So you think you're being attacked. You've got your intrusion detection
systems running, and you've seen something in the logs that shouldn't be
there. Well, what now? What is the best way to respond to an incident?
This article is geared primarily toward the home user or small business.
The assumption is made that the user already knows a little about system
security and intrusion detection; if not, I recommend the following:
Technotronic's Unix security page
NWO.net's Linux tools page
The IDS mailing list
NT links
Read up on intrusion detection, get some experience with it, and then read
this.
Response to an intrusion starts before the intrusion begins. The first
step is determining what you're looking for and what you care about. For
instance, if you know you're not running a web server, you might not care
about failed connections on port 80; successful connects on port 31337
(the default Back Orifice port), on the other hand, may be particularly
interesting if you're running a Windows machine. Learn a little bit about
what you're running and what its vulnerabilities are. Simovits has a good
page of known trojan ports. It's also a good idea to find out what kinds
of things you -should- be seeing (i.e., what constitutes 'normal' traffic
on your machine) so you'll know what doesn't look right. Once you have a
good idea of what's important to you, you're prepared to respond to an
intrusion.
Second, find out who to contact at your ISP if you're under attack. Most
ISPs have an abuse mailbox; some even have a security mailbox. Knowing
ahead of time who to contact at your ISP pays off; they can often be your
first line of defense.
Third, find a good place to store your logs; most intrusion detection
systems come with a default log storage location. Make sure you save logs
when you're under attack, and save them unaltered: copy the relevant
files somewhere the attacker can't reach (removable media, another
machine, even a printout), note which time zone your clock is set to, and
leave the originals as they were written. There's very little that can be
done without the logs if you have to escalate the situation to your ISP
or the attacker's.
So. You've found something in your logs that doesn't look right. What
now? The first step is to look at the logs and find out exactly what you
see in there. What service is affected? Unix/Linux users can look in
/etc/services for a list of common ports and their associated services;
those lists are also easily found on the web via your favorite search
engine. What is the attacker trying to do...or what has he already done?
If I see an entry in my logs that's unfamiliar to me, I find it easy to
cut'n'paste the line into a search engine (I use AltaVista and Google)
and look through what turns up. Strip your own IP address and any
usernames out of the line first; there's no reason to hand those to a
third party.
Who is the attacker? Is it coming from a bunch of different IP addresses
all at once, or just one? If many addresses are hammering the same
service at the same time, you're probably under a denial of service
attack; contact your ISP's abuse department if this is the case (there
-are- ways to deal with a DoS yourself, but chances are if you're able to
do that, you don't need me telling you how). A handful of unrelated
addresses each poking at you once over a period of days is just the
background noise of the net, not a coordinated attack. If it's all coming
from just one address, and it is not a denial of service attack, it's
time to find out a little bit about who is trying to get into your system
(or who has already compromised your system).
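To make the 'what service, one source or many' triage concrete, here is an added example (mine, not code from the original article): a Python script that parses a few constructed firewall-style log lines, groups them by source address, decodes destination ports against a small table standing in for /etc/services (with port 31337 marked as Back Orifice, the kind of entry Simovits' list covers), flags a likely flood when several distinct sources hit one port within a short window, and records a SHA-256 digest of the raw excerpt so you can show later that the logs you send to an ISP are the ones you captured. The log format, the sample addresses, the service table and the flood thresholds are all assumptions; adapt the regular expression to whatever your IDS writes.

```python
"""Triage of firewall/IDS log lines: what service, one source or many.

Added example, not part of the original article. The log format is a
made-up syslog-style firewall line; adjust LINE_RE for your own IDS.
"""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (documentation address ranges, not real traffic).
# Format: "<timestamp> ALLOW|DENY <proto> <src>:<sport> -> <dst>:<dport>"
SAMPLE_LOG = """\
1999-08-14T22:01:03 ALLOW TCP 192.0.2.77:1034 -> 198.51.100.5:31337
1999-08-14T22:01:04 ALLOW TCP 192.0.2.77:1035 -> 198.51.100.5:31337
1999-08-14T22:01:09 DENY TCP 192.0.2.77:1036 -> 198.51.100.5:139
1999-08-14T22:03:41 DENY TCP 203.0.113.9:40000 -> 198.51.100.5:80
1999-08-14T22:03:41 DENY TCP 203.0.113.10:40000 -> 198.51.100.5:80
1999-08-14T22:03:41 DENY TCP 203.0.113.11:40000 -> 198.51.100.5:80
1999-08-14T22:03:42 DENY TCP 203.0.113.12:40000 -> 198.51.100.5:80
"""

# Stand-in for /etc/services (the real source on Unix) plus one trojan port
# of the kind listed on Simovits' page. Assumed table, extend as needed.
SERVICES = {25: "smtp", 80: "http", 139: "netbios-ssn", 31337: "Back Orifice (trojan)"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return one dict per parseable line; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def triage(events, flood_sources=3, flood_window_seconds=60):
    """Summarize events per source and flag ports that look flooded.

    Heuristic (an assumption; tune it to your traffic): flood_sources or
    more distinct sources hitting one destination port inside the window
    looks like a (distributed) denial of service. A single source touching
    several ports looks like a targeted attempt worth reporting to its ISP.
    """
    by_source = defaultdict(list)
    for ev in events:
        by_source[ev["src"]].append(ev)

    summary = {}
    for src, evs in by_source.items():
        evs.sort(key=lambda e: e["ts"])
        summary[src] = {
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "ports": sorted({e["dport"] for e in evs}),
            "services": sorted({SERVICES.get(e["dport"], "unknown") for e in evs}),
            # An ALLOW means the connection got through: a possible compromise,
            # not just an attempt.
            "successful": any(e["action"] == "ALLOW" for e in evs),
        }

    floods = set()
    by_port = defaultdict(list)
    for ev in events:
        by_port[ev["dport"]].append(ev)
    for port, evs in by_port.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            window = [e for e in evs[i:]
                      if (e["ts"] - start["ts"]).total_seconds() <= flood_window_seconds]
            if len({e["src"] for e in window}) >= flood_sources:
                floods.add(port)
                break
    return summary, floods


def evidence_digest(text):
    """SHA-256 of the raw excerpt, taken before anyone edits the logs."""
    return hashlib.sha256(text.encode()).hexdigest()


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    summary, floods = triage(events)
    for src, s in summary.items():
        print(f"{src}: {s['first']} .. {s['last']} ports={s['ports']} "
              f"services={s['services']} successful={s['successful']}")
    if floods:
        print("likely flood on port(s)", sorted(floods), "- contact your ISP's abuse desk")
    print("evidence sha256:", evidence_digest(SAMPLE_LOG))
```

The per-source summary (first and last timestamp, ports and services touched, whether anything was actually allowed through) is exactly what the complaint letter later in this article asks you to fill in, and the digest lets you state that the excerpt you attach is the one you captured. On the sample data the four 203.0.113.x sources hitting port 80 within a second are flagged as a flood, while 192.0.2.77 shows up as a single source that got two connections through on the Back Orifice port.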
As a note -- some attacks, especially most denial of service attacks, are
conducted from a spoofed (faked) source IP address; however, most actual
intrusion attacks, in which someone attempts to gain access to your
computer, are not run from a spoofed source. The reason is that an
attacker running a denial of service attack doesn't need to see the
responses from the victim computer, while in most cases an actual
intrusion attempt cannot be done 'blind' (without seeing the responses
from the victim computer -- this -is- possible, but not common). If an
attacker uses a spoofed source IP address, then when the victim computer
responds to the packets the attacker sends, the responses go to the
spoofed address...not to the attacker. With TCP, for instance, the
attacker never sees the victim's SYN-ACK, so the handshake can't be
completed and no usable connection results. This is not always the case,
but it's a good rule of thumb.
Now to find out who's doing the attacking. The first step -- do an
nslookup on the IP address and find out who it is. Keep in mind that the
reverse (PTR) record is controlled by whoever runs that address block, so
confirm it: look up the name you got back and check that it resolves to
the same IP address. A name that doesn't resolve back to the address is
not to be trusted, and the whois record for the address itself is the
better guide. If it's a dialup machine from one of the major ISPs out
there, your best bet is to contact the ISP in question. I generally try
to find that ISP's web page and look through it for their Acceptable Use
Policy/Terms of Service/whatever; often an ISP will list an email address
for abuse complaints. If it does not, I suggest mailing abuse@whoever.isp
and copying support@whoever.isp. If you're sending mail to an ISP, I
recommend against copying postmaster, root, hostmaster, webmaster, and
every other name you can think of, unless both abuse and support bounce
and you can't find the correct address on the company's web page. It
tends to annoy the ISP receiving the complaint...and you want them on
your side. Include your logs; the ISP can't do much without them. I would
also copy your own ISP's abuse department on the mail, in case you later
need their help. See below for a sample letter template when mailing an
ISP.
If the attacker is not an ISP's dialup user, but is coming in from a
machine with its very own DNS name, such as jojo.example.com, then you
have two options. The first is to send mail to your ISP and let them
handle it. The second is far more interesting -- find out some
information about the machine in question. Please note that this by no
means implies 'hacking them back' -- generally a bad idea which is likely
to get you in trouble. First, to give you an idea of what the attacking
system is like, try doing the command 'finger @jojo.example.com'. This is
not a conclusive step, but if jojo.example.com is running finger and is
allowing incoming connections, it may tell you who's on the system right
then. It's one piece of information to use. Another is whois -- do the
command 'whois example.com' (or, on machines without a 'whois' command,
go to
internic's whois page). That will
give you contact information; more to work with. As a further step,
ARIN's whois will give you
additional information (look things up by IP address, though, not by name).
Traceroute will give you their upstream provider -- do 'traceroute
jojo.example.com' (or, on a Windows machine, 'tracert jojo.example.com').
At this point, I go back to the web. See if example.com has a web page --
what's it like? Are they a business? Are they a group of hax0rz bragging
about their sploits? Do a search on the names you pulled off finger and
whois -- get a feel for who's on the other end. Go by your gut feeling; if
you mail a complaint, will the administrator of the box help you or hack you?
At this point you make an educated decision: you can mail postmaster@example.com
with your logs, and ask him to look into the situation...or you can mail
example.com's upstream provider. Either way, copy your ISP's abuse
department, just in case their help is needed later.
But what if you mail postmaster@example.com, and no one replies? What if
you don't trust that postmaster's going to help, but don't want to involve
the upstream provider yet? What if you think that jojo.example.com has
actually been hacked, and is being used as a launch point? There are a
number of ways to find out what kind of system you're dealing with.
Despite popular opinion, having finger running doesn't necessarily mean
the machine is not secured; you can try other methods. Keep them
above-board, though -- while telnetting to port 25 may get you some very
interesting information, it may get -you- in trouble. Likewise with nmap
scans -- they give you a lot to work with, but many administrators would
view an nmap scan as an attack (or at least a prelude to an attack). I
would suggest Netcraft -- it's a site
that scans hosts to see what kind of web server they're running. Go over
there and type in example.com -- is it running an ancient default version of
Apache on an old Linux kernel? Then there's a very good chance that
jojo.example.com is wide open, 0wn3d, and being used as a launch for attacks.
If this is the case, I'd mail postmaster@example.com once again, and at the
same time notify his upstream ISP -- not to get him in trouble, but because
they will have means to contact the administrator in case your mail never
gets to him at all (if his network is controlled by someone malicious, they
may be intercepting mail).
When mailing your ISP or the ISP of the source of the attack on your
system, be polite. As I'd said earlier, you -want- them on your side in
the event of an attack. As a possible template:
----------------------------------------------------------------------------
To : postmaster@example.com
Cc : abuse@your.isp,abuse@upstream.isp,support@upstream.isp
Attchmnt:
Subject : Unauthorized access attempt
----- Message Text -----
To whom it may concern:
I noticed a number of entries in my log files starting at *when the attack
started* and lasting until *when the attack ended* (all times are in
*your time zone*). It appears that jojo.example.com has been attempting to
use *whatever attack the attacker was trying to use* against my system. I
have included the log files in question below in plain text format. I
would appreciate any help you could give me in stopping the source of
these access attempts on my system. Please contact me if I can be of
assistance.
*attach the log files here, in plain text so you can be assured that the
ISP can read them; include the complete, unedited lines*
----------------------------------------------------------------------------
An attack doesn't have to be a crisis, and it shouldn't be an event that
leaves you lost and panicked. There are appropriate ways to respond to
intrusions and intrusion attempts.
/dev/null