Lasting consequences to the .GU domain network due to a Chinese jet colliding with a U.S. spy plane
April 1, 2001 marked an international incident in which a U.S. Navy EP-3E Aries II surveillance plane, ostensibly on autopilot, collided with a Chinese F-8 fighter that approached from a 45-degree angle under the left wing of the EP-3E. With the Chinese pilot lost at sea in international airspace and a Navy crew of 24 detained for 11 days on China's Hainan Island, the fiery public sentiment in both nations precipitated a nationalistic internet war between societies of network hackers at both ends of the Pacific Ocean.
CNN featured the return of the detained Navy crew to Guam via Continental Airlines, along with the agreement between Defense Secretary Donald Rumsfeld and Deputy Foreign Minister Li Zhaoxing to airlift the EP-3 out of China in pieces aboard a Russian AN-124 cargo plane.
Thus Guam came into China's target sights, and the incident marked the last time an orchestrated human wave of crackers was directed to penetrate internet sites by hand. Subsequent attacks have become automated.
The 1st Wave - Brute Force Flooding Attack
Internet service to the Guam network of schools, courts, government line agencies and the university was crippled on Tuesday, April 10, 2001 at 7am when the Cisco gateway router for Guam at the Harmon Sprint Center was overwhelmed. Sprint's worldwide routers were cut off from Guam's gateway router as data packets failed to reach the .gu DNS servers.
A denial-of-service attack on Guam's Sprint Cisco gateway router was formally confirmed by Sprint's Ernest Villaverde. UOG's systems programmer, Rudolph Villaverde, shut down the downstream Cisco 7507 and Catalyst 5500 to remove the Department of Education, University of Guam, Academy of Our Lady, Government of Guam and the Judicial network as targets. Even with the Guam user sites removed, the Harmon Cisco router recorded 1,600,000 packets per minute on each serial interface, sustained continuously through June.
Each minute, 750 packets spoofing Guam's internal addresses and 57 concurrent POP3 requests were recorded. The routing advertisements from the oversubscribed Cisco could not reach the Sprint BGP routers, so from the outside Guam's prefixes simply disappeared. A Cisco 3640 running IOS 12.1 was supplied by Ben Camacho and Joey Manibusah to replace the overworked Sprint Cisco router.
The Guam Consortium Network is built as a gauntlet of downstream routers whose filters distribute the inspection workload before packets reach the firewalls.
The first line of packet inspection was relocated from the upstream Cisco 3640 to an interface on UOG's Cisco 7507, which can absorb the load. There, Rudolph Villaverde set up inspection filters to repel the flood. Freeing the smaller router let the routing advertisements for the Guam network propagate again to the Sprint backbone BGP routers, which restored the internet connection paths.
In a normal 24-hour period the router receives 79,005,780 packets, intercepting 123,323 attempts to spoof Guam's Class B 188.8.131.52 network address and Guam's Class C 184.108.40.206, along with 109,814 NetBIOS-NS probes.
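The filtering that was moved onto the 7507 is, in substance, ingress anti-spoofing (BCP 38): any packet that arrives on a Sprint-facing interface claiming a Guam source address cannot be legitimate and is dropped, while NetBIOS-NS and POP3 probes are simply counted. The following is an added example, not code from the page or from UOG, that classifies constructed flow records with exactly that rule, produces the per-interface and per-minute counters the text reports, and emits the Cisco IOS access list that enforces the rule. The internal prefixes are RFC 5737 documentation ranges standing in for the real Class B and Class C blocks, the interface names are assumed, and the sample flows are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Prefixes considered "inside" the Guam consortium network. RFC 5737 documentation
# ranges stand in for the real Class B and Class C blocks (assumption for the example).
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                     ipaddress.ip_network("198.51.100.0/24")]
# Interfaces facing Sprint (assumed names); an inside source arriving here is spoofed.
EXTERNAL_IFACES = {"Serial0/0", "Serial0/1"}

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)

def parse_flow(line):
    """One constructed flow record: '<ts> <iface> <proto> <src>:<sport> <dst>:<dport> <packets>'."""
    ts, iface, proto, src, dst, pkts = line.split()
    saddr, sport = src.rsplit(":", 1)
    daddr, dport = dst.rsplit(":", 1)
    return {"ts": ts, "iface": iface, "proto": proto, "src": saddr, "sport": int(sport),
            "dst": daddr, "dport": int(dport), "packets": int(pkts)}

def classify(rec):
    """Tag a flow the way the page's counters do: spoofed inside source, NetBIOS-NS probe, POP3."""
    tags = set()
    if rec["iface"] in EXTERNAL_IFACES and is_internal(rec["src"]):
        tags.add("spoofed")          # BCP 38 violation: our own address arriving from outside
    if rec["proto"] == "udp" and rec["dport"] == 137:
        tags.add("netbios-ns")
    if rec["proto"] == "tcp" and rec["dport"] == 110:
        tags.add("pop3")
    return tags

def summarize(lines):
    """Per-interface packet counters and per-minute event counts."""
    per_iface = defaultdict(Counter)
    per_minute = defaultdict(Counter)
    for rec in map(parse_flow, lines):
        minute = rec["ts"][:16]      # 'YYYY-MM-DDTHH:MM'
        per_iface[rec["iface"]]["packets"] += rec["packets"]
        for tag in classify(rec):
            per_iface[rec["iface"]][tag] += rec["packets"]
            per_minute[minute][tag] += 1
    return per_iface, per_minute

def ingress_acl(name="NO-SPOOF"):
    """Cisco IOS extended ACL, applied inbound on the external interfaces, that drops
    packets claiming an inside source and logs them; everything else is left alone."""
    lines = [f"ip access-list extended {name}"]
    for net in INTERNAL_PREFIXES:
        lines.append(f" deny ip {net.network_address} {net.hostmask} any log")
    lines.append(" permit ip any any")
    return "\n".join(lines)

# Constructed sample flows (not captured from the Guam routers).
SAMPLE_FLOWS = [
    "2001-04-10T07:00:12 Serial0/0 udp 203.0.113.9:4455 198.51.100.7:137 3",
    "2001-04-10T07:00:13 Serial0/0 tcp 192.0.2.44:2048 192.0.2.10:80 5",
    "2001-04-10T07:00:13 Serial0/1 tcp 203.0.113.20:1025 192.0.2.25:110 1",
    "2001-04-10T07:00:59 Serial0/0 tcp 198.51.100.3:6000 192.0.2.10:80 2",
    "2001-04-10T07:01:02 FastEthernet1/0 tcp 192.0.2.10:80 203.0.113.9:4455 4",
    "2001-04-10T07:01:05 Serial0/0 tcp 203.0.113.77:3333 192.0.2.50:25 1",
]

if __name__ == "__main__":
    per_iface, per_minute = summarize(SAMPLE_FLOWS)
    for iface, counts in sorted(per_iface.items()):
        print(iface, dict(counts))
    for minute, counts in sorted(per_minute.items()):
        print(minute, dict(counts))
    print(ingress_acl())
```

The flow on FastEthernet1/0 carries an inside source but is not flagged: the same address is legitimate on an inside interface, which is why the rule is tied to the interface and not to the address alone. The ACL only stops spoofed sources; a flood with genuine outside sources still has to be absorbed by a box with enough capacity, which is the reason the page moves inspection to the 7507.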
The 2nd Wave - Attacks on Servers
Beginning May 1, 2001, web servers in the U.S. with no security fixes applied showed signs of intrusion by parties of pro-China leanings in regard to the spy plane incident. One might expect such attacks to cull only old servers past their lifecycle, but that was not the case. Most notable were Windows 2000 IIS 5.0 web servers for which Microsoft had deployed no defense to shore up the web intrusion vulnerability. Smart Reseller's February 14, 2000 issue reported that Windows 2000 had 28,000 bugs. The UOG2.uog.edu website was one such site, with only Windows 2000 Service Pack 1 available from Microsoft at that time.
Attacking IPs were: 220.127.116.11, 18.104.22.168 and 22.214.171.124
After the detection, the only remedial action available was to apply an IIS 5.0 update, the one Microsoft described as resolving the "IIS Cross-Site Scripting" vulnerability in Internet Information Services 5.0, which could enable a malicious user to run code on another user's computer disguised as a third-party web site. Note that the web command shown further down is not cross-site scripting: it is remote command execution through a copy of cmd.exe planted in the scripts directory, the signature of the IIS directory-traversal flaws (the Unicode and double-decode bugs), and the fix that covers it is the cumulative IIS 5.0 patch mentioned later.
Blocking the IP addresses of perceived hostile sites is futile since there are thousands of them.
The intruder issues an HTTP request on port 80 to the 126.96.36.199 uog2.uog.edu website that reaches into the C:\inetpub\scripts subdirectory and executes DOS or Windows 2000 commands, such as ftp to bring in more files to execute. At any time the sophisticated intruders could have elected to destroy the machine, but mercifully their mission centered on defacing the web pages with banners against America and against Japan to defend their nation's honor.
Here is a sample of the web command used, as recorded in the IIS log (W3C extended format: date, time, client IP, username, server IP, port, method, URI stem, URI query, status, user agent):
2001-05-02 14:07:41 188.8.131.52 - 184.108.40.206 80 GET /scripts/ccc.exe /c%20dir%20/sc:\index.htm 502 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
Rudolph encountered two intruders inside uog2 and raced to secure the machine by removing the foreign binary executables in the scripts subdirectory and relocating cmd.exe, ftp.exe, attrib.exe, at.exe and xcopy.exe out of the C:\winnt\system32 subdirectory, so that a traversal request could no longer find anything to run.
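The log entry above is the second stage of the attack: the first stage uses a traversal request to run the real cmd.exe and copy it under /scripts/ as ccc.exe, after which the intruder calls the copy directly. What follows is an added example, not code from the page or from UOG, of a detector over IIS 5.0 W3C extended log lines in the format of that entry. It flags traversal requests that reach cmd.exe (a ".." followed by a raw, percent-encoded, double-encoded or overlong-UTF-8 separator), flags requests to a bare executable under a script-mapped directory that carry a /c command line, and decodes the command each one ran. The sample log is constructed with RFC 5737 addresses, except for the page's own line, which is included as the last entry.

```python
import re
from urllib.parse import unquote_plus

# IIS 5.0 W3C extended log fields, in the order the page's sample line uses them.
FIELDS = ["date", "time", "c_ip", "cs_username", "s_ip", "s_port", "cs_method",
          "cs_uri_stem", "cs_uri_query", "sc_status", "cs_user_agent"]

# ".." followed by a raw, %-encoded, double-encoded or overlong-UTF-8 path separator.
TRAVERSAL = re.compile(r"\.\.(/|\\|%2f|%5c|%252f|%255c|%c0%af|%c1%1c|%c1%9c)", re.I)
# A bare executable under a script-mapped directory, e.g. the planted ccc.exe.
PLANTED = re.compile(r"^/(scripts|msadc|cgi-bin)/[^/]+\.exe$", re.I)

def parse_line(line):
    """Split one log line into a dict; '#' header lines and malformed lines give None."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def inspect(rec):
    """Return a finding for one parsed record, or None if it looks like ordinary traffic."""
    stem, query = rec["cs_uri_stem"], rec["cs_uri_query"]
    # IIS writes the query with '+' for spaces and %XX escapes; decode to the command run.
    command = unquote_plus(query, errors="replace") if query != "-" else ""
    if TRAVERSAL.search(stem) or "cmd.exe" in stem.lower():
        technique = "traversal-to-cmd.exe"
    elif PLANTED.match(stem) and command.lower().startswith("/c"):
        technique = "planted-binary"      # copied cmd.exe under /scripts/, e.g. ccc.exe
    else:
        return None
    return {"src": rec["c_ip"], "status": rec["sc_status"],
            "technique": technique, "stem": stem, "command": command}

def scan(lines):
    """All findings, in log order."""
    return [f for f in (inspect(r) for r in map(parse_line, lines) if r) if f]

# Constructed sample log (documentation addresses); the final entry is the page's own line.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    r"2001-05-01 03:12:09 203.0.113.45 - 192.0.2.10 80 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\ 200 -",
    r"2001-05-01 03:12:15 203.0.113.45 - 192.0.2.10 80 GET /scripts/..%255c..%255c..%255cwinnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\ccc.exe 200 -",
    "2001-05-01 03:13:02 198.51.100.9 - 192.0.2.10 80 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.0;+Windows+98)",
    r"2001-05-02 14:07:41 188.8.131.52 - 184.108.40.206 80 GET /scripts/ccc.exe /c%20dir%20/sc:\index.htm 502 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f'{finding["src"]:>15}  {finding["status"]}  {finding["technique"]:<22} {finding["command"]}')
```

The status code is kept because it tells the responder whether the command ran: a 200 on the traversal line means the directory listing or copy succeeded, while the page's 502 on ccc.exe only shows that the planted binary was invoked. Matching on the stem rather than on source addresses is the point of this detector, since, as the text notes, the attacking addresses run into the thousands.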
99% of the network equipment withstood the brunt of the attack. Other U.S. sites with expensive intrusion detection equipment also fell victim to the attacks. The casualties of the battle at the UOG demilitarized zone (we have no information on incidents within the Government of Guam itself) were: one old Proteon router to the Academy of Our Lady, completely destroyed; one Alpha 800 Microsoft proxy server penetrated (due to personnel attrition, fixes to this Digital Alpha server were applied only after the attack); one Windows 2000 IIS 5.0 server whose web pages were altered but later repaired; and one major cataloging database website destroyed, though this may be due to disk drives failing under heavy load. A new SMTP mail server, guam.uog.edu, collapsed under heavy disk drive access (hardware failure), which led Rudolph to redesign its configuration to handle the heavy relay probes. Empirically, disk drives are proving to be the Achilles heel of any server and are treated as consumables with only a one-year lifespan before failure.
After identifying the IP addresses of the attacking machines to the network administrators in China and asking them to investigate the individuals behind the attacks, I contacted CERT, the internet security coordination centre, which 24 hours later extracted a temporary Microsoft fix for the Windows 2000 web server vulnerability. Microsoft later finalized their solution and issued a cumulative official Internet Information Server IIS 5.0 fix on May 18, 2001.
On May 21, 2001, Microsoft released Service Pack 2 for Windows 2000, which addresses 550 known bugs, upgrades encryption to 128-bit and fixes a major security flaw in IIS 5.0.
Attacks Later Refined to Hide the Path back to China
On May 22, 2001, reports were volunteered by our users (such as Mike De LaRosa) whose personal PC firewalls had tagged various intrusion attempts from 220.127.116.11, 18.104.22.168, 22.214.171.124, 126.96.36.199 and 188.8.131.52.
One source, 184.108.40.206, was a machine in Australia that had itself been penetrated and was used by the China-based hacker organization H.U.C. as an attacking platform, so the address seen by the victim no longer pointed back to China.
These probes and attacks provide valuable lessons and experience which underscore that firewalls cannot stop attacks on ports that are opened for normal internet traffic, such as HTTP (port 80) or email (port 25). Internet servers have had to become firewalls in themselves, validating the requests they accept, since firewall policies cannot cover every permutation of internet traffic.
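A firewall passing port 80 sees nothing wrong with the traversal requests above; the check has to live in the server, and it has to run in the right order. Below is an added example, not code from the page and not IIS's own code, that emulates in simplified form the path check those requests defeat, beside the corrected version. vulnerable_resolve looks for traversal after a single percent-decode and then hands the path to a file-system layer that decodes a second time and accepts overlong UTF-8 sequences such as %c0%af as separators; that ordering is how both the Unicode and the double-encoded requests escape the web tree. safe_resolve decodes to a fixed point, rejects invalid UTF-8 and NUL, canonicalizes, and refuses any path outside the root. The web tree is assumed rooted at C:/inetpub so that /scripts/ maps to the C:\inetpub\scripts directory named on the page; the internal IIS behaviour is emulated, not reproduced.

```python
import posixpath
from urllib.parse import unquote_to_bytes

# Assumed physical root: /scripts/ then maps to C:\inetpub\scripts as on the page.
WEBROOT = "C:/inetpub"

def lenient_bytes_decode(raw: bytes) -> str:
    """Emulates a non-validating UTF-8 decoder: an overlong 2-byte sequence with a
    0xC0/0xC1 lead byte is accepted and yields the ASCII character it encodes
    (%c0%af -> '/', %c1%1c and %c1%9c -> '\\'). Other bytes are taken as Latin-1."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(chr(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(b))
            i += 1
    return "".join(out)

def vulnerable_resolve(webroot: str, stem: str):
    """Wrong order: canonicalize and check after ONE decode, then decode again to open."""
    root = webroot.encode()
    once = unquote_to_bytes(stem)                 # %255c -> b'%5c', %c0%af -> b'\xc0\xaf'
    checked = posixpath.normpath(posixpath.join(root, once.replace(b"\\", b"/").lstrip(b"/")))
    if checked != root and not checked.startswith(root + b"/"):
        return None                               # only plain '../' is caught here
    # The file-system layer decodes a second time and accepts overlong UTF-8,
    # so '..%5c' and '..\xc0\xaf' both turn into real '..' separators now.
    final = lenient_bytes_decode(unquote_to_bytes(once)).replace("\\", "/")
    return posixpath.normpath(posixpath.join(webroot, final.lstrip("/")))

def safe_resolve(webroot: str, stem: str):
    """Right order: decode to a fixed point, validate strictly, canonicalize, then check."""
    raw = unquote_to_bytes(stem)
    for _ in range(3):                            # no %XX may survive into the path
        nxt = unquote_to_bytes(raw)
        if nxt == raw:
            break
        raw = nxt
    try:
        decoded = raw.decode("utf-8")             # strict: overlong sequences raise
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded:
        return None
    root = posixpath.normpath(webroot)
    target = posixpath.normpath(posixpath.join(root, decoded.replace("\\", "/").lstrip("/")))
    if target != root and not target.startswith(root + "/"):
        return None
    return target

if __name__ == "__main__":
    for stem in ("/scripts/..%c0%af../winnt/system32/cmd.exe",
                 "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
                 "/scripts/ccc.exe"):
        print(f"{stem:<48} vulnerable={vulnerable_resolve(WEBROOT, stem)!s:<30} safe={safe_resolve(WEBROOT, stem)}")
```

Decoding to a fixed point is deliberately conservative: a legitimate file name containing a literal "%25" would be over-decoded and might fail the check, which is the safer failure. The two emulated flaws are independent, which is why the test cases below exercise each one separately against both resolvers.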
The source of the Chinese Windows OS intrusions: APNIC whois records for the attacking workstations

inetnum: 220.127.116.11 - 18.104.22.168
netname: JNELA-EDU
descr: Shandong Jinan Economic Leader Administration College
country: CN
admin-c: DS95-AP
tech-c: DS95-AP
mnt-by: MAINT-ZXF
changed: email@example.com 20010319

person: Data Communication Bureau Shandong
address: No.77 Jingsan Road,Jinan,Shandong,P.R.China
country: CN
phone: +86-531-6052163
fax-no: +86-531-6052245
e-mail: firstname.lastname@example.org
nic-hdl: DS95-AP
mnt-by: MAINT-ZXF
changed: email@example.com 20010206

inetnum: 22.214.171.124 - 126.96.36.199
netname: CHINANET-CN-SHANGHAI
descr: Shanghai P&T Administration
country: CN
admin-c: XI5-AP
admin-c: ZY37-AP
tech-c: LY43-AP
mnt-by: MAINT-CHINANET-SH
changed: firstname.lastname@example.org 19980901

address: Room 805,61 North Si Chuan Road,Shanghai,200085,PRC
country: CN
phone: +86-21-63630562
fax-no: +86-21-63630566
e-mail: email@example.com
nic-hdl: XI5-AP
mnt-by: MAINT-CHINANET-SH
changed: firstname.lastname@example.org 20000706

address: No. 21,Yuanmingyuan Road,Shanghai,200002,PRC
country: CN
phone: +86-21-63211130-4517
fax-no: +86-21-63278259
e-mail: email@example.com
nic-hdl: ZY37-AP
mnt-by: MAINT-CHINANET-SH
changed: firstname.lastname@example.org 19980901
source: APNIC

address: No. 333,Wusheng Road,Shanghai,200003,PRC
country: CN
phone: +86-21-63290488
fax-no: +86-21-63722525
e-mail: email@example.com
nic-hdl: LY43-AP
mnt-by: MAINT-CHINANET-SH
changed: firstname.lastname@example.org 19980901

inetnum: 188.8.131.52 - 184.108.40.206
netname: CHINANET-LN
descr: CHINANET Liaoning province network
descr: Data Communication Division
descr: China Telecom
country: CN
admin-c: CH93-AP
tech-c: GZ84-AP
mnt-by: MAINT-CHINANET
changed: email@example.com 20010108

person: Chinanet Hostmaster
address: A12,Xin-Jie-Kou-Wai Street
country: CN
phone: +86-10-62370437
fax-no: +86-10-62053995
e-mail: firstname.lastname@example.org
nic-hdl: CH93-AP
mnt-by: MAINT-CHINANET
changed: email@example.com 20000101

address: DATA Communication Bureau of Liaoning Province,China
address: 38 Lianhe Road,Dadong District Shenyang 110044,China
country: CN
phone: +86-24-22800096
fax-no: +86-24-22800368
e-mail: firstname.lastname@example.org
nic-hdl: GZ84-AP
mnt-by: MAINT-CN-CHINANET-LN
changed: email@example.com 20000815