IDS mailing list archives
Re: slow scans?
From: James Hoagland <jim () SiliconDefense com>
Date: Fri, 14 Feb 2003 09:42:35 -0800
Johannes and all,

At 2:15 PM -0500 2/12/03, Johannes Ullrich wrote:
> You are right that only few people care. Firstly, 'slow scans' are hard to detect, and even worse, frequently hard to define. Given the high background noise one can expect on any internet facing IP address (CR, Nimda, SqlSlammer, IRC probes...), it is hard to detect anything 'different'.
Slow scans are indeed hard to detect. But that doesn't mean that people shouldn't care. But I do know what you mean that they can be hard to define. With Spice we punt a little on that and use combinations of heuristics. We found that there was a line that could be drawn to catch stealthy scans without too many false positives.
> On the other hand, do people actually use slow scans or do they rather use quick and loud scans from a throw-away source?
Some attackers use loud scans from a throw-away source. But there are times where it benefits an attacker to do a stealthy scan. These include:
+ when they don't want to be discovered. They might be traced back from the throw away source.
+ if (for a horizontal scan) they want to keep the specific ports they are scanning a secret. For example, they might have a 0-day exploit they don't want the good guys to know about. Or perhaps it is the pre-scan before a Flash-type worm.
+ if (for a vertical scan) they want to keep the host(s) they are scanning a secret. For example, they don't want to reveal that they are interested in compromising some particular host or that they know the importance of a host.
+ if the scan is being conducted from the inside (either by an insider or an outsider). A scan discovered here is less likely to be considered noise. And even if a throw-away host is used (the CEO's desktop?), the defenders will still know somebody is up to something and be extra watchful.
In addition, non-linear scans across 0.0.0.0/0 will look like a slow scan from the point of view of any given IP range. I think we've all seen this before (or at least should have seen it before).
> Another question is: What would you do different if you know someone is scanning you slowly? If there is nothing you would change in your procedure, there is no reason to detect it. Would you provide some false information to the scanner (e.g. put up some form of honeypot to see if the attacker follows up)?
I think folks would (or should) perceive a stealthy scan more seriously and respond accordingly. There is a higher (but not overwhelming) cost to do a stealthy scan than a brain-dead scan, in terms of set-up and/or in time to wait for the scan to complete. So, the threat would seem to be more serious (why would the scanner pay the higher price otherwise?). And would you react differently to a stealthy scan (particularly if it has unusual targets or an unusual shape) than the 10,000th CodeRed scan? I think so.
> As for tools: The main issue is to use an IDS / Log management system that can handle enough logs to recognize these probes. Shadow comes to mind as a solution.
Indeed, finding slow scans in the mass of packets is the challenge (and one I well realize). The approach we take with the CounterStealth is two-level. Spade very quickly analyzes a packet to see if it is anomalous enough to pass to Spice. (BTW, Spade is freely available and it is not that hard to port.) Spice (since it is receiving only a small percent of packets) can take more time in its efforts to correlate the anomalous events into scans.
Best regards,

Jim

--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: The Cyberwar Defense Company --- *|
|* jim () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
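As an added illustration of the two-level idea described above (this is not the Spade/Spice code and is not part of the thread): a constructed flow log is first passed through a cheap, stateless anomaly test, and only the survivors reach a per-source correlator that keeps state long enough for touches spread over many hours to add up to a scan. The log lines, the baseline table and the thresholds are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log, one "<ISO time> <src> <dst> <dst port>" per line.
LOG = """\
2003-02-12T01:10 198.51.100.7 10.0.0.5 80
2003-02-12T02:00 192.0.2.10 10.0.0.5 22
2003-02-12T03:00 203.0.113.4 10.0.0.5 1434
2003-02-12T03:00 203.0.113.4 10.0.0.9 1434
2003-02-12T03:00 203.0.113.4 10.0.0.12 1434
2003-02-12T03:00 203.0.113.4 10.0.0.13 1434
2003-02-12T08:00 192.0.2.10 10.0.0.9 22
2003-02-12T14:30 192.0.2.10 10.0.0.12 22
2003-02-12T21:00 192.0.2.10 10.0.0.13 22
"""

# Constructed baseline: ports each host is known to serve (absent host = none).
BASELINE = {"10.0.0.5": {80, 443}, "10.0.0.9": {25}}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events

def stage1_anomalous(event, baseline):
    """Stage 1: a cheap, stateless test run on every event: is the port one
    the destination host is not known to serve?"""
    _, _, dst, port = event
    return port not in baseline.get(dst, set())

def stage2_correlate(anomalies, min_targets=4, slow_after=timedelta(hours=6)):
    """Stage 2: sees only stage-1 survivors, so it can keep per-source state
    for as long as needed.  Many distinct (host, port) targets from one
    source is a scan; spread over a long span it is a slow scan."""
    by_src = defaultdict(list)
    for ts, src, dst, port in anomalies:
        by_src[src].append((ts, dst, port))
    verdicts = {}
    for src, touches in by_src.items():
        if len({(dst, port) for _, dst, port in touches}) < min_targets:
            continue
        times = [ts for ts, _, _ in touches]
        verdicts[src] = "slow" if max(times) - min(times) >= slow_after else "loud"
    return verdicts

def detect_scans(log_text, baseline):
    anomalies = [e for e in parse_log(log_text) if stage1_anomalous(e, baseline)]
    return stage2_correlate(anomalies)
```

With the sample log, the source probing one new host every few hours is reported as "slow" while the four-host burst at 03:00 is reported as "loud"; the benign web and mail connections never leave stage 1.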