The Net's new Neighborhood Watch

Knock, knock. Who's really there? Small businesses and home users flock to a new site that aims to identify the Net's shady characters.
Written by Robert Lemos, Contributor
It's a recipe for paranoia: Take a garden-variety PC, connect it to the Internet over a high-speed line, and add a personal firewall.

With red flashing icons and dialog boxes warning of more intrusions than they ever dreamed existed, it's easy for users to feel besieged. Suddenly, it feels like the entire world is knocking at their PC's electronic door.

The difficulty in separating real attackers from things that go bump in the night could make even Netophiles hit their PC power switches in panic. What makes things worse is that reports of such incidents to Internet service providers (ISPs) are, more often than not, met with silence.

For Johannes Ullrich, part-time consultant and full-time webmaster, not knowing who or what was knocking called for action.

"It was just seeing on my own firewall at home -- seeing how many hits a day you get from script kiddies, and finding a way to react to that," Ullrich said. "Initially, I reported it to ISPs, but most of the time you never get any response."

Tired of being ignored, Ullrich created Dshield.org.

The 2-week-old site aims to pinpoint the Internet addresses from which Web vandals and network intruders launch attacks. It could become the public equivalent of the information sharing and analysis centers, or ISACs, that major industries are forming to protect themselves.

Home users: A danger to the Net?
Most users connected to the Internet through a cable modem or a digital subscriber line (DSL) are still unaware of the potential for regular attacks on their systems.

Script kids, Web vandals, and the occasional cybercriminal scan vast numbers of computers on the Internet, looking for the few vulnerable to a particular security hole. Their frequent targets are Windows computers with file-sharing enabled without a password or PCs with connections left open by Trojan horses that have already compromised a system.

For script kids and vandals, it's a game of percentages.

While less than 1 percent of all computers connected to the Internet may be vulnerable to a single exploit, by scanning a million computers, network attackers can still find a few thousand PCs that have a particular flaw.

While an indiscriminate technique, such as scanning, isn't useful in taking over a particular computer, it does allow the Net's scofflaws to control a pool of machines from which to launch other, more serious attacks.

Several of the denial-of-service attacks that slowed -- and in some cases, ceased -- the information flow to several major Internet sites in February were found to have been launched from the compromised machines of home users.

Internet providers overwhelmed
The percentages work against the ISPs that provide connectivity to most home and small-business users.

Major cable providers, such as Excite@Home (with more than 2.3 million users) and RoadRunner (with about half that), are unable to handle the thousands of complaints about problems that could be caused by a serial attacker or normal Internet traffic. Providers of high-speed DSL service are in the same boat.

"If someone scans million and millions of computers, and only one-tenth of 1 percent complain to the ISP, that's still thousands of letters generated by one guy," said Gregor Freund, president and founder of firewall maker Zone Labs Inc.

Zone Labs contributes quite a bit to the Internet provider's mailbag, too. ZoneAlarm, the company's personal firewall, is currently being used on almost 6 million desktops and tends to warn users of many access attempts that are legitimate Internet traffic.

Most users would rather have a program that acts like a suspicious sheriff in a small town, but the abundant warnings create a problem. Dshield.org, billed as a distributed intrusion detection system, is an attempt to solve that problem.

The site collects voluntarily submitted logs produced by a user's firewall. Each log lists the Internet addresses that have attempted to contact the user's computer from the Internet over a certain period of time.

"Many people sent these logs to the ISPs, but the ISPs are flooded by such requests," said Dshield.org's Ullrich, who had previously created a help site for cable-modem users. "I set this up as a clearinghouse of the firewall logs."

Such connections can be the sign that a hacker is probing a user's computer to test for vulnerabilities, but are more often just legitimate traffic on the Internet. Each address could be a Web server checking to see if the computer is still online, a chat server sending a "hello," or a company doing a survey of the PCs connected to the Internet.

Yet, the address also could be an attacker's scanner software looking for chinks in the user's digital armor.

A typical scanner tries to connect to one of a computer's virtual "ports" -- each of which represents a service such as file sharing, a Web server, or printing -- that the computer is offering to others over the Internet. Which port numbers go with which services is something that has been standardized within the Internet community to prevent confusion.

By comparing hundreds of logs of Internet addresses attempting to connect to ports, it is possible to cull serial offenders from the data. The addresses that show up most frequently may belong to someone who is doing the equivalent of rattling the virtual doorknobs of a series of Internet addresses.

Already, the site lists the top 10 addresses from which users are scanned as well as the top 10 ports to which other computers are attempting to connect.

"The basic intent is great," said Zone Labs' Freund, who compared the site to a Neighborhood Watch program.

However, Freund pointed out that the site has major problems as well.

Problems with public service
Freund's largest concern is that the firewalls only keep track of the connection attempts that do not get through. That is, even if the attackers on the other end are scanning for vulnerabilities, if they don't get into the PC, they've done nothing wrong.

"Good security products will not allow the connection, so you never had a break-in that needs to be punished," he said.

One solution to that problem: Zone Labs is marketing a version of its ZoneAlarm firewall that can be configured to let attackers in on certain ports. Called a "honey pot," such software allows network administrators to catch intruders in a trap.

Another major issue: Ullrich's site will accept any data, even if it is forged, said Jim Jones, director of response services for Global Integrity, which manages the Worldwide Information Analysis and Response Center.

"The submission is not secured in any way, so misinformation is possible," he said. "It's a fundamental problem in a public reporting scheme like this."

Such misinformation has already plagued the site. Last week, an address belonging to Internet services firm Verio Inc. hit No. 1 on the site's top 10 list of offenders. When notified of the incident, a Verio spokesperson said that no other complaints had been directed at the owner of the address.

Another address that bubbled to the top of the list belonged to a site that scans a computer at the request of the computer's owner. Called HackerWhacker, the site's owners said that the Internet address that made the list is actually an old one no longer used by HackerWhacker.

The public nature of Dshield.org makes it much more difficult to ensure that its data is reliable. In an ISAC, every corporate subscriber to the service must digitally sign any submissions. In addition, the ISAC subscribers also outline any attacks on their networks, so that others in the group are warned.

Evading detection
Smart attackers will also be able to confuse or bypass the system, said "Weld Pond," a white-hat hacker (one who works to improve security) and manager of research and development for security firm @Stake Inc.

For example, several utilities let the attacker send out fake source addresses with the data used to scan PCs on the Internet. If one in every 10, for instance, uses the attacker's true address, then that increases the data that users have to look at tenfold.

"You can hide among several other addresses," said Weld Pond.

Ullrich admits that the site has a long way to go before it is truly useful, and may never be foolproof.

"Dshield won't have the same data quality (as an ISAC), but it could have a similar effect in helping home users and businesses find the true threats," he said.

Already, Ullrich has made authenticating the submissions of users a high priority.

Despite its problem, Dshield.org may be the solution that users need, Ullrich said. "They weren't asking for it, but security has been a big concern."

Editorial standards