
SANS ISC: InfoSec Handlers Diary Blog - When the Hackers Hack Back



When the Hackers Hack Back

Published: 2008-10-10
Last Updated: 2008-10-11 01:59:46 UTC
by Marcus Sachs (Version: 3)

Richard, one of our readers, sent us a very interesting note today.  He was investigating a network in Germany that was known to be a source of evil, and decided to launch an nmap scan as an exploratory measure.  We do not advocate scanning somebody else's network, even if you find that the other network is irritating and dysfunctional.  It is better to work with that network's upstream ISP to see if they can assist in taming the out-of-control network owners.

Here are Richard's comments.  Do not try this from your own corporate network.  The results may be hazardous to your job.

     On the evening of October 7th, I Nmapped a /24 out of Germany that was a known source of malware and general nefarious activities. I saw the usual ports open 22, 53, 80 on most of the machines I scanned.
    After the scan had stopped I closed the command prompt and began to read some late night email. I just happened to glance at my router and saw the receive lights were almost solid green. I opened my web browser and tried to get out to the public network and could not. I suspected something was happening and it was.
     The machines I had scanned were launching a DDoS against my IP address and had basically shut me off from the rest of the world. I turned the interface down and went to bed thinking it might clear up after a while.
    I checked at 3:00 am, and 5:30 am and the attack was still on.
    I logged into my router to look at some logs and could see that the machines were still pumping junk down the wire so I called my upstream and they were of no help at all. It took two hours on the phone before I realized that they were not going to be able to help me so here is what I did:
    Thinking that whoever wrote the [attack] script was bright enough to include resource conservation into their code I figured if I remove all physical connection to the ISP at my house, the script would eventually sense that there no longer was a live host at the other end and it would stop. I wish I had tried this first instead of wasting my time on the phone with my useless ISP. It worked and we were back up after about ten minutes of being uncabled.
     Just to make sure I was correct I went through a second run of this and the exact same thing happened. From this I have learned two things: have a good relationship with your upstreams and be careful what you do late at night.
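
A defender's view of the router-log check Richard describes, as an added example that is not part of the original diary: it groups inbound packets by source /24 so the flood can be put in front of an upstream ISP with numbers. The netfilter-style log format, the `eth0` WAN interface name, the 80% threshold and all addresses (RFC 5737 documentation ranges) are assumptions; the diary does not show what Richard's router logged.

```python
import ipaddress
import re
from collections import Counter

# Netfilter-style LOG line (assumed format; the diary does not show the real logs).
LINE = re.compile(r"IN=(?P<iface>\S+) .*?SRC=(?P<src>\S+) DST=\S+ LEN=(?P<len>\d+)")

def constructed_log():
    """Constructed sample: 10 hosts in one /24 send 300 packets, plus 5 unrelated packets."""
    fmt = "Oct  8 03:00:{:02d} gw kernel: IN=eth0 OUT= SRC={} DST=198.51.100.7 LEN={} PROTO=UDP"
    flood = [fmt.format(i % 60, f"203.0.113.{10 + i % 10}", 1028) for i in range(300)]
    other = [fmt.format(i, f"192.0.2.{i + 1}", 60) for i in range(5)]
    return flood + other

def summarize(lines, wan_if="eth0", prefix_len=24):
    """Count inbound packets, bytes and distinct hosts per source network."""
    pkts, size, hosts = Counter(), Counter(), {}
    for line in lines:
        m = LINE.search(line)
        if not m or m["iface"] != wan_if:
            continue  # not an inbound packet on the WAN side
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed address: skip instead of failing mid-incident
        net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        pkts[net] += 1
        size[net] += int(m["len"])
        hosts.setdefault(net, set()).add(src)
    return pkts, size, hosts

def flood_sources(lines, scanned, min_share=0.8):
    """Report networks that account for at least min_share of inbound packets."""
    pkts, size, hosts = summarize(lines)
    total = sum(pkts.values())
    scanned_net = ipaddress.ip_network(scanned, strict=False)
    rows = []
    for net, count in pkts.most_common():
        if total and count / total >= min_share:
            rows.append({"network": str(net), "packets": count, "bytes": size[net],
                         "hosts": len(hosts[net]),
                         "previously_scanned": net == scanned_net})
    return rows

if __name__ == "__main__":
    for row in flood_sources(constructed_log(), "203.0.113.0/24"):
        print(row)
```

The `previously_scanned` flag records whether the dominant source is the same network that was scanned earlier, which is the correlation Richard made by hand.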

UPDATE 1

Reader Neal sent us some technical tips on how he gets around the problem Richard pointed out above.

After I scan something, or if I suspect I gave out my IP address to someone hostile (email, IRC, etc.), then I immediately change my address BEFORE they have a chance to scan back.

There are a couple of different ways to change your IP address...

Modem: hang up and call back. If your ISP has a phone pool, then you're hopefully on a new address. (Then again, hopefully you're not scanning some /24 from a modem...)

Cable modem: I love this -- the networked DHCP address is actually NOT tied to your account. Your cable modem has a MAC address and non-routable DHCP address that is tied to your account. All you need to do is change your routable network address:

1. Log in to your external firewall (you do have an external firewall, like a Linksys or Dlink, right?).  Change the WAN MAC address.  However, do NOT commit the change yet!  If you reset it now, then you will be unable to connect to your cable modem...

2. Log in to your cable modem and click on the reboot/restart button. This causes it to forget the firewall's MAC address.

3. While the cable modem is shutting down/rebooting, commit the new WAN MAC address to your firewall.

When the cable modem comes up, it will learn the new WAN MAC address from your firewall. This new MAC address will be assigned a new, routable IP address from the cable modem ISP.  You now have a totally new external IP address.  Total offline time should be around 15 seconds.  (I've got it scripted!)

DSL modem: I don't have one, but I'm told it is a similar approach to cable modems or telephone modems (depending on your ISP).

If you have a T1 or T3 or static IP address?  You're screwed.  I recommend playing from a cable modem or DSL where you can change your address.

UPDATE 2

Reader Melvin sent us these comments:

The local DSL-providers require customers to "register" their MAC-address (either over the telephone, or over the web), in order to limit their customers to the agreed-upon "two" IP-addresses for a "residential" account, i.e., two computers, or your main computer and a "spare".

So, if you want to change your IP-address, you first have to tell the DSL-provider what the "new" IP-address will be.
Then, execute the NMAP from your current IP-address, and then log in to your hardware firewall appliance, and change its "WAN" MAC-address to the "new" value, and restart the appliance. The DSL modem does not need to be restarted.

However, the local TELCO also offers an "all-in-one" appliance: wireless-G router, hardware firewall, and 4-port wired router, as an incentive to new customers.  It's much more difficult to change the MAC-address on that appliance.

Heaven help anybody (on dial-up or not) who is the next person to be assigned your "old" IP-address that is being attacked by the "hack-back" people -- you've screwed their network-connectivity, for a while.

Marcus H. Sachs
Director, SANS Internet Storm Center
