Bot Battles – defense on ‘the edge’

By Dale Reagan | August 2, 2010

If you have been asleep then you missed the news about Wang Jun, the Chinese ‘Cyber Army’.  A speaker who was scheduled to discuss Wang Jun at Black Hat (USA) reportedly cancelled the presentation after pressure from the Taiwanese (and perhaps Chinese) government.  Hmmm… what you may not know is that at least one company/researcher has been documenting what seems to be a China- and possibly Taiwan-based cyber-warfare effort.  Curious now?

** Disclaimer – this post is somewhat speculative and is intended to get folks thinking about how to better manage/protect their computing systems and networks… 🙂

Oh, and what about other countries?  Are they doing similar research?  My guess is that all nations have some sort of similar activity or program(s) (of course, I do not have any personal knowledge – just a guess since it does make some sense.)

Back to China: “Operation Aurora, GhostNet, Titan Rain. Reactions were totally different in the US and in Asia. While the US media gave huge attention, Asia found it unbelievable and interesting that cyber warfare and government-backed commercial espionage efforts that have been well established and conducted since 2002, and have almost become a part of people’s lives in Asia, caused so much “surprise” in the US. Here we’ll call this organization by the name it has properly been known by for the past eight years, the “Cyber Army,” or “Wang Jun” in Mandarin. This is a study of Cyber Army based on incidents, forensics, and investigation data since 2001. Using facts, we will reconstruct the face of Cyber Army (CA), including who they are, where they are, who they target, what they want, what they do, their funding, objectives, organization, processes, active hours, tools, and techniques.” (The quote above is an extract from the Kaspersky Lab Security News site.) My guess is that this would have been quite an interesting talk – but probably not much news to anyone working in the network security arena.

So, where does that leave the ordinary Internet user?

What can you do to reduce the chance that you will be attacked, infiltrated or compromised over the network (whether by criminals or by foreign governments)?  What is your weakest/least secure network link?

Your systems/networks can be attacked from any location with a network connection (some remote desert, jungle, the coffee shop on the corner, from a mobile phone user driving on a highway…)  Any network-connected device that you have could be targeted (desktop computer, laptop, cell phone, printer, alarm system, etc.)  You may want to review other posts on this site that discuss measures that you can take (Defense in Depth.)

Things beyond your control – edge networks.

The edge (network perimeter) is a key component.  If you control/manage the edge then you significantly reduce the unsolicited traffic that can reach your systems directly.  I am defining ‘edge network’ as the external network one hop beyond your own connection point:

Visualize a set of concentric rings (like a bull’s eye) where passing through each ring (edge) leads to the next connection/edge.

If you are designing a network, chances are you will segment it in some fashion; if not, then you are most likely not managing the network and you will (most likely) spend lots of time resolving ‘network problems’.  Divide and conquer (D&C) again.  Chances are good that many ISPs divide networks geographically (esp. for large networks); I suggest taking it a bit further.

If an ISP offers more than one type of service (i.e. residential and commercial/corporate) then I would suggest that they keep these offerings on separate networks or network segments.  Why?  Simply put, so network traffic could be more easily adjusted/tweaked/managed per customer class.  For this post the emphasis is on access control lists (ACLs): what types of network connections are allowed (protocols supported), AND are there any origin/endpoint ACLs for network connections?

If I am in the US and I can document nefarious network activity from site/location/IP_Address X, then I can contact the ISP that manages that  IP address to report the problem – as long as they are in the US.  I could also contact US law enforcement about such activity.  If the ISP that manages that IP address is outside of the US then there is (most likely) little that I could do (or at least it is probably less likely that the ISP would respond to my complaint/report.)  From experience I can report that US ISPs respond well (i.e. investigate my report, confirm and remove the problem system.)  In one instance my cable modem was being scanned non-stop for 2 days – I did not get a resolution (on a  weekend) until I contacted the sales/marketing side of the business; I was not impressed with the ISP.  In most instances US ISPs are as interested as you are in stopping such rogue network/system use.  Note that I am including Web Hosting providers under the ISP umbrella – hacked web sites are a significant source of nefarious network activity.

Are ACLs (Access Control Lists) a form of censorship?

Yes and no.  It really depends on your perspective – and mine is simple:  as a cable-modem customer in the US I have little/no need for access to web sites in Asia.  It is highly unlikely that I would use my browser or other network program to directly request access to a server (or other computer) anywhere in Asia.  So, why am I seeing hundreds of network connection requests from that part of the world on my cable-modem?  I will speculate that either multiple armies of bot-nets or an army of miscreants is attempting to access computing devices on my network for nefarious purposes. What could they hope to gain?  Sensitive information?  trying to add another system to a bot-net? simply disrupting network use?   A few questions:

  1. What would happen if ISPs offered a ‘filtered’ Internet service? (ACLs of your choosing.)
    • Chances are customers would be less exposed to such activity.  Many ISPs offer free anti-virus software, which helps secure your PC/laptop but does nothing to thwart ‘network abuse’ (I would prefer an additional level of access control at the point where traffic enters my network…)
    • Businesses may prefer a more open (less restrictive) service – but if you don’t provide services or products in Asia (or other regions of the world), do you really need to expose yourself to connection attempts from there?
    • ACL example, in two strengths: (a) stateful – unless the connection was initiated from my network, deny all incoming traffic from Asia, Europe, Africa, South America and the Middle East; or (b) unconditional – deny all incoming traffic from those regions (and/or other selected GeoIP locations), which also drops the replies to requests you sent there, so (a) is the form most people actually want.
  2. What types of filtering can the Internet-street-user use?
    • In addition to anti-virus (end-point security) you could add a local network proxy, AND
    • your own set of ACLs if you have a firewall, or a router with firewall-type filtering (network access control lists).
    • Turn your ‘edge connection’ (cable/DSL modem, or the wireless NIC on your laptop) OFF when you are not using it – the bad guys can’t connect without a gateway…
    • On your PC/laptop there are tools (firewall-type filters or other methods) that can provide some level of ACL.
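The two ACL variants in item 1 above, modelled as an added example that is not from the original post. The prefix-to-country table, the continent map, the LAN range and the traffic are all constructed (RFC 5737 documentation ranges) and stand in for a GeoIP database plus a real firewall such as iptables/ipset or pf; the point is the decision logic, in particular what the ‘unless the connection initiates from my network’ clause buys you.

```python
"""Stateful, region-based ingress ACL modelled in Python.

Added example; not code from the original post. The prefix-to-country
table and all addresses are constructed from RFC 5737 documentation
ranges. A real deployment would pair a GeoIP database with a firewall
(iptables/ipset, pf) rather than this model.
"""
import ipaddress
from dataclasses import dataclass

# Constructed GeoIP table: prefix -> ISO country code.
GEOIP_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "JP",
    ipaddress.ip_network("192.0.2.0/24"): "US",
}
# Constructed country -> continent map (codes as GeoIP libraries use them).
CONTINENT = {"CN": "AS", "JP": "AS", "US": "NA", "DE": "EU", "BR": "SA"}
# The post's policy: refuse unsolicited inbound traffic from these continents.
# (The post's "Middle East" has no continent code; its countries map to AS.)
DENIED_CONTINENTS = {"AS", "EU", "AF", "SA"}
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # the home LAN, constructed


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def lookup_country(addr: str) -> str:
    """Longest-prefix match against the constructed table; '??' if no match."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, cc in GEOIP_PREFIXES.items():
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else "??"


class GeoACL:
    """Edge filter with two modes matching the two rule variants in the post.

    stateful=True : deny listed regions unless the flow was initiated inside
    stateful=False: deny listed regions outright (replies to our own requests included)
    """

    def __init__(self, stateful: bool = True):
        self.stateful = stateful
        self.flows = set()   # (proto, local_ip, local_port, remote_ip, remote_port)

    def filter(self, pkt: Packet) -> str:
        if ipaddress.ip_address(pkt.src) in LOCAL_NET:
            # Outbound: record the flow so the answer can be matched as solicited.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW-OUT"
        if self.stateful and (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW-ESTABLISHED"
        cc = lookup_country(pkt.src)
        if CONTINENT.get(cc) in DENIED_CONTINENTS:
            return f"DROP-GEO({cc})"
        # Unknown or un-denied region: falls through to whatever the host firewall does.
        return "ALLOW-NEW"


# Constructed traffic: a DNS lookup to a server in a denied region, its reply,
# then unsolicited 1434/udp probes like the ones logged in the post.
SCENARIO = [
    Packet("udp", "192.168.1.10", 40000, "203.0.113.53", 53),  # my query to a CN resolver
    Packet("udp", "203.0.113.53", 53, "192.168.1.10", 40000),  # its reply
    Packet("udp", "203.0.113.7", 1434, "192.168.1.10", 1434),  # unsolicited probe, CN
    Packet("udp", "192.0.2.9", 1434, "192.168.1.10", 1434),    # same probe from a US address
    Packet("tcp", "203.0.113.53", 80, "192.168.1.10", 40000),  # same peer, other proto: not our flow
]


def run(stateful: bool):
    """Apply one ACL variant to the scenario and return the per-packet decisions."""
    acl = GeoACL(stateful=stateful)
    return [acl.filter(p) for p in SCENARIO]


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful" if mode else "deny-all", run(mode))
```

Run stand-alone it prints the decisions for both modes. Two things to notice: the deny-all variant drops the reply to your own DNS query to a server in a denied region, so any service you deliberately use there breaks, which is why the stateful form is the deployable one; and the 1434/udp probe from a US address passes both variants, so a region filter only cuts down the noise from places you never talk to and is not a substitute for a default-deny posture on unsolicited inbound traffic. GeoIP misattribution affects both variants equally.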

What could be the result of implementing ACLs on edge networks (ISPs) as discussed above?



Some data (using GeoIP data, which can be wrong about location, so the country labels below are approximate)

Reviewing ~18 months of recent data (just looking at entries for Sundays) I have logged connection attempts to my cable-modem from ~400 unique IP addresses which appear to be located in China. On the day of this post by mid-afternoon I have logged 13 nefarious connection attempts with 11 of them appearing to be from China (along with one attempt from a US IP address and one IP address from Venezuela…)

001. |  CN, 02, Huzhou, N/A, 30.866100, 120.096397, 0, 0
002. |  CN, 02, Ningbo, N/A, 29.875000, 121.541901, 0, 0
003. |  CN, 08, Harbin, N/A, 45.750000, 126.650002, 0, 0
004. |  CN, 10, Hebei, N/A, 39.889702, 115.275002, 0, 0
005. |  CN, 10, Hebei, N/A, 39.889702, 115.275002, 0, 0
006. |  CN, 10, Hebei, N/A, 39.889702, 115.275002, 0, 0
007. |  CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
008. |  CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
009. |  CN, 22, Beijing, N/A, 39.928902, 116.388298, 0, 0
010. |  CN, 23, Shanghai, N/A, 31.004999, 121.408600, 0, 0
011. |  CN, 24, Taiyuan, N/A, 37.726898, 112.470802, 0, 0

Looking at one IP address:

  1.  Sun Nov 01 20:54:55 2009 Blocked incoming UDP packet from to myPC:1434
  2.  Sun Nov 08 14:10:48 2009 Blocked incoming UDP packet from to myPC:1434
  3.  Sun Nov 15 08:36:08 2009 Blocked incoming UDP packet from to myPC:1434
  4.  Sun Dec 13 22:12:11 2009 Blocked incoming UDP packet from to myPC:1434
  5.  Sun Dec 20 15:55:22 2009 Blocked incoming UDP packet from to myPC:1434
  6.  Sun Dec 27 08:39:37 2009 Blocked incoming UDP packet from to myPC:1434
  7.  Sun Jan 24 18:37:38 2010 Blocked incoming UDP packet from to myPC:1434
  8.  Sun Jun 13 21:47:29 2010 Blocked incoming UDP packet from to myPC:1434
  9.  Sun Jul 25 11:37:56 2010 Blocked incoming UDP packet from to myPC:1434

Looking at APNIC Whois information for the IP address, I find a very small network (4 distinct IP addresses – of course there could be hundreds of systems behind each IP):

inetnum: -
netname:      ZHU-ZHENHUA
country:      CN
descr:        Zhu Zhenhua

Additional review of log data shows the same ports with the same IP address being used in 66 different instances (beginning in September of 2009.)  Since I don’t log outbound requests I do not have an easy means to identify if some system/device on my network  may be attracting attention in some way (could be a router/switch/printer or other device – remember most of our/your network gear is manufactured in Asia – could be the vendor has a ‘phone home feature’…)
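The aggregation done in this section (hits per source address and destination port, repeat offenders over time, counts per GeoIP country) can be scripted. The following is an added example, not the author’s tooling: it parses router log lines in the format shown above, using constructed source addresses from RFC 5737 documentation ranges (the page’s own log lines have the source address omitted) and a constructed address-to-country table standing in for a GeoIP database.

```python
"""Aggregate 'Blocked incoming ... packet' router log lines.

Added example, not the post author's tooling. The log lines and the
address-to-country table below are constructed (RFC 5737 documentation
addresses); a real run would read the router's log and a GeoIP database.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"Blocked incoming (?P<proto>TCP|UDP) packet from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) to (?P<dst>\S+):(?P<dport>\d+)$"
)

# Constructed stand-in for a GeoIP lookup.
GEOIP = {"203.0.113.7": "CN", "203.0.113.88": "CN", "192.0.2.9": "US", "198.51.100.23": "VE"}

# Constructed log excerpt in the router's format (source addresses added).
SAMPLE_LOG = """\
Sun Nov 01 20:54:55 2009 Blocked incoming UDP packet from 203.0.113.7:1434 to myPC:1434
Sun Nov 08 14:10:48 2009 Blocked incoming UDP packet from 203.0.113.7:1434 to myPC:1434
Sun Nov 15 08:36:08 2009 Blocked incoming UDP packet from 203.0.113.7:1434 to myPC:1434
Sun Dec 13 22:12:11 2009 Blocked incoming UDP packet from 203.0.113.7:1434 to myPC:1434
Sun Dec 13 22:40:03 2009 Blocked incoming UDP packet from 203.0.113.88:52131 to myPC:1434
Sun Dec 20 15:55:22 2009 Blocked incoming UDP packet from 203.0.113.88:52131 to myPC:1434
Sun Jan 24 18:37:38 2010 Blocked incoming UDP packet from 192.0.2.9:1434 to myPC:1434
Sun Jan 24 19:02:10 2010 Blocked incoming TCP packet from 198.51.100.23:3921 to myPC:445
Sun Jan 24 19:02:11 2010 this line is not a firewall event
"""


def parse_line(line):
    """Return a dict for a firewall event line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%a %b %d %H:%M:%S %Y")
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev


def summarize(log_text, min_hits=3):
    """Tally blocked packets by port, source and country; list repeat (src, port) pairs."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    events = [e for e in map(parse_line, lines) if e]
    by_pair = defaultdict(list)            # (src, dport) -> timestamps
    for e in events:
        by_pair[(e["src"], e["dport"])].append(e["ts"])
    repeat = [
        {"src": src, "dport": dport, "hits": len(ts),
         "span_days": (max(ts) - min(ts)).days, "country": GEOIP.get(src, "??")}
        for (src, dport), ts in by_pair.items() if len(ts) >= min_hits
    ]
    repeat.sort(key=lambda r: (-r["hits"], r["src"]))
    return {
        "events": len(events),
        "skipped": len(lines) - len(events),   # lines that did not parse as events
        "per_port": Counter(e["dport"] for e in events),
        "per_src": Counter(e["src"] for e in events),
        "per_country": Counter(GEOIP.get(e["src"], "??") for e in events),
        "repeat": repeat,
    }


def country_table(per_country):
    """Render the per-country tally in the numbered style used in the post."""
    rows = sorted(per_country.items(), key=lambda kv: (-kv[1], kv[0]))
    return [f"{i:3d}. {n:5d}  {cc}" for i, (cc, n) in enumerate(rows, 1)]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["events"], "events,", s["skipped"], "unparsed line(s)")
    print(*country_table(s["per_country"]), sep="\n")
    for r in s["repeat"]:
        print(f'{r["src"]} ({r["country"]}) -> port {r["dport"]}: {r["hits"]} hits over {r["span_days"]} days')
```

The repeat-offender list is the part worth keeping an eye on: one address hitting the same port week after week over many weeks is the pattern described above, and it is also the input you would hand to the ISP’s abuse contact. Outbound traffic is not logged by this router, so the script cannot tell whether anything inside is attracting the attention; that would need a second log source.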

BTW, some port lists document 1434 as used by the writesrv daemon (“allows users to send messages to users on a remote system and receive responses from users on a remote system with the write command”), but the IANA registration for 1434 (TCP and UDP) is ms-sql-m, the Microsoft SQL Server monitor/resolution service, and 1434/udp was the vector for the SQL Slammer worm in 2003.  Whatever device is making the request may well be using the port in some other fashion, i.e. this simply could be a PC on a bot-net, or quite possibly a host still infected with an old worm, probing for exposed SQL Server instances.

Looking further I find ~900 requests for connections to port 1434 from ~190 unique IP addresses.

  1.   131      CN - China
  2.    20      US - United States
  3.     5      JP - Japan
  4.     5      AR - Argentina
  5.     4      RO - Romania
  6.     4      KR - Korea, Republic of
  7.     4      IT - Italy
  8.     4      IN - India
  9.     4      DE - Germany
 10.     3      BR - Brazil
 11.     2      TW - Taiwan
 12.     2      RU - Russian Federation
 13.     2      HU - Hungary
 14.     2      CA - Canada
 15.     1      TR - Turkey
 16.     1      NA - Namibia
 17.     1      CO - Colombia
 18.     1      BE - Belgium
 19.     1      AU - Australia

Note that the list above is for incoming packets (that were blocked).  Based on my log data, the numbers seem to indicate that China leads the pack in potentially nefarious network traffic.  Some other possibilities/speculation:

Bottom line:

I started this post prior to the 2010 summer Black Hat event in Las Vegas.  One article from InformationWeek is titled “Black Hat: U.S. Infrastructure Vulnerable To Cyber Attack”…  Note that the article mentions examining/monitoring the ‘edge network’; I suggest monitoring AND pulling the plug when the connection is not needed.  As always, your mileage may vary.

Update: 8/26/2010 – a previously classified 2008 incident has been disclosed that reportedly led to the US establishing a Cyber Command.


Topics: News/Events, Problem Solving, System and Network Security, Unix-Linux-Os, Web Problem Solving, Web Technologies
