IDS mailing list archives

Re: slow scans?


From: James Hoagland <jim () SiliconDefense com>
Date: Fri, 14 Feb 2003 09:42:35 -0800

Johannes and all,

At 2:15 PM -0500 2/12/03, Johannes Ullrich wrote:
> You are right that only a few people care. Firstly, 'slow scans' are
> hard to detect, and even worse, frequently hard to define. Given
> the high background noise one can expect on any internet-facing
> IP address (CR, Nimda, SqlSlammer, IRC probes...), it is hard to
> detect anything 'different'.

Slow scans are indeed hard to detect. But that doesn't mean that people shouldn't care. But I do know what you mean that they can be hard to define. With Spice we punt a little on that and use combinations of heuristics. We found that there was a line that could be drawn to catch stealthy scans without too many false positives.

> On the other hand, do people actually use slow scans or do they rather
> use quick and loud scans from a throw-away source?

Some attackers use loud scans from a throw-away source. But there are times where it benefits an attacker to use a stealthy scan. These include:

+ when they don't want to be discovered. They might be traced back from the throw-away source.

+ if (for a horizontal scan) they want to keep the specific ports they are scanning a secret. For example, they might have a 0-day exploit they don't want the good guys to know about. Or perhaps it is the pre-scan before a Flash-type worm.

+ if (for a vertical scan) they want to keep the host(s) they are scanning a secret. For example, they don't want to reveal that they are interested in compromising some particular host or that they know the importance of a host.

+ if the scan is being conducted from the inside (either by an insider or an outsider). A scan discovered here is less likely to be considered noise. And even if a throw-away host is used (the CEO's desktop?), the defenders will still know somebody is up to something and be extra watchful.

In addition, non-linear scans across 0.0.0.0/0 will look like a slow scan from the point of view of any given IP range. I think we've all seen this before (or at least should have seen it before).

> Another question is: What would you do different if you know someone
> is scanning you slowly? If there is nothing you would change in your
> procedure, there is no reason to detect it. Would you provide some
> false information to the scanner (e.g. put up some form of honeypot
> to see if the attacker follows up)?

I think folks would (or should) perceive a stealthy scan more seriously and respond accordingly. There is a higher (but not overwhelming) cost to do a stealthy scan than a brain-dead scan, in terms of set-up and/or in time to wait for the scan to complete. So, the threat would seem to be more serious (why would the scanner pay the higher price otherwise?). And would you react differently to a stealthy scan (particularly if it has unusual targets or an unusual shape) than the 10,000th CodeRed scan? I think so.

> As for tools: The main issue is to use an IDS / Log management system
> that can handle enough logs to recognize these probes. Shadow comes to
> mind as a solution.

Indeed, finding slow scans in the mass of packets is the challenge (and one I well realize). The approach we take with the CounterStealth is two-level. Spade very quickly analyzes a packet to see if it is anomalous enough to pass to Spice. (BTW, Spade is freely available and it is not that hard to port.) Spice (since it is receiving only a small percent of packets) can take more time in its efforts to correlate the anomalous events into scans.

Best regards,

  Jim
--
|*     Jim Hoagland, Associate Researcher, Silicon Defense     *|
|*    --- Silicon Defense: The Cyberwar Defense Company ---    *|
|*   jim () SiliconDefense com, http://www.silicondefense.com/    *|
|*  Voice: (530) 756-7317                 Fax: (530) 756-7297  *|
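The two-level idea Jim describes above (a cheap per-packet anomaly filter feeding a slower correlator that assembles rare events into scans) can be sketched in a few dozen lines. The block below is an added example written for this archive page; it is not Spade or Spice code, and its anomaly score (minus log2 of the observed frequency of each destination host/port pair) is only a caricature of Spade's model. The flow records are constructed: all-day CodeRed/Slammer-style background noise, one odd but legitimate connection, a horizontal scan of one port across twelve hosts at one probe every thirty minutes, a vertical scan of eight ports on one host at the same pace, and a loud twenty-host sweep from a throw-away address. A plain rate-threshold detector is included for contrast; it sees only the loud sweep.

```python
"""Two-level slow-scan detection over constructed flow records.

Level 1 scores every record by how unusual its (dst, dport) pair is
relative to all traffic seen (score = -log2 P(dst, dport)) and hands
only the rare ones on.  Level 2 keeps those few records per source for
a long window and reports a source once it has touched enough distinct
targets, no matter how slowly.  Illustration only, not Spade/Spice code.
"""
from collections import Counter, defaultdict
from math import log2


def build_sample():
    """Constructed flow records (time_s, src, dst, dport); not real traffic."""
    ev = []
    # Background noise: 50 sources hitting a web server and a 1434 target
    # twice an hour, all day (the "10,000th CodeRed/Slammer probe").
    for i in range(50):
        src = f"198.51.100.{i + 1}"
        for hour in range(24):
            t = hour * 3600 + i * 7
            ev.append((t, src, "10.0.0.1", 80))
            ev.append((t + 30, src, "10.0.0.2", 1434))
    # A single odd but legitimate connection: anomalous, yet not a scan.
    ev.append((5000, "192.0.2.9", "10.0.0.5", 8443))
    # Slow horizontal scan: port 5555 on 12 hosts, one probe every 30 min.
    for k in range(12):
        ev.append((3600 + k * 1800, "203.0.113.7", f"10.0.0.{k + 1}", 5555))
    # Slow vertical scan: 8 ports on one host, one probe every 30 min.
    for k, port in enumerate([21, 22, 23, 25, 110, 143, 443, 3306]):
        ev.append((7200 + k * 1800, "203.0.113.8", "10.0.0.3", port))
    # Loud scan from a throw-away source: 20 hosts on port 22 in 20 seconds.
    for k in range(20):
        ev.append((50000 + k, "203.0.113.9", f"10.0.0.{k + 1}", 22))
    return sorted(ev)


def anomaly_scores(events):
    """Level 1: rarity of the (dst, dport) pair as -log2 of its observed
    frequency.  Cheap per record, so it can run on every packet or flow."""
    freq = Counter((dst, dport) for _, _, dst, dport in events)
    total = len(events)
    return [(t, src, dst, dport, -log2(freq[(dst, dport)] / total))
            for t, src, dst, dport in events]


def correlate(scored, threshold=8.0, window=24 * 3600, min_targets=5):
    """Level 2: only records scoring >= threshold arrive here.  Group them
    by source over a long window and classify the scan by its shape."""
    by_src = defaultdict(list)
    for t, src, dst, dport, score in scored:
        if score >= threshold:
            by_src[src].append((t, dst, dport))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        t0 = hits[0][0]
        hits = [h for h in hits if h[0] - t0 <= window]
        targets = {(d, p) for _, d, p in hits}
        if len(targets) < min_targets:
            continue  # one-off oddities stay out of the report
        dsts = {d for d, _ in targets}
        ports = {p for _, p in targets}
        if len(dsts) > 1 and len(ports) == 1:
            kind = "horizontal"
        elif len(dsts) == 1 and len(ports) > 1:
            kind = "vertical"
        else:
            kind = "mixed"
        findings[src] = {"kind": kind, "targets": len(targets),
                         "span_seconds": hits[-1][0] - t0}
    return findings


def detect_slow_scans(events):
    return correlate(anomaly_scores(events))


def rate_detector(events, window=60, min_events=5):
    """The usual threshold detector: a source with >= min_events records in
    any window-second span.  Catches the loud sweep and, by design, nothing
    that probes once every half hour."""
    by_src = defaultdict(list)
    for t, src, _, _ in events:
        by_src[src].append(t)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            if i - j + 1 >= min_events:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    sample = build_sample()
    print("rate detector flags:", sorted(rate_detector(sample)))
    for src, f in sorted(detect_slow_scans(sample).items()):
        print(f"{src}: {f['kind']} scan, {f['targets']} targets "
              f"over {f['span_seconds']} s")
```

The one-off 8443 connection scores as high as any scan probe at level 1, which is exactly why a single anomalous packet is not a finding: level 2 only reports a source once it has accumulated several distinct rare targets, and it reports the slow horizontal and vertical scans with the same confidence as the loud sweep, while the rate detector flags the sweep alone.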

