Internet Holes - Internet Lightning Rods

Copyright (c), 1996, Management Analytics - All Rights Reserved

Series Introduction

The Internet is now the world's most popular network and it is full of potential vulnerabilities. In this series of articles, we explore the vulnerabilities of the Internet and what you can do to mitigate them.


Background

We don't protect buildings from lightning by making them lightning proof. We do it primarily by using lightning rods. Just as the lightning rod attracts the lightning thus reducing the number of lightning strikes against a building, an Internet lightning rod can attract attackers thus reducing the number of attacks against real targets.

The all.net site has been an Internet lightning rod for some time, absorbing up to several thousand attempted entries per day that would otherwise strike elsewhere. This achieves the dual purpose of reducing the available population of attackers to strike other sites and providing a healthy environment for testing out new defenses.

But unlike the lightning that strikes houses, Internet attackers are not random. They tend to strike targets based on other criteria. To be an effective lightning rod on the Internet, you have to entice the attackers to go after you instead of other sites.

Now that the all.net site is shut down, more of its story can be told.

The all.net Story

All.net was originally created with the intent of making it into an ISP, but after 6 months of craziness, the business from which it was formed tore itself apart from the inside. As an outside advisor to the board, I ended up the owner of the computer that formed all.net and the all.net hostname in lieu of some consulting fees.

The computer in question was a 12-year-old used Sun computer with several problems - no backups and no backup capability - a broken backplane that made additional disk space impossible - no way to restore the operating system if the system crashed - no manuals - no maintenance - and no prospects for improvement. As a gift, one of our supporters provided an Ethernet converter to let us connect the all.net computer to our local area network for short periods to permit backups over-the-wire. While a full system crash could not be recovered from, at least we had the ability to store and retrieve user files if necessary.

The decision was made in about January of 1995 to turn all.net into an information security site. Using some research tools that I had developed over the years, I put a substantial collection of on-line info-sec information onto the all.net computer and opened info-sec heaven. There were 3 goals: (1) to provide refereed-journal-quality information on information protection to the Internet, (2) to provide a testbed for experimenting with Internet protection issues, and (3) to openly support the position that low-cost, well-thought-out defense could win out over the sorts of attacks and attackers in the Internet.

As it turns out, goals (2) and (3) go together rather well, because if you actively support the contention in (3), you are guaranteed to be in the business of being attacked. This leads to an ideal environment for experimentation with defense against real-world attacks of the sort likely to occur in the Internet environment.

During the 1.5 years of experimentation, we ran a wide range of experiments, from technical experiments on vulnerability rates to social experimentation to see how select elements of the Internet community act in response to different stimuli. Many of these results have been published elsewhere, including in several articles in this series.

As time passed, one of our priorities became attracting large-scale attacks by angering a wide range of known groups that tend to attack Internet sites. These included several hacker groups, the Warez people, self-proclaimed freedom-of-expression advocates (the ones that want free expression for themselves but attack other sites when their users freely express themselves), select portions of the amateur cryptographic community, and the "information wants to be free" groups that struggle to free confidential information from its bondage by information security specialists. This effort had several purposes including but not limited to: (1) experimenting with the quality of our prevention, detection, and response systems, (2) testing theoretical models of multi-hop incident response to DCAs, (3) getting statistics on the sorts and sources of attacks in the Internet environment, and (4) drawing attacks away from less well defended sites.

The rest of this article is about drawing attacks away from other sites by creating an attractive target.

The History of Honey Pots

So-called honey pots have been used for a long time as a means to demonstrate the existence of attackers and to draw attacks away from higher valued targets. The basic idea is to create a target that entices attack. Attackers spend time on the honey pot instead of the real target, thus reducing the threat to the real target. The honey pot can be very well defended and instrumented so as to both prevent damage and learn about the attacks underway. In some variations, the honey pot is left open to select attacks so that it yields small quantities of reward to attackers, thus enticing further attacks and keeping attention focused on the desired target.

Within the Internet today, advanced firewall technologies allow honey pots to be provided to all but authorized users. While authorized remote IP addresses get access to authorized services on the real service provider's machine, unauthorized sites get access to the honey pot instead. This legitimate use of IP address forgery provides a more secure environment by redirecting many attacks, just as a lightning rod redirects lightning around protected structures. Hence, the relationship between lightning rods and honey pots.

Implementing Simple Lightning Rods

Most attackers, like most lightning, follow the path of least resistance based purely on local optimization. The honey pot is one way to provide a low resistance path for Internet lightning to follow. Thus honey pots provide some useful wiring for the lightning rod.

IP Address Forgery for Lightning Rods

A very effective technique for implementing a lightning rod is to use a router that uses source addresses to make routing decisions. This may seem a bit strange to many network engineers because a primary concern of designing a working network is to assure that packets get routed to the proper destinations, but in the case of a lightning rod, we have a different goal. The goal is to shunt undesired traffic away from the target. One of the best ways to differentiate undesired traffic from desired traffic is based on the source address.

The basic scheme for this lightning rod technology is to have a screening router route packets into one of two subnetworks based on their source address. If the source address is undesirable or the packet content is undesirable, the packets are shunted into a subnet with a honey pot or similar system designed to deal with improper access requests. If the source address is desirable and the content is appropriate, the packets are routed into the legitimate service subnet.

If each of the subnets has a computer asserting to be the destination address of the target machine, one of them is, in essence, a forgery. In this case, it is a forgery that acts as a lightning rod.

Some Other Lightning Rod Architectures

There are a lot of ways to implement lightning rods. The IP address forgery technique described above uses hardware to address the issues, but several inexpensive software solutions also exist.

For example, using TCP wrappers, it is straightforward to identify remote users and computers and shunt undesired access. Several of the defenses we experimented with used this sort of decision procedure. This defense is at the system services protocol layer.

At the application layer, further controls have been demonstrated, including authentication and encryption, such as those in STEL and similar secure IP applications, and content-based controls, like those in our experimental SMTP front-end.

Some Lightning Rod Principles

For performance and security reasons, it is almost always better to shunt things away closer to their source. As shunting gets closer to the target, it consumes more and more resources (including bandwidth), and this can be used in a denial of services attack. Similarly, the closer a packet comes to the target, the more hardware and software is involved in the decision process. As a result, there is usually more potential for exploitation.

Stretching this principle a little bit further, an ideal lightning rod pulls attacks away before they ever get to your site. This is what the all.net and similar enticing targets can provide.

In a typical multi-layer defense, redundant shunting takes place. For example, at the network router, you might shunt all traffic except from authorized sites using authorized protocols. Then at the TCP wrappers layer, you might again shunt unauthorized traffic using similar rules.
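
The redundant shunting described above, together with the source-address routing and TCP wrappers decisions from the earlier sections, can be modeled as a two-layer decision procedure. This is an added example, not code from the all.net site; the address ranges (documentation prefixes), the policy tables and all function names are assumptions, and it models only source address and destination port, not packet content.

```python
import ipaddress
from collections import Counter

# Constructed policy for illustration only (documentation address ranges).
ROUTER_ALLOW = [  # layer 1: (authorized source network, authorized port)
    (ipaddress.ip_network("192.0.2.0/24"), 25),
    (ipaddress.ip_network("198.51.100.0/24"), 23),
]
WRAPPER_ALLOW = {  # layer 2: service -> authorized source networks
    "smtp": [ipaddress.ip_network("192.0.2.0/24")],
    "telnet": [ipaddress.ip_network("198.51.100.16/28")],  # narrower than layer 1
}
PORT_TO_SERVICE = {25: "smtp", 23: "telnet"}

def router_layer(src, dport):
    """Screening router: choose a subnet from source address and port."""
    addr = ipaddress.ip_address(src)
    for net, port in ROUTER_ALLOW:
        if addr in net and dport == port:
            return "service-subnet"
    return "honeypot-subnet"

def wrapper_layer(src, dport):
    """Host-level check in the style of TCP wrappers, applied after routing."""
    service = PORT_TO_SERVICE.get(dport)
    addr = ipaddress.ip_address(src)
    if service and any(addr in net for net in WRAPPER_ALLOW.get(service, [])):
        return "real-daemon"
    return "decoy-daemon"

def shunt(src, dport):
    """Return (layer that made the final decision, where the traffic ends up)."""
    if router_layer(src, dport) == "honeypot-subnet":
        return ("router", "honeypot-subnet")
    return ("wrapper", wrapper_layer(src, dport))

SAMPLE = [  # constructed connection attempts: (source address, destination port)
    ("192.0.2.10", 25),      # authorized at both layers
    ("203.0.113.5", 25),     # unknown source: shunted at the router
    ("198.51.100.200", 23),  # passes the broad router rule, caught by the wrapper
    ("192.0.2.10", 23),      # authorized source, unauthorized protocol
    ("198.51.100.20", 23),   # authorized at both layers
]

def summarize(attempts):
    """Count final destinations so the shunted share is visible."""
    return dict(Counter(shunt(src, dport)[1] for src, dport in attempts))

if __name__ == "__main__":
    for src, dport in SAMPLE:
        print(src, dport, shunt(src, dport))
```

The third sample shows why the second layer is worth having: the router rule is broader than intended, and the wrapper-style check still diverts the connection to the decoy.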

Limitations of Lightning Rods

Internet lightning rods, like electrical lightning rods, have limitations. Some of them include:

Attracting Lightning

Unlike lightning rods that protect buildings against accidental events, Internet attacks are concentrated against sites that appeal to attackers. For a lightning rod to be effective, it must attract attack away from the real targets.

In the case of a lightning rod such as the one provided by all.net, an important key to success is attracting as many attackers as possible from the overall Internet target audience. A special purpose lightning rod designed with corporate protection in mind would be quite different than one for a military application or the all.net lightning rod designed for the Internet at large. Although the technology of these lightning rods may be similar, a major point of differentiation is the bait used to attract the lightning.

Aspects of Deception

In essence, a lightning rod is a technique of deception. Using Dunnigan and Nofi's classification scheme [Dunnigan95], here are the ways that Internet lightning rods are used to practice deception:

The all.net Example

At all.net, over the year of our experiments, we became very good at attracting lightning.

A good starting point was openly telling those who read many of the more radical Internet publications that we thought the best attackers couldn't do much against even moderately good defenders. Of course we had somewhat better-than-average defenses, but as far as the attackers were concerned, this was a challenge to their ego. In many cases, it was a matter of great pride to claim to have successfully attacked all.net. None of the attackers broke in.

Some of the other things we did that attracted lightning included:

One of our proudest days as a lightning rod came at the spring Computer Security Institute conference in San Francisco. There, an international group of crackers in a teleconferenced birds-of-a-feather session responded to a question about the sites they most wanted to break into by citing all.net as their prime Internet target. Attackers from all over the world agreed that their favorite place to spend time trying to break in was the all.net site. If only we charged a fee for every attack not directed against another site because the attackers were wasting their time on us...

Summary

Lightning follows the path of least resistance, and so do most attackers. By providing an easy way to satisfy attackers without doing any real harm, you may be able to substantially reduce the number of attacks you encounter. Implementing Internet lightning rods is well within the current technology, and they are a viable solution for some of today's challenges in Internet security.
