Network Breaches Blamed on Curious Source

There is no law against port scanning. Although snooping around someone
else’s network is frowned upon and certainly poor Netiquette, there is no
legal authority to call upon until a crime is committed.

But what action should be taken when a network intrusion appears to have
originated at Network Solutions? For that matter, what would be a
legitimate reason for Network Solutions to scan someone’s network?

Jason Straight is looking for answers to each of these questions. Straight
is the Chief Network Engineer at Northern Michigan Online. He has recently
identified that several attacks made on his network potentially originated
from Network Solutions.

Port scanning is like someone knocking at your door: they could deliver
pizza or flowers, turn and run away before you answer, or violate the
sanctity of your home and your privacy.

Sites that spider the Web may sound off an intrusion alarm, but that
doesn’t make them bad. The same alarm would sound from a malcontent seeking
a way to exploit security holes in a network, as it would for a benevolent
watchdog group looking to point out flaws and shore up Net security.

If a network server detects a port scan, one could argue that the act was
in effect a denial-of-service attack, which is a punishable offense. Detail
from a log file can show a great deal about the network snoop, even if the
intruder tries to disguise the source, but the data cannot show the intent
behind the act.

Network Solutions, Inc. is
the world’s largest registrar with more than 10 million domains in its
grasp since 1993. It has recorded data for maintaining the .com,
.net and .org top level domains, as well as access to more
than 200 country-code domain names.

The firm provides access to the dot com directory, one of the largest
“find engines” on the Net, and Network Solutions continues to play a
critical role developing the infrastructure of the Internet as we know it.

“On three different occasions and on two different servers more than 50
simultaneous connections completed the scans,” Straight said.

Straight said that two people he spoke with displayed a certain amount of
shock about the incidents, but both said that they had no explanation as to
why their machines would access an outside server in such a way.

Chris Clough, Network Solutions spokesperson, said the company is
officially investigating the incidents.

“Right now, this appears to be far outside normal business practices at
Network Solutions,” Clough said. “We don’t have all the details, but it
appears to be some sort of anomaly and our operations team is investigating.”

Northern Michigan Online’s Straight said that it’s nearly impossible to
verify who sent the packets, unless it can be determined at the source.
Security systems that Straight had in place alerted him to the port scan,
but it was the nature of the requests that caused his Snort program to
identify the activity as a potential network intrusion.

“Even if my IDS software incorrectly identified the scan, why was there a
scan at all?” Straight asked.

SANS Institute is an online security resource for IT personnel and network
administrators. Alan Paller, SANS Institute director of research, said
there were three reasons why a firm like Network Solutions would complete a
port scan.

“It could legitimately scan partners,” Paller said. “It is not unreasonable
for me to scan your system to check for vulnerabilities if I do business
with you. I may need your permission, but most business-to-business
contracts determine business partners’ rights to complete a network audit
from time to time.”

Paller said a second possibility was if Network Solutions’ security was
breached.

“Perhaps someone took over a machine at Network Solutions to do the
attack,” Paller said. “An intruder could have compromised a server at
Network Solutions and launched the attack if it were angry with the firm
and wanted to create trouble for the registrar by embarrassing them.”

Paller said the third and most likely reason why Network Solutions would be
accused of port scanning is that even the best tools available today
cannot determine if an attack was spoofed.

“The way IP works there is not much of a chance to prove that Network
Solutions was behind the scan,” Paller said. “The most advanced scanning
tools allow someone to be nearly anyone they want to be. That’s the problem
with IPv4, it’s easily fooled.”

Northern Michigan Online is not a Network Solutions partner, but as a full
service ISP it does complete domain name services with the firm. Naturally,
Straight said he gave serious consideration to the possibility that the
attack was spoofed.

“DoS attacks are often spoofed because sending data to the victim does the
damage, receiving return packets is not needed or desired,” Straight said.
“In this case there was no desire to disrupt my network, only to find out
what was there. Spoofing the attack would mean the spoofer wouldn’t get
information returned. Also, why would a spoofer return on two other
occasions to do it again?”
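Straight's reasoning can be tested against connection records: a scan whose TCP handshakes completed had its replies delivered to the claimed source address, while a SYN-only sweep proves nothing about where it came from. The sketch below is an added example, not code or data from the article or from Northern Michigan Online; the log format, addresses, thresholds and the `find_scans` name are constructed for illustration, and it assumes TCP initial sequence numbers cannot be guessed.

```python
from collections import defaultdict

# Constructed sample records (not incident data): epoch_seconds source dest dest_port state
# state EST = three-way handshake completed; SYN = SYN seen, handshake never completed
SAMPLE_LOG = """\
100.0 198.51.100.7 192.0.2.10 21 EST
100.1 198.51.100.7 192.0.2.10 22 EST
100.2 198.51.100.7 192.0.2.10 23 SYN
100.3 198.51.100.7 192.0.2.10 25 EST
100.4 198.51.100.7 192.0.2.10 80 EST
200.0 203.0.113.9 192.0.2.10 21 SYN
200.1 203.0.113.9 192.0.2.10 22 SYN
200.2 203.0.113.9 192.0.2.10 23 SYN
200.3 203.0.113.9 192.0.2.10 25 SYN
300.0 198.51.100.50 192.0.2.10 80 EST
400.0 203.0.113.77 192.0.2.11 25 EST
520.0 203.0.113.77 192.0.2.11 80 EST
640.0 203.0.113.77 192.0.2.11 110 EST
760.0 203.0.113.77 192.0.2.11 443 EST
"""

def find_scans(log, min_ports=4, window=10.0):
    """Flag (source, dest) pairs touching >= min_ports distinct ports within `window` seconds."""
    by_pair = defaultdict(list)
    for line in log.strip().splitlines():
        ts, src, dst, port, state = line.split()
        by_pair[(src, dst)].append((float(ts), int(port), state))
    findings = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            burst = events[start:end + 1]
            ports = {p for _, p, _ in burst}
            best = findings.get(pair, {"ports": 0})
            if len(ports) >= min_ports and len(ports) > best["ports"]:
                done = {p for _, p, s in burst if s == "EST"}
                findings[pair] = {
                    "ports": len(ports),
                    "completed": len(done),
                    # A completed handshake means the SYN-ACK reached whoever sent the SYN.
                    "replies_reached_source": bool(done),
                }
    return findings

if __name__ == "__main__":
    print(find_scans(SAMPLE_LOG))
```

A true result for `replies_reached_source` ties the traffic to the address, not to the organization: it is equally consistent with Paller's second possibility, a compromised machine at that address.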

A final possibility is that the port scan was an inside job: a disgruntled
employee on either side of the server could have completed or spoofed the
port scan. The source of the port scan holds the key to providing an
answer.

Network Solutions’ Clough said it is not clear where the port scans originated.

“We hope to have more information shortly,” Clough said. “Our operations
team has contacted Straight directly to better determine what the situation
is. Right now it’s not clear where this originated or what the exact
details are at this time.”

In the meantime, network engineers like Straight have to take every port
scan seriously to determine what game of hide-and-seek is being played on a
network, even though no one can be sure who is knocking at their door.
