What The IPS Saw

Researchers have drilled down into billions of alerts from intrusion prevention system (IPS) worldwide in an effort to get better picture of the anatomy of today's attacks.

The preliminary findings shed light on spikes in attacks, as well as the source of the types of attacks plaguing organizations. HP researchers Sathya Chandran Sundaramurthy and Sandeep Bhatt of HP Labs, and Marc Eisenbarth of HP TippingPoint, analyzed more than 35 billion alerts issued by its TippingPoint IPS devices between 2007 and 2012 at more than 1,000 of its customer sites around the world, and plan to present their findings at a big data conference next month called BADGERS'12 in Raleigh, N.C.

One thing they found: those old-school attacks like SQL Slammer are alive and well. The HP researchers saw the IPSes triggered alerts for the near-decade old Slammer worm more than one hundred times as much as any other threat. "In fact, Slammer accounts for almost 2% of all alerts raised by 6,000 filters over the 5 year period," the researchers wrote in their paper.

More than half of its customers had a Slammer infection, followed by Nimda (46 percent); Back Orifice (31.4 percent); Storm (8.29 percent); and Code Red (2.29 percent). Slammer, which was first discovered in 2003, was spotted in HP's data set in January of 2009, and hasn't been seen since mid-February of this year, the report says. The alerts for the worm hit a high of 42 million on February 15, 2011.

"There have been reports ... that Slammer activity, which always exists in the background, dipped significantly between March 1 and April 12, 2011. This is consistent with our findings; it is likely that, in response to the February 15 spike, administrators initially took measures to weed out Slammer infections," the researchers said. "Many people have noted that Slammer persists on the Internet as a sort of background radiation and our results are consistent with this, except for a specific high volume denial-of-service attack using the Slammer payload targeting just one customer. While it is certainly possible that the target was a vulnerable instance of Microsoft SQL Server, it is also quite possible that the intended victim was a piece of security or networking equipment in hopes that it could not keep up with the attack volume."

Bob Walder, chief research officer for NSSLabs, says the phenomenon of old-school malware re-emerging is a good reality-check. "The frequency and volume of probes from machines infected by 10-year old malicious code is a constant source of amazement, and a reminder that some of these machines may never be disinfected, at least not until they simply die of old age," says Bob Walder, chief research officer for NSSLabs. "It is also a salutary reminder that when choosing a security product like an IPS it is important to verify that the vendor does not age out older signatures too aggressively in order to improve performance of the product. SQL Slammer is showing no signs of dying out, and even old chestnuts like the LAND attack can reemerge as programmers forget lessons learned years ago. If any IPS vendor tries to tell you that old vulnerability signatures don't matter, it is time to run far, run fast."

The IPS alerts also provided a glimpse into how attackers respond to vendors disclosing and patching their bugs. It basically illustrated the concept of Exploit Wednesday, the day after Microsoft's Patch Tuesday release. The data shows in some cases, a vendor's patch results in jump in exploit attack attempts, researchers say. HP TippingPoint's IPS had a filter back in 2005 to detect some JavaScript bugs in Mozilla Firefox, Thunderbird, and SeaMonkey that had not yet been patched by the company. Mozilla issued a fix for the bugs in April of 2010: and it was then that the IPS spit out a wave of alerts about attacks it detected exploiting those bugs: "The number of alerts increased after the patch release date, while there was very little activity for the prior years," the researchers said in their report.

When Microsoft on October 12, 2010, issued a patch for its Extended OpenType fonts flaw, the IPSes detected a massive increase in exploit attempts. (TippingPoint had a filter to detect exploits of the flaws back in 2006). "We believe that attackers became aware of this vulnerability and started hosting malicious websites that contain EOT fonts crafted and embedded in a way that would compromise Windows client machines," the researchers wrote. "Even though the filter just detects the download of EOT font over the network (which could be benign), the fact that the download increased after a patch disclosure is suspicious."

[UPDATE]: HD Moore, CSO of Rapid7 and chief architect of the Metasploit Project, says while it's true that patches often drive exploitation, there are a few catches here. "Notably, IPS signatures are frequently subject to false positives. My hunch is that most of the pre-disclosure and post-disclosure baseline levels of alerts are actually false positives with those specific filters," Moore says. "I saw this firsthand while testing IPS products at BreakingPoint -- sending enough random data for a long enough period of time results in all sorts of signatures firing on benign traffic. The nature of client-side exploits ... is that evasion is incredibly easy: the true level of attacks could be much higher, but hidden in gzip compression, chunked encoding, JavaScript encoding, SSL, and other forms of evasion, all of which are common in typical drive-by attacks."

NSSLabs' Walder says exploit spikes are inevitable after vulnerabilities get disclosed. "Many of these will be successful as security practitioners struggle to keep up with patching vulnerable software deployed on their network, or are unable to do so due to vulnerabilities being disclosed without first giving the software vendors time to formulate a fix," Walder says.

Take the recent Java exploit exposed last month, which quickly was added to the BlackHole crimeware kit and the open-source Metasploit penetration testing tool. "Within days, it [the exploit] became a major threat to Internet users," he says.

[Hundreds of domains serving up attack, tens of thousands of new victim machines since Java exploit was added to BlackHole toolkit. See New 'Reliable' Java Attack Spreading Fast, Uses Two Zero-Day Bugs.]

That's where IPSes with timely signatures can come in handy as a stopgap measure prior the release and application of a patch. "When purchasing an IPS, it is very important to focus on the signature-writing capabilities of the vendor, whether or not they have a history of producing timely and accurate updates, and whether their signatures are vulnerability- or exploit-focused," he says.

[UPDATE]: Rapid7's Moore says he'd like to see more analysis of the initial IPS data from HP. "I would love to see a deeper dive into this data with more clear-cut examples of the pre-disclosure and post-disclosure periods. The report includes a lot of great data to chew on, but I don't believe they make a compelling case for post-patch exploitation increases today," he says.

The researchers say they plan to continue their analysis, according to the report.

Moore says the publication of HP's analysis of the data was intriguing. "The most surprising thing about this report was the fact it was released at all. It is amazing that 1,000 of TippingPoint's customers agreed to provide their IPS alert data for this analysis," he says.

HP's research paper is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.