[Photo caption: Removal of fuel, hydraulic fluid and oil before dismantling of the reconnaissance plane.]

Lasting consequences for the .GU domain network of the Chinese jet colliding with a U.S. spy plane

April 1st 2001 marked an international incident in which a U.S. Navy EP-3E Aries II surveillance plane, ostensibly on autopilot, collided with a Chinese F-8 fighter that approached from a 45-degree angle under the left wing of the EP-3E. With the Chinese pilot lost at sea in international airspace and a navy crew of 24 detained for 11 days on China's Hainan Island, the fiery public sentiments in both nations precipitated a nationalistic internet war between societies of network hackers at both ends of the Pacific Ocean.

CNN featured the return of the detained navy crew to Guam via Continental Airlines, along with the agreement between Defense Secretary Donald Rumsfeld and Deputy Foreign Minister Li Zhaoxing to airlift the EP-3 out of China in pieces using a Russian AN-124 cargo plane.

Thus Guam came into China's target sights, and the incident marked the last time an orchestrated human wave of crackers was directed to manually penetrate internet sites. Subsequent attacks have become automated.

[Photo caption: Navy EP-3 crew leaving Guam's Andersen Air Force Base. Their arrival via Continental Air sparked a Chinese DoS attack within hours.]

The 1st Wave - Brute Force Flooding Attack

Internet service to the Guam network of schools, courts, government line agencies and the university was crippled on Tuesday April 10 2001 at 7am when the Cisco Guam gateway router at the Harmon Sprint Center was overwhelmed and paralyzed. Sprint's worldwide routers were cut off from Guam's gateway router as data packets failed to reach the .gu DNS servers.

A denial of access attack on Guam's Sprint Cisco gateway router was formally confirmed by Sprint's Ernest Villaverde. UOG's systems programmer, Rudolph Villaverde, shut down the downstream Cisco 7507 and Catalyst 5500 routers to remove the Department of Education, University of Guam, Academy of Our Lady, Government of Guam and the Judicial network as targets. With the Guam user sites removed, the Harmon Cisco router still recorded hits on each serial interface of 1,600,000 packets per minute, sustained continuously through June.

For each minute, 750 packets spoofing Guam's internal addresses and 57 concurrent POP3 requests were recorded. The routing advertisements from the oversubscribed Cisco could not reach the Sprint BGP routers. A Cisco 3640 running IOS 12.1, supplied by Ben Camacho and Joey Manibusan, replaced the overworked Sprint Cisco router.

The Guam Consortium Network is characterized by a gauntlet of downstream routers with filters that distribute the inspection workload before the packets are reviewed by the firewalls.

The first line of defense, packet inspection, was relocated from the upstream Cisco 3640 to an interface on UOG's Cisco 7507, which could absorb the load. There, Rudolph Villaverde set up inspection filters to repel the flood. With the smaller router freed, the routing advertisements for the Guam network were able to propagate to the Sprint backbone BGP routers, which restored the internet connection paths.

In a normal 24-hour period the router receives 79,005,780 packets, intercepting 123,323 attempted spoofs of Guam's class B 168.123.0.0 network address and Guam's 192.149.202.0 class C, along with 109,814 netbios-ns probes.

[Photo caption: Orange OC-12 fiber multi-cables into the Centrix Meridian, where GovGuam channels its OC-3 ATM backbone.]
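The router-side defence described above, an ordered filter that drops packets arriving from the upstream interface while claiming one of Guam's own source prefixes and then measures how many such packets arrive per minute, is illustrated here as an added Python model. It is not the configuration that ran on the Cisco 7507; the prefixes come from the article, while the interface names, the packet records and the rule for netbios-ns probes are constructed assumptions for the example.

```python
"""Ingress anti-spoofing filter and flood-rate check (added example, not the
network's actual router configuration). Packet records are constructed."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Guam's own prefixes as stated in the article. Any packet that arrives on
# the upstream (Sprint-facing) interface claiming one of these as its source
# cannot be legitimate and is classed as spoofed.
INTERNAL_PREFIXES = [ip_network("168.123.0.0/16"), ip_network("192.149.202.0/24")]
UPSTREAM_IFACE = "Serial0/0"      # assumed interface name for the example
NETBIOS_NS_PORT = 137             # netbios-ns probes mentioned in the article


@dataclass(frozen=True)
class Packet:
    minute: int      # minute bucket of arrival (constructed timestamps)
    iface: str       # ingress interface
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int


def is_spoofed(pkt):
    """True when the source claims an internal address but came from upstream."""
    if pkt.iface != UPSTREAM_IFACE:
        return False
    src = ip_address(pkt.src)
    return any(src in net for net in INTERNAL_PREFIXES)


def classify(pkt):
    """ACL-style evaluation: the first matching rule decides the verdict."""
    if is_spoofed(pkt):
        return "deny-spoof"
    if pkt.proto == "udp" and pkt.dport == NETBIOS_NS_PORT:
        return "deny-netbios-ns"
    return "permit"


def filter_packets(packets):
    """Apply the rule set; return (permitted packets, per-verdict counts)."""
    verdicts = Counter()
    permitted = []
    for p in packets:
        v = classify(p)
        verdicts[v] += 1
        if v == "permit":
            permitted.append(p)
    return permitted, verdicts


def per_minute_rate(packets, predicate):
    """Count packets matching predicate in each minute bucket."""
    counts = Counter()
    for p in packets:
        if predicate(p):
            counts[p.minute] += 1
    return dict(counts)


def flood_minutes(packets, threshold):
    """Minutes in which the spoofed-packet rate exceeds threshold, e.g. a
    baseline derived from the normal-day spoof count the article reports."""
    rates = per_minute_rate(packets, is_spoofed)
    return sorted(m for m, n in rates.items() if n > threshold)


# Constructed sample: a legitimate inbound request, a spoofed packet from
# upstream, an internally sourced packet on the LAN side (legitimate), a
# netbios-ns probe, and a second spoof using the class C prefix.
SAMPLE = [
    Packet(0, "Serial0/0", "203.0.113.7", "192.149.202.102", "tcp", 80),
    Packet(0, "Serial0/0", "168.123.4.9", "192.149.202.102", "tcp", 80),
    Packet(0, "Ethernet1/0", "168.123.4.9", "203.0.113.7", "tcp", 80),
    Packet(1, "Serial0/0", "198.51.100.5", "168.123.1.1", "udp", 137),
    Packet(1, "Serial0/0", "192.149.202.250", "192.149.202.102", "tcp", 110),
]

if __name__ == "__main__":
    kept, counts = filter_packets(SAMPLE)
    print(dict(counts))                 # {'permit': 2, 'deny-spoof': 2, 'deny-netbios-ns': 1}
    print(flood_minutes(SAMPLE, 0))     # [0, 1]
```

The ordering matters in the same way it does on a router: the anti-spoof rule runs first so that a spoofed packet is never evaluated by later, more permissive rules, and the per-minute counters are what let an operator distinguish the article's 750 spoofs per minute from the normal-day background rate.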

The 2nd Wave - Attacks on Servers

Beginning May 1st 2001, web servers in the U.S. with no security fixes applied exhibited signs of intrusion from those with pro-China leanings regarding the spy plane incident. As a rule, only old servers past their lifecycle are culled from the network by such attacks, but that was not the case here. Most notable were Windows 2000 IIS 5.0 web servers, for which Microsoft had deployed no defense to shore up the web intrusion vulnerability. Smart Reseller's February 14th 2000 issue reported that Windows 2000 had 28,000 bugs. The uog2.uog.edu website was one such site; only Windows 2000 Service Pack 1 had been made available by Microsoft at that time.

Attacking IPs were: 202.110.198.78, 202.101.48.18 and 61.137.176.7

After the detection, the only remedial action available was to apply an IIS 5.0 update which resolves the "IIS Cross-Site Scripting" security vulnerability in Internet Information Services (IIS) 5.0. This vulnerability could enable a malicious user to run code on another user's computer, disguised as a third-party web site.

Blocking the IP addresses of perceived hostile sites is futile, since there are thousands of them.

http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25533

The intruder issues an HTTP port 80 request to the 192.149.202.102 uog2.uog.edu website aimed at the C:\inetpub\scripts subdirectory and executes DOS or Windows 2000 commands such as ftp to bring in more files to execute. At any time, the sophisticated intruders could have elected to destroy the machine, but mercifully their mission centered on defacing the web pages with banners against America and against Japan to defend their nation's honor.

Here's a sample of the web command used, as recorded in the server log:

2001-05-02 14:07:41 202.101.48.18 - 192.149.202.102 80 GET /scripts/ccc.exe /c%20dir%20/sc:\index.htm 502 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
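The log line above is the kind of record a defender can scan for after the fact. The following is an added Python example, not code from the page or from UOG, that parses IIS log lines in the space-separated layout the sample uses and flags requests which reach an executable through the /scripts directory, pass a cmd.exe-style "/c" command in the query, name one of the system binaries the article later mentions, or contain an encoded directory-traversal sequence. The field order is assumed from the sample; the first constructed log line reproduces the page's own record and the others, including the traversal line, are constructed to exercise the remaining checks.

```python
"""Detector for the IIS 5.0 'web command' pattern shown in the article's log
sample (added example; log lines below are constructed test data)."""
import re
from collections import Counter
from urllib.parse import unquote

# Field order assumed from the page's sample line (W3C extended style).
FIELDS = ["date", "time", "c_ip", "username", "s_ip", "s_port", "method",
          "uri_stem", "uri_query", "status", "user_agent"]

# Windows binaries the article says were relocated out of system32; none
# should ever be reachable through a web request.
SHELL_BINARIES = {"cmd.exe", "ftp.exe", "attrib.exe", "at.exe", "xcopy.exe"}
TRAVERSAL = re.compile(r"\.\.[\\/]")        # after decoding: ../ or ..\
SHELL_SWITCH = re.compile(r"/c\b", re.IGNORECASE)


def parse_line(line):
    """Split one log line into a dict, or None if the layout does not match."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def decode(s):
    """URL-decode until stable so double-encoded sequences (e.g. %255c) surface."""
    for _ in range(3):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def findings(rec):
    """Return the reasons a record looks like command execution via the web."""
    reasons = []
    stem = decode(rec["uri_stem"])
    query = decode(rec["uri_query"]) if rec["uri_query"] != "-" else ""
    name = stem.rsplit("/", 1)[-1].lower()
    if stem.lower().startswith("/scripts/") and name.endswith(".exe"):
        reasons.append("executable requested under /scripts")
    if name in SHELL_BINARIES:
        reasons.append(f"{name} invoked via web request")
    if SHELL_SWITCH.match(query.strip()):
        reasons.append("cmd.exe-style '/c' command in query")
    if TRAVERSAL.search(stem) or TRAVERSAL.search(query):
        reasons.append("directory traversal sequence")
    return reasons


def scan(lines):
    """Return (client ip, stem, query, reasons) for every suspicious line.
    The HTTP status is deliberately ignored: the page's own sample returned
    502 and was still an attack."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = findings(rec)
        if reasons:
            hits.append((rec["c_ip"], rec["uri_stem"], rec["uri_query"], reasons))
    return hits


def by_source(hits):
    """Count suspicious requests per client address."""
    return dict(Counter(h[0] for h in hits))


# Constructed sample log: the page's own line, a benign request, and a
# constructed double-encoded traversal request to cmd.exe.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)",
    "2001-05-02 14:07:41 202.101.48.18 - 192.149.202.102 80 GET /scripts/ccc.exe /c%20dir%20/sc:\\index.htm 502 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)",
    "2001-05-02 14:08:02 203.0.113.9 - 192.149.202.102 80 GET /index.htm - 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)",
    "2001-05-02 14:08:30 202.101.48.18 - 192.149.202.102 80 GET /scripts/..%255c..%255cwinnt/system32/cmd.exe /c%20dir 200 Mozilla/4.0",
]

if __name__ == "__main__":
    for ip, stem, query, reasons in scan(SAMPLE_LOG):
        print(ip, stem, query, "->", "; ".join(reasons))
    print(by_source(scan(SAMPLE_LOG)))     # {'202.101.48.18': 2}
```

Decoding until the string stops changing is the detail that matters: a single decode pass leaves a double-encoded backslash as %5c, which a naive traversal check never sees.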

Rudolph encountered two intruders within uog2 and raced to secure the machine by removing the foreign binary executables in the "scripts" subdirectory and relocating cmd.exe, ftp.exe, attrib.exe, at.exe and xcopy.exe out of the c:\winnt\system32 subdirectory.

99% of the network equipment withstood the brunt of the attack. Other U.S. sites with expensive intrusion detection equipment also fell victim to the attacks. The resulting casualties of the battle at the UOG demilitarized zone (we have no information on incidents within the Government of Guam itself) were: one old Proteon router to the Academy of Our Lady, which was completely destroyed; one Alpha 800 Microsoft proxy server penetrated (due to personnel attrition, fixes to this Digital Alpha server were applied only after the attack); one Windows 2000 IIS 5.0 server whose web pages were altered but later repaired; and one major cataloging database website destroyed, though this may have been due to failed disk drives under heavy load. A new SMTP mail server, guam.uog.edu, collapsed under heavy disk drive accesses (i.e. hardware failure), which caused Rudolph to redesign its configuration to handle the heavy relay probes. Empirically, disk drives are proving to be the Achilles' heel of any server and are treated as consumables with only a year's lifespan before failure.

After identifying the IP addresses of the attacking machines to the network administrators in China and asking them to investigate the individuals behind the attacks, I contacted CERT, the internet security coordination centre, which 24 hours later extracted a temporary Microsoft fix for the Windows 2000 web server vulnerability. Microsoft later finalized their solution and issued a cumulative official Internet Information Server IIS 5.0 fix on May 18, 2001.

On May 21, 2001, Microsoft released Service Pack 2 for Windows 2000, which addresses 550 known bugs, includes a 128-bit encryption upgrade and fixes a major security flaw in IIS 5.0.

See http://www.microsoft.com/technet/security/current.asp

[Photo caption: Bracing the entire tail module for separation from the fuselage.]

Attacks Later Refined to Hide Path back to China

On May 22, 2001, our users (such as Mike De LaRosa) volunteered reports that their personal PC firewalls had tagged various intrusions from 204.71.201.141, 64.4.13.49, 64.4.13.53, 204.71.202.119 and 130.83.33.100.

One source, 203.59.54.239, was a machine in Australia which had been penetrated and was being used by a China-based hacker organization, H.U.C., as an attacking platform.

These probes and attacks provide valuable lessons and experience which underscore that firewalls cannot stop attacks on ports that are opened for normal internet traffic, i.e. port numbers such as HTTP (port 80) or email (port 25). Internet servers have had to evolve into firewalls in themselves, since firewall policies cannot stop all permutations of internet traffic.

The source of the Chinese Windows OS intrusions, according to the APNIC registration records for the attacking workstations
202.110.198.78, 202.101.48.18 and 61.137.176.7,
is as follows:

inetnum:     202.110.198.72 - 202.110.198.79
netname:     JNELA-EDU
descr:       Shandong Jinan Economic Leader Administration College
country:     CN
admin-c:     DS95-AP
tech-c:      DS95-AP
mnt-by:      MAINT-ZXF
changed:     zxf@sdinfo.net 20010319


person:      Data Communication Bureau Shandong
address:     No.77 Jingsan Road,Jinan,Shandong,P.R.China
country:     CN
phone:       +86-531-6052163
fax-no:      +86-531-6052245
e-mail:      ip@sdinfo.net
nic-hdl:     DS95-AP
mnt-by:      MAINT-ZXF
changed:     zxf@sdinfo.net 20010206

inetnum:     202.101.0.0 - 202.101.63.255
netname:     CHINANET-CN-SHANGHAI
descr:       Shanghai P&T Administration
country:     CN
admin-c:     XI5-AP
admin-c:     ZY37-AP
tech-c:      LY43-AP
mnt-by:      MAINT-CHINANET-SH
changed:     sptwxl@online.sh.cn 19980901


address:     Room 805,61 North Si Chuan Road,Shanghai,200085,PRC
country:     CN
phone:       +86-21-63630562
fax-no:      +86-21-63630566
e-mail:      sptwxl@online.sh.cn
nic-hdl:     XI5-AP
mnt-by:      MAINT-CHINANET-SH
changed:     sptwxl@online.sh.cn 20000706


address:     No. 21,Yuanmingyuan Road,Shanghai,200002,PRC
country:     CN
phone:       +86-21-63211130-4517
fax-no:      +86-21-63278259
e-mail:      zhangyin@public.sta.net.cn
nic-hdl:     ZY37-AP
mnt-by:      MAINT-CHINANET-SH
changed:     sptwxl@online.sh.cn 19980901
source:      APNIC

address:     No. 333,Wusheng Road,Shanghai,200003,PRC
country:     CN
phone:       +86-21-63290488
fax-no:      +86-21-63722525
e-mail:      shsh@public.sta.net.cn
nic-hdl:     LY43-AP
mnt-by:      MAINT-CHINANET-SH
changed:     sptwxl@online.sh.cn 19980901


inetnum:     61.137.128.0 - 61.137.255.255
netname:     CHINANET-LN
descr:       CHINANET Liaoning province network
descr:       Data Communication Division
descr:       China Telecom
country:     CN
admin-c:     CH93-AP
tech-c:      GZ84-AP
mnt-by:      MAINT-CHINANET
changed:     weitj@cndata.com 20010108

person:      Chinanet Hostmaster
address:     A12,Xin-Jie-Kou-Wai Street
country:     CN
phone:       +86-10-62370437
fax-no:      +86-10-62053995
e-mail:      hostmaster@ns.chinanet.cn.net
nic-hdl:     CH93-AP
mnt-by:      MAINT-CHINANET
changed:     hostmaster@ns.chinanet.cn.net 20000101

address:     DATA Communication Bureau of Liaoning Province,China
address:     38 Lianhe Road,Dadong District Shenyang 110044,China
country:     CN
phone:       +86-24-22800096
fax-no:      +86-24-22800368
e-mail:      abuse@online.ln.cn
nic-hdl:     GZ84-AP
mnt-by:      MAINT-CN-CHINANET-LN
changed:     ipgl@pub.ln.cninfo.net 20000815

Vigilante Hacker Society

History will fail to acknowledge that the Hainan Incident was also fueled by a war between legacy hacker societies in the U.S. and China. During the course of analyzing the dynamics of the exchange, we had placed test PCs on the network to be attacked so that the attacking source and technique could be clarified for the skeptics. One of the test PCs had an implanted .htm file from HUC, who wish to be known as the 'lion' crew. The Chinese lion worm which was created by this society portends a DNS attack from Aug 2001 onward which paralyzed the GovGuam network for 12 days, narrated in the redcode and nimda article posted on this website. Rudolph Villaverde.

Far Reaching Consequences of Spyplane Incident to the .GU domain network

After this incident, cyber war between the US and China became a recurring concern. To survive future attacks, the firewalled monolithic network was fractured into multiple independent network targets. The University of Guam coordinated with Joey Manibusan and Ben Camacho to disengage/divorce GovGuam from the .GU domain. With consent from DOA acting director Joey Manibusan, Acting Gov. Moylan and the federal DOT.GOV registry, UOG registered the "GUAM.GOV" domain. UOG transferred GUAM.GOV to the Dept. of Administration Data Processing DNS servers under Ben Camacho (who later created the Bureau of Information Technology). GUAM.GOV became the official network for the civilian Government of Guam. Its geographic vicinity to the military bases implies an association which makes the Government of Guam network a target for cyber attacks. In Sept 2011, Army General Keith Alexander, commander of US Cyber Command and director of the National Security Agency, articulated the inevitability of a cyber war. Source: http://www.networkworld.com/community/blog/cyber-attack-big-one-coming-says-us-cyber-com?source=NWWNLE_nit_daily_pm_2011-09-14
