
same kind of anomalous traffic linked to port zero.

"We know these IPs don't have a good reputation, and that is why we are
concerned," he says. "And, historically, right before an attack, you can
expect to see this type of increase in traffic patterns, which is another
reason why we are worried."
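The two practical points in the article are the mitigation (deny TCP and UDP port 0 at the perimeter, since nothing legitimate uses it) and the detection (an uptick in port-zero traffic on a given day, from a cluster of source addresses sweeping many hosts). The script below is an added example written for this archive page, not code from Cisco or the article's sources. It assumes a simplified, constructed log format (timestamp, source, destination, protocol, source port, destination port, action), pulls out port-0 events, counts them per day, flags a day whose count jumps well above the mean of the preceding days, and lists the source addresses behind the flagged day together with how many distinct destinations each one touched, which is the sweep pattern the article describes. The threshold values are assumptions to tune against your own baseline.

```python
"""Flag an uptick in TCP/UDP port-0 traffic in firewall deny logs.

Added example. The log format is a constructed, simplified one:
  <ISO timestamp> <src ip> <dst ip> <proto> <sport> <dport> <action>
It is not any specific vendor's format.
"""
from collections import Counter, defaultdict

# Constructed sample log lines (RFC 5737 test addresses, not real traffic).
# Port 0 appears sporadically before Nov. 2, then in a burst from several
# sources on Nov. 2, one of which sweeps several destinations.
SAMPLE_LOG = """\
2013-10-30T10:01:02Z 198.51.100.7 203.0.113.10 TCP 40000 443 ACCEPT
2013-10-30T11:15:44Z 198.51.100.7 203.0.113.10 TCP 40001 0 DROP
2013-10-31T09:22:10Z 192.0.2.55 203.0.113.11 UDP 53 53 ACCEPT
2013-10-31T13:40:00Z 198.51.100.9 203.0.113.12 TCP 40002 0 DROP
2013-11-01T08:00:00Z 192.0.2.55 203.0.113.11 TCP 40003 22 ACCEPT
2013-11-02T00:05:11Z 198.51.100.21 203.0.113.10 TCP 40010 0 DROP
2013-11-02T00:05:12Z 198.51.100.21 203.0.113.11 TCP 40011 0 DROP
2013-11-02T00:05:13Z 198.51.100.21 203.0.113.12 UDP 40012 0 DROP
2013-11-02T00:07:40Z 198.51.100.22 203.0.113.10 TCP 0 80 DROP
2013-11-02T01:12:09Z 198.51.100.23 203.0.113.13 TCP 40013 0 DROP
2013-11-02T02:30:00Z 198.51.100.21 203.0.113.14 TCP 40014 0 DROP
2013-11-02T03:45:51Z 198.51.100.24 203.0.113.10 UDP 40015 0 DROP
"""


def parse_line(line):
    """Split one constructed log line into a dict; day is the ISO date prefix."""
    ts, src, dst, proto, sport, dport, action = line.split()
    return {"day": ts[:10], "src": src, "dst": dst, "proto": proto,
            "sport": int(sport), "dport": int(dport), "action": action}


def port_zero_events(log_text):
    """Return parsed events whose source or destination port is 0 on TCP or UDP."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev["proto"] in ("TCP", "UDP") and 0 in (ev["sport"], ev["dport"]):
            events.append(ev)
    return events


def daily_counts(events):
    """Count port-0 events per ISO day string."""
    return Counter(ev["day"] for ev in events)


def find_uptick(counts, factor=3.0, min_events=5):
    """Return (day, count, baseline) for days whose count is at least
    min_events and at least factor times the mean of all earlier days.
    factor and min_events are assumed thresholds; tune to your own traffic."""
    flagged = []
    days = sorted(counts)
    for i, day in enumerate(days):
        prior = [counts[d] for d in days[:i]]
        baseline = sum(prior) / len(prior) if prior else 0.0
        n = counts[day]
        if n >= min_events and (baseline == 0.0 or n >= factor * baseline):
            flagged.append((day, n, baseline))
    return flagged


def top_sources(events, day):
    """For one day, list (src, event count, distinct destinations), busiest first.
    Many distinct destinations from one source is the sweep pattern."""
    per_src = Counter()
    dsts = defaultdict(set)
    for ev in events:
        if ev["day"] == day:
            per_src[ev["src"]] += 1
            dsts[ev["src"]].add(ev["dst"])
    return [(src, n, len(dsts[src])) for src, n in per_src.most_common()]


if __name__ == "__main__":
    evs = port_zero_events(SAMPLE_LOG)
    for day, n, base in find_uptick(daily_counts(evs)):
        print(f"{day}: {n} port-0 events (prior daily mean {base:.1f})")
        for src, n_src, n_dst in top_sources(evs, day):
            print(f"  {src}: {n_src} events to {n_dst} distinct hosts")
```

On the constructed sample this flags Nov. 2 (seven port-0 events against a prior mean of one per day) and shows 198.51.100.21 hitting four distinct hosts. In practice the source list is what you feed to reputation lookups, and the events should all be DROPs if the perimeter rule the article recommends is in place; ACCEPTs with port 0 mean the rule is missing somewhere.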

Also, the only time online scanning in a legitimate context should occur is
when research is being conducted, Williams explains. "And we have not been
able to associate these IPs with any white-hat," he adds.

Most of the IP addresses involved have been linked to the Netherlands, but
Williams says that does not mean much. "It's likely compromised machines,
so I'm not sure the geographic location tells us much," he says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss