Re: IP spoofing -- assessment
ziese@trex3.csap.af.mil
Wed, 25 Jan 1995 08:04:31 cst
Frank Swift mentions:
>Of interest also was that the tools were subsequently posted at an .edu
>site and then taken off the net by their administrators.
Tsutomu and I discussed this attack in depth, over dinner, and he never
mentioned his tools being posted somewhere; I think what may have happened is
confusing definitions -- tools like "gimme which is the ankle-biters weapon of
choice' vs tools like 'the interface builder builder, which I defy anyone to
execute outside Tsutomu's lab having seen it in operation firsthand. It's
sweet, but it's just not going to be a compressed tar file you download and
uncompress, it requires a great deal of careful planning and preprocessing
before use. And my comments are based on sitting with Tsutomu last summer and
having him show me how the 'advanced' tools work.
>
>This incident is just the tip of the iceberg. I'm fear that we all may get
>spooled off in a router discussion eddy and miss the importance of what the
>other tools were and what they do.
>
>How's that for another catalyst?
>frank
>
>Frank Swift L-321 (Sent from Home)
>Unclassified Computer Security Coordinator
>Lawrence Livermore National Laboratory (LLNL)
>7000 East Avenue L-321 Livermore CA 94550-9516
>Voice: (510) 422-1463 FAX: (510) 423-0913
>
Tsutomu Shimomura and I were on the system vulnerabilities session of the
conference referenced in the article -- and it was his system that was
attacked. We discussed, privately, the attack at length. The 'tools' that
were stolen are far less significant than might be expected for three reasons:
(1) this attack, in an even more elementary form, was launched, successfully,
on his system last summer and most of the tools were originally pilfered then
-- not now. (2) the tools, were more snippets of code that require the
original code architect to string them together and compile and execute. (3)
the crackers don't necessarily need sophisticated tools, and will be loath to
use pilfered, and very complicated (i.e. easily attributed) ones if they're
intelligent, because if caught intruding it will also be evidence they broke
into a research system in San Diego. I would like to discuss another thread
of all this though.
AF testing has verified that 50% of the systems on the net, within the .af.mil
domain, are vulnerable to penetration with the simplest techniques. On 80% of
those 50% my team can get root use equally simple techniques. Although the IP
spoofing is interesting let's work the math, because our metric data indicates
that 95% of what's reported is ankle-biting not roicket science. There's no
denying that IP spoofing is severe and it could hurt a lot of us and it should
be fixed, unfortunately so should world hunger -- the problem is you can't fix
everything, nor can you fix a lot of things at once -- you have to prioritize
based on what is happening, not what might happen. For instance, if
experience data indicates that sendmail is still wide open on most systems,
even if you prevent IP spoofing sendmail is still vulnerable. This is
important because yopu'll have stopped one IP spoofer, but 95 others crackers
will have snatched the code you built using sendmail. It's a hollow argument
to say sendmail should be updated because as 8lgm will demonstrate at midnight
on 6 Feb -- the newest version of sendmail is still vulnerable. We need to
identify the tope ten problems, and proactively prevent them. I know,
metrically, what the Air Force's top ten are and we are working on the short
term solution. Until that's fixed, I'm willing to bite the bullet and accept
what I cannot change -- for the moment.
Were am I going? First, the tools taken from Tsutomu will most likely not be
seen for a while because unlike the gimme program, there were code snippets
not functional shell scripts AND they can be easily attributed to him. Two,
ip spoofing is bad, but the ankle biters are worse because our systems (yours
and mine) are vulnerable to the most elementary attacks and as long as that
stands, the exotic ones should be counted but not obsessed over.
Finally, I wonder if the people on this list would share metric data? Since
things like number of attacks, number of successes, and number of compromises
(along with things like the top ten attacks you've seen) would not hold a site
up to the microscope and would not compromise site data -- but it would let us
identify the top ten, real world, problems. If we could achieve even a modest
goal like this, we could confidently say "these are the immediate
countermeasures that must be built." I am willing to share AF metric data at
this level to help strengthen the community as a whole. I'm also willing to
accept and maintain this data in something like an email server were yopu
email your new input and the list gets emailed the new metrics. Any thoughts
on this?
I'd like to thank Frank for being a catalyst. Often times I'm reluctant to
post anything because I like to listen to everyone else's thoughts first. It
just seemed like everyone was thinking the same thing I was so I decided to
'share' ;)
Kevin
=========================================================
Capt Kevin J. Ziese ziese@chaos.csap.af.mil
Chief, Countermeasures Development 1-210-377-0477 Voice
AF Information Warfare Center 1-210-377-1326 Fax
1100 NW Loop 410, Suite 607 1-800-217-0570 Pager
San Antonio, Texas 78213
=========================================================