Lasting consequences to .GU domain network due to Chinese jet colliding with U.S. Spyplane
April 1st 2001 marked an international incident involving a U.S. Navy EP-3E Aries II surveillance plane ostensibly on autopilot colliding with a Chinese F-8 fighter which approached from a 45-degree angle under the left wing of the EP-3E. With the Chinese pilot lost at sea under international airspace and with a navy crew of 24 detained for 11 days on China's Hainan Island, the fiery public sentiments from both nations precipitated a nationalistic internet war by societies of network hackers at both ends of the pacific ocean.CNN featured the return of the detained navy crew to Guam via Continental Airlines with agreement between Defense Secretary Donald Rumsfeld and Deputy Foreign Minister Li Zhaoxing to airlift the EP-3 out of China in pieces using a Russian AN-124 Cargo plane.
Thus Guam came into the target sights of China and the incident marked the last time an orchestrated use of human wave crackers
was directed to manually penetrate internet sites. Subsequent attacks have now become automated.
The 1st Wave - Brute Force Flooding Attack
Internet service to the Guam network of schools, courts, govt line agencies and university was crippled on Tuesday April 10 2001 at 7am when a cisco Guam gateway router was overwhelmed or paralyzed at the Harmon Sprint Center. Sprint's worldwide routers were cut off from guam's gateway router as data packets failed to reach the .gu dns servers.A denial of access attack Guam's Sprint Cisco gateway router was formally confirmed by Sprint's Ernest Villaverde. UOG's systems programmer, Rudolph V shut down the downstream cisco7507 and catalyst5500 routers to remove the dept of education, Univ of Guam, Academy of Our Lady, Government of Guam, and the Judicial network as targets. With the Guam User Sites removed, the Harmon CISCO router recorded hits on each serial interface with 1,600,000 packets per minute sustained continuously through June.
For each minute, 750 spoofing of Guam's internal addresses and 57 concurrent pop3 requests was recorded. The routing advertisements from the oversubscribed cisco could not reach out to the Sprint BGP routers. A cisco3640 using IOS V12.1 was supplied by Ben Camacho and Joey Manibusah to replace the overworked sprint cisco router.
The Guam Consortium Network is characterized by a gauntlet of downstream routers with filters to distribute the inspection workload before the packets are reviewed by the firewalls.
The 1st line of defense packet inspection was relocated from the upstream cisco3640 to an interface on UOG's cisco7507 which can absorb the load. There, Rudolph Villaverde set up inspection filters to repel the flood. By freeing the smaller router, the routing advertisements for the Guam network was freed to propagate to the Sprint Backbone BGP routers which restored the internet connection paths.
In a normal 24 hour period the router receives 79,005,780 packets
intercepting 123,323 attempted spoofing of Guam's class B 168.123.0.0 network address
and Guam's 192.149.202.0 Class C along with 109,814 netbios-ns probes.
The 2nd Wave - Attacks on Servers
Beginning May 1st 2001, Web Servers in the U.S. with no security fixes exhibited signs of intrusion from those of pro China leanings in regards to the spy plane incident. As a rule, only old servers which are past their lifecycle are culled from the network by these attacks. But such is not the case. Most notable were Windows 2000 IIS5.0 Web Servers onto which Microsoft had deployed no defense to shore up its web intrusion vulnerability. Smart Reseller's feb 14th 2000 issue reported that the Windows 2000 had 28,000 bugs. The UOG2.uog.edu website was one such site which only had win2000 service pak 1 made available by Microsoft at that time.ATTACKING IPs were...........: 202.110.198.78 202.101.48.18 and 61.137.176.7
After the detection, the only remedial action was to apply an IIS5.0 update which resolves the "IIS Cross-Site Scripting" security vulnerability in Internet Information Services (IIS) 5.0. This vulnerability could enable a malicious user to run code on another user's computer, disguised as a third-party Web site.
Blocking the ip addresses of perceived hostile sites is futile since there are thousands of them.
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25533
The intruder issues an http port 80 command to the 192.149.202.102 uog2.uog.edu website into the C:\inetpub\scripts subdirectory and executes dos or win2000 commands such as ftp to bring in more files to execute. At any time, the sophisticated intruders could have elected to destroy the machine but mercifully, their mission centered on defacing the web pages with banners against America and against Japan to defend their nation's honor.
Here's a sample of the web command used:
2001-05-02 14:07:41 202.101.48.18 - 192.149.202.102 80 GET /scripts/ccc.exe /c%20dir%20/sc:\index.htm 502 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
Rudolph encountered 2 intruders within uog2 and raced to secure the machine by removing the foreign binary executables in the "scripts" subdirectory and relocating the cmd.exe ftp.exe attrib.exe at.exe xcopy.exe from the c:\winnt\system32 subdirectory.
99% of the network equipment withstood the brunt of the attack. Other U.S. sites with expensive intrusion detection equipment also fell victim to the attacks. The resulting casulties of the battle at the UOG Demiliterized Zone (we have no information on incidences within the government of Guam itself) were 1 old proteon router to the Academy of Our Lady which was completely destroyed, 1 Alpha 800 Microsoft proxy server penetrated (due to personnel attrition, fixes to this digital alpha server was applied after the attack), 1 win2000 iis5.0 webpages altered but later repaired, 1 major cataloging database website destroyed but this may be due to failed disk drives under heavy load. A new smtp mail server guam.uog.edu collapsed under heavy disk drive accesses (i.e. hardware failure) which caused Rudolph to redesign its configuration to handle the heavy relay probes. Empirically, disk drives are proving to be the achilles heels of any server and are treated as consumables with only a year lifespan before failure.
After identifying the ip addresses of the attacking machines to the Network Administrators in China and asking them to investigate the individuals behind the attacks, I contacted CERT, the internet security coordination centre, which 24 hours later extracted a temporary microsoft fix for the win2000 web server vulnerability. Microsoft later finalized their solution and issued a cumulative official Internet Information Server IIS5.0 fix on May 18, 2001.
On May 21, 2001, Microsoft released Service Pack 2 for Windows 2000, which addresses 550 known bugs, encryption 128-bit upgrade and a major security flaw fix in IIS5.0.
See http://www.microsoft.com/technet/security/current.asp
Attacks Later Refined to Hide Path back to China
On May 22, 2001 reports were volunteered by our users (such as Mike De LaRosa) who reported that their personal pc firewalls had tagged various intrusions from 204.71.201.141, 64.4.13.49, 64.4.13.53, 204.71.202.119, 130.83.33.100One site, 203.59.54.239 originated from a machine in Australia which was penetrated and used by a china based hackers organization H.U.C. as an attacking platform.
These probes and attacks provide valuable lessons and experience which underscore that firewalls cannot stop attacks on ports which are opened for normal internet traffic i.e. port numbers as http (port 80) or email (port 25). Internet servers have evolved to become firewall in themselves since firewall policies cannot stop all permutations of internet traffic.
The Source of Chinese windows os intrusion (provided by APNIC) using the following attacking workstations
202.110.198.78, 202.101.48.18 and 61.137.176.7
belongs to:
inetnum: 202.110.198.72 - 202.110.198.79 netname: JNELA-EDU descr: Shandong Jinan Economic Leader Administration College country: CN admin-c: DS95-AP tech-c: DS95-AP mnt-by: MAINT-ZXF changed: zxf@sdinfo.net 20010319 person: Data Communication Bureau Shandong address: No.77 Jingsan Road,Jinan,Shandong,P.R.China country: CN phone: +86-531-6052163 fax-no: +86-531-6052245 e-mail: ip@sdinfo.net nic-hdl: DS95-AP mnt-by: MAINT-ZXF changed: zxf@sdinfo.net 20010206 inetnum: 202.101.0.0 - 202.101.63.255 netname: CHINANET-CN-SHANGHAI descr: Shanghai P&T Administration country: CN admin-c: XI5-AP admin-c: ZY37-AP tech-c: LY43-AP mnt-by: MAINT-CHINANET-SH changed: sptwxl@online.sh.cn 19980901 address: Room 805,61 North Si Chuan Road,Shanghai,200085,PRC country: CN phone: +86-21-63630562 fax-no: +86-21-63630566 e-mail: sptwxl@online.sh.cn nic-hdl: XI5-AP mnt-by: MAINT-CHINANET-SH changed: sptwxl@online.sh.cn 20000706 address: No. 21,Yuanmingyuan Road,Shanghai,200002,PRC country: CN phone: +86-21-63211130-4517 fax-no: +86-21-63278259 e-mail: zhangyin@public.sta.net.cn nic-hdl: ZY37-AP mnt-by: MAINT-CHINANET-SH changed: sptwxl@online.sh.cn 19980901 source: APNIC address: No. 333,Wusheng Road,Shanghai,200003,PRC country: CN phone: +86-21-63290488 fax-no: +86-21-63722525 e-mail: shsh@public.sta.net.cn nic-hdl: LY43-AP mnt-by: MAINT-CHINANET-SH changed: sptwxl@online.sh.cn 19980901 inetnum: 61.137.128.0 - 61.137.255.255 netname: CHINANET-LN descr: CHINANET Liaoning province network descr: Data Communication Division descr: China Telecom country: CN admin-c: CH93-AP tech-c: GZ84-AP mnt-by: MAINT-CHINANET changed: weitj@cndata.com 20010108 person: Chinanet Hostmaster address: A12,Xin-Jie-Kou-Wai Street country: CN phone: +86-10-62370437 fax-no: +86-10-62053995 e-mail: hostmaster@ns.chinanet.cn.net nic-hdl: CH93-AP mnt-by: MAINT-CHINANET changed: hostmaster@ns.chinanet.cn.net 20000101 address: DATA Communication Bureau of Liaoning Province,China address: 38 Lianhe Road,Dadong District Shenyang 110044,China country: CN phone: +86-24-22800096 fax-no: +86-24-22800368 e-mail: abuse@online.ln.cn nic-hdl: GZ84-AP mnt-by: MAINT-CN-CHINANET-LN changed: ipgl@pub.ln.cninfo.net 20000815
Vigilante hacker Society
History will fail to acknowledge that the Hainan Incident was also fueled by a war between legacy hacker societies in the U.S. and China. During the course of analyzing the dynamics of the exchange, we had placed test pcs on the network to be attacked so that the attacking source and technique could be clarified for the skeptics. One of the test pcs had an implanted htm file from HUC who wish to be
known as the 'lion' crew. The Chinese lion worm which was created by this society portends a dns attack from aug 2001 onward
which paralyzed the govguam network for 12 days narrated by the redcode and nimda article posted on this website. Rudolph Villaverde.
Far Reaching Consequences of Spyplane Incident to the .GU domain network
After this incident, cyber war between the US and China became a recurring concern. To survive future attacks, the firewalled monolithic network
was fractured into multiple independent network targets. Univ of Guam coordinated with Joey Manibusan and Ben Camacho to disengage/divorce Govtguam from the
.GU domain. With consent from DOA acting director Joey Manibusan, Acting Gov. Moylan, and the federal DOT.GOV registry, UOG registered the "GUAM.GOV"
domain. UOG transferred GUAM.GOV to the Dept. of Administration Data Processing DNS servers under Ben Camacho (who later created
the Bureau of Info Technology). GUAM.GOV became the official network for the civilian Government of Guam. Its geographic vicinity to the military bases
implies an association which makes Govt of Guam Network a target for cyber attacks. In Sept 2011, Army General Keith Alexander, commander of US Cyber Command and director of the National Security Agency, articulated the inevitabily of a cyber war.
Source: http://www.networkworld.com/community/blog/cyber-attack-big-one-coming-says-us-cyber-com?source=NWWNLE_nit_daily_pm_2011-09-14