Tracing the Origin of Malicious Activity
At a conference last week I heard a speaker talk about a network security methodology in which IP addresses known to be associated with attacks are used to set up special protections for critical assets. The speaker said that in this methodology sources such as dshield.org and CERT are used to identify malicious IP addresses. After the end of the presentation I expressed doubt concerning the validity of such IP addresses. Surprisingly, he countered that he had a high degree of confidence in them.
Over the years I have learned a few principles regarding IP tracebacks that are nearly always true. One is that unless network traffic consists of authenticated IPsec packets, the source IP address of this traffic must be viewed with considerable suspicion. Why? The main reason is the prevalence of IP spoofing in Internet attacks. Nothing in the IPv4 or IPv6 header authenticates the source address; it is simply a value the sender writes, and routers forward on the destination address alone. Spoofing is trivial for traffic that needs no reply, such as a flood of SYNs, UDP or ICMP packets, or reflected traffic; it is much harder for a completed TCP handshake, since the spoofer never sees the SYN-ACK. Another is the emergence of mobile bots, bots that inhabit hosts for a while, then leave and take over other hosts. As such, determining which particular IP address is malicious at any time is nearly impossible. Well-intentioned but mistaken reporting of malicious IP addresses on sites such as dshield.org is still another reason. Too often users of intrusion detection tools such as Snort take alert output at face value instead of further investigating exactly what has occurred by collecting and analyzing additional information such as packet dump data: whether the "attacker" ever completed a connection, and whether the TTLs and other header fields of packets bearing that source address are even consistent with a single sender. I remember many times when I worked at Berkeley Lab how someone posted a Berkeley Lab host IP address on dshield.org. Many times investigations of supposedly malicious hosts there showed that no malicious activity whatsoever had originated from them; their IP addresses had simply been used in spoofing attacks.
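The sort of second look the paragraph above asks for can be partly automated. The following is an added example, not code from the original post and not part of dshield.org or Snort: it reads a constructed, tcpdump-style flow summary (time, source, destination, protocol, TCP flags, IP TTL; the layout is an assumption for illustration), and for each remote "source" it decides whether the packet evidence corroborates the address, suggests spoofing, or cannot say. A completed three-way handshake means the host really received our SYN-ACK; a single source address arriving with wildly different TTLs means several different machines are writing that address. The local prefix and TTL threshold are assumptions.

```python
"""Triage 'malicious source IP' reports against packet evidence.

Added example, not code from the original post, dshield.org or Snort.
Input is a constructed, tcpdump-like summary: time src dst proto tcp-flags ttl.
"""
from collections import defaultdict
from dataclasses import dataclass

LOCAL_NET_PREFIX = "192.0.2."   # assumption: the address block we monitor
TTL_SPREAD_LIMIT = 8            # assumption: one real path rarely jitters by more hops than this

# Constructed sample traffic, no real hosts. Flags: S=SYN, SA=SYN-ACK, A=ACK, PA=PSH-ACK, '-'=not TCP.
SAMPLE_LOG = """\
10:00:01 203.0.113.7 192.0.2.10 tcp S 52
10:00:01 192.0.2.10 203.0.113.7 tcp SA 64
10:00:01 203.0.113.7 192.0.2.10 tcp A 52
10:00:02 203.0.113.7 192.0.2.10 tcp PA 52
10:00:05 198.51.100.9 192.0.2.10 tcp S 41
10:00:05 198.51.100.9 192.0.2.11 tcp S 200
10:00:05 198.51.100.9 192.0.2.12 tcp S 17
10:00:05 198.51.100.9 192.0.2.13 tcp S 118
10:00:09 198.51.100.44 192.0.2.10 udp - 50
10:00:09 198.51.100.44 192.0.2.10 udp - 51
"""


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    proto: str
    flags: str
    ttl: int


def parse_log(text: str) -> list[Packet]:
    """Parse the six-column summary above into Packet records."""
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, flags, ttl = line.split()
        pkts.append(Packet(ts, src, dst, proto, flags, int(ttl)))
    return pkts


def is_local(ip: str) -> bool:
    return ip.startswith(LOCAL_NET_PREFIX)


def assess_sources(pkts: list[Packet]) -> dict[str, str]:
    """Classify each remote source as 'corroborated', 'likely_spoofed' or 'unverifiable'.

    corroborated  : SYN from the host, our SYN-ACK back to it, then its ACK, in order.
                    Something at that address really received our reply. Not proof of
                    intent (it may itself be compromised), but far better than a lone packet.
    likely_spoofed: widely varying TTLs under one source address. Packets from a single
                    host follow roughly one path, so a spread of dozens means several
                    distinct origins are forging that address.
    unverifiable  : only unanswered SYNs, UDP or ICMP with consistent TTLs. Could be real,
                    could be spoofed; the data cannot say, so do not report it as fact.
    """
    hs_state = defaultdict(int)   # remote ip -> 0 none, 1 SYN seen, 2 SYN-ACK sent, 3 ACK seen
    ttls = defaultdict(set)       # remote ip -> set of observed TTLs
    for p in pkts:
        if is_local(p.src):
            # Our outbound SYN-ACK advances a handshake that the remote host started.
            if not is_local(p.dst) and p.proto == "tcp" and p.flags == "SA" and hs_state[p.dst] == 1:
                hs_state[p.dst] = 2
            continue
        ttls[p.src].add(p.ttl)
        if p.proto != "tcp":
            continue
        if p.flags == "S" and hs_state[p.src] == 0:
            hs_state[p.src] = 1
        elif "A" in p.flags and "S" not in p.flags and hs_state[p.src] == 2:
            hs_state[p.src] = 3
    verdicts = {}
    for ip, seen in ttls.items():
        if hs_state[ip] == 3:
            verdicts[ip] = "corroborated"
        elif max(seen) - min(seen) > TTL_SPREAD_LIMIT:
            verdicts[ip] = "likely_spoofed"
        else:
            verdicts[ip] = "unverifiable"
    return verdicts


def triage_report(reported_ips: list[str], pkts: list[Packet]) -> dict[str, str]:
    """For each address someone wants to report or block, return its verdict."""
    verdicts = assess_sources(pkts)
    return {ip: verdicts.get(ip, "no_traffic_seen") for ip in reported_ips}


if __name__ == "__main__":
    candidates = ["203.0.113.7", "198.51.100.9", "198.51.100.44", "203.0.113.99"]
    for ip, verdict in triage_report(candidates, parse_log(SAMPLE_LOG)).items():
        print(f"{ip:16} {verdict}")
```

Run on the sample, 203.0.113.7 comes out corroborated, 198.51.100.9 likely spoofed, 198.51.100.44 unverifiable, and an address with no traffic in the capture is reported as such. Only the first of these is worth posting anywhere, and even then as "a host at this address connected to us", not "this host is the attacker".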
Unless the IPsec protocol is used, tracing the source of any network transmission is usually difficult because the header data in a conventional IP packet (e.g., IPv4) can very easily be fabricated or altered; the source address is just a field the sender fills in, and nothing on the path verifies it unless the sender's own ISP performs ingress filtering (BCP 38), which many still do not. A few substantial advances in "source determination," i.e., pinpointing the origin of network traffic, have surfaced at several research institutions. These advances are, however, still largely experimental in nature. All things considered, IPsec is thus still the best way to establish the origin of any packet sent from a source outside one's internal network: a packet whose AH or ESP integrity check verifies can only have been produced by a holder of the key negotiated with that peer. Note what this does and does not give you. It authenticates traffic from peers you have already set up a security association with; it does not help identify the sender of arbitrary unsolicited traffic. Ironically, the fact that the IPsec protocol is so conducive to security has resulted in its being largely avoided by the black hat community. Tracing attacks thus remains a very difficult problem.
I have no particular gripe with dshield.org or any other site or organization that tries to do the Internet community a favor by providing information about potentially malicious IP addresses. My gripe is instead with amateur intrusion detection analysts who "blow the whistle" on IP addresses they believe to be malicious without investigating more thoroughly, people who take malicious IP address lists such as dshield.org's at face value, and conference speakers who mislead audiences into believing that identifying malicious IP addresses is as simple as going to a site such as dshield.org.