Detecting kernel intrusion attacks through network monitoring

Learn how to detect kernel intrusion attacks by monitoring your network closely and thoroughly.

Nick Lewis

For the last month or so I have been experiencing regular kernel intrusion attacks, apparently emanating from numerous different IPs worldwide. I am getting the information from my router firewall security log. Within these attacks, I also get the occasional scanner and land attack. After investigating, my ISP has suggested I refer the matter to the police e-crime unit, which I have done. However, I don't think they will do much.

My ISP did move me from a dynamic IP to a fixed IP, but the attacks continued. I have run exhaustive antivirus and antispyware checks on my LAN comps, which are all clean. I run ESET on the PCs and have a local server, although the server was not online when I changed IP address. How can this happen, and do you have any suggestions?

Other than entries in your router firewall logs, why do you think there is an issue? What issues have you identified on your systems from these attacks? It sounds like most of these entries in your logs have just been notifications of blocked attacks. The reason you haven't gotten any response from the police e-crime unit is probably because you can't show any harm, loss or actual intrusion. The usage of a dynamic or static IP will not stop these types of kernel intrusion attacks if they are not targeting you or your IP address.

The attacks are most likely targeting a large number of IPs or networks so changing your IP will not stop the scans because the attackers will eventually scan your new IP.

If you still think that your systems are under targeted attacks or have other evidence of a kernel intrusion attack, your next step should be examining the network traffic in more depth. You may want to scan your systems with different antimalware software than you are currently using or perform the scans in safe mode, Monitoring for unexpected network traffic can help determine if systems have some type of malware that is stopping the antimalware software from working.

Make sure you have the appropriate authorization to monitor your network. There are a number of open source tools that can be used for network monitoring by simply running a bootable live CD off an unused computer. You may want to monitor your network for a couple days to get a good sample of traffic to analyze, but the more traffic you capture, the more effort it will be to analyze the data. Look for traffic originating from one of your computers when it's not in use. You will most likely see some traffic to Microsoft, your antimalware vendor for updates or new antimalware definitions, or other similar legitimate background operations. You may want to start with a short time period to get a sense of the network traffic on your network and then expand from there. You will need to mirror or get a copy of the traffic to the computer doing the monitoring so you can analyze the traffic and determine if anything suspicious is traversing your network.

This was last published in May 2010

Detecting kernel intrusion attacks through network monitoring

Learn how to detect kernel intrusion attacks by monitoring your network closely and thoroughly.

Dig Deeper on Real-time network monitoring and forensics

VoIP migration requires telephony network planning, security scrutiny

How can organizations address VoIP security threats?

The top 7 enterprise IoT risks to consider

The importance of securing endpoints with antimalware protection

Related Q&A from Nick Lewis

What are the benefits and challenges of cloud penetration testing?

What are the best criteria to use to evaluate cloud service providers?

What is the best way to write a cloud security policy?

Start the conversation

0 comments

Please create a username to comment.

SearchCloudSecurity

Prevent cloud account hijacking with 3 key strategies

Security for SaaS applications starts with collaboration

An inside look at the CCSP cloud security cert

SearchNetworking

How to secure remote access for WFH employees

What's involved in VPN maintenance and management?

The pros and cons of 5G networks

SearchCIO

Enterprise architect job still requires IT in critical role

Holy Grail still elusive in enterprise architecture strategy

Ensuring your cybersecurity teams are helping the business

SearchEnterpriseDesktop

Evaluate if Chromebooks are secure enough for business use

Set up Windows Remote Desktop on a Mac device

Microsoft Endpoint Manager gets better Mac, iPad management

SearchCloudComputing

Microsoft's Azure Arc reaches GA milestone

Top 6 complexity challenges of operating a cloud at scale

When -- and when not -- to use cloud native security tools

ComputerWeekly.com

‘Not unjust’ to extradite WilkiLeaks founder Julian Assange, court hears

Digital safeguarding of physical workspaces can help employees return to 'normal'

UK government sets up task force to address comms tech ‘market failure’