Responding to a Security Incident

I spend a good chunk of my time on mailing lists and organizations concerned with monitoring hacker activity. Such lists are the INCIDENTS list from SecurityFocus.com and the SANS GIAC effort, providing a daily update of hacker activities from various parties around the world. Often, the question of the value of reporting an incident is debated. I routinely counsel people to report most incidents they see. What this does for the ISP is help them gather information about a set of independently correlated data about a nefarious customer or a compromised machine on their network. Just don't expect much to be done about it. Most ISPs don't react and aren't very neighborly. Some of us in the business routinely block entire networks from connecting to our networks based on their patterns of allowing unseemly activity to continue.

We'll not go into detecting incidents, but we will define them as port probes, port scans, denial of service (DoS) attempts and unauthorized access attempts. Each of these warrants investigation, some more than others. Combining intrusion detection software with log analysis (which you should be doing anyhow), these events should stand out.

We'll start with a simple detect and extract information from it, deciding how best to proceed. This first one is a log message of a refused connect request from a service, wrapped using TCP wrappers (tcpd). As of this writing, FTP sweeps are all the rage:

   $ grep refuse /var/log/secure
   Nov 8 15:26:31 linux ftpd[3689]: refused connect from
   7dyn94.ztm.casema.net
 

TCP_wrappers makes an excellent basic intrusion detection system, logging both successes and failures. You should be using at least TCP_wrappers for access control and minimizing what services people can connect to at all.

A brief note about connection attempts: One important thing that gets overlooked by the casual paranoid Internet user is the threshold of what defines a probe or an attack, and what is worth reporting. Usually it's not worth reporting SMTP (port 25/TCP) or HTTP (port 80/TCP) probes, unless you can demonstrate that it was more than a simple connection attempt. Why? Say I see you on a chatline, and I want to send you some mail directly or see if you have an interesting web site. If you are blocking those requests, they would show up as port probes. But they're usually more innocent than they may appear. The same goes for ping requests (ICMP_ECHO), which are used, for example, in gaming and Napster to determine latency. Don't get in a tizzy about simple things; focus on actual intrusion attempts, like an FTP exploit or a network sweep for a service.

One of the first things we do is map an IP address to that hostname. I prefer to work with IP addresses rather than hostnames, as sometimes ISPs will sell their netblocks in smaller quantities, yet retain administrative control of them.

   $ nslookup 7dyn94.ztm.casema.net
   
   Name: 7dyn94.ztm.casema.net
   Address: 212.64.110.94

Now we begin to dig around for domain information using this network address. You can use command line "whois" information to find out about this network address.

Two different major types of databases exist, depending on if you are searching by hostname or network addresses. Network names are handled by registries like Network Solutions, and network numbers are handled by the ARIN (American Registry of Internet Numbers) database. Because we're using a network number, we'll be using the ARIN database, but we'll do both to illustrate how it is done.

A quick note on using whois. You can specify query@whois-engine using fwhois, which is very common on Linux boxes. However, this doesn't work on normal whois clients. You have to use the -h whois-engine option, instead. Hence, the queries fwhois domain.com@whois.networksolutions.com and whois -h whois.networksolutions.com domain.com are equivalent. In these examples, we'll be using the fwhois command-line tool or web-based whois searches, and whois is just a symbolic link to fwhois.

First, the ARIN search:

   $ whois 212.64.110.94@whois.arin.net
[whois.arin.net]
European Regional Internet Registry/RIPE NCC (NET-RIPE-NCC-)
   These addresses have been further assigned to European users.
   Contact information can be found in the RIPE database, via the
   WHOIS and TELNET servers at whois.ripe.net, and at
   http://www.ripe.net/db/whois.html
   Netname: RIPE-NCC-212
   Netblock: 212.0.0.0 - 212.255.255.255
   Maintainer: RIPE
   Coordinator:
      RIPE Network Coordination Centre  (RIPE-NCC-ARIN) nicdb@RIPE.NET
      +31 20 535 4444
Fax- - +31 20 535 4445
   Domain System inverse mapping provided by:
   NS.RIPE.NET                  193.0.0.193
   NS.EU.NET                    192.16.202.11
   AUTH03.NS.UU.NET             198.6.1.83
   NS2.NIC.FR                   192.93.0.4
   SUNIC.SUNET.SE               192.36.125.2
   MUNNARI.OZ.AU                128.250.1.21
   NS.APNIC.NET                 203.37.255.97
   To search on arbitrary strings, see the Database page on
   the RIPE NCC web-site at http://www.ripe.net/db/
   Record last updated on 16-Oct-1998.
   Database last updated on 9-Nov-2000 07:02:34 EDT.
The ARIN Registration Services Host contains ONLY Internet
network information: Networks, ASNs and related POCs.
Use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

Aside from all the extraneous information, we can see from this record that ARIN doesn't handle exact information for this network block. We'll then use network name in a query:

   $ whois casema.net@whois.networksolutions.com 
Registrant:
N.V. Casema (CASEMA-DOM)
   P.O. Box 345
   Delft, 2600 AH
   THE NETHERLANDS
   Domain Name: CASEMA.NET
   Administrative Contact:
      Network Operations Centre  (NOC137-ORG)  domain-tech@EURO.NET
      EuroNet Internet BV
      Muiderstraat 1
      Amsterdam
      NL
      +31 20 5355555
      Fax- +31 20 5355400
   Technical Contact, Zone Contact:
      Davids, Marco  (MD2446)  domaintech1@CASEMA.NET
      N.V. Casema - IKC
      Brassersplein 2
      Delft
      ZH
      2612 CT
      NL
      +31(0)15 8881000 (FAX) +31(0)15 8881099
   Billing Contact:
      Finance Departement  (FD5-ORG)  nic-invoices@EURONET.NL
      EuroNet Internet BV
      Postbus 11095
      Amsterdam
      NL
      +31 20 5355555
      Fax- +31 20 5355400
   Record last updated on 13-Jun-2000.
   Record expires on 30-Jan-2001.
   Record created on 28-Jan-1997.
   Database last updated on 7-Nov-2000 19:15:09 EST.
   Domain servers in listed order:
   NS.CASEMA.NL                 195.96.96.97
   NS1.CASEMA.NET               195.96.96.33

We now have the information we need to proceed. We'll be sending our memo to the addresses listed as the billing contact, technical contact and the administrative contact. For good measure, we'll toss in the often used addresses security@ and abuse@, hopefully targeting the right people.

Additional information you may want to gather include a traceroute to find their upstream network providers and the AUP (acceptable use policy) of the ISP. Usually digging around on www.domain.com can turn it up. Rarely do ISPs have hacker-friendly AUP terms, but it's been known to happen.