%!PS-Adobe-2.0 %%Creator: dvips 5.490 Copyright 1986, 1992 Radical Eye Software %%Pages: 16 1 %%BoundingBox: 0 0 612 792 %%EndComments %DVIPSCommandLine: dvips -f -q %%BeginProcSet: tex.pro %! /TeXDict 250 dict def TeXDict begin /N{def}def /B{bind def}N /S{exch}N /X{S N} B /TR{translate}N /isls false N /vsize 11 72 mul N /@rigin{isls{[0 -1 1 0 0 0] concat}if 72 Resolution div 72 VResolution div neg scale isls{Resolution hsize -72 div mul 0 TR}if Resolution VResolution vsize -72 div 1 add mul TR matrix currentmatrix dup dup 4 get round 4 exch put dup dup 5 get round 5 exch put setmatrix}N /@landscape{/isls true N}B /@manualfeed{statusdict /manualfeed true put}B /@copies{/#copies X}B /FMat[1 0 0 -1 0 0]N /FBB[0 0 0 0]N /nn 0 N /IE 0 N /ctr 0 N /df-tail{/nn 8 dict N nn begin /FontType 3 N /FontMatrix fntrx N /FontBBox FBB N string /base X array /BitMaps X /BuildChar{ CharBuilder}N /Encoding IE N end dup{/foo setfont}2 array copy cvx N load 0 nn put /ctr 0 N[}B /df{/sf 1 N /fntrx FMat N df-tail}B /dfs{div /sf X /fntrx[sf 0 0 sf neg 0 0]N df-tail}B /E{pop nn dup definefont setfont}B /ch-width{ch-data dup length 5 sub get}B /ch-height{ch-data dup length 4 sub get}B /ch-xoff{128 ch-data dup length 3 sub get sub}B /ch-yoff{ch-data dup length 2 sub get 127 sub}B /ch-dx{ch-data dup length 1 sub get}B /ch-image{ch-data dup type /stringtype ne{ctr get /ctr ctr 1 add N}if}B /id 0 N /rw 0 N /rc 0 N /gp 0 N /cp 0 N /G 0 N /sf 0 N /CharBuilder{save 3 1 roll S dup /base get 2 index get S /BitMaps get S get /ch-data X pop /ctr 0 N ch-dx 0 ch-xoff ch-yoff ch-height sub ch-xoff ch-width add ch-yoff setcachedevice ch-width ch-height true[1 0 0 -1 -.1 ch-xoff sub ch-yoff .1 add]{ch-image}imagemask restore}B /D{/cc X dup type /stringtype ne{]}if nn /base get cc ctr put nn /BitMaps get S ctr S sf 1 ne{dup dup length 1 sub dup 2 index S get sf div put}if put /ctr ctr 1 add N} B /I{cc 1 add D}B /bop{userdict /bop-hook known{bop-hook}if /SI save N @rigin 0 0 moveto /V matrix currentmatrix dup 1 get dup mul exch 0 get dup mul add .99 lt{/FV}{/RV}ifelse load def pop}N /eop{SI restore showpage userdict /eop-hook known{eop-hook}if}N /@start{userdict /start-hook known{start-hook} if /VResolution X /Resolution X 1000 div /DVImag X /IE 256 array N 0 1 255{IE S 1 string dup 0 3 index put cvn put}for 65781.76 div /vsize X 65781.76 div /hsize X}N /p{show}N /RMat[1 0 0 -1 0 0]N /BDot 260 string N /rulex 0 N /ruley 0 N /v{/ruley X /rulex X V}B /V{}B /RV statusdict begin /product where{pop product dup length 7 ge{0 7 getinterval dup(Display)eq exch 0 4 getinterval (NeXT)eq or}{pop false}ifelse}{false}ifelse end{{gsave TR -.1 -.1 TR 1 1 scale rulex ruley false RMat{BDot}imagemask grestore}}{{gsave TR -.1 -.1 TR rulex ruley scale 1 1 false RMat{BDot}imagemask grestore}}ifelse B /FV{gsave transform round exch round exch itransform moveto rulex 0 rlineto 0 ruley neg rlineto rulex neg 0 rlineto fill grestore}B /a{moveto}B /delta 0 N /tail{dup /delta X 0 rmoveto}B /M{S p delta add tail}B /b{S p tail}B /c{-4 M}B /d{-3 M} B /e{-2 M}B /f{-1 M}B /g{0 M}B /h{1 M}B /i{2 M}B /j{3 M}B /k{4 M}B /w{0 rmoveto}B /l{p -4 w}B /m{p -3 w}B /n{p -2 w}B /o{p -1 w}B /q{p 1 w}B /r{p 2 w} B /s{p 3 w}B /t{p 4 w}B /x{0 S rmoveto}B /y{3 2 roll p a}B /bos{/SS save N}B /eos{SS restore}B end %%EndProcSet TeXDict begin 40258431 52099146 1000 300 300 @start /Fa 3 63 df58 D60 D62 D E /Fb 28 118 df45 DI49 DII65 DII76 DI80 D83 DI97 DIII I103 D105 D108 D110 DII114 DIII E /Fc 49 125 df40 DII45 DIIIII53 DI57 D65 D70 D77 DI80 D82 DII86 D88 DI94 D97 DIIIIIIIII IIII II114 DIIIIIII124 D E /Fd 39 122 df34 D44 D46 DI65 DII71 D73 D77 D80 D82 DII86 DI92 D97 DIIIIIIII107 DIIIII114 DIIIII121 D E /Fe 4 53 df49 DIII E /Ff 4 53 df49 DIII E /Fg 60 125 df 12 D38 DIII44 DII48 DI57 DI65 DIIII IIIIIIIIIII82 DIII87 DI97 DIIIIIIII107 DIIIIIIII IIIIIII124 D E /Fh 80 125 df11 DIII34 D38 DIII44 DIIIII IIIIIIIIII63 D65 DIIII IIIIIIIIIII82 DIIIII89 D 91 DII97 DIIIIIII IIIIIIIIIIIIIIIIIIII E /Fi 40 122 df12 D33 DI39 D44 DII63 D65 DI68 D71 D73 D78 D81 D83 DI87 D92 D97 DIIIIIIII107 DIIII 114 DIIIII121 D E /Fj 71 126 df38 D40 DII44 DIIIIIIIIIIIIIII62 D64 DI67 DI70 D72 DI76 DIIII82 DIII87 D89 D91 DIIIIIIIIIIIIIIIIIIIIIIIIIIIIII 125 D E /Fk 36 122 df12 D44 DII58 D70 D73 D77 DII83 DII87 D97 DIIIIIIII107 DIIIII114 DIIIII121 D E /Fl 7 117 df65 D 97 DII114 DII E /Fm 13 122 df46 D64 D97 DII101 D108 DI111 D 115 DII121 D E /Fn 21 122 df38 D44 D65 DI72 D74 D76 DII84 D97 DI101 D105 D108 D111 D114 DIII 121 D E /Fo 20 119 df44 D46 D49 DI53 D57 D65 DI77 D83 D 101 D103 D105 D 108 D110 DI115 DIII E /Fp 43 122 df48 DIIIIIIIII65 DIIIII 73 D82 D84 D87 D97 DIIIIIIII107 DII III114 DIIIIIII E /Fq 24 122 df73 D78 D80 D83 DII88 D99 DIIIIII109 DI II114 D III120 DI E /Fr 19 117 df44 D46 D49 DI57 D66 D83 DI 97 DI101 D105 D108 DIIII114 D116 D E end %%EndProlog %%BeginSetup %%Feature: *Resolution 300dpi TeXDict begin %%EndSetup %%Page: 1 1 0 bop 75 61 a Fr(T)l(o)13 b(app)q(ear)g(in)f Fq(Pro)q(ceedings)h(of)e(the)g (Third)h(Usenix)g(UNIX)f(Securit)o(y)h(Sympisum)p Fr(,)j(Baltimore,)f(Septem) o(b)q(er)e(1992.)p 75 70 1800 2 v 699 367 a Fp(There)22 b(Be)h(Dragons)773 495 y Fo(Stev)o(en)15 b(M.)g(Bello)o(vin)716 553 y Fn(A)l(T&T)j(Bel)r(l)h(L)n (ab)n(or)n(atories)801 611 y(Murr)n(ay)d(Hil)r(l,)j(NJ)719 669 y Fm(smb@ulyss)o(es.)o(att)o(.c)o(om)802 771 y Fo(August)e(15,)f(1992)884 943 y Fl(Abstract)251 1024 y Fk(Our)h(securit)o(y)g(gatew)o(a)o(y)f(to)g(the) h(In)o(ternet,)h Fj(research.att.com)p Fk(,)13 b(pro)o(vides)k(only)e(a)i (limited)189 1073 y(set)g(of)f(services.)29 b(Most)17 b(of)f(the)h(standard)g (serv)o(ers)i(ha)o(v)o(e)d(b)q(een)i(replaced)g(b)o(y)e(a)h(v)n(ariet)o(y)f (of)g(trap)189 1123 y(programs)c(that)i(lo)q(ok)f(for)h(attac)o(ks.)19 b(Using)14 b(these,)h(w)o(e)f(ha)o(v)o(e)g(detected)i(a)d(wide)h(v)n(ariet)o (y)g(of)f(p)q(ok)o(es,)189 1173 y(ranging)e(from)g(simple)g(do)q(orknob-t)o (wisting)h(to)g(determined)h(assaults.)k(The)c(attac)o(ks)g(range)g(from)189 1223 y(simple)e(attempts)i(to)g(log)f(in)g(as)h Fj(guest)f Fk(to)h(forged)g(NFS)g(pac)o(k)o(ets.)19 b(W)m(e)12 b(b)q(eliev)o(e)i(that)f (man)o(y)e(other)189 1273 y(sites)18 b(are)g(b)q(eing)f(prob)q(ed)h(but)g (are)g(una)o(w)o(are)f(of)g(it:)25 b(the)18 b(standard)g(net)o(w)o(ork)g (daemons)e(do)h(not)189 1322 y(pro)o(vide)e(administrators)e(with)i(either)h (appropriate)f(con)o(trols)g(and)g(\014lters)h(or)f(with)g(the)g(logging)189 1372 y(necessary)h(to)d(detect)j(attac)o(ks.)75 1521 y Fp(1)69 b(In)n(tro)r(duction)257 1624 y Fi(\\Queer)16 b(things)f(y)o(ou)g(do)g(hear)g (these)h(da)o(ys,)e(to)h(b)q(e)h(sure,")e(said)i(Sam.)257 1681 y(\\Ah,",)k(said)g(T)l(ed,)h(\\y)o(ou)e(do,)i(if)f(y)o(ou)f(listen.)35 b(But)20 b(I)g(can)g(hear)g(\014reside-tales)h(and)189 1738 y(c)o(hildren's)16 b(stories)f(at)g(home,)g(if)g(I)h(w)o(an)o(t)e(to.")257 1795 y(\\No)c(doubt)h(y)o(ou)g(can,")h(retorted)e(Sam,)h(\\and)g(I)g(daresa)o (y)g(there's)g(more)f(truth)h(in)h(some)189 1851 y(of)e(them)h(than)g(y)o(ou) g(rec)o(k)o(on.)18 b(Who)11 b(in)o(v)o(en)o(ted)h(the)f(stories)g(an)o(yw)o (a)o(y?)18 b(T)l(ak)o(e)11 b(dragons)f(no)o(w.")257 1909 y(\\No)21 b(thank)h('ee,")h(said)g(T)l(ed,)g(\\I)f(w)o(on't.)40 b(I)22 b(heard)g(tell)h(of)f(them)g(when)g(I)g(w)o(as)g(a)189 1965 y(y)o(oungster,)14 b(but)h(there's)f(no)h(call)h(to)f(b)q(eliev)o(e)i(in)f (them)f(no)o(w.)k(There's)c(only)g(one)g(Dragon)189 2022 y(in)h(Byw)o(ater,)e (and)h(that's)f(Green,")h(he)g(said,)h(getting)f(a)g(general)g(laugh.)643 2133 y Fh(J.R.R.)h(T)l(olkien,)g Fg(L)n(or)n(d)g(of)g(the)h(R)o(ings)146 2244 y Fh(By)c(no)o(w,)f(it)h(is)h(widely)g(accepted)g(that,)e(among)g(other) g(denizens)j(of)e(the)g(In)o(ternet,)g(lurk)g(crac)o(k)o(ers.)1856 2228 y Ff(1)75 2301 y Fh(F)l(or)20 b(whatev)o(er)g(reason,)i(these)e(folks)h (enjo)o(y)g(breaking)g(in)o(to)g(v)m(arious)g(computer)g(systems.)36 b(A)l(T&T)75 2357 y(app)q(ears)19 b(to)f(b)q(e)h(a)f(tempting)h(target.)29 b(Our)18 b(approac)o(h)h(to)f(this)h(problem)g(is)g(t)o(w)o(o-fold.)29 b(First,)19 b(most)75 2413 y(mac)o(hines)f(here)f(are)f(not)h(directly)h (connected)g(to)e(the)h(In)o(ternet.)25 b(Rather,)17 b(w)o(e)g(rely)g(on)g (application-)75 2470 y(lev)o(el)22 b(gatew)o(a)o(ys)d(and)i Fg(pr)n(oxy)h(servers)p Fh([Che90)n(].)37 b(Second,)22 b(w)o(e)f(emplo)o(y)g (a)f(v)m(ariet)o(y)h(of)f(monitors)h(and)75 2526 y(phon)o(y)15 b(daemons.)20 b(Instead)c(of)e(pro)o(viding)i(services)g(useful)h(to)d(b)q (oth)h(legitimate)i(users)e(and)g(crac)o(k)o(ers,)p 75 2570 720 2 v 127 2596 a Fe(1)144 2612 y Fd(Some)g(call)h(them)f(\\crac)o(k)o (ers",)g(and)h(some)e(call)i(them)f(\\hac)o(k)o(ers".)23 b(A)14 b(compromise)i(term)f(migh)o(t)g(b)q(e)g(\\c)o(hrac)o(k)o(ers".)75 2658 y(W)m(e)c(think)i(that)e(\\v)n(andals")j(is)d(more)h(appropriate,)h (though)f(those)g(of)f(a)g(classical)j(b)q(en)o(t)e(ma)o(y)f(prefer)g(\\V)m (andals",)i(or)e(ev)o(en)75 2704 y(\\Goths")j(or)f(\\Visigoths".)p eop %%Page: 2 2 1 bop 75 49 a Fh(these)18 b(log)g(the)f(request,)h(and)g(initiate)h Fg(c)n(ounterintel)r(ligenc)n(e)d Fh(strategies)h(to)g(learn)h(something)g (ab)q(out)75 106 y(the)d(source)h(of)e(the)i(request.)146 165 y(W)l(e)h(are)g(certainly)h(not)f(the)g(\014rst)g(ones)g(to)g(attempt)f(to)h (tric)o(k)g(attac)o(k)o(ers[Sto88)m(,)g(Sto89)o(,)g(HM91)o(].)75 221 y(But)j(our)f(motiv)m(ation)i(is)f(somewhat)f(di\013eren)o(t.)34 b(W)l(e)20 b(do)g(not)f(exp)q(ect)i(to)e(prosecute,)i(b)q(ecause)g(\(w)o(e)75 278 y(hop)q(e\))f(no)g(damage)f(will)j(o)q(ccur)e(to)f(our)h(mac)o(hines.)34 b(\(This)21 b(is)f(not)f(to)h(sa)o(y)f(that)g(the)h(attac)o(k)o(ers)e(do)75 334 y(not)g(try)g(suc)o(h)h(things;)h(see,)f(for)f(example,)h([Che92].\))29 b(Nor,)18 b(in)h(general,)h(do)e(w)o(e)g(care)h(m)o(uc)o(h)f(ab)q(out)75 391 y(the)e(iden)o(tit)o(y)h(of)e(an)o(y)h(particular)h(attac)o(k)o(er.)j (Rather,)c(w)o(e)g(wish)g(to)g(study)g(the)g(attac)o(k)o(ers')e(strategies,) 75 447 y(to)q(ols,)19 b(and)g(tec)o(hniques.)33 b(Our)19 b(goal)g(is)g(to)f (learn)i(what)e(kinds)i(of)e(attac)o(ks)g(are)h(emplo)o(y)o(ed,)h(b)q(oth)f (to)75 504 y(w)o(arn)14 b(others)h(and)g(to)g(protect)f(our)h(o)o(wn)f(net)o (w)o(orks)g(from)h(in)o(ternal)h(crac)o(k)o(ers)e(or)g(from)h(outsiders)g (who)75 560 y(ha)o(v)o(e)g(already)g(gained)h(a)f(fo)q(othold)g(within)i(our) e(net)o(w)o(ork.)146 619 y(A)k(w)o(ord)g(on)g(the)h(alarm)f(messages)g(sho)o (wn.)32 b(All)20 b(of)f(them)h(are)f(gen)o(uine,)i(tak)o(en)e(straigh)o(t)g (from)75 676 y(our)d(log)g(\014les.)22 b(Ho)o(w)o(ev)o(er,)15 b(the)h(domain)g(names,)g(user)g(names,)g(logins,)g(and)g(IP)g(addresses)g (ha)o(v)o(e)g(b)q(een)75 732 y(c)o(hanged)g(to)e(protect)h(the)g(priv)m(acy)h (of)f(those)g(concerned.)75 892 y Fp(2)69 b(T)-6 b(o)r(ols)23 b(and)h(T)-6 b(raps)75 999 y Fh(Our)15 b(basic)h(strategy)e(is)h(simple:)21 b(except)16 b(for)e(the)h(few)g(serv)o(ers)g(w)o(e)f(actually)i(need)g(|)f (mail,)h Fc(ftp)p Fh(,)e(and)75 1055 y Fc(telnet)j Fh(|)h(w)o(e)f(run)h(dumm) o(y)g(serv)o(ers)f(for)g(lik)o(ely)j(services.)28 b(Some)17 b(of)h(these)g(are)f(quite)h(sp)q(ecialized;)75 1112 y(others)e(are)g (generic)h(pac)o(k)o(et)f(suc)o(k)o(ers.)23 b(All)17 b(of)f(them,)g(though,)g (log)h(the)f(incoming)i(data,)d(attempt)h(to)75 1168 y(trace)e(bac)o(k)f(the) h(call,)h(and)f(|)h(when)f(feasible)i(|)e(try)f(to)h(distinguish)i(b)q(et)o (w)o(een)e(legitimate)h(users)f(and)75 1224 y(outside)i(attac)o(k)o(ers.)146 1284 y(The)d Fc(finger)g Fh(serv)o(er)g(is)i(a)e(go)q(o)q(d)g(example.)21 b(A)o(ttempts)12 b(to)h Fc(finger)g Fh(a)g(particular)i(user)e(are)h(usually) 75 1340 y(b)q(enign)h(attempts)d(to)g(learn)i(an)f(electronic)h(mail)g (address.)19 b(But)13 b(that)f(w)o(ould)i(not)f(w)o(ork)f(ev)o(en)h(without) 75 1397 y(our)f(monitor)h(program,)e(since)j(most)e(users)h(do)g(not)f(ha)o (v)o(e)g(logins)i(on)e(the)h(gatew)o(a)o(y)e(mac)o(hine.)20 b(Instead,)75 1453 y(w)o(e)11 b(prin)o(t)h(a)f(message)g(explaining)j(ho)o(w) d(to)f(send)i(mail)h(b)o(y)e(name.)19 b(Generic)12 b Fc(finger)f Fh(attempts,)f(though,)75 1510 y(are)17 b(often)h(used)g(to)f(gather)h(login) g(names)g(for)f(crac)o(king)h(attempts.)27 b(Therefore,)18 b(completely)h(b)q(ogus)75 1566 y(output)14 b(is)h(returned,)g(sho)o(wing)f (that)g Fc(guest)g Fh(and)g Fc(berferd)g Fh(|)g(a)g(dumm)o(y)h(user)f(name)h (|)g(are)f(logged)75 1622 y(in.)23 b(Coun)o(terin)o(telligence)18 b(mo)o(v)o(es,)d(whic)o(h)i(include)h(\\rev)o(erse)e Fc(finger)p Fh(s",)f(are)g(not)h(done)g(in)h(this)f(case,)75 1679 y(for)f(fear)f(of)h (triggering)g(a)g Fc(finger)g Fh(w)o(ar.)k(And)c(all)h(attempts)f(are)g (logged,)g(for)f(later)h(analysis.)146 1738 y(The)c(so-called)h(\\)p Fc(r)p Fh(-commands")f(also)g(merit)g(a)g(sp)q(ecial)i(serv)o(er,)e(b)q (ecause)h(of)f(the)g(extra)g(information)75 1795 y(they)17 b(pro)o(vide.)24 b(F)l(or)16 b Fc(rlogin)g Fh(and)h Fc(rsh)p Fh(,)f(the)h(proto)q(col)f(includes)j(b)q(oth)e(the)f(originating)i(user's)e (login)75 1851 y(name)22 b(and)g(the)g(login)h(name)e(desired)j(on)d(our)h (gatew)o(a)o(y)l(.)38 b(Th)o(us,)23 b(w)o(e)f(can)g(do)g(a)f(precisely-aimed) 75 1908 y(rev)o(erse)d Fc(finger)p Fh(,)f(and)h(w)o(e)g(can)g(assess)f(the)h (lev)o(el)i(of)d(the)h(threat.)28 b(A)18 b(login)g(attempt)f(b)o(y)h(some)g (user)75 1964 y Fc(foo)p Fh(,)h(and)g(requesting)h(the)f(same)f(login)i(on)f Fc(research.att.com)p Fh(,)e(is)j(probably)f(a)g(harmless)g(error.)75 2020 y(On)c(the)g(other)g(hand,)g(an)g(attempt)e(b)o(y)i Fc(bin)g Fh(to)f(execute)h(the)g Fc(domainname)f Fh(command)h(as)f Fc(bin)g Fh(|)i(see)75 2077 y(Figure)e(1)g(|)h(represen)o(ts)f(enem)o(y)g(action.)20 b(\(It)13 b(also)i(suggests)e(that)g(the)i(attac)o(king)e(mac)o(hine)i(has)f (b)q(een)75 2133 y(compromised.)25 b(Note,)16 b(to)q(o,)g(that)g(all)i(of)e (the)h(p)q(eople)h(sho)o(wn)f(as)f(logged)h(in)h(are)e(idle.\))26 b(A)o(ttempts)16 b(to)75 2190 y Fc(rlogin)e Fh(as)h Fc(guest)g Fh(from)f(a)h(legitimate)h(accoun)o(t)f(usually)i(fall)f(in)g(the)f(do)q (orknob-t)o(wisting)g(category)l(.)146 2249 y(F)l(or)f(most)g(other)h (services,)h(w)o(e)f(rely)g(on)g(a)g(simple)i(pac)o(k)o(et)d(suc)o(k)o(er.)20 b(That)15 b(is,)g(a)g(program)f(in)o(v)o(ok)o(ed)75 2306 y(b)o(y)k Fc(inetd)f Fh(sits)i(on)f(the)g(so)q(c)o(k)o(et,)g(reading)g(and)h(logging)f (an)o(ything)g(that)g(comes)g(along.)28 b(While)20 b(that)75 2362 y(is)e(happ)q(ening,)h(coun)o(terin)o(telligence)h(mo)o(v)o(es)d(are)g (initiated.)28 b(The)18 b(TCP)f(pac)o(k)o(et)f(suc)o(k)o(er)i(exits)f(when)75 2418 y(the)e(connection)h(is)g(closed;)g(the)f(UDP)f(v)o(ersion)i(relies)g (on)f(a)g(timeout,)g(but)g(will)i(also)e(exit)g(if)h(a)e(pac)o(k)o(et)75 2475 y(arriv)o(es)i(from)f(some)g(other)h(source.)22 b(The)16 b(information)g(gained)g(from)g(suc)o(h)g(a)f(simple)j(tec)o(hnique)f(can)75 2531 y(b)q(e)e(quite)g(in)o(teresting;)g(see)f(Figure)g(2.)20 b(It)14 b(sho)o(ws)f(an)i(attempt)e(to)g(grab)h(our)g(passw)o(ord)f(\014le)j (via)e Fc(tftp)p Fh(.)146 2591 y(Exp)q(erience)20 b(with)f(the)f(pac)o(k)o (et)g(suc)o(k)o(er)h(sho)o(w)o(ed)f(us)g(that)g(there)h(w)o(ere)f(a)g (signi\014can)o(t)i(n)o(um)o(b)q(er)e(of)75 2647 y(requests)i(for)f(the)h Fc(portmapper)e Fh(service.)35 b(The)20 b Fc(portmapper)p Fh(,)g(part)f(of)g (Sun)i(Microsystem's)e(RPC)75 2704 y(pac)o(k)m(age,)h(maps)f(a)h(program)e (iden)o(ti\014er)j(to)e(a)g(dynamically-assigned)j(p)q(ort)d(n)o(um)o(b)q (er[Sun90].)33 b(The)p eop %%Page: 3 3 2 bop 75 249 a Fj(From:)21 b(adm@research.att)o(.com)75 298 y(To:)g(trappers)75 398 y(Attempted)f(rsh)h(to)g(inet[24640])75 448 y(Call)g(from)g(host)g(Some.Random.COM)e(\(176.75.92.87\))75 498 y(remuser:)h(bin)75 547 y(locuser:)g(bin)75 597 y(command:)g(domainname) 75 747 y(\(/usr/ucb/finger)e(@176.75.92.87;)h(/usr/ucb/finger)g (bin@176.75.92.87\))f(2>&1)75 797 y([176.75.92.87])75 846 y(Login)152 b(Name)304 b(TTY)21 b(Idle)86 b(When)h(Where)75 896 y(rel)130 b(R.)22 b(Locke)304 b(co)65 b(4d)21 b(Sat)g(11:26)75 946 y(afu)130 b(Albert)21 b(Urban)217 b(p0)43 b(10:)21 b(Fri)g(13:51)43 b(seed.random.com) 75 996 y(rlh)130 b(Richard)20 b(L)i(Hart)174 b(p2)21 b(3:18)g(Sat)g(20:27)43 b(fatso1.random.c)75 1046 y(rel)130 b(R.)22 b(Locke)304 b(p4)65 b(3d)21 b(Mon)g(09:05)43 b(taxi.random.com)75 1095 y([176.75.92.87])75 1145 y(Login)21 b(name:)g(bin)75 1195 y(Directory:)f(/bin)75 1245 y(Never)h(logged)f(in.)75 1295 y(No)h(unread)g(mail)75 1345 y(No)g(Plan.)689 1492 y Fh(Figure)16 b(1:)j(An)d(attac)o(k)e(via)h Fc(rsh)p Fh(.)75 1889 y Fj(From:)21 b(adm@research.att)o(.com)75 1939 y(To:)g(trappers)75 1989 y(Subject:)f(udpsuck)g(tftp\(69\))75 2088 y(UDP)h(packet)g(from)g(host)g(some.small.edu)e(\(125.76.83.163\))o(:)g (port)i(1406,)g(23)g(bytes)162 2138 y(0:)65 b(00012f65)20 b(74632f70)g (61737377)h(64006e65)63 b(../etc/passwd.ne)140 2188 y(16:)i(74617363)20 b(696900)500 b(tascii.)75 2238 y(/usr/ucb/finger)19 b(@125.76.83.163)g(2>&1) 75 2288 y([125.76.83.163])75 2338 y(No)i(one)h(logged)e(on)75 2437 y(4)i(more)f(packets)f(received)325 2585 y Fh(Figure)15 b(2:)20 b(Sp)q(o)q(or)15 b(of)g(an)g(attac)o(k)f(detected)i(b)o(y)f(the)g (UDP)g(pac)o(k)o(et)g(suc)o(k)o(er.)p eop %%Page: 4 4 3 bop 75 49 a Fh(usual)17 b(proto)q(col)e(is)i(for)e(the)h(clien)o(t)h(to)f (con)o(tact)f(the)h(serv)o(er's)f Fc(portmapper)f Fh(to)h(learn)i(what)e(p)q (ort)h(that)75 106 y(service)i(is)g(curren)o(tly)f(using.)27 b(The)17 b Fc(portmapper)f Fh(supplies)j(that)e(information,)g(and)g(the)h (clien)o(t)g(pro-)75 162 y(ceeds)j(to)f(con)o(tact)g(the)g(serv)o(er)h (directly)l(.)37 b(This)21 b(mean)o(t,)g(though,)g(that)f(w)o(e)g(w)o(ere)g (seeing)i(only)f(the)75 219 y(iden)o(ti\014er)h(of)f(the)g(service)h(b)q (eing)g(requested,)g(and)f(not)f(the)h(actual)g(call)h(to)f(it.)37 b(Accordingly)l(,)23 b(w)o(e)75 275 y(decided)17 b(to)e(sim)o(ulate)h(the)f Fc(portmapper)f Fh(itself.)146 332 y(Our)24 b(v)o(ersion,)i(called)f(the)f Fc(portmopper)p Fh(,)g(do)q(es)g(not)g(k)o(eep)g(trac)o(k)f(of)g(an)o(y)h (real)g(registrations.)75 388 y(Rather,)18 b(when)g(someone)f(requests)h(a)f (service,)i(a)e(new)h(so)q(c)o(k)o(et)f(is)h(created,)g(and)g(its)g (\(random\))e(p)q(ort)75 445 y(n)o(um)o(b)q(er)h(is)g(used)g(in)h(the)e (reply)l(.)26 b(Naturally)l(,)17 b(w)o(e)f(attac)o(h)g(a)g(pac)o(k)o(et)g (suc)o(k)o(er)h(to)f(this)h(new)g(p)q(ort,)f(so)g(w)o(e)75 501 y(can)f(capture)h(the)f(RPC)g(call.)146 558 y(Figure)20 b(3)g(sho)o(ws)f(excerpts)i(from)e(a)h(t)o(ypical)h(session.)35 b(W)l(e)20 b(prin)o(t)h(and)f(deco)q(de)h(all)g(the)g(go)q(o)e(in)75 614 y(the)d(pac)o(k)o(et,)f(b)q(ecause)i(w)o(e)f(do)g(not)g(kno)o(w)f(if)i (someone)e(migh)o(t)h(try)g(RPC-lev)o(el)h(sub)o(v)o(ersion.)23 b(The)16 b(\014rst)75 671 y(useful)k(datum)g(is)g(delimited)h(b)o(y)f Fc(***)e Fh(lines;)23 b(it)d(sho)o(ws)f(a)g(request)g(for)g(the)g(moun)o(t)g (daemon,)h(using)75 727 y(TCP)l(.)13 b(Our)i(reply)f(\(not)f(sho)o(wn\))h (assigned)g(p)q(ort)g Fc(0x691)f Fh(to)g(this)h(session.)20 b(Finally)l(,)c(the)e(input)h(on)f(that)75 784 y(p)q(ort)f(sho)o(ws)f(that)g (pro)q(cedure)i(2)f(is)g(b)q(eing)h(called,)h(with)e(no)g(parameters.)18 b(There)c(is)f(curren)o(tly)g(no)g(co)q(de)75 840 y(to)h(in)o(terpret)g(the)g (pro)q(cedure)i(n)o(um)o(b)q(ers,)e(but)g(a)g(quic)o(k)h(glance)g(at)f Fc(/usr/include/rpcsvc/moun)o(t.h)75 897 y Fh(sho)o(ws)f(that)g(it's)h(a)f (dump)h(request,)g(i.e.,)g(a)f(request)h(for)f(a)h(list)g(of)f(all)i(mac)o (hines)g(moun)o(ting)e(an)o(y)h(of)f(our)75 953 y(\014le)h(systems.)k(It)13 b(is)g(also)f(w)o(orth)g(noting)h(that)f(our)g(coun)o(terin)o(telligence)j (attempt)d(failed;)i(the)f(mac)o(hine)75 1009 y(in)j(question)g(is)g(not)e (running)j(a)e Fc(finger)f Fh(daemon.)146 1066 y(An)j(alternate)f(approac)o (h)h(w)o(ould)g(ha)o(v)o(e)f(b)q(een)i(to)e(use)h(the)g(standard)f Fc(portmapper)p Fh(,)f(and)i(to)f(ha)o(v)o(e)75 1123 y(pac)o(k)o(et)e(suc)o (k)o(ers)h(registered)g(for)f(eac)o(h)h(in)o(teresting)g(service.)21 b(W)l(e)15 b(rejected)g(this)g(approac)o(h)g(for)f(sev)o(eral)75 1179 y(reasons.)k(First)12 b(and)h(foremost,)e(w)o(e)h(ha)o(v)o(e)g(no)h (reason)f(to)f(trust)h(the)g(securit)o(y)h(of)f(the)g Fc(portmapper)f Fh(co)q(de)75 1235 y(or)k(the)g(asso)q(ciated)g(RPC)g(library)l(.)21 b(W)l(e)15 b(are)g(not)g(sa)o(ying,)f(of)h(course,)g(that)f(they)h(ha)o(v)o (e)g(securit)o(y)h(holes;)75 1292 y(rather,)j(w)o(e)g(are)f(sa)o(ying)h(that) g(w)o(e)f(do)h(not)g(kno)o(w)f(if)i(they)f(do.)31 b(And)20 b(w)o(e)e(are)h(morally)g(certain)h(that)75 1348 y(legions)d(of)f(w)o(ould-b) q(e)h(crac)o(k)o(ers)f(are)g(studying)h(the)f(co)q(de)h(at)e(this)i(v)o(ery)f (momen)o(t,)f(lo)q(oking)i(for)f(holes.)75 1405 y(T)l(o)g(b)q(e)h(sure,)g(w)o (e)f(do)g(not)g(kno)o(w)g(that)f(our)i(co)q(de)g(is)f(bug-free;)h(it)g(is,)g (ho)o(w)o(ev)o(er,)e(smaller)i(and)g(simpler,)75 1461 y(and)e(hence)i(less)e (lik)o(ely)i(to)e(b)q(e)h(buggy)l(.)k(\(It)15 b(is)g(also)h(relativ)o(ely)g (unkno)o(wn,)f(a)g(non-trivial)i(adv)m(an)o(tage.\))146 1518 y(A)d(second)g(reason)g(for)f(esc)o(hewing)i(the)g Fc(portmapper)d Fh(is)j(that)e(w)o(e)h(do)g(not)g(kno)o(w)f(what)h(the)g(\\in)o(ter-)75 1574 y(esting")i(services)h(are.)23 b(Our)16 b(approac)o(h)g(do)q(es)h(not)e (require)i(that)f(w)o(e)g(kno)o(w)f(in)i(adv)m(ance;)h(instead,)e(w)o(e)75 1631 y(can)f(detect)h(requests)f(for)f(an)o(ything.)146 1688 y(A)i(third)h(reason)e(is)i(that)e(b)o(y)i(its)f(nature,)g(the)g(RPC)g (library)h(pro)o(vides)g(a)f(high-lev)o(el)i(abstraction)75 1744 y(to)f(the)h(actual)g(pac)o(k)o(ets.)26 b(This)18 b(is)h(useful)f(for)f (programmers,)g(but)h(bad)f(for)h(us;)g(if,)g(sa)o(y)l(,)g(someone)f(is)75 1800 y(pla)o(ying)f(games)f(with)g(the)h(authen)o(ticators,)e(w)o(e)h(w)o(an) o(t)f(to)g(kno)o(w)h(ab)q(out)g(it.)146 1857 y(Finally)l(,)20 b(w)o(e)d(w)o(an)o(ted)h(our)f(co)q(de)i(to)e(b)q(e)i(v)o(ery)e(p)q(ortable.) 29 b(In)19 b(particular,)g(w)o(e)e(w)o(an)o(t)g(it)h(to)g(run)g(on)75 1914 y(Plan)e(9)g(mac)o(hines[PPTT90)o(].)21 b(As)16 b(of)f(no)o(w,)g(no)h (one)f(has)h(p)q(orted)g(RPC)g(to)f(Plan)h(9.)21 b(Doing)16 b(so)f(migh)o(t)75 1970 y(not)g(b)q(e)h(a)f(lot)g(of)g(w)o(ork,)e(but)j(it)f (is)h(not)f(w)o(ork)f(w)o(e)h(are)g(in)o(terested)g(in)h(p)q(erforming.)75 2093 y Fb(2.1)56 b(Address)19 b(Space)f(Prob)r(es)75 2179 y Fh(Our)d(gatew)o(a)o(y)l(,)e Fc(research.att.com)p Fh(,)f(is)i(a)h(w)o (ell-kno)o(wn)g(mac)o(hine,)g(and)g(hence)g(attracts)e(crac)o(k)o(ers.)19 b(A)75 2236 y(clev)o(er)f(crac)o(k)o(er,)f(though,)g(migh)o(t)g(in)o(v)o (estigate)h(further,)f(lo)q(oking)h(for)f(other)g(lik)o(ely)i(mac)o(hines)f (to)f(try)l(.)75 2292 y(There)d(seemed)h(to)f(b)q(e)g(t)o(w)o(o)f(p)q (ossibilitie)q(s:)22 b(blind)16 b(probing)f(of)e(the)i(address)f(space,)g(or) g(examination)g(of)75 2349 y(our)h(domain)h(name)f(system)g(\(DNS\))f (data[Mo)q(c87)n(].)20 b(W)l(e)15 b(decided)i(to)e(monitor)g(for)f(suc)o(h)i (attempts.)146 2405 y(The)e(ob)o(vious)h(w)o(a)o(y)e(to)h(do)g(suc)o(h)h (monitoring)g(is)g(to)e(put)i(a)f(net)o(w)o(ork)f(con)o(troller)i(in)o(to)f (promiscuous)75 2462 y(mo)q(de)h(and)h(w)o(atc)o(h)e(the)h(pac)o(k)o(ets)f (\015y)i(b)o(y)l(.)k(Indeed,)c(w)o(e)f(did)h(do)f(just)g(that;)f(ho)o(w)o(ev) o(er,)g(the)h(solution)h(w)o(as)75 2518 y(not)f(at)f(all)j(straigh)o(t-forw)o (ard.)g(The)f(gatew)o(a)o(y)d(mac)o(hine)k(runs)e(RISC/os)1347 2502 y Ff(2)1367 2518 y Fh(;)g(to)f(our)h(kno)o(wledge,)h(it)f(has)75 2575 y(no)k(user-lev)o(el)i(mec)o(hanisms)f(analagous)e(to)h(Sun's)g Fc(nit)g Fh(driv)o(er.)32 b(W)l(e)19 b(did)i(ha)o(v)o(e)d(a)h(SP)l(AR)o (Cstation)1855 2558 y Ff(3)p 75 2615 720 2 v 127 2642 a Fe(2)144 2658 y Fd(RISC/os)14 b(is)f(a)g(trademark)h(of)f(MIPS)g(Computer)h(Corp)q (oration)127 2688 y Fe(3)144 2704 y Fd(SP)m(AR)o(Cstation)g(is)g(a)f (trademark)h(of)e(SP)m(AR)o(C)h(In)o(ternational,)i(Inc.)p eop %%Page: 5 5 4 bop 75 465 a Fj(From:)21 b(adm@research.att)o(.com)75 515 y(To:)g(trappers)75 565 y(Subject:)f(UDP)h(portmopper)f(from)h(Another.COM)f (\(176.143.143.17)o(5\))75 665 y(Request:)162 714 y(0:)65 b(2974eaca)20 b(00000000)g(00000002)h(000186a0)63 b(\)t..............)140 764 y(16:)i(00000002)20 b(00000003)g(00000000)h(00000000)63 b(................)140 814 y(32:)i(00000000)20 b(00000000)g(000186a5)h (00000001)63 b(................)140 864 y(48:)i(00000006)20 b(00000000)456 b(........)75 914 y(xid:)21 b(2974eaca)f(msgtype:)g(0)i (\(call\))75 964 y(rpcvers:)e(2)i(prog:)e(100000)h(\(portmapper\))41 b(vers:)21 b(2)g(proc:)g(3)h(\(getport\))75 1013 y(Authenticator:)d (credentials)75 1063 y(Authtype:)h(0)i(\(none\))e(length:)g(0)75 1113 y(Authenticator:)f(verifier)75 1163 y(Authtype:)h(0)i(\(none\))e (length:)g(0)75 1262 y(***)75 1312 y(reqprog:)g(100005)h(\(mountd\))f(vers:)h (1)g(proto:)g(6)g(port:)g(0)75 1362 y(***)75 1412 y(...)75 1462 y(/usr/ucb/finger)e(@176.143.143.175)f(2>&1)75 1511 y([176.143.143.175]) 75 1561 y(connect:)i(Connection)g(refused)75 1661 y(Server)h(input:)162 1711 y(0:)65 b(2976c57d)20 b(00000000)g(00000002)h(000186a5)63 b(\)v.}............)140 1761 y(16:)i(00000001)20 b(00000002)g(00000000)h (00000000)63 b(................)140 1810 y(32:)i(00000000)20 b(00000000)456 b(........)75 1860 y(xid:)21 b(2976c57d)f(msgtype:)g(0)i (\(call\))75 1910 y(rpcvers:)e(2)i(prog:)e(100005)h(\(mountd\))42 b(vers:)21 b(1)g(proc:)g(2)75 1960 y(Authenticator:)e(credentials)75 2010 y(Authtype:)h(0)i(\(none\))e(length:)g(0)75 2059 y(Authenticator:)f (verifier)75 2109 y(Authtype:)h(0)i(\(none\))e(length:)g(0)75 2159 y(Parameters:)576 2307 y Fh(Figure)c(3:)j(Output)d(from)e(the)i Fc(portmopper)p Fh(.)p eop %%Page: 6 6 5 bop 75 49 a Fh(that)17 b(w)o(e)h(could)i(connect)e(to)g(the)g(net;)i(since) f(that)e(mac)o(hine)i(is)g(not)f(adequately)h(secure,)g(w)o(e)f(had)g(a)75 106 y(wire)e(cutter)f(in)o(tro)q(duce)h(itself)g(to)e(the)i(transmit)e(leads) i(on)f(the)h(drop)f(cable.)146 164 y(Although)20 b(w)o(e)g(could)i(no)o(w)d (listen,)k(w)o(e)d(could)h(not)f(learn)h(as)f(m)o(uc)o(h)g(as)g(w)o(e)g(w)o (ould)g(lik)o(e.)36 b(Up)q(on)75 220 y(seeing)16 b(a)f(pac)o(k)o(et)f(for)h (a)g(new)g(mac)o(hine,)h(our)f(router's)f(instinct)i(is)g(to)e(issue)i(an)f (ARP)h(request[Plu82].)75 276 y(F)l(or)g(non-existen)o(t)h(mac)o(hines,)g(of) f(course,)h(no)f(one)h(can)f(answ)o(er.)23 b(Ideally)l(,)c(the)d(monitoring)h (mac)o(hine)75 333 y(w)o(ould)h(pic)o(k)g(up)f(suc)o(h)h(requests)f(and)g (pro)o(vide)h(a)f(pro)o(xy)f(ARP)i(reply)l(.)27 b(Unfortunately)l(,)18 b(our)f(securit)o(y)75 389 y(measures)d(rendered)h(that)e(idea)i (impractical.)21 b(W)l(e)14 b(th)o(us)f(ha)o(v)o(e)h Fc(research.att.com)e Fh(handling)j(pro)o(xy)75 446 y(ARP)j(for)f(non-existen)o(t)h(mac)o(hines)g (to)f(p)q(oin)o(t)h(them)f(to)o(w)o(ards)f(the)h(monitoring)h(mac)o(hine,)g (a)f(bizarre)75 502 y(situation)d(indeed.)21 b(A)13 b(\014nal)h(problem)g(w)o (as)f(that)f(the)h(ARP)h(table)g(is)g(limited)h(in)f(size,)g(so)f(w)o(e)g (could)h(not)75 559 y(pro)o(vide)j(complete)h(co)o(v)o(erage)e(of)g(the)h (address)g(space.)25 b(W)l(e)16 b(settled)i(for)e(the)h(mac)o(hines)g(listed) h(in)g(the)75 615 y(DNS,)d(and)h(for)g(a)f(few)h(mac)o(hines)g(at)g(either)g (end)h(of)e(the)h(range)g(to)f(detect)h(coun)o(ting)g(up)g(or)g(coun)o(ting) 75 672 y(do)o(wn.)23 b(Finally)l(,)17 b(w)o(e)f(used)h(the)f Fc(tcpdump)g Fh(program)f(to)g(do)h(the)h(monitoring;)f(there)g(w)o(as)g(no)g (p)q(oin)o(t)h(to)75 728 y(building)h(a)d(sp)q(ecial-purp)q(ose)i(pac)o(k)o (et)e(deco)q(der)h(when)g(a)f(v)o(ery)g(nice)h(general)g(one)f(already)h (existed.)146 786 y(The)c(results)g(of)f(this)i(trap)e(ha)o(v)o(e)g(b)q(een)i (rather)f(curious.)19 b(W)l(e)12 b(ha)o(v)o(e)g(noticed)g(a)g(large)g(n)o(um) o(b)q(er)g(of)f Fc(ftp)75 842 y Fh(connection)16 b(requests)f(to)g Fc(192.20.225.1)p Fh(,)e(a)h(mac)o(hine)i(that)f(has)f(not)h(existed)h(for)e (quite)i(some)f(time.)75 899 y(F)l(urthermore,)f(the)i(large)f(ma)s(jorit)o (y)f(of)g(these)i(connection)g(attempts)e(ha)o(v)o(e)h(come)g(from)g(abroad.) k(W)l(e)75 955 y(sp)q(eculate)d(that)f(some)g(old)h(databases)e(still)j(list) f(its)f(address.)146 1013 y(W)l(e)f(ha)o(v)o(e)f(noticed)i(a)e(few)h (attempts)f(to)g(connect)h(to)g(other)f(mac)o(hines.)20 b(F)l(or)14 b(the)g(most)f(part,)g(these)75 1070 y(ha)o(v)o(e)i(b)q(een)i(to)e (DNS-listed)j(addresses,)d(rather)h(than)f(to)g(random)h(places)g(on)g(our)f (net)o(w)o(ork,)g(and)h(the)75 1126 y(one)h(or)g(t)o(w)o(o)e(exceptions)j (app)q(ear)f(to)g(b)q(e)h(acciden)o(tal.)26 b(This)18 b(log)f(\014le)h(is)f (not)g(examined)h(in)g(real)f(time,)75 1183 y(so)f(w)o(e)g(ha)o(v)o(e)f(not)h (b)q(een)h(able)g(to)f(engage)g(in)h(our)f(usual)h(coun)o(terin)o(telligence) i(measures.)j(Comparing)75 1239 y(the)16 b(source)g(addresses)g(and)h (timestamps)e(with)i(our)f(other)f(log)h(\014les)h(tends)g(to)e(sho)o(w)h (other)f(forms)g(of)75 1295 y(sno)q(oping)h(going)f(on.)20 b(Suc)o(h)c(prob)q(es)f(should)i(lik)o(ely)g(b)q(e)e(considered)i(as)e (hostile.)146 1353 y(One)21 b(set)g(of)g(prob)q(es)g(w)o(as)f(esp)q(ecially)k (alarming.)37 b(Immediately)23 b(follo)o(wing)f(the)f(arrest)f(of)g(t)o(w)o (o)75 1410 y(alleged)h(non-U.S.)e(system)f(crac)o(k)o(ers,)i(someone)f(else)h (from)e(that)h(coun)o(try)g(launc)o(hed)h(a)f(systematic)75 1466 y(prob)q(e)f(of)f(our)g(net)o(w)o(ork's)g(address)g(space.)27 b(Our)18 b(kno)o(wn)g(mac)o(hine)g(w)o(as)f(ignored.)27 b(W)l(e)18 b(b)q(eliev)o(e)i(that)75 1523 y(this)j(w)o(as)f(an)h(attempt)e(at)h(rev)o (enge,)j(and)d(that)g(our)h(w)o(ell-instrumen)o(ted)h(gatew)o(a)o(y)d(mac)o (hine)j(w)o(as)75 1579 y(ignored)16 b(b)q(ecause)g(the)f(attac)o(k)o(ers)f (knew)h(it)h(for)e(what)h(it)g(w)o(as.)146 1637 y(Of)g(late,)h(w)o(e)f(ha)o (v)o(e)g(seen)h(concerted)g(attempts)f(to)f(connect)i(to)f(random)g (addresses)h(of)f(ours.)21 b(The)75 1693 y(pattern)15 b(do)q(es)h(not)e (suggest)h(an)g(attac)o(k;)f(rather,)g(it)i(suggests)f(hosts)f(that)h(are)g (quite)h(confused)g(ab)q(out)75 1750 y(our)g(prop)q(er)g(IP)g(address.)23 b(The)16 b(problem)h(app)q(ears)f(to)f(b)q(e)i(corrupted)f(DNS)g(en)o(tries,) h(whic)o(h)g(w)o(e)e(ha)o(v)o(e)75 1806 y(also)j(exp)q(erienced,)j(rather)c (than)h(an)o(y)g(securit)o(y)g(problem.)30 b(This)18 b(problem)h(is)g (discussed)g(further)f(in)75 1863 y([Bel92].)75 1993 y Fb(2.2)56 b(Coun)n(terin)n(telligence)75 2081 y Fh(When)13 b(a)f(prob)q(e)h(o)q(ccurs,) f(w)o(e)h(try)e(to)h(learn)h(as)f(m)o(uc)o(h)g(ab)q(out)h(the)f(originating)h (mac)o(hine)g(and)g(user)f(as)g(w)o(e)75 2138 y(can.)21 b(Th)o(us)16 b(far,)e(the)i(only)g(generally-a)o(v)m(ailable)j(mec)o(hanism)d(to)f(do)g (that)g(is)h(the)g Fc(finger)e Fh(command.)75 2194 y(While)19 b(far)d(b)q(etter)h(than)g(nothing,)h(it)f(has)h(some)e(w)o(eaknesses.)26 b(Clev)o(er)18 b(crac)o(k)o(ers)e(ha)o(v)o(e)h(an)o(y)g(n)o(um)o(b)q(er)75 2251 y(of)e(w)o(a)o(ys)f(to)g(co)o(v)o(er)h(their)h(trac)o(ks,)d(suc)o(h)j (as)f(o)o(v)o(erwriting)g Fc(/etc/utmp)e Fh(\(it)j(is)f(w)o(orld-writable)h (on)f(man)o(y)75 2307 y(systems\))d(or)h(using)h(the)f(appropriate)g(options) g(to)g Fc(xterm)p Fh(.)18 b(And)c(indeed,)h(w)o(e)e(ha)o(v)o(e)f(seen)i (attac)o(ks)e(from)75 2363 y(mac)o(hines)k(that)e(claim)j(to)d(ha)o(v)o(e)h (no)g(one)g(logged)h(in,)g(viz.)k(Figure)c(2.)146 2421 y(There)21 b(is)h(also)f(the)g(problem)h(of)f(p)q(ok)o(es)g(originating)h(from)e (securit)o(y-conscious)j(sites.)38 b(Often,)75 2478 y(these)20 b(sites)h(restrict)f(or)f(disable)j(the)e Fc(finger)g Fh(daemon,)h(for)e(all) i(the)f(ob)o(vious)h(reasons.)34 b(Figure)20 b(3)75 2534 y(sho)o(ws)13 b(an)h(example.)20 b(\(That)13 b(particular)h(prob)q(e)g(turned)g(out)f(to)h (b)q(e)g(an)g(exp)q(erimen)o(t)g(b)o(y)g(a)f(friend.\))20 b(T)l(o)75 2591 y(b)q(e)c(sure,)f(securit)o(y-conscious)i(sites)e(are)g(probably)h(the)g (least-lik)o(ely)h(to)e(b)q(e)h(p)q(enetrated.)k(But)c(no)f(one)75 2647 y(is)j(imm)o(une;)i(one)e(of)f(our)h(o)o(wn)f(theoretically-secure)j (gatew)o(a)o(ys)c(w)o(as)h(successfully)j(attac)o(k)o(ed)c(o)o(v)o(er)h(a)75 2704 y(w)o(eek)o(end,)e(due)h(to)f(op)q(erator)f(error.)p eop %%Page: 7 7 6 bop 146 49 a Fh(Some)18 b(sites)h(tak)o(e)f(their)i(o)o(wn)e(securit)o(y)h (precautions.)31 b(One)19 b(\(unsolicited\))i(prob)q(er)e(noticed)g(our)75 106 y(rev)o(erse)c Fc(finger)f Fh(attempt,)g(and)i(congratulated)f(us)g(on)g (it.)20 b(Others)c(who)f(though)o(t)f(w)o(e)h(w)o(ere)g(running)75 162 y(a)k(\\crac)o(k)o(er)f(c)o(hallenge)j(con)o(test")e(w)o(ere)g(able)h(to) f(detect)g(our)g(activities)i(when)f(sp)q(eci\014cally)i(lo)q(oking)75 219 y(for)17 b(them.)26 b(The)18 b(w)o(orst)e(p)q(ossibilit)o(y)j(w)o(ould)f (b)q(e)g(an)f(activ)o(e)h(resp)q(onse)g(to)e(our)h(prob)q(e;)i(it)f(could)g (easily)75 275 y(trigger)e(a)g(recursiv)o(e)i Fc(finger)p Fh(ing)e(con)o (test.)24 b(F)l(or)16 b(this)h(reason,)f(among)g(others,)g(w)o(e)h(do)f(not)g (curren)o(tly)75 332 y(do)i(rev)o(erse)h Fc(finger)p Fh(s)e(in)j(resp)q(onse) f(to)e Fc(finger)h Fh(queries,)i(but)e(the)h(problem)g(could)h(still)g (arise.)30 b(F)l(or)75 388 y(example,)14 b(an)f Fc(rusers)g Fh(query)g(to)g(us)g(w)o(ould)h(trigger)e(the)i Fc(portmopper)p Fh('s)d(coun)o(terin)o(telligence)16 b(prob)q(es;)75 444 y(these)d(in)h(turn) g(could)g(cause)f(the)h(remote)e(site)i(to)e(query)i(our)f Fc(rusers)f Fh(daemon.)19 b(It)13 b(ma)o(y)g(b)q(e)h(necessary)75 501 y(to)h(add)g(some)g(lo)q(c)o(king)h(to)f(our)g(daemons.)146 559 y(W)l(e)f(ha)o(v)o(e)h(con)o(templated)g(adding)h(other)e(arro)o(ws)f(to) i(our)f(coun)o(terin)o(telligence)k(quiv)o(er,)d(but)g(there)75 615 y(are)21 b(few)g(c)o(hoices)h(a)o(v)m(ailable.)40 b(The)22 b Fc(rusers)e Fh(command)h(is)h(an)f(ob)o(vious)h(p)q(ossibilit)o(y)l(,)j (but)c(it)h(o\013ers)75 672 y(less)c(information)f(than)h Fc(finger)e Fh(do)q(es.)27 b(T)l(o)17 b(b)q(e)h(sure,)f(b)q(ecause)i(it)e(go)q(es)g (through)g(the)h Fc(portmapper)p Fh(,)75 728 y(it)i(is)g(harder)g(to)f(blo)q (c)o(k)h(or)f(monitor;)i(unfortunately)l(,)g(man)o(y)e(sites)h(blo)q(c)o(k)g (all)h(outside)f(calls)h(to)e(the)75 785 y Fc(portmapper)f Fh(b)q(ecause)j(of)e(\(v)m(alid\))i(concerns)g(ab)q(out)e(the)h(securit)o(y)g (of)g(some)f(RPC-based)h(services.)75 841 y(Another)14 b(c)o(hoice)i(w)o (ould)f(b)q(e)g(the)g(Authen)o(tication)g(Serv)o(er[Joh85)o(],)f(but)h(our)f (exp)q(erimen)o(ts)i(sho)o(w)e(that)75 898 y(v)o(ery)k(few)g(sites)g(supp)q (ort)g(it.)29 b(And)19 b(SNMP[CFSD90)n(])f(is)h(generally)g(implemen)o(ted)h (on)e(routers,)f(not)75 954 y(hosts.)146 1012 y(A)f(totally)g(di\013eren)o(t) g(set)g(of)g(in)o(v)o(estigations)g(are)g(p)q(erformed)h(using)g(DNS)f(data.) 22 b(First)16 b(of)f(all,)i(w)o(e)75 1068 y(attempt)c(to)h(learn)h(the)g (host)e(name)i(asso)q(ciated)f(with)h(the)g(prob)q(er's)f(IP)g(address,)h (whic)o(h)g(should)g(b)q(e)g(a)75 1125 y(trivial)f(matter.)j(In)d(theory)l(,) e(all)h(addresses)g(should)h(listed)f(in)h(the)e(in)o(v)o(erse)h(mapping)g (tree;)g(in)h(practice,)75 1181 y(man)o(y)f(are)g(not.)19 b(This)c(problem)f (seems)g(to)f(b)q(e)h(esp)q(ecially)i(commonplace)f(o)o(v)o(erseas,)d (probably)i(due)h(to)75 1238 y(the)f(newness)h(of)e(the)h(connections.)21 b(In)14 b(suc)o(h)h(cases,)f(w)o(e)f(ha)o(v)o(e)h(to)f(lo)q(ok)i(for)e(the)h (SO)o(A)h(and)f(NS)g(records)75 1294 y(asso)q(ciated)i(with)h(the)f(in)o(v)o (erse)g(domain;)h(using)g(them,)e(w)o(e)h(attempt)f(a)h(zone)g(transfer)g(of) f(the)i(in)o(v)o(erse)75 1351 y(domain,)f(and)f(scan)h(it)g(for)e(an)o(y)i (host)f(names)g(at)g(all.)22 b(That,)14 b(\014nally)l(,)j(giv)o(es)f(the)f (zone)h(name;)f(w)o(e)h(then)75 1407 y(transfer)e(the)i(forw)o(ard-mapping)f (zone)g(and)g(searc)o(h)g(for)g(the)g(target's)f(address.)146 1465 y(On)i(a)f(few)h(o)q(ccasions,)g(this)g(pro)q(cedure)h(has)f(failed;)h (w)o(e)e(ha)o(v)o(e)h(b)q(een)h(forced)f(to)f(resort)g(to)g(the)h(use)75 1522 y(of)h Fc(traceroute)p Fh(s,)f(man)o(ual)i Fc(finger)f Fh(attempts,)f(and)i(ev)o(en)g(a)f(few)g Fc(telnet)g Fh(connections)i(to)d(v) m(arious)75 1578 y(p)q(orts)c(to)f(see)h(if)h(an)o(y)e(serv)o(ers)h(announce) g(the)g(host)g(and)g(domain)g(name.)19 b(Needless)14 b(to)d(sa)o(y)l(,)h (none)g(of)g(this)75 1635 y(is)i(automated;)f(if)h(a)f(simple)i Fc(gethostbyaddr\(\))d Fh(call)j(fails,)f(w)o(e)f(p)q(erform)h(an)o(y)f (further)h(in)o(v)o(estigations)75 1691 y(ourselv)o(es.)146 1749 y(There)f(is)h(one)g(DNS-related)g(c)o(hec)o(k)f(that)g(w)o(e)g(do)h (automate,)e(ho)o(w)o(ev)o(er.)18 b(It)c(is)g(b)o(y)f(no)o(w)g(w)o(ell-kno)o (wn)75 1805 y(that)g(evil)i(games)e(can)h(b)q(e)g(pla)o(y)o(ed)g(with)g(the)g (in)o(v)o(erse)g(mapping)g(tree)g(of)f(the)h(DNS.)f(T)l(o)g(detect)h(this,)g (w)o(e)75 1862 y(p)q(erform)j(a)g(cross-c)o(hec)o(k;)h(using)g(the)f (returned)h(name,)f(w)o(e)g(do)g(a)g(forw)o(ard)f(c)o(hec)o(k)h(to)g(learn)h (the)f(legal)75 1918 y(addresses)d(for)f(that)g(host.)19 b(If)13 b(that)g(name)h(is)g(not)f(listed,)i(or)e(if)h(the)g(addresses)g(do)f(not)h (matc)o(h,)f(alarms,)75 1975 y(gongs,)h(and)i(to)q(csins)f(are)g(sounded.)75 2105 y Fb(2.3)56 b(Log-Based)18 b(Monitoring)g(T)-5 b(o)r(ols)75 2194 y Fh(A)17 b(n)o(um)o(b)q(er)h(of)f(our)g(monitors)g(are)g(based)g(on)h (p)q(erio)q(dic)h(analyses)f(of)f(logs.)26 b(F)l(or)17 b(example,)h(attempts) 75 2250 y(to)d(grab)g(a)g(\(phon)o(y\))g(passw)o(ord)f(\014le)j(via)f Fc(ftp)e Fh(are)i(detected)g(b)o(y)f(a)g Fc(grep)g Fh(job)g(run)h(via)g Fc(cron)p Fh(.)k(W)l(e)15 b(th)o(us)75 2307 y(cannot)g(engage)g(in)h(coun)o (terin)o(telligence)i(activit)o(y)d(in)h(resp)q(onse)g(to)f(suc)o(h)g(p)q(ok) o(es.)20 b(Nev)o(ertheless,)c(they)75 2363 y(remain)k(v)o(ery)g(useful.)34 b(These)20 b(monitors)g(|)g(and)g(a)f(serious)h(attac)o(k)f(disco)o(v)o(ered) h(via)g(them)g(|)g(are)75 2420 y(describ)q(ed)d(more)e(fully)h(in)g([Che92].) 146 2478 y(W)l(e)g(also)h(disco)o(v)o(ered)g(that)f(our)g(gatew)o(a)o(y)f (mac)o(hine)j(w)o(as)e(b)q(eing)i(used)f(as)f(a)g(rep)q(ository)h(for)f (\(pre-)75 2534 y(sumably)22 b(stolen\))f(PC)g(soft)o(w)o(are.)35 b(Assorted)21 b(individuals)j(w)o(ould)e(store)e(suc)o(h)i(programs)d(under)j (a)75 2591 y(directory)c(named)f(\\)p Fc(..^T)p Fh(",)f(where)i(\\)p Fc(^T)p Fh(")e(represen)o(ts)h(the)h(con)o(trol-T)f(c)o(haracter;)g(others)g (w)o(ould)h(re-)75 2647 y(triev)o(e)d(it)g(at)f(their)h(leisure.)21 b(W)l(e)15 b(idly)h(discussed)g(replacing)g(these)e(\014les)i(with)f (programs)e(that)h(prin)o(ted)75 2704 y(nast)o(y)19 b(w)o(arnings,)i(but)g (settled)f(for)g(clearing)h(out)f(the)g(incoming)h Fc(ftp)f Fh(area)g(at)f(least)h(daily)l(.)37 b(That)p eop %%Page: 8 8 7 bop 75 49 a Fh(seems)16 b(to)f(ha)o(v)o(e)g(stopp)q(ed)h(the)g(problem)g (for)f(no)o(w,)g(though)g(a)h(b)q(etter)f(solution)i(w)o(ould)f(b)q(e)g(to)f (add)h(the)75 106 y(notion)d(of)f(\\inside)j(v)o(ersus)d(outside")h(to)f(the) h(daemon,)g(and)g(to)f(prohibit)i(transfers)e(that)g(did)i(not)e(cross)75 162 y(the)j(b)q(oundary)l(.)20 b(\(Other)15 b(sites)g(rep)q(ort)f(similar)i (inciden)o(ts,)g(often)f(in)o(v)o(olving)h(digitized)g(erotic)f(images.)75 219 y(W)l(e)g(lea)o(v)o(e)h(to)e(the)h(readers')g(imagination)h(what)f(w)o(e) g(could)h(insert)g(in)g(place)g(of)f(these)g(\014les.\))146 275 y(W)l(e)i(are)g(curren)o(tly)g(adding)h(real-time)g(analyzers)g(to)e (some)h(of)g(our)g(logs.)25 b(The)18 b(implemen)o(tation)75 332 y(is)e(simple:)662 409 y Fc(tail)23 b(-f)15 b Fg(lo)n(g\014le)f Fc(|)24 b(awk)f(-f)15 b Fg(script)75 486 y Fh(This)23 b(is)f(an)g(esp)q (ecially)j(useful)e(tec)o(hique)g(for)f(the)g Fc(ftp)g Fh(daemon's)f(logs;)26 b(attempts)21 b(to)g(add)h(more)75 543 y(sophisticated)16 b(mec)o(hanisms)g (to)e(the)h(daemon)h(itself)g(w)o(ould)f(run)g(afoul)h(of)e(the)h Fc(chroot)g Fh(en)o(vironmen)o(t)75 599 y(it)g(curren)o(tly)h(runs)g(in.)146 655 y(There)j(is)g(danger)g(lurking)h(here.)32 b(Our)20 b(early)f(v)o (ersions)g(could)h(easily)g(ha)o(v)o(e)f(fallen)h(victim)g(to)e(a)75 712 y(sophisticated)e(attac)o(k)o(er)e(who)h(used)h(\014le)h(names)e(con)o (taining)h(em)o(b)q(edded)h(shell)g(commands.)j(F)l(or)15 b(this)75 768 y(reason,)c(among)f(others,)h(w)o(e)g(run)g(all)h(of)e(our)h(traps)f (with)h(as)g(few)g(privileges)h(as)f(p)q(ossible.)20 b(In)12 b(particular,)75 825 y(where)j(p)q(ossible)i(w)o(e)e(do)g(not)g(run)h(them)f (as)g Fc(root)p Fh(.)75 965 y Fp(3)69 b(A)n(ttac)n(ks)23 b(Disco)n(v)n(ered) 75 1066 y Fh(Th)o(us)16 b(far,)e(w)o(e)i(ha)o(v)o(e)f(seen)h(a)g(wide)g(v)m (ariet)o(y)g(of)g(attac)o(ks.)k(Some)15 b(of)h(them)f(are)h(w)o(ell-kno)o (wn,)g(of)f(course;)75 1123 y(there)i(is)h(nothing)g(no)o(v)o(el)g(ab)q(out)f (passw)o(ord-guessing)g(crac)o(k)o(ers.)26 b(A)18 b(t)o(ypical)g(scenario)f (starts)g(with)g(a)75 1179 y Fc(finger)e Fh(attempt;)g(our)h(pseudo-serv)o (er)g(returns)g(output)f(indicating)j(that)d Fc(guest)g Fh(and)h Fc(berferd)f Fh(are)75 1236 y(logged)g(in.)21 b(Both)15 b(of)f(these)h (accoun)o(ts)g(ha)o(v)o(e)f(ob)o(vious)i(passw)o(ords;)d(if)j(the)f(crac)o(k) o(er)f(tak)o(es)g(the)h(bait,)g(w)o(e)75 1292 y(initiate)j(coun)o(terin)o (telligence)i(measures.)25 b(An)17 b(attempt)f(to)h(log)g(in)g(as)g Fc(guest)f Fh(is)h(in)h(some)f(sense)g(less)75 1349 y(serious;)g(one)g(can)g (mak)o(e)f(a)g(plausible)j(argumen)o(t)d(that)g(sites)h(that)e(do)i(not)f(w)o (an)o(t)g(guests)g(should)h(not)75 1405 y(ha)o(v)o(e)g(a)g Fc(guest)g Fh(accoun)o(t.)27 b(No)18 b(suc)o(h)f(excuse)i(can)e(b)q(e)i (o\013ered)e(for)g(trying)h(to)f(log)g(in)i(as)e(an)g(apparen)o(t)75 1462 y(gen)o(uine)f(user.)146 1518 y(The)i(next)h(lev)o(el)h(up)e(are)h (folks)f(who)g(w)o(an)o(t)g(our)g(passw)o(ord)f(\014le.)31 b(Our)19 b Fc(ftp)f Fh(daemon)g(pro)o(vides)h(a)75 1574 y(dumm)o(y)14 b(one)h(\(see)f([Che92])g(for)f(details\);)i(a)g(pac)o(k)o(et)e(suc)o(k)o(er) i(catc)o(hes)f Fc(tftp)g Fh(requests)g(for)g(it.)20 b(W)l(e)14 b(ha)o(v)o(e)75 1631 y(con)o(templated)j(the)f(idea)h(of)f(distributing)i (the)e(same)g(dumm)o(y)h(\014le)g(via)f Fc(tftp)p Fh(,)g(but)g(ha)o(v)o(e)g (rejected)h(it;)75 1687 y(the)c(b)q(ene\014t)i(to)d(us)h(w)o(ould)h(b)q(e)g (minimal,)h(and)e(w)o(e)g(w)o(ould)h(ha)o(v)o(e)e(to)h(exp)q(ose)h(ourselv)o (es)f(to)g(p)q(ossible)i(bugs)75 1744 y(in)h(the)f Fc(tftp)g Fh(daemon.)146 1800 y(There)i(ha)o(v)o(e)h(b)q(een)h(a)e(fair)h(n)o(um)o(b)q (er)g(of)f(attempts)f(to)h Fc(rlogin)g Fh(to)g(our)h(mac)o(hine.)28 b(Most)16 b(of)i(these)75 1857 y(app)q(ear)f(to)g(b)q(e)h(inno)q(cen)o(t,)h (though)e(curious)h(nev)o(ertheless:)25 b(wh)o(y)17 b(w)o(ould)h(an)o(y)o (one)f(exp)q(ect)h(to)e(b)q(e)i(able)75 1913 y(to)k(log)h(in)g(to)g(another)f (compan)o(y's)g(mac)o(hines?)44 b(Sometimes,)25 b(w)o(e)d(see)h(attempts)f (to)g(connect)h(as)75 1970 y Fc(netlib)p Fh(,)c(or)f(to)h Fc(rcp)f Fh(the)h Fc(netlib)f Fh(distribution[DG87];)j(these)e(most)f(lik)o(ely)j (denote)e(a)g(somewhat-)75 2026 y(naiv)o(e)f(attempt)f(to)g(a)o(v)o(oid)g (the)h(use)g(of)f Fc(ftp)g Fh(when)h(retrieving)h(the)e Fc(netlib)g Fh(pac)o(k)m(age)h(w)o(e)f(distribute.)75 2083 y(F)l(or)e(other)f (connections,)i(w)o(e)f(b)q(eliev)o(e)i(that)e(\014ngers)g(are)g(faster)f (than)h(brains;)g(the)h(real)f(in)o(ten)o(t)g(w)o(as)g(to)75 2139 y(use)h Fc(ftp)e Fh(or)h Fc(telnet)f Fh(to)h(reac)o(h)g(us.)20 b(Regardless,)c(suc)o(h)f(attempts)f(represen)o(t)h(noise)h(in)g(the)g(log)f (\014les.)146 2195 y(Other)g(connection)i(requests)e(ha)o(v)o(e)g(not)g(b)q (een)h(so)f(gen)o(teel.)21 b(W)l(e)16 b(ha)o(v)o(e)f(seen)h(attempts)e(to)h Fc(rlogin)75 2252 y Fh(as)f Fc(root)g Fh(coming)h(from)f(military)i(sites.)k (Figure)15 b(1)f(sho)o(ws)g(an)h(attempt)e(to)h(execute)i(the)e Fc(domainname)75 2308 y Fh(command;)j(apart)e(from)h(the)g(ob)o(vious)h (problem)g(that)f(exists)g(if)h Fc(bin)f Fh(can)h(connect)g(to)e(our)h(mac)o (hine,)75 2365 y(w)o(e)f(susp)q(ect)h(that)e(the)i(attac)o(k)o(er)d(planned)k (misc)o(hief)f(in)o(v)o(olving)h(Sun's)e(NIS.)146 2421 y(The)h Fc(portmopper)p Fh(,)e(and)i(b)q(efore)g(that)f(the)h(UDP)g(pac)o(k)o(et)f (suc)o(k)o(er,)g(ha)o(v)o(e)h(pic)o(k)o(ed)g(up)h(a)e(n)o(um)o(b)q(er)h(of)75 2478 y(RPC-related)h(prob)q(es;)f(the)g(in)o(ten)o(t)g(of)f(some)h(of)f (these)h(is)h(unclear.)23 b(W)l(e)16 b(ha)o(v)o(e)f(no)h(idea,)g(for)f (example,)75 2534 y(wh)o(y)i(someone)h(w)o(ould)f(try)g(to)g(con)o(tact)g (the)g Fc(rstatd)g Fh(daemon.)27 b(There)18 b(ma)o(y)e(b)q(e)i(securit)o(y)g (problems)75 2591 y(lurking)e(there.)k(Other)c(requests)f(are)g(most)f(lik)o (ely)j(malicious;)f(when)g(someone)f(tries)g(to)g(con)o(tact)f(our)75 2647 y(\(non-existen)o(t\))d Fc(NFS)g Fh(moun)o(t)g(daemon,)h(w)o(e)f(assume) g(that)f(they)i(are)f(lo)q(oking)h(for)f(\014le)h(systems)f(exp)q(orted)75 2704 y(to)k(the)g(w)o(orld.)20 b(\(Y)l(es,)15 b(there)g(are)g(man)o(y)f (sites)i(with)f(that)g(problem.\))p eop %%Page: 9 9 8 bop 75 139 a Fj(From:)21 b(adm@research.att)o(.com)75 189 y(To:)g(trappers)75 238 y(Subject:)f(udpsuck)g(nfs\(2049\))75 338 y(UDP)h(packet)g(from)g(host)g(a.non-us.edu)e(\(173.46.173.146\):)f(port) j(804,)g(40)h(bytes)162 388 y(0:)65 b(2964e5a6)20 b(00000000)g(00000002)h (000186a3)63 b(\)d..............)140 438 y(16:)i(00000002)20 b(00000000)g(00000000)h(00000000)63 b(................)140 487 y(32:)i(00000000)20 b(00000000)456 b(........)75 537 y(/usr/ucb/finger)19 b(@173.46.173.146)f(2>&1)75 587 y([173.46.173.146])75 637 y(Login)152 b(Name)304 b(TTY)21 b(Idle)86 b(When)h(Where)75 687 y(lu)152 b(Lee)21 b(User)305 b(a)43 b(8:41)21 b(Fri)g(12:55)43 b(direct)20 b(to)i(room)f(101)75 737 y(ano)130 b(A.N.)21 b(One)305 b(h6)65 b(3d)21 b(Tue)g(00:49)43 b(direct)20 b(to)i(719)75 786 y(nsa)130 b(Nun)21 b(Atall)283 b(p0)65 b(36)21 b(Thu)g(18:56)43 b(eqg01:0.0)75 836 y(nsa)130 b(Nun)21 b(Atall)283 b(p1)65 b(24)21 b(Thu)g(18:57)43 b(eqg01:0.0)641 984 y Fh(Figure)16 b(4:)j(A)c(captured)h Fc(NFS)f Fh(request)146 1122 y(There)d(ha)o(v)o(e)f(b)q(een)i(some)f(connection)h (requests)e(to)h(more)f(obscure)h(services.)20 b(Sev)o(eral)12 b(p)q(eople)h(ha)o(v)o(e)75 1178 y(p)q(ok)o(ed)j(a)f(pac)o(k)o(et)g(suc)o(k)o (er)g(sitting)h(on)g(the)f Fc(whois)g Fh(p)q(ort.)21 b(Those)15 b(ha)o(v)o(e)g(b)q(een)i(inno)q(cen)o(t;)f(generally)l(,)h(the)75 1235 y(captured)g(data)e(sho)o(w)o(ed)h(that)g(the)g(caller)h(w)o(an)o(ted)f (the)h(email)g(address)f(of)g(researc)o(hers)g(here.)24 b(When)75 1291 y(feasible,)e(w)o(e)e(reply)h(b)o(y)f(email,)i(doubtless)f(causing)f(m)o (uc)o(h)g(confusion)h(and)f(puzzlemen)o(t.)36 b(W)l(e)20 b(will)75 1348 y(lik)o(ely)c(disable)g(that)e(trap)g(in)h(the)g(near)g(future.)k(Other) c(prob)q(ers)g(ha)o(v)o(e)f(connected)h(to)f(things)h(lik)o(e)h(lik)o(e)75 1404 y(the)h Fc(nntp)f Fh(p)q(ort.)24 b(W)l(e)16 b(do)h(not)f(kno)o(w)g(for)g (certain)h(what)f(they)h(had)g(in)g(mind;)h(lik)o(ely)h(guesses)e(include)75 1461 y(attempts)f(to)f(read)i(newsgroups)f(not)h(carried)g(at)f(their)h(o)o (wn)f(sites,)h(or)f(attempts)f(to)h(forge)g Fc(netnews)75 1517 y Fh(p)q(ostings.)146 1574 y(The)h(most)f(sophisticated)i(p)q(ok)o(es)f(ha)o (v)o(e)g(b)q(een)h(attempted)e Fc(NFS)h Fh(op)q(erations[Sun90].)24 b(They)18 b(ma)o(y)75 1630 y(ha)o(v)o(e)13 b(b)q(een)i(hand-crafted,)f(as)f (most)g(normal)g Fc(NFS)g Fh(op)q(erations)h(are)f(preceded)i(b)o(y)f(moun)o (t)f(requests.)19 b(A)75 1687 y(sample)e(alarm)g(message)f(is)h(sho)o(wn)g (as)f(Figure)h(4.)24 b(P)o(erhaps)16 b(not)h(surprisingly)l(,)h(the)f(users)g (sho)o(wn)f(as)75 1743 y(logged)f(in)h(ha)o(v)o(e)f(all)h(b)q(een)h(idle)g (for)d(quite)i(some)f(time.)146 1800 y(Th)o(us)e(far,)g(all)h(of)f(the)h Fc(NFS)e Fh(pac)o(k)o(ets)h(w)o(e)g(ha)o(v)o(e)g(captured)h(ha)o(v)o(e)f(b)q (een)i Fc(no-ops)p Fh(.)j(In)c(a)f(few)h(instances,)75 1856 y(w)o(e)j(ha)o(v)o(e)f(b)q(een)i(able)g(to)e(con)o(tact)g(the)h(individuals)j (resp)q(onsible;)f(they)e(generally)h(replied)h(that)d(they)75 1913 y(w)o(ere)h(c)o(hec)o(king)h(to)f(see)g(if)h(our)f(arc)o(hiv)o(es)g(w)o (ere)g(accessible)i(b)o(y)e Fc(NFS)g Fh(as)g(w)o(ell)h(as)f(b)o(y)g Fc(ftp)p Fh(.)26 b(\(A)17 b(n)o(um)o(b)q(er)75 1969 y(of)g(sites)g(do)h(pro)o (vide)g(this)f(option;)i(w)o(e)e(marv)o(el)g(at)f(their)i(courage.\))26 b(In)18 b(fact,)f(at)f(least)i(one)f(p)q(opular)75 2026 y(program)d(|)h(the)f Fc(amd)g Fh(auto-moun)o(ter[P)o(en)o(])h(|)g(apparen)o(tly)f(generates)h Fc(NFS)f(no-ops)g Fh(automatically)l(.)146 2082 y(W)l(e)j(are)g(starting)g (to)g(see)h(w)o(orrisome)f(lev)o(els)i(of)e(suc)o(h)h(queries.)27 b(Giv)o(en)18 b(the)g(existence)h(of)e(public)75 2139 y Fc(NFS)f Fh(arc)o(hiv)o(es,)h(c)o(hec)o(king)h(to)e(see)i(if)f(w)o(e)f(o\013er)g(suc)o (h)i(a)e(service)i(cannot)f(b)q(e)g(considered)h(a)f(hostile)h(act.)75 2195 y(On)f(the)f(other)g(hand,)h(what)f(w)o(e)g(see)h(with)g(our)f(curren)o (t)g(to)q(ols)g(|)h Fc(NFS)24 b(no-ops)15 b Fh(and)i(queries)g(to)f(the)75 2252 y(moun)o(t)f(daemon)g(|)h(are)f(not)f(distinguishable)19 b(from)14 b(a)h(gen)o(uine)h(attac)o(k.)j(Our)d(c)o(hoices)g(are)f(either)h (to)75 2308 y(ignore)i(all)h(suc)o(h)f(requests,)g(or)f(to)g(em)o(ulate)h (more)f(of)g(the)h(proto)q(col,)g(so)f(w)o(e)h(can)g(see)g(what)f(is)h (really)75 2364 y(in)o(tended.)j(Neither)16 b(alternativ)o(e)g(is)f(app)q (ealing.)146 2421 y(W)l(e)j(ha)o(v)o(e)f(recen)o(tly)i(seen)g(sev)o(eral)f (determined)h(attempts)e(to)g(grab)h(our)g(passw)o(ord)f(\014le)i(via)f(NIS) 75 2478 y(\(Figure)10 b(5\).)18 b(The)10 b(attac)o(k)o(ers')f(programs)g (made)h(rep)q(eated)h(attempts)e(to)h(guess)g(our)h(NIS)g(domain)f(name,)75 2534 y(whic)o(h)19 b(is)g(need)h(in)f(order)f(to)g(p)q(erform)g(the)h (transfer.)29 b(P)o(erhaps)18 b(not)g(surprisingly)l(,)j(these)e(attempts)75 2590 y(o)q(ccurred)d(just)f(a)g(few)g(w)o(eeks)g(after)f(the)h(appropriate)h (program)e(w)o(as)g(p)q(osted)i(to)e(a)h(newsgroup.)146 2647 y(There)20 b(are)g(sev)o(eral)g(lik)o(ely)i(services)f(where)f(w)o(e)g(ha)o (v)o(e)f(not,)i(or)e(not)h(y)o(et,)h(receiv)o(ed)g(an)o(y)f(serious)75 2704 y(p)q(ok)o(es,)14 b(suc)o(h)g(as)g Fc(bootp)f Fh(or)g Fc(X11)p Fh(.)19 b(\(Actually)l(,)c(w)o(e)e(ha)o(v)o(e)h(seen)g(a)g(few)g (connection)h(attempts)e(to)g(our)g Fc(X11)p eop %%Page: 10 10 9 bop 75 247 a Fj(From:)21 b(adm@research.att)o(.com)75 297 y(To:)g(trappers)75 347 y(Subject:)f(UDP)h(portmopper)f(from)h (several.different)o(.plac)o(es)e(\(230.154.230.241\))75 446 y(Request:)75 496 y(....)75 546 y(***)75 596 y(reqprog:)h(100004)h (\(ypserv\))f(vers:)h(2)g(proto:)g(6)g(port:)g(0)75 645 y(***)75 745 y(...)75 845 y(/usr/ucb/finger)e(@230.154.230.241)75 895 y([230.154.230.241])75 944 y(No)i(one)h(logged)e(on)75 1094 y(Server)h(input:)162 1144 y(0:)65 b(2a36be5f)20 b(00000000)g(00000002)h (000186a4)63 b(*6._............)140 1193 y(16:)i(00000002)20 b(00000004)g(00000001)h(0000001c)63 b(................)140 1243 y(32:)i(2a3b6cfa)20 b(00000004)g(69736673)h(00000000)63 b(*;l.....isfs....)140 1293 y(48:)i(00000000)20 b(00000001)g(00000000)h (00000000)63 b(................)140 1343 y(64:)i(00000000)20 b(0000000c)g(3139322e)h(32302e32)63 b(........192.20.2)140 1393 y(80:)i(32352e32)20 b(0000000d)g(70617373)h(77642e62)63 b(25.2....passwd.b)140 1442 y(96:)i(796e616d)20 b(65000000)g(80000060)h (2a36be5e)63 b(yname......`*6.^)119 1492 y(112:)h(00000000)20 b(00000002)g(000186a4)h(00000002)63 b(................)119 1542 y(128:)h(00000004)20 b(00000001)g(0000001c)h(2a3b6cfa)63 b(............*;l.)119 1592 y(144:)h(00000004)20 b(69736673)g(00000000)h (00000000)63 b(....isfs........)119 1642 y(160:)h(00000001)20 b(00000000)g(00000000)h(00000000)63 b(................)119 1692 y(176:)h(00000003)20 b(31393200)g(0000000d)h(70617373)63 b(....192.....pass)119 1741 y(192:)h(77642e62)20 b(796e616d)g(65000000)h (80000064)63 b(wd.byname......d)119 1791 y(208:)h(2a36be5d)20 b(00000000)g(00000002)h(000186a4)63 b(*6.]............)119 1841 y(224:)h(00000002)20 b(00000004)g(00000001)h(0000001c)63 b(................)119 1891 y(240:)h(2a3b6cfa)20 b(00000004)g(69736673)h (00000000)63 b(*;l.....isfs....)119 1941 y(256:)h(00000000)20 b(00000001)g(00000000)h(00000000)63 b(................)119 1990 y(272:)h(00000000)20 b(00000008)g(32302e32)h(32352e32)63 b(........20.225.2)119 2040 y(288:)h(0000000d)20 b(70617373)g(77642e62)h (796e616d)63 b(....passwd.bynam)119 2090 y(304:)h(65000000)20 b(80000060)g(2a36be5c)h(00000000)63 b(e......`*6.\\....)119 2140 y(320:)h(00000002)20 b(000186a4)g(00000002)h(00000004)63 b(................)119 2190 y(336:)h(00000001)20 b(0000001c)g(2a3b6cfa)h (00000004)63 b(........*;l.....)119 2240 y(352:)h(69736673)20 b(00000000)g(00000000)h(00000001)63 b(isfs............)119 2289 y(368:)h(00000000)20 b(00000000)g(00000000)h(00000002)63 b(................)119 2339 y(384:)h(32300000)20 b(0000000d)g(70617373)h (77642e62)63 b(20......passwd.b)119 2389 y(400:)h(796e616d)20 b(65000000)g(80000064)h(2a36be5b)63 b(yname......d*6.[)75 2439 y(...)420 2587 y Fh(Figure)15 b(5:)20 b(P)o(art)14 b(of)g(the)i(alert)f (message)g(from)f(an)h(NIS)h(attac)o(k.)p eop %%Page: 11 11 10 bop 75 49 a Fh(monitor;)19 b(in)o(v)o(estigation)g(sho)o(w)o(ed)f(that)f (they)h(w)o(ere)g(inno)q(cen)o(t.\))30 b(P)o(erhaps)18 b(the)g(crac)o(k)o(er) g(comm)o(unit)o(y)75 106 y(has)d(not)f(y)o(et)h(ac)o(hiev)o(ed)g(a)g (su\016cien)o(t)g(lev)o(el)i(of)d(sophistication,)i(or)e(p)q(erhaps)i(the)f (traps)f(ha)o(v)o(e)g(not)h(b)q(een)75 162 y(around)f(long)g(enough)g(\(the)f (pac)o(k)o(et)h(suc)o(k)o(ers)f(w)o(ere)h(\014rst)f(deplo)o(y)o(ed)i(in)f (mid-Decem)o(b)q(er)h(of)f(1991\).)k(The)75 219 y(frequency)h(of)f(attac)o (ks)f(seems)h(to)g(b)q(e)h(link)o(ed)h(to)d(the)i(academic)g(calendar;)h(w)o (e)e(sa)o(w)f(a)h(considerable)75 275 y(upsurge)c(in)g(early)f(Jan)o(uary)l (,)h(when)g(studen)o(ts)f(w)o(ould)h(b)q(e)g(returning)f(to)g(their)h (campuses)g(\(in)f(the)h(U.S.,)75 332 y(at)h(least\),)f(and)i(a)e(drop-o\013) h(as)g(their)h(w)o(orkload)e(presumably)i(increased.)146 397 y(When)c(w)o(e)g(detect)g(an)g(in)o(trusion,)h(w)o(e)f(send)g(a)g(casual)g (note)g(to)g(the)g(system)f(administrator.)19 b(Gener-)75 453 y(ally)l(,)c(it)g(sa)o(ys)e(something)h(lik)o(e)i(\\someone)d(from)h(y)o(our) g(site)g(did)h Fa()g Fh(y)o(esterda)o(y)l(,)f(and)g(while)i(w) o(e)d(don't)75 509 y(care)k(m)o(uc)o(h,)h(w)o(e)f(though)o(t)f(y)o(ou)h(migh) o(t)g(lik)o(e)i(to)d(kno)o(w,)h(since)i(suc)o(h)e(prob)q(es)h(often)f(come)g (from)g(stolen)75 566 y(accoun)o(ts.")33 b(Resp)q(onses)21 b(are)f(mixed.)35 b(Some)20 b(administrators)f(resp)q(ond)i(immediately)l(,)h (ask)e(for)f(all)75 622 y(the)14 b(details)h(w)o(e)f(can)g(pro)o(vide,)h(and) f(tak)o(e)f(immediate)i(action)g(to)e(trac)o(k)g(do)o(wn)h(the)g(part)o(y)f (resp)q(onsible.)75 679 y(Others)h(nev)o(er)h(answ)o(er)e(us.)20 b(P)o(erhaps)14 b(they)g(do)g(not)g(care,)g(p)q(erhaps)h(they)f(nev)o(er)g(c) o(hec)o(k)h Fc(postmaster)p Fh('s)75 735 y(mailb)q(o)o(x,)h(or)e(p)q(erhaps)i (the)g(in)o(truder)f(has)g(detected)h(and)g(deleted)g(the)g(mail.)k(That)15 b(last)g(w)o(ould)h(seem)75 792 y(to)11 b(b)q(e)h(a)g(plausible)i (explanation;)g(one)d(w)o(ould)i(think)f(that)f(sites)h(w)o(ould)g(care)g (that)f(their)h(o)o(wn)f(mac)o(hines)75 848 y(had)h(b)q(een)i(compromised.)19 b(Commercial)13 b(sites)f(generally)h(react)f(the)g(most;)g(academic)h(sites) g(the)f(least.)75 905 y(On)17 b(at)f(least)h(three)g(o)q(ccasions,)g(w)o(e)g (ha)o(v)o(e)f(had)h(to)f(notify)h(administrators)f(at)g(\(U.S.\))f(military)j (sites;)75 961 y(to)c(our)h(surprise,)g(w)o(e)f(nev)o(er)h(receiv)o(ed)h(an)o (y)e(resp)q(onse)i(at)e(all.)20 b(Copies)c(of)e(all)h(alarm)g(messages)f(and) h(all)75 1018 y(administrator)d(noti\014cations)i(are)e(k)o(ept)g(on)h(an)g (optical)g(disk;)h(additionally)l(,)h(CER)l(T)e(sees)g(these)g(notes.)75 1210 y Fp(4)69 b(Where)23 b(the)f(Wild)f(Things)i(Are)75 1328 y Fh(Not)14 b(surprisingly)l(,)i(most)e(of)g(the)g(attac)o(ks)f(w)o(e)h(ha)o (v)o(e)g(seen)h(come)g(from)e(univ)o(ersities,)j(b)q(oth)f(in)g(the)f(U.S.)75 1384 y(and)e(abroad.)310 1368 y Ff(4)348 1384 y Fh(The)h(distribution)h(is)e (highly)i(non-linear;)g(a)e(few)g(sites)h(accoun)o(t)e(for)h(a)g(high)h(p)q (ercen)o(tage)75 1441 y(of)f(the)h(misb)q(eha)o(vior)g(w)o(e)g(see.)19 b(One)13 b(should)h(not)e(conclude,)j(though,)d(that)g(the)h(attac)o(k)o(ers) e(are)h(actually)75 1497 y(at)17 b(those)g(sites;)i(v)o(ery)e(often,)h(w)o(e) f(see)h(evidence)h(of)e(connection-launderin)q(g.)29 b(This)18 b(ma)o(y)f(tak)o(e)g(place)75 1554 y(b)q(ecause)12 b(of)f(op)q(en)h(terminal) g(serv)o(ers,)f(whic)o(h)h(p)q(ermit)g(hop-on/hop-o\013)f(access,)h(or)f(b)q (ecause)h(of)f(a)g(lib)q(eral)75 1610 y(attitude)k(to)o(w)o(ards)e(guest)h (accoun)o(ts,)g(or)g(b)q(ecause)i(their)f(o)o(wn)f(mac)o(hines)i(ha)o(v)o(e)e (b)q(een)i(p)q(enetrated.)k(W)l(e)75 1667 y(ha)o(v)o(e)e(seen)h(evidence)i (for)d(all)h(three)g(explanations.)31 b(\(One)19 b(p)q(ersisten)o(t)g (o\013ender)f(also)h(hosts)f(a)g(w)o(ell-)75 1723 y(kno)o(wn)i(source)h(arc)o (hiv)o(e)g(accessible)i(via)e(NFS.)f(W)l(e)h(w)o(onder)f(if)h(there)g(is)g(a) g(connection.)37 b(W)l(e)21 b(also)75 1779 y(w)o(onder)15 b(ab)q(out)g(the)g (in)o(tegrit)o(y)g(of)g(the)h(co)q(de)f(in)h(the)g(arc)o(hiv)o(e.\))146 1845 y(T)l(able)f(1)g(sho)o(ws)f(the)h(frequency)h(of)e(prob)q(es)i(during)f (F)l(ebruary)g(and)g(Marc)o(h)g(of)f(1992.)19 b(The)c(\\ARP)75 1901 y(c)o(hec)o(ks")i(indicate)i(an)f(address)f(space)h(prob)q(e)g(judged)g (to)f(b)q(e)h(suspicious)h(enough)f(to)f(log;)h(the)f(other)75 1957 y(en)o(tries)e(are)f(based)h(on)f(a)g(coun)o(t)g(of)g(the)h(automated)e (trap)h(messages)g(generated.)19 b(The)c Fc(ftp)f Fh(and)h Fc(tftp)75 2014 y Fh(en)o(tries)j(are)g(of)f(particular)h(in)o(terest,)g (since)h(they)f(are)g(rarely)l(,)g(if)g(ev)o(er,)g(inno)q(cen)o(t.)29 b(Other)18 b(inciden)o(ts,)75 2070 y(i.e.,)d(the)g Fc(whois)f Fh(connections,)i(a)e(few)h(of)f(the)h Fc(portmopper)f Fh(traps,)g(and)h(the) g Fc(SNMP)f Fh(messages,)h(turned)75 2127 y(out)g(to)f(b)q(e)i(b)q(enign.)146 2192 y(The)h(essen)o(tial)i(fact,)e(though,)h(is)g(that)f(the)h(In)o(ternet)f (can)h(b)q(e)g(a)g(dangerous)f(place.)28 b(Individuals)75 2248 y(attempted)17 b(to)f(grab)h(our)f(passw)o(ord)h(\014le)h(at)e(a)h(rate)g (exceeding)h(once)g(ev)o(ery)f(other)f(da)o(y)l(.)26 b(Suspicious)75 2305 y(RPC)15 b(requests,)f(whic)o(h)h(are)f(di\016cult)i(to)e(\014lter)h (via)f(external)h(mec)o(hanisms,)g(arriv)o(ed)f(at)g(least)h(w)o(eekly)l(.)75 2361 y(A)o(ttempts)i(to)g(connect)h(to)f(non-existen)o(t)i(bait)f(mac)o (hines)g(o)q(ccurred)h(at)e(least)h(ev)o(ery)f(t)o(w)o(o)g(w)o(eeks.)27 b(It)75 2418 y(is)16 b(w)o(orth)e(noting)h(that)f(during)i(the)f(\\Berferd")g (inciden)o(t[Che92)q(],)g(w)o(e)f(attempted,)h(without)g(success,)75 2474 y(to)f(lure)i(the)f(in)o(truders)h(to)e(that)g(mac)o(hine,)i(whic)o(h)g (actually)f(existed)h(at)f(the)g(time.)20 b(No)o(w,)14 b(connection)75 2531 y(requests)f(ha)o(v)o(e)g(b)q(ecome)h(commonplace.)20 b(W)l(e)13 b(do)g(not)g(kno)o(w)g(if)h(there)f(are)g(that)f(man)o(y)h(more)g (crac)o(k)o(ers,)75 2587 y(or)i(if)g(they)h(ha)o(v)o(e)e(simply)j(gotten)d (more)h(sophisticated)h(in)g(their)g(targeting.)p 75 2661 720 2 v 127 2688 a Fe(4)144 2704 y Fd(This)e(section)g(is)g(based)g(on)f(data)g (compiled)i(b)o(y)f(Bill)h(Cheswic)o(k.)p eop %%Page: 12 12 11 bop 385 137 a Fh(T)l(able)16 b(1:)k(F)l(requency)c(of)e(A)o(ttac)o(ks)g (During)i(F)l(ebruary)f(and)g(Marc)o(h)615 299 y(Inciden)o(t)p 1149 316 2 57 v 400 w(Num)o(b)q(er)p 590 318 770 2 v 615 357 a(guest/demo/visitor)g(logins)p 1149 374 2 57 v 143 w(296)615 414 y(rlogins)p 1149 430 V 544 w(62)615 470 y(ftp)g(passwd)g(fetc)o(hes)p 1149 487 V 312 w(27)615 526 y(nn)o(tp)p 1149 543 V 583 w(16)615 583 y(p)q(ortmopp)q(er)p 1149 600 V 440 w(11)615 639 y(whois)p 1149 656 V 564 w(10)615 696 y(snmp)p 1149 713 V 591 w(9)615 752 y(x11)p 1149 769 V 627 w(8)615 809 y(tftp)p 1149 826 V 622 w(5)615 865 y(ARP)h(c)o(hec)o(ks)p 1149 882 V 458 w(4)615 922 y(systat)p 1149 939 V 578 w(2)615 978 y(nfs)p 1149 995 V 640 w(2)p 1149 1051 V 615 1091 a(Num)o(b)q(er)g(of)e(evil)j(sites)p 1149 1108 V 277 w(95)75 1291 y Fp(5)69 b(Ethical)21 b(Concerns)75 1398 y Fh(T)l(o)e(some,)g(our)g(activities)i(are)e(of)f(dubious)j(ethical)f (c)o(haracter.)31 b(The)20 b(claim)g(has)f(b)q(een)h(made)g(that)75 1454 y(the)14 b(existence)i(of)e(some)g(of)f(our)h(monitors)g(amoun)o(t)g(to) f(en)o(trapmen)o(t.)19 b(W)l(e)c(w)o(elcome)f(|)h(and)f(share)h(|)75 1511 y(their)h(sensitivit)o(y)g(to)f(ethical)h(issues,)g(but)f(not)g(their)g (conclusions.)22 b(W)l(e)15 b(are)g(comfortable)g(with)h(what)75 1567 y(w)o(e)f(are)g(doing.)146 1626 y(W)l(e)h(do)g(not)g(regard)g(it)g(as)g (at)g(all)h(wrong)e(to)h(monitor)g(our)g(o)o(wn)g(mac)o(hine.)23 b(It)17 b(is,)f(after)g(all,)h Fg(ours)p Fh(;)75 1682 y(w)o(e)c(ha)o(v)o(e)h (the)g(righ)o(t)f(to)g(con)o(trol)h(ho)o(w)f(it)h(is)g(used,)g(and)g(b)o(y)g (whom.)19 b(\(More)13 b(precisely)l(,)i(it)f(is)h(a)e(compan)o(y-)75 1739 y(o)o(wned)20 b(mac)o(hine,)i(but)f(w)o(e)f(ha)o(v)o(e)g(b)q(een)h(giv)o (en)g(the)f(righ)o(t)g(and)h(the)f(resp)q(onsibilit)o(y)j(to)d(ensure)h(that) 75 1795 y(it)e(is)h(used)f(in)h(accordance)f(with)h(compan)o(y)e (guidelines.\))34 b(Most)18 b(other)h(sites)g(on)g(the)g(In)o(ternet)g(feel) 75 1852 y(the)e(same)g(w)o(a)o(y)l(.)26 b(W)l(e)17 b(are)g(not)g(impressed)h (b)o(y)g(the)f(argumen)o(t)g(that)f(idle)j(mac)o(hine)f(cycles)h(are)e(b)q (eing)75 1908 y(w)o(asted.)22 b(Most)14 b(individual)q(s')k(needs)f(for)e (computing)i(p)q(o)o(w)o(er)e(can)h(b)q(e)h(met)f(at)f(a)h(remark)m(ably)g (mo)q(dest)75 1965 y(cost.)26 b(F)l(urthermore,)17 b(giv)o(en)h(the)f(curren) o(t)g(ab)o(ysmal)h(state)e(of)h(host)g(securit)o(y)l(,)h(w)o(e)f(kno)o(w)g (of)g(no)g(other)75 2021 y(w)o(a)o(y)d(to)h(ensure)h(that)e(our)h(gatew)o(a)o (y)e(itself)k(is)e(not)g(compromised.)146 2080 y(Equally)j(imp)q(ortan)o(t,)e (w)o(e)h(are)g(not)g(attempting)f(to)h(prosecute)g(an)o(y)o(one.)25 b(Our)17 b(goal)g(is)h(to)e(under-)75 2137 y(stand)f(what)g(is)i(happ)q (ening,)g(and)e(to)g(sho)q(o)h(a)o(w)o(a)o(y)e(n)o(uisances.)22 b(The)16 b(reaction)g(from)e(system)i(adminis-)75 2193 y(trators)e(whom)h(w)o (e)g(ha)o(v)o(e)g(con)o(tacted)g(has)h(generally)g(b)q(een)h(quite)f(p)q (ositiv)o(e.)22 b(In)16 b(most)f(cases,)g(w)o(e)g(ha)o(v)o(e)75 2249 y(b)q(een)k(told)g(that)f(either)h(the)f(prob)q(e)h(w)o(as)e(inno)q(cen) o(t,)j(in)f(whic)o(h)g(case)g(nothing)g(is)f(done,)h(or)f(that)g(the)75 2306 y(attac)o(k)o(er)d(w)o(as)i(in)g(fact)g(a)f(kno)o(wn)h(troublemak)o(er.) 25 b(In)18 b(that)e(case,)h(the)g(v)o(ery)g(concept)g(of)g(en)o(trapmen)o(t) 75 2362 y(do)q(es)c(not)f(apply)l(,)i(since)g(b)o(y)f(de\014nition)h(it)f(is) h(an)e(inducemen)o(t)i(to)e(commit)h(a)g(violation)g(that)f(the)h(victim)75 2419 y(w)o(ould)j(not)f(otherwise)g(ha)o(v)o(e)g(b)q(een)i(inclined)h(to)d (commit.)20 b(In)c(a)f(few)g(cases,)g(a)g(system)g(administrator)75 2475 y(has)g(learned,)h(through)f(our)g(messages,)f(that)g(his)i(or)f(her)h (system)e(w)o(as)h(itself)h(compromised.)146 2534 y(The)g(most)g(problematic) i(monitor)e(is)h(that)f(on)g(the)h Fc(guest)f Fh(login.)25 b(W)l(e)16 b(ha)o(v)o(e)g(b)q(een)i(told)f(that)f(its)75 2591 y(existence)f(is)f(itself)h(a)e(lure.)20 b(W)l(e)14 b(do)g(not)f(agree.)19 b(Most)13 b(attempts)g(to)g(use)h(it)g(are)f(blind;)j(the)e(individual)75 2647 y(has)21 b(no)f(reason)h(to)f(b)q(eliev)o(e)j(that)d(w)o(e)g(pro)o(vide) i(suc)o(h)f(a)f(service.)38 b(Rather,)21 b(w)o(e)g(are)f(simply)i(one)f(of)75 2704 y(man)o(y)15 b(systems)h(that)f(is)h(searc)o(hed)g(for)g(op)q(en)g (accoun)o(ts.)22 b(T)l(o)15 b(b)q(e)i(sure,)f(suc)o(h)g(a)f(searc)o(h)h(is)g (lik)o(ely)i(to)d(b)q(e)p eop %%Page: 13 13 12 bop 75 49 a Fh(futile;)14 b(guest)d(login)i(accoun)o(ts)e(ha)o(v)o(e)h(b)q (ecome)g(quite)h(rare)e(on)h(the)g(In)o(ternet,)g(ev)o(en)g(on)g (historically)h(op)q(en)75 106 y(systems.)28 b(This)18 b(is)h(in)f(mark)o(ed) g(con)o(trast)e(to)i(the)g(ARP)l(ANET)g(of)g(15)f(y)o(ears)g(ago.)28 b(The)18 b(c)o(hange)g(w)o(as)75 162 y(lik)o(ely)g(inevitable;)g(the)e(v)m (astly-increased)i(access)e(to)g(the)g(In)o(ternet)g(has)g(also)g(increased)h (the)g(n)o(um)o(b)q(er)75 219 y(of)c(users)h(who)f(do)h(not)f(share)h(the)f (same)h(moral)f(credo)h(with)g(resp)q(ect)g(to)f(prop)q(er)h(b)q(eha)o(vior.) 20 b(F)l(ew)13 b(sites,)75 275 y(if)j(an)o(y)l(,)f(are)h(willing)h(to)e(exp)q (ose)h(themselv)o(es)h(to)e(unkno)o(wn)g(individual)q(s.)24 b(Ev)o(en)15 b(sites)h(w)o(ell-kno)o(wn)h(for)75 332 y(c)o(hampioning)h(the)f (principles)j(of)c(univ)o(ersal)i(access)f(ha)o(v)o(e)g(b)q(een)h(forced)f (to)f(close)i(do)o(wn,)e(b)q(ecause)i(of)75 388 y(abuses)d(b)o(y)h(a)e(few)i (guests.)146 447 y(The)g(area)g(of)g(coun)o(terin)o(telligence)k(raises)d (other)f(serious)h(issues.)25 b(What)15 b(sorts)h(of)g(net)o(w)o(ork)g(con-) 75 504 y(nections)g(to)f(other)h(sites)g(are)f(prop)q(er?)22 b(W)l(e)16 b(m)o(ust)f(b)q(e)i(v)o(ery)e(careful)h(here)g(not)f(to)g(step)h (o)o(v)o(er)f(the)h(line.)75 560 y(Giv)o(en)g(that)g(w)o(e)g(log)g Fc(finger)f Fh(attempts,)g(and)h(trace)g(bac)o(k)g Fc(rusers)f Fh(calls,)i(are)e(w)o(e)h(justi\014ed)h(in)g(using)75 617 y(those)g(proto)q (cols)g(ourselv)o(es?)27 b(What)16 b(ab)q(out)h(the)h(aforemen)o(tioned)f Fc(telnet)f Fh(op)q(erations?)27 b(On)18 b(o)q(cca-)75 673 y(sion,)d(w)o(e)g(ha)o(v)o(e)f(had)i(mail)f(to)g(a)f(site)i(administrator)e (b)q(ounce;)i(w)o(e)f(ha)o(v)o(e)f(had)i(to)e(resort)g(to)g(things)i(lik)o(e) 75 730 y(hand-en)o(tered)j Fc(VRFY)e Fh(commands)g(on)h(the)g(SMTP)g(p)q(ort) f(to)g(determine)i(where)f(the)g(mail)g(should)h(b)q(e)75 786 y(sen)o(t.)h(Is)15 b(that)g(prop)q(er?)146 846 y(T)l(o)i(carry)h(matters)f(a) h(step)g(farther,)g(the)g(suggestion)g(has)g(b)q(een)i(made)e(that)f(in)i (the)g(ev)o(en)o(t)f(of)f(a)75 902 y(successful)f(attac)o(k)d(in)j(progress,) d(w)o(e)i(migh)o(t)f(b)q(e)h(justi\014ed)h(in)g(p)q(enetrating)f(the)f(attac) o(k)o(er's)f(computers)75 959 y(under)20 b(the)g(do)q(ctrine)g(of)f (\\immediate)h(pursuit".)33 b(That)19 b(is,)h(it)g(ma)o(y)f(b)q(e)h(p)q (ermissible)i(to)d(stage)f(our)75 1015 y(o)o(wn)d(coun)o(terattac)o(k)f(in)i (order)f(to)f(stop)h(an)g(immediate)h(and)g(presen)o(t)f(danger)g(to)g(our)g (o)o(wn)f(prop)q(ert)o(y)l(.)75 1072 y(The)19 b(legal)g(status)e(of)h(suc)o (h)h(an)f(action)g(is)h(quite)g(m)o(urky)l(,)g(though)f(analagous)g(preceden) o(ts)h(do)f(exist.)75 1128 y(Regardless,)e(w)o(e)f(ha)o(v)o(e)g(not)g (carried)g(out)g(an)o(y)g(suc)o(h)h(action,)f(and)g(w)o(e)g(w)o(ould)h(b)q(e) g(extremely)g(reluctan)o(t)75 1184 y(to;)j(if)h(nothing)f(else,)h(w)o(e)e(w)o (ould)h(prefer)g(to)f(adhere)h(to)g(a)f(higher)h(moral)g(standard)f(than)h (migh)o(t)f(b)q(e)75 1241 y(strictly)e(required)g(b)o(y)f(la)o(w.)146 1300 y(W)l(e)f(do)g(not)g(claim)h(to)f(kno)o(w)f(de\014nitiv)o(e)j(answ)o (ers)e(to)g(these)g(ethical)i(questions.)k(Th)o(us)14 b(far,)f(w)o(e)h(are)75 1357 y(comfortable)g(with)h(what)f(w)o(e)h(ha)o(v)o(e)f(done.)20 b(If)15 b(nothing)g(else,)g(our)f(actions)h(are)f(\(a\))g(harmless,)h(and)f (\(b\))75 1413 y(undertak)o(en)k Fg(only)f Fh(in)i(resp)q(onse)f(to)f(a)g (\\\014rst)h(strik)o(e")f(from)g(the)h(other)f(site.)28 b(But)18 b(w)o(e)f(are)h(willing)i(to)75 1470 y(listen)c(to)f(argumen)o(ts)f(that)h(w) o(e)g(ha)o(v)o(e)g(gone)g(to)q(o)f(far.)75 1630 y Fp(6)69 b(F)-6 b(uture)23 b(Extensions)75 1738 y Fh(There)11 b(are)f(sev)o(eral)g(in)o (teresting)h(w)o(a)o(ys)e(to)h(extend)h(the)f(curren)o(t)g(set)h(of)e (monitors.)18 b(The)11 b(most)e(imp)q(ortan)o(t)75 1794 y(c)o(hange)k(w)o (ould)g(b)q(e)g(to)f(monitor)g(all)i(requests)f(for)f(TCP)g(or)g(UDP)g (services,)i(and)f(not)f(just)h(a)f(select)h(few.)75 1851 y(Curren)o(tly)l(,) j(the)g(gatew)o(a)o(y)e(mac)o(hine)j(is)f(blind)i(to)d(suc)o(h)h(prob)q(es,)g (but)g(the)g(TCP)g(listener)h(on)e(a)h(Plan)g(9)75 1907 y(mac)o(hine)e(has)f (pic)o(k)o(ed)g(up)h(requests)f(for)f(some)h(v)o(ery)f(un)o(usual)i(p)q(ort)f (n)o(um)o(b)q(ers,)g(as)g(part)f(of)g(an)h(apparen)o(t)75 1964 y(attac)o(k[Bel92)o(].)19 b(The)d(ideal)g(w)o(a)o(y)e(to)g(implemen)o(t)j (this)e(monitoring)g(w)o(ould)h(b)q(e)f(for)g(the)g(k)o(ernel)h(to)e(pass)75 2020 y(un)o(w)o(an)o(ted)21 b(pac)o(k)o(ets)g(to)g(a)g(user-lev)o(el)i (daemon,)f(rather)f(than)g(issuing)i(its)f(o)o(wn)f(rejections.)39 b(That)75 2076 y(daemon)19 b(could)h(do)f(what)f(it)h(w)o(an)o(ted)f(|)i (fork)e(a)g(c)o(hild)j(pro)q(cess)e(to)f(handle)j(the)e(connection,)h(issue) 75 2133 y(a)d(reject,)h(log)f(the)h(inciden)o(t,)h(etc.)27 b(Unfortunately)l(,)18 b(no)g(suc)o(h)f(mec)o(hanism)h(exists)g(at)f(presen)o (t)h(in)g(the)75 2189 y(systems)d(w)o(e)g(use.)20 b(W)l(e)15 b(ma)o(y)g(p)q(erform)g(the)g(necessary)g(k)o(ernel)h(surgery)f(some)g(da)o (y)l(.)146 2249 y(Our)20 b(pac)o(k)o(et)g(suc)o(k)o(ers)g(could)h(gather)f(m) o(uc)o(h)g(more)g(information)g(if)h(they)f(had)g(more)g(abilit)o(y)i(to)75 2305 y(resp)q(ond.)e(W)l(e)14 b(do)f(not)h(wish)g(to)f(write)h(custom)f(co)q (de)h(for)g(ev)o(ery)f(p)q(ossible)j(service;)e(ho)o(w)o(ev)o(er,)f(a)g (simple)75 2362 y(script)19 b(in)o(terpreter)g(migh)o(t)g(b)q(e)g(useful.)31 b(F)l(or)18 b(example,)i(the)f Fc(nntp)f Fh(listener)i(could)g(emit)f(the)g (prop)q(er)75 2418 y(greetings,)14 b(thereb)o(y)g(eliciting)i(further)e (input)h(that)e(migh)o(t)h(sho)o(w)g(the)g(real)g(lo)q(cation)h(of)e(the)h (presumed)75 2475 y(securit)o(y)i(hole.)146 2534 y(Along)c(the)f(same)h (lines,)h(w)o(e)f(need)g(b)q(etter)g(facilities)i(for)d(in)o(terp)q(eting)i (RPC)f(requests.)18 b(The)12 b(curren)o(t)75 2591 y(analysis)17 b(program)f(con)o(tains)g(a)h(lot)f(of)g(messy)h(co)q(de;)g(it)g(should)g(b)q (e)g(fairly)h(easy)e(to)g(write)g(a)h Fc(printf)p Fh(-)75 2647 y(st)o(yle)d(in)o(terpreter)g(for)g(the)g(messages.)19 b(A)14 b(b)q(etter)g(reply)h(creator)e(w)o(ould)i(b)q(e)g(useful;)g(for)e(that,)g (though,)75 2704 y(w)o(e)k(migh)o(t)h(b)q(e)g(b)q(est)g(o\013)f(using)h(the)g (real)g(RPC)g(library)l(,)h(our)e(concerns)h(not)o(withstanding.)27 b(It)18 b(migh)o(t)p eop %%Page: 14 14 13 bop 75 49 a Fh(b)q(e)18 b(useful)g(to)f(b)q(eef)h(up)f(the)g Fc(portmopper)f Fh(to)h(resp)q(ond)h(to)e Fc(rpcinfo)23 b(-p)p Fh(;)17 b(w)o(e)g(ha)o(v)o(e)g(seen)h(a)f(few)g(suc)o(h)75 106 y(queries,)f(and)f(our)g(o)o(wn)g(sim)o(ulated)h(attac)o(k)e(scenarios)h (ha)o(v)o(e)g(relied)i(on)e(it.)146 162 y(The)20 b(DNS)h(serv)o(er)f(\()p Fc(named)p Fh(\))f(needs)j(to)d(ha)o(v)o(e)i(logging)f(added)i(as)e(w)o(ell.) 37 b(While)22 b(it)e(is)h(probably)75 219 y(inadvisable)15 b(to)d(note)h(ev)o(ery)g(single)h(request,)f(zone)g(transfers)f(can)h(and)g (should)h(b)q(e)g(logged.)19 b(In)14 b(theory)l(,)75 275 y(v)o(ery)c(few)g (sites)h(ha)o(v)o(e)f(legitimate)i(reasons)e(for)f(examining)j(our)e(zone)h (data,)f(but)h(w)o(e)f(ha)o(v)o(e)g(seen)h(evidence)75 332 y(that)f(crac)o(k)o(ers)g(are)h(already)g(doing)g(so.)18 b(Some)11 b(sites,)h(in)g(fact,)f(already)g(restrict)f(zone)i(transfers,)e(though)75 388 y(do)q(dging)16 b(bugs)f(is)h(the)f(usual)h(reason)f(giv)o(en)h(for)e (suc)o(h)i(p)q(olicies.)146 444 y(W)l(e)22 b(w)o(ould)h(lik)o(e)h(to)e(hear)h (ab)q(out)g(the)f(results)h(of)g(similar)h(monitoring)f(at)f(other)g(sites.) 43 b(Our)75 501 y(exp)q(eriences)19 b(ma)o(y)d(b)q(e)i(at)o(ypical,)g(for)e (a)h(n)o(um)o(b)q(er)g(of)f(reasons.)25 b(W)l(e)17 b(are)g(in)h(the)f(\\)p Fc(.com)p Fh(")f(domain,)h(our)75 557 y(mac)o(hine)h(is)g(listed)h(in)g(the)e (o\016cial)i Fc(hosts.txt)d Fh(\014le,)j(some)e(p)q(eople)i(still)g(think)f (w)o(e)g(are)f(\\the)g(phone)75 614 y(compan)o(y",)f(and)g(w)o(e)g(ha)o(v)o (e)g(published)j(sev)o(eral)d(pap)q(ers)h(describing)h(our)e(securit)o(y)g (arrangemen)o(ts.)22 b(A)75 670 y(small)16 b(univ)o(ersit)o(y)g(mac)o(hine)g (migh)o(t)f(see)h(a)f(v)o(ery)f(di\013eren)o(t)i(pattern)f(of)f(attac)o(ks.) 19 b(On)d(the)f(other)g(hand,)75 727 y(w)o(e)g(ha)o(v)o(e)g(seen)h(enough)g (connections)g(that)f(w)o(ere)g(apparen)o(tly)g(laundered)i(through)e(small)h (univ)o(ersit)o(y)75 783 y(mac)o(hines)i(that)f(w)o(e)h(advise)g(against)f (complacency)l(.)29 b(Others)18 b(rep)q(ort)f(similar)i(phenomena;)g(see,)g (for)75 840 y(example,)d([Ran92)o(].)146 896 y(F)l(or)11 b(serious)i(in)o(v)o (estigations)f(of)g(crac)o(k)o(er)f(b)q(eha)o(vior,)i(a)f(dedicated)h (sacri\014cial)h(mac)o(hine)f(is)f(probably)75 953 y(a)17 b(b)q(etter)f(idea) i(than)f(installing)i(trap)d(programs.)24 b(As)16 b(noted,)h(w)o(e)g(made)g (suc)o(h)g(a)g(mac)o(hine)g(a)o(v)m(ailable)75 1009 y(when)e(trying)f(to)g (trac)o(k)f(Berferd,)i(but)f(it)h(attracted)e(little)i(in)o(terest.)20 b(Our)15 b(new)f(monitors)g(sho)o(w)g(m)o(uc)o(h)75 1065 y(more)h(in)o (terest)g(in)h(it)g(to)q(da)o(y)e(than)h(w)o(e)g(sa)o(w)f(then.)146 1122 y(Despite)h(all)h(this,)g(it)f(is)h(imp)q(ortan)o(t)e(to)h(view)g (securit)o(y)h(in)g(its)f(prop)q(er)h(p)q(ersp)q(ectiv)o(e.)21 b(The)15 b(purp)q(ose)75 1178 y(of)k(our)g(gatew)o(a)o(y)f(mac)o(hine)i(is)g (to)f(pass)g(messages,)h(not)f(to)f(en)o(tice)j(crac)o(k)o(ers.)31 b(W)l(e)20 b(do)f(not)g(w)o(an)o(t)g(to)75 1235 y(sp)q(end)d(more)f(e\013ort) f(\014gh)o(ting)i(them)f(than)g(is)g(necessary)l(.)75 1378 y Fp(7)69 b(Recommendations)257 1479 y Fi(It)13 b(do)q(es)h(not)g(do)f(to)g (lea)o(v)o(e)h(a)f(liv)o(e)i(dragon)e(out)g(of)g(y)o(our)g(calculations,)i (if)f(y)o(ou)g(liv)o(e)g(near)189 1536 y(him.)25 b(Dragons)15 b(ma)o(y)h(not)h(ha)o(v)o(e)f(m)o(uc)o(h)h(real)g(use)g(for)f(all)h(their)h (w)o(ealth,)e(but)h(they)g(kno)o(w)189 1592 y(it)e(to)g(an)g(ounce)h(as)e(a)h (rule.)706 1696 y Fh(J.R.R.)g(T)l(olkien,)h Fg(The)g(Hobbit)146 1800 y Fh(It)f(is,)h(of)f(course,)g(no)h(surprise)g(to)f(an)o(y)o(one)g(that) g(crac)o(k)o(ers)g(are)g(activ)o(e)g(on)h(the)g(In)o(ternet.)21 b(What)14 b(is)75 1857 y(surprising,)i(w)o(e)f(think,)g(is)h(the)f(lev)o(el)i (of)d(activit)o(y)l(.)21 b(W)l(e)15 b(see)g(at)g(least)g(one)g(hostile)h (action)f(a)g(w)o(eek,)g(plus)75 1913 y(sev)o(eral)k(do)q(orknob)g(c)o(hec)o (ks)g(a)g(da)o(y)l(.)31 b Fg(F)m(urthermor)n(e,)20 b(we)g(know)g(of)g(most)f (of)h(these)g(solely)e(b)n(e)n(c)n(ause)h(of)75 1970 y(our)e(monitoring)f(pr) n(o)n(gr)n(ams.)k(No)c(standar)n(d)g(host)g(softwar)n(e)g(we)g(ar)n(e)g(awar) n(e)h(of)f(pr)n(ovides)g(an)f(ade)n(quate)75 2026 y(level)j(of)g(monitoring.) 28 b Fh(More)17 b(precisely)l(,)j(if)e(y)o(ou)g(nev)o(er)g(lo)q(ok)g(out)f (the)h(windo)o(w,)g(y)o(ou)f(will)j(nev)o(er)e(see)75 2083 y(an)o(y)d(dragons.)k(And)d(y)o(ou)f(will)i(nev)o(er)e(kno)o(w)g(if)g(one)h (has)f(decided)i(that)d(y)o(our)h(passw)o(ords)f(are)h(just)g(the)75 2139 y(things)i(to)e(add)h(to)g(its)g(treasure)g(hoard)g(underneath)h(the)f (Moun)o(tain.)23 b(The)16 b(In)o(ternet)g(app)q(ears)h(to)e(b)q(e)75 2195 y(lousy)j(with)h(dragons)p Fa(:)8 b(:)g(:)d Fh(.)28 b(\(N.B.)17 b(W)l(e)h(m)o(ust)f(confess)h(that)f(w)o(e)h(do)f(not)h(visualize)i(these)e (dragons)f(as)75 2252 y(grandiose)e(or)g(magni\014cen)o(t.)20 b(T)l(olkien,)d(of)d(course,)h(sometimes)h(refers)f(to)f(dragons)h(as)f(\\w)o (orms".\))146 2308 y(The)k(most)f(imp)q(ortan)o(t)g(thing)h(that)f(can)h(and) g(should)h(b)q(e)f(done)g(is)h(for)e(v)o(endors)g(to)h(add)g(logging)75 2365 y(to)e(net)o(w)o(ork)f(soft)o(w)o(are.)21 b(Muc)o(h)c(more)f (information)g(needs)h(to)f(b)q(e)h(logged,)g(at)e(the)i(option)f(of)g(the)h (site)75 2421 y(administrator.)25 b(It)17 b(is)g(useful)h(to)e(b)q(e)i(able)g (to)e(log)h Fg(al)r(l)g Fh(incoming)h(connections,)g(with)f(some)f(precis)i (of)75 2478 y(the)f(parameters)g(passed.)26 b(These)17 b(need)h(not)f(b)q(e)h (as)f(detailed)h(as)f(our)g(traps,)g(of)f(course,)i(but)f(should)75 2534 y(con)o(tain)e(the)h(essen)o(tial)g(information.)k(Naturally)l(,)15 b(success)h(or)f(failure)h(should)g(b)q(e)g(indicated)h(as)e(w)o(ell.)146 2591 y(While)22 b(m)o(uc)o(h)f(of)g(the)g(logging)g(can)g(and)h(should)g(b)q (e)f(done)h(in)g Fc(inetd)p Fh(,)f(that)f(is)i(not)f(su\016cien)o(t.)75 2647 y(Other)14 b(programs)e(need)j(to)e(create)g(net)o(w)o(ork)f(log)i(en)o (tries)g(as)f(w)o(ell.)20 b(F)l(or)13 b(example,)i Fc(named)e Fh(should)h(note)75 2704 y(the)i(source)g(of)g(all)h(zone)f(transfer)f (requests.)23 b(\(Optionally)l(,)17 b(suc)o(h)f(requests)g(should)h(b)q(e)g (denied)h(if)e(not)p eop %%Page: 15 15 14 bop 75 49 a Fh(from)14 b(kno)o(wn)g(secondary)g(serv)o(ers)g(for)g(the)g (zone.)20 b(Some)15 b(reasons)f(w)o(ere)g(presen)o(ted)g(ab)q(o)o(v)o(e;)g (others)g(are)75 106 y(discussed)j(in)f([Bel89].\))k(The)15 b Fc(ftp)g Fh(daemon,)g Fc(login)p Fh(,)g(and)g(an)o(ything)h(else)g(that)f (do)q(es)g(authen)o(tication)75 162 y(should)i(note)f(an)o(y)g(session)g (that)f(do)q(es)i(not)e(end)i(in)g(a)f(successful)h(login.)23 b(\(T)l(ruly)17 b(paranoid)f(mac)o(hines)75 219 y(should)h(log)g(ev)o(ery)f (attempt)f(to)h(log)g(in,)h(successful)h(or)e(not.)23 b(But)16 b(caution)h(is)g(indicated;)h(exp)q(erience)75 275 y(suggests)d(that)f(one)h (is)h(lik)o(ely)h(to)e(collect)h(passw)o(ords)e(that)h(w)o(a)o(y[GM84)m(].\)) 146 332 y(W)l(e)g(urge)h(the)g(creation)g(of)f(a)h(standardized)h(logging)f (in)o(terface.)22 b(Do)15 b(not)g(confuse)h(this)h(in)o(terface)75 388 y(with)12 b(the)g Fc(syslog)f Fh(daemon.)18 b(The)12 b(daemon)g(is)g(a)f (mec)o(hanism)i(for)e(collecting)i(en)o(tries,)f(not)g(for)f(creating)75 445 y(them.)23 b(The)16 b(messages)g(w)o(e)g(wish)h(should)g(b)q(e)g(in)g(a)f (form)f(suitable)j(for)d(manipulation)j(b)o(y)e Fc(grep)p Fh(,)g Fc(awk)p Fh(,)75 501 y Fc(join)p Fh(,)h(and)g(other)g(standard)g(to)q(ols,)g (and)g(that)g(will)i(only)e(happ)q(en)i(if)e(they)h(are)e(created)i(b)o(y)f (a)g(single)75 558 y(subroutine.)146 615 y(Standardized)h(\014ltering)f(mec)o (hanisms)h(are)e(also)h(useful.)26 b(Giv)o(en)17 b(the)g(n)o(um)o(b)q(er)g (of)f(daemons)h(that)75 671 y(are)e(useful)i(in)o(ternally)l(,)g(but)e(are)g (susceptible)j(to)d(attac)o(k)f(from)h(outside,)g(man)o(y)g(administrators)g (wish)75 727 y(to)k(den)o(y)h(access)g(to)f(them)h(to)f(outsiders.)34 b(Router-lev)o(el)21 b(\014ltering)g(is)f(insu\016cien)o(t,)i(if)f(for)e(no)g (other)75 784 y(reason)c(than)f(that)h(the)g(routers)f(ma)o(y)g(b)q(e)i(run)f (b)o(y)g(di\013eren)o(t)g(organizations.)20 b(Some)15 b(v)o(endors)g(supp)q (ort)75 840 y(\014ltering)h(in)g Fc(inetd)p Fh(;)e(most)h(do)g(not.)146 897 y(Unless)f(and)f(un)o(til)h(standard)f(logging)h(and)f(\014ltering)h(mec) o(hanisms)g(are)f(created,)g(use)h(of)e(outb)q(oard)75 954 y(programs)k(is)h(a)g(useful)h(stopgap.)25 b(There)17 b(are)f(a)h(n)o(um)o(b) q(er)g(of)g(programs)f(a)o(v)m(ailable)i(to)f(do)g(that.)24 b(One)75 1010 y(lists)19 b(them)e(in)i Fc(/etc/inetd.conf)d Fh(instead)i(of)g(the)g(actual)g(serv)o(er;)g(they)g(create)g(the)g(log)g (message,)75 1067 y(\014lter)e(based)f(on)g(origin)h(address,)f(and)h(only)f (then)h(pass)f(con)o(trol)g(to)f(the)i(actual)f(serv)o(er.)75 1212 y Fp(8)69 b(Conclusions)257 1314 y Fi(\\Nev)o(er)15 b(laugh)g(at)g(liv)o (e)h(dragons,)f(Bilb)q(o)h(y)o(ou)f(fo)q(ol!")20 b(he)c(said)f(to)g(himself.) 706 1422 y Fh(J.R.R.)g(T)l(olkien,)h Fg(The)g(Hobbit)146 1530 y Fh(It)i(is)g(all)h(w)o(ell)g(and)f(go)q(o)q(d)g(to)f(decry)i(computer)f (securit)o(y)l(,)h(and)f(to)f(preac)o(h)h(the)g(religion)i(of)d(op)q(en)75 1587 y(access.)j(Unfortunately)l(,)14 b(there)g(are)g(an)g(increasing)h(n)o (um)o(b)q(er)f(of)g(p)q(eople)i(with)e(access)g(to)g(the)g(In)o(ternet)75 1643 y(who)g(do)f(not)h(share)g(the)f(moralit)o(y)h(necessary)g(to)f(mak)o(e) h(suc)o(h)g(sc)o(hemes)g(w)o(ork.)k(One)d(can)f(assume)g(that)75 1700 y(one)i(is)g(b)q(eing)h(attac)o(k)o(ed;)d(the)i(only)g(questions)g(are)f (ho)o(w,)g(and)h(ho)o(w)f(often.)21 b(\(Just)16 b(who)f(the)h(attac)o(k)o (ers)75 1756 y(are)e(is)h(in)g(some)e(sense)i(unin)o(teresting;)g(if)g(one)f (group)g(passes)g(on,)g(another)g(is)h(sure)f(to)g(tak)o(e)f(its)i(place.\)) 146 1813 y(Our)g(goal)f(is)i(to)e(pro)o(vide)i(information)f(to)f(the)h(comm) o(unit)o(y)l(,)g(and)g(to)f(the)h(prop)q(er)g(authorities,)g(on)75 1870 y(just)j(ho)o(w)h(the)f(crac)o(k)o(ers)g(are)h(op)q(erating.)30 b(Our)19 b(sp)q(eci\014c)i(metho)q(ds)e(are)f(not)g(for)g(ev)o(ery)o(one,)h (but)g(our)75 1926 y(lessons)d(|)f(and)h(our)f(w)o(arnings)g(|)g(are.)75 2071 y Fp(9)69 b(Av)l(ailabilit)n(y)75 2173 y Fh(A)o(t)19 b(this)g(time,)h (neither)g(the)g(gatew)o(a)o(y)d(co)q(de)j(nor)f(the)g(v)m(arious)g(monitors) g(are)g(a)o(v)m(ailable)i(outside)e(of)75 2230 y(A)l(T&T.)c(That)g(ma)o(y)f (c)o(hange)h(in)h(the)g(future.)k(Then)15 b(again,)g(it)h(ma)o(y)e(not.)75 2375 y Fp(10)69 b(Ac)n(kno)n(wledgemen)n(ts)75 2477 y Fh(Bill)25 b(Cheswic)o(k)e(and)f(Diana)h(D'Angelo)g(implemen)o(ted)h(the)f(\014rst)f (hac)o(k)o(er)g(traps)g(on)g(our)h(gatew)o(a)o(y)75 2534 y(mac)o (hine[Che92].)31 b(Bill)21 b(also)e(did)h(a)f(lot)f(of)h(w)o(ork)f (collecting)j(and)e(collating)h(log)f(\014le)h(data)e(for)h(this)75 2590 y(pap)q(er.)h(He)c(and)f(Da)o(v)o(e)f(Presotto)g(designed)j(our)e(o)o(v) o(erall)g(securit)o(y)h(arc)o(hitecture.)146 2647 y(T)l(esting)22 b(the)f(traps)g(describ)q(ed)j(here)e(required)h(mac)o(hines)f(from)f(whic)o (h)h(to)f(launc)o(h)i(sim)o(ulated)75 2704 y(attac)o(ks.)18 b(A)e(n)o(um)o(b)q(er)f(of)g(sites)h(gran)o(ted)e(us)h(access)h(to)e(their)i (systems;)e(w)o(e)h(thank)g(them.)p eop %%Page: 16 16 15 bop 75 49 a Fp(References)137 151 y Fh([Bel89])23 b(Stev)o(en)14 b(M.)f(Bello)o(vin.)20 b(Securit)o(y)14 b(problems)g(in)h(the)f(TCP/IP)f (proto)q(col)h(suite.)k Fg(Computer)296 207 y(Communic)n(ations)d(R)n(eview)p Fh(,)g(19\(2\):32{48,)c(April)17 b(1989.)137 296 y([Bel92])23 b(Stev)o(en)15 b(M.)g(Bello)o(vin.)22 b(P)o(ac)o(k)o(ets)14 b(found)h(on)g(an)g(in)o(ternet,)h(1992.)i(In)e(preparation.)80 385 y([CFSD90])21 b(J.D.)15 b(Case,)h(M.)f(F)l(edor,)g(M.L.)h(Sc)o (ho\013stall,)g(and)g(C.)f(Da)o(vin.)22 b Fg(Simple)17 b(Network)g(Manage-) 296 442 y(ment)f(Pr)n(oto)n(c)n(ol)g(\(SNMP\))p Fh(,)c(Ma)o(y)j(1990.)j(RF)o (C)d(1157.)124 531 y([Che90])22 b(W.R.)e(Cheswic)o(k.)37 b(The)21 b(design)g(of)f(a)h(secure)g(in)o(ternet)g(gatew)o(a)o(y)l(.)35 b(In)21 b Fg(Pr)n(o)n(c.)g(Summer)296 588 y(USENIX)14 b(Confer)n(enc)n(e)p Fh(,)f(Anaheim,)j(June)g(1990.)124 677 y([Che92])22 b(W.R.)15 b(Cheswic)o(k.)20 b(An)c(ev)o(ening)g(with)f(Berferd,)h(in)g(whic)o(h)g(a)f (crac)o(k)o(er)f(is)i(lured,)g(endured,)296 733 y(and)c(studied.)i(In)f Fg(Pr)n(o)n(c.)f(Winter)h(USENIX)e(Confer)n(enc)n(e)p Fh(,)e(San)j(F)l (rancisco,)g(Jan)o(uary)f(1992.)132 822 y([DG87])21 b(Jac)o(k)d(J.)h (Dongarra)e(and)i(Eric)g(Grosse.)29 b(Distribution)19 b(of)f(mathematical)h (soft)o(w)o(are)e(via)296 879 y(electronic)g(mail.)j Fg(Communic)n(ations)c (of)g(the)h(A)o(CM)p Fh(,)c(30:403{407,)f(1987.)125 968 y([GM84])21 b(F)l(red)14 b(T.)g(Grampp)g(and)g(Rob)q(ert)h(H.)f(Morris.)j(Unix)f(op)q (erating)e(system)g(securit)o(y)l(.)19 b Fg(A)m(T&T)296 1024 y(Bel)r(l)d(L)n(ab)n(or)n(atories)f(T)m(e)n(chnic)n(al)f(Journal)p Fh(,)h(63\(8,)f(P)o(art)g(2\):1649{1672)o(,)e(Octob)q(er)k(1984.)127 1114 y([HM91])21 b(Katie)i(Hafner)g(and)g(John)g(Mark)o(o\013.)40 b Fg(Cyb)n(erpunk)22 b(:)35 b(Outlaws)23 b(and)g(Hackers)g(on)g(the)296 1170 y(Computer)17 b(F)m(r)n(ontier)p Fh(.)i(Simon)d(&)f(Sc)o(h)o(uster,)g (1991.)131 1259 y([Joh85])22 b(Mik)o(e)15 b(St.)g(Johns.)20 b Fg(A)o(uthentic)n(ation)c(Server)p Fh(,)e(Jan)o(uary)h(1985.)k(RF)o(C)c (931.)117 1348 y([Mo)q(c87])21 b(P)l(.V.)16 b(Mo)q(c)o(k)m(ap)q(etris.)23 b Fg(Domain)17 b(Names)g(|)h(Conc)n(epts)d(and)i(F)m(acilities)p Fh(,)e(No)o(v)o(em)o(b)q(er)g(1987.)296 1405 y(RF)o(C)g(1034.)173 1494 y([P)o(en])22 b(Jan-Simon)12 b(P)o(endry)l(.)g Fc(Amd)e Fh(|)h(An)g(automoun)o(ter.)f(Departmen)o(t)g(of)g(Computing,)h(Imp)q(erial) 296 1550 y(College,)16 b(London.)134 1639 y([Plu82])22 b(D.C.)c(Plummer.)34 b Fg(Ethernet)21 b(A)n(ddr)n(ess)e(R)n(esolution)h(Pr)n(oto)n(c)n(ol)p Fh(,)g(No)o(v)o(em)o(b)q(er)f(1982.)32 b(RF)o(C)296 1696 y(826.)75 1785 y([PPTT90])21 b(Rob)f(Pik)o(e,)g(Da)o(v)o(e)f(Presotto,)f(Ken)i (Thompson,)g(and)g(Ho)o(w)o(ard)e(T)l(ric)o(k)o(ey)l(.)33 b(Plan)20 b(9)f(from)296 1842 y(Bell)e(Labs.)j(In)c Fg(Pr)n(o)n(c)n(e)n(e)n(dings)e(of) j(the)f(Summer)h(1990)g(UKUUG)f(Confer)n(enc)n(e)p Fh(,)d(pages)i(1{9,)296 1898 y(London,)g(July)i(1990.)c(UKUUG.)121 1987 y([Ran92])22 b(Marcus)17 b(J.)h(Ran)o(um.)28 b(A)18 b(net)o(w)o(ork)e(\014rew)o(all.)29 b(In)18 b Fg(Pr)n(o)n(c.)g(World)i(Confer)n(enc)n(e)c(on)j(System)296 2044 y(A)n(dministr)n(ation)c(and)h(Se)n(curity)p Fh(,)f(W)l(ashington,)g (D.C.,)e(July)k(1992.)137 2133 y([Sto88])k(C.)d(Stoll.)32 b(Stalking)20 b(the)f(wiley)i(hac)o(k)o(er.)31 b Fg(Communic)n(ations)19 b(of)g(the)i(A)o(CM)p Fh(,)c(31\(5\):484,)296 2189 y(Ma)o(y)d(1988.)137 2278 y([Sto89])21 b(C.)e(Stoll.)34 b Fg(The)20 b(Cucko)n(o's)g(Egg:)29 b(T)m(r)n(acking)19 b(a)h(Spy)g(Thr)n(ough)h(the)g(Maze)f(of)g(Computer)296 2335 y(Espionage)p Fh(.)f(Doubleda)o(y)l(,)d(1989.)127 2424 y([Sun90])22 b(Sun)15 b(Microsystems,)e(Inc.,)h(Moun)o(tain)g(View,)g(CA.)k Fg(Network)d(Interfac)n(es)e(Pr)n(o)n(gr)n(ammer's)296 2480 y(Guide)p Fh(,)i(Marc)o(h)g(1990.)k(SunOS)d(4.1.)138 2570 y([T)l(ol65])22 b(J.R.R.)15 b(T)l(olkien.)22 b Fg(L)n(or)n(d)15 b(of)i(the)f(R)o(ings)p Fh(.)j(Ballan)o(tine)e(Bo)q(oks,)d(1965.)138 2659 y([T)l(ol66])22 b(J.R.R.)15 b(T)l(olkien.)22 b Fg(The)15 b(Hobbit)p Fh(.)20 b(Ballan)o(tine)d(Bo)q(oks,)e(1937,)e(1938,)h(1966.)p eop %%Trailer end userdict /end-hook known{end-hook}if %%EOF