Descan your network
- 23 July, 2002 10:20
A small company is about to go live with a big idea that you can greatly benefit from.
The company is Descan.net, and the idea is to identify and halt the "script kiddies" who are infiltrating and subsequently attacking our computer networks.
An example of the kind of attack I'm talking about is the recent infestation known as SQLSnake or Spida, which attempts to take control of systems running Microsoft Corp. SQL Server.
Shortly after security groups sent out their first announcements about SQLSnake on May 20, its probes briefly became the most prevalent attack on the Internet, according to Dshield.org, which monitors such intrusions.
Methodically testing IP addresses around the world, SQLSnake looks for SQL Server machines with a system-administrator account of "sa" and a blank password, which was at one time installed by default. Whether you blame novices who don't know they need to set the password or Microsoft for distributing a product with such a weak default, there are a lot of such systems. The vulnerable components may also be installed by Visio Enterprise Network Tools or Microsoft's Access 2000, Project Central, or Visual Studio 6.
SQLSnake isn't just a harmless nuisance. Once it finds an opening, it sends the vulnerable system's password database to an e-mail address in Singapore. (This address is now shut down, but we may never know how many passwords it received.) Even worse, infected machines begin their own scans. This creates mucho traffic. MyNetWatchman, another monitoring group, at one point detected 300 new servers being infected per hour. (For additional information, see http://www.mynetwatchman.com/kb/security/ports/6/1433.htm and http://online.securityfocus.com/news/444.)

Descan.net is a well-thought-out effort to stop this nonsense. You download a small, free listening agent and install it on a firewall or a machine outside your firewall that's running Linux 2.4 or later. (A version for Windows servers is coming.) The agent reads only one small part of Internet traffic, called the SYN packet, and ignores all other content. This alone is enough to catch scanners.
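To show why looking at SYN packets alone is enough to spot a sweep like SQLSnake's, here is an added example (my own illustration, not Descan.net's agent code): a small Python detector that flags any source whose SYNs reach many distinct hosts on one port within a short window. The SYN log, addresses and timestamps are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Syn:
    """One inbound TCP SYN as a listening agent would record it."""
    ts: float    # seconds since capture start
    src: str     # source IP
    dst: str     # destination IP
    dport: int   # destination port


# Constructed sample: one source probing tcp/1433 across a /24 (the
# SQLSnake pattern), plus ordinary traffic from two other hosts.
SAMPLE_SYNS = [Syn(1.0 + i * 0.1, "203.0.113.7", f"192.0.2.{i}", 1433)
               for i in range(1, 41)]
SAMPLE_SYNS += [Syn(2.0, "198.51.100.5", "192.0.2.10", 80),
                Syn(2.5, "198.51.100.5", "192.0.2.10", 443),
                Syn(3.0, "198.51.100.9", "192.0.2.20", 1433)]


def detect_sweeps(syns, window=60.0, min_hosts=20, port=None):
    """Return {(src, dport): peak_host_count} for every source that sent SYNs
    to at least `min_hosts` distinct destination hosts on one port inside a
    sliding window of `window` seconds. Only SYNs are needed: a sweep shows
    up as breadth of destinations, not as payload content."""
    by_key = defaultdict(list)                    # (src, dport) -> [(ts, dst)]
    for s in sorted(syns, key=lambda s: s.ts):
        if port is None or s.dport == port:
            by_key[(s.src, s.dport)].append((s.ts, s.dst))
    hits = {}
    for key, events in by_key.items():
        start = 0
        for end in range(len(events)):
            # advance the window start so events[start..end] spans <= window
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {d for _, d in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                hits[key] = max(hits.get(key, 0), len(hosts))
    return hits


def alarms(syns):
    """Human-readable alarm lines, one per detected (source, port) sweep."""
    return [f"scan: {src} swept {n} hosts on tcp/{dport}"
            for (src, dport), n in sorted(detect_sweeps(syns).items())]
```

The thresholds (20 hosts in 60 seconds) are arbitrary choices for the example; a real agent would tune them against normal traffic at its vantage point.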
Descan.net engineering manager David Graves says there are hundreds, not thousands, of bad actors in the world, and they can be stopped. The company's logs show that its agent issued an alarm about SQLSnake probes on April 27, more than three weeks before the first public warnings.
Richard Leeds, chairman of Descan.net, says ISPs and the FBI could use these alarms to shut down and prosecute offenders. The for-profit company plans to sell add-on services to ISPs and corporations, which means Descan.net will have enough revenue to continue supporting its agent.
I'll have more next week, but meanwhile go to http://www.descan.net/joinin.html and get the code.