Honeynet Project: Blackhat Attack Stats
edsonw writes "The Honeynet Project published an interesting paper about their work. They say: 'We are psyched to announce our newest paper, Know Your Enemy: Statistics. Based on eleven months of data, we analyze the past and attempt to predict the future (...) We demonstrate just how aggressive the blackhat community is.'"
The fastest time ever for a system to be compromised was 15 minutes.
/. stories are compromised within 21 seconds of being posted.
So what? Nearly all
Result: 0 break-ins for a huge number of attempts. NetBIOS, rpc, dns, and a LOT of ftp attempts.
Not surprisingly I'm AC'ing this post to preserve a) bandwidth b) sanity and c) track record.
I'm VERY grateful to Theo DeRaadt and his crew and the contributors for doing such an amazingly good job. More power to them.
Some ideas:
The 15-minute compromise was a little scary - at that rate, you don't have time to download RH 6.2 updates and apply them before your box is 0wn3d. Maybe start off with a more up-to-date distro so as to decrease the risk of attack during the install process? Or, you could download all the security updates onto an existing machine, then take down your external connection, install from the RH 6.2 CD, copy over and apply security updates, and only then bring up the link to the outside world.
A simple analysis I would like to see would be to correlate the probes and attacks over the time of the week when they occurred, with granularity measured to the hour, possibly with a 3-hour moving averages. This is likely to provide significant results.
I once analysed the spam I received over the course of a month, and even this very limited data set revealed clearly that more spam is sent on weekends, with Sunday recording twice as much spam as Thursday. Probes and attacks are likely to follow a similar statistical pattern, in part because spammers and blackhats are an overlapping community.
--
The only thing necessary for the triumph of evil is for good men to do nothing. - Edmund Burke
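The hour-of-week correlation with a 3-hour moving average proposed above, as an added example (not from the thread or the Honeynet paper). It runs on a constructed probe stream with a weekend bump, so the real analysis would only swap in timestamps pulled from firewall logs.

```python
from collections import Counter
from datetime import datetime, timedelta

HOURS_PER_WEEK = 7 * 24
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

def hour_of_week(ts):
    """Slot 0 is Monday 00:00-00:59, slot 167 is Sunday 23:00-23:59."""
    return ts.weekday() * 24 + ts.hour

def probe_histogram(timestamps):
    """Probe count per hour-of-week slot, aggregated over the whole observation period."""
    counts = Counter(hour_of_week(t) for t in timestamps)
    return [counts.get(h, 0) for h in range(HOURS_PER_WEEK)]

def moving_average(series, window=3):
    """Centered moving average over a circular week, so Sunday night smooths into Monday."""
    n, half = len(series), window // 2
    return [sum(series[(i + k) % n] for k in range(-half, half + 1)) / window
            for i in range(n)]

def per_day(histogram):
    """Roll the 168 hourly slots up to seven daily totals (Mon..Sun)."""
    return [sum(histogram[d * 24:(d + 1) * 24]) for d in range(7)]

def peak_slots(smoothed, top=3):
    """The `top` busiest slots as (day, hour, smoothed count), busiest first."""
    order = sorted(range(len(smoothed)), key=lambda h: (-smoothed[h], h))
    return [(DAYS[h // 24], h % 24, smoothed[h]) for h in order[:top]]

def synthetic_probes(start=datetime(2001, 6, 4), weeks=2):
    """Constructed input, not real data: one probe per weekday hour, two per weekend hour."""
    probes = []
    for i in range(weeks * HOURS_PER_WEEK):
        t = start + timedelta(hours=i)
        probes.extend([t] * (2 if t.weekday() >= 5 else 1))
    return probes

if __name__ == "__main__":
    hist = probe_histogram(synthetic_probes())
    for day, total in zip(DAYS, per_day(hist)):
        print(f"{day}: {total} probes")
    print("busiest smoothed slots:", peak_slots(moving_average(hist)))
```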
Yes, I bought a bumper sticker at Defcon that reads "My other computer is your linux box."
What makes you think that they're not USING your system? Certainly, they might not be formatting your HD or erasing your files, but consider the fact that if they have root access to your machine and you don't know about it, then it's a perfect location to work from while they scan and exploit other systems.
While they have access to your systems, they can also sniff out passwords and gain access to other systems on your network, they can eavesdrop or log outgoing traffic and listen for something interesting, all of which they can do without ever making themselves known to the victim.
The attacker may never do anything "malicious" to a system that he compromises, but I can tell you for sure, no part of his activities can be attributed to "good will".
-Restil
o There doesn't really exist a distro in the Linux realm that has a high focus on security. There are things like Bastille Linux which is a good overall Q&A tool that will really help you, but I eventually ended up learning ipchains from the command line.
o Snort appears to be the de facto Intrusion Detector right now. There are a couple of different snort rulesets that you can use out there. You won't have much luck interpreting them unless you find a TCP/IP book to read them.
o No. I don't know of an easy way. I think it's pretty hard.
o What's the point?
The point was that the HoneyNet leaves holes in their firewalls and their boxes. They turn on sharing in the Win98 box so they can monitor and detect the traffic and the new techniques. A default RedHat 6.2 box not firewalled is pointless. A RedHat 6.2 box with the latest security updates and with a firewall or with some nifty IPchains rules is still pretty good.
The point is that if you use 6.2, you need to lock it down before you go letting it serve your email, or your webpage, or your dns domain. Heck, and it's not just 6.2. Both 7.0 and 7.1 do have security flaws in them.
A better project would be one that had a lot of machines from various volunteers all over the internet set up and collecting statistics. That way, no one could tell just by looking at the IP address whether a machine was part of the project or not. A more random sampling like that would give a much more accurate picture of how often the average machine-on-net can expect to be attacked.
Free Hans!
To summarize: Yes, but you can't launch outgoing attacks from any of the honeynet machines (they're careful that way).
-Renard
Set the machine up behind NAT. Or, install it and turn off all of the services (use lsof -i to check) and then download the patches.
I would like to see a correlation study of this information against postings to BugTraq. Information can be a two-edged sword.
In fact, the best, most secure OS's have hardly any features at all other than basic command line programs. To create a secure system, you should start with a stripped down OS and only turn on the services and run programs that you need. That way, you know your system and everything that is running on it.
Start out with the basic Debian system (~15MB), and add the software you want. You'll have to understand any services you run (HTTP, FTP, SSH, etc) and you'll have to install and enable those services yourself.
Even better, go with OpenBSD. There hasn't been an OpenBSD box (default install anyway) that has been rooted in the last 4 years. With this report that shows how boxes are routinely scanned in the first 72 hours they are on the net, the OpenBSD statistic looks very impressive.
As long as bells and whistles sell software, we will always have security problems. I don't see the emphasis on features going away anytime soon either. Thus, security professionals will always be in demand and stories about crackers and virus authors will continue to be commonplace.
No, Thursday's out. How about never - is never good for you?
Of course, it is not Linux, but there is always OpenBSD. OpenBSD supports binary emulation of most programs from SVR4 (Solaris), FreeBSD, Linux, BSD/OS, SunOS and HP-UX.
That said, I tend to advocate being exposed to as many distros and variants as possible. Load em up on a spare box, blow them up, etc.
Educational, if nothing else.
"It is a greater offense to steal men's labor, than their clothes"
If it's anything like what happens where I work (we're a manufacturing company in a non-tech related company), even the machines without DNS entries get scanned regularly. Most of the time, it looks like they're just scanning a single port on a range of IP addresses in order (our firewall has a pair of sequential addresses assigned to it, so both attempts show up right next to each other in the log file). My guess is that they aren't even bothering with DNS -- they're just scanning anything and everything that might have a security hole in it.
I'm a fairly proficient Unix/Linux admin, and I was fighting script kiddies left and right on my home machine for several years (I got rooted twice over three years). I was running my main Linux box with masquerading and filtering for a couple of other PCs and my laptop, at first on ISDN and then on cable. The only reason I didn't install a dedicated firewall at home all that time was because it felt cumbersome, like it would take up extra space and electricity and just be overkill for the small "home" network sitting behind it.
But finally I just got tired of being scanned all the time and seeing people always trying things, so (not wanting to shell out $$$ for a commercial firewall/router), I got some spare parts: a 486DX4/100 board, 16MB ram, a floppy, and two 3Com 3c509 cards. Basically, spare parts.
I bolted the parts all into a cardboard box (it works, just find a stiff box, poke holes in it with a screwdriver, and use washers with your screws). Then, I put Freesco (which is Linux-based) on a floppy disk and put the box between my local network and the outside world.
It's been running for a year now and I haven't even thought about it since. Not a single outsider has even come close to touching my PCs -- the Freesco 486-cardboard-box firewall/router has worked very well and I have yet to have to manually reboot it.
STOP . AMERICA . NOW
...just how often attempts are made on systems. My webserver runs RedHat 6.2 and ipchains, and so does my home firewall (cable modem). I constantly see NetBIOS attempts, which of course have no effect. My home system has a dynamic IP, but I get about the same number of attempts on both setups (about 30 attempts per day), all unique source IPs, most resolving to DSL and cable providers.
A friend using dialup receives about 20 attempts per day, also Linux/ipchains, and of course also dynamic IP. This is most likely random scans for vulnerable Windoze boxen...
I have to wonder, with 20 to 30 attempts per day on my own systems, how many Windoze boxen are compromised each day, with the owner probably knowing nothing about it? I suspect the attackers would install a trojan of some sort for later use...
I also log other attempts, but it seems the NetBIOS ones are the most common. They all follow the same pattern, with three attempts. The second attempt is 2 seconds after the first, and the third 1 second later (mind you, ipchains is set to DENY, so the attacker apparently has a very short timeout set). The pattern suggests either the same hacker tool in use, or (more likely IMO) perhaps a worm seeking more systems to infect...
I just find this disturbing; more and more home users run Windoze with cable/xDSL and are staying connected all the time, with no firewalling. Some run home networks and thus have NetBIOS enabled over TCP/IP...
I'm not sure what my point is, other than to corroborate with the article. Security by obscurity especially doesn't apply in this case (I have a dynamic IP thus it's not likely I'll be attacked - which is no longer the case). Not to mention the false sense of security some Linux users have (eg, those who install RedHat 6.2 and keep all defaults, with FTP/telnet open, etc). I've seen many a stock RH box compromised in less than a week.
- Jman
--CTH
Really there isn't, I always keep a good old ax right next to the cat5 going to the router, and if there's ever hacking going on, BAM chop dat sucka into pieces and the bitch never knows what happened
I don't need a Honeynet Project whitepaper to tell me that Statistics is my enemy. I learned that in school years ago!
If all this should have a reason, we would be the last to know.
A cardboard box? What extravaganza! In my day we were lucky to find a grocery bag to throw the parts in.
A grocery bag? What luxury! When I was a kid, we were lucky if we had a nail to bolt the motherboard to the wall.
Nail and board? When I was a kid, we had to make our own transistors, write an assembler, nick a car battery, and if we were lucky, we'd find a piece of string to hold the bits together.
-- Another senseless waste of fine bytes.
Anthony Staines
"The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet."
Wow. If that's true, this is just crazy.
My question is, when are distros going to start shipping with all services turned off by default? I can't imagine that any newbie is going to want to have finger, ftp, sendmail, etc running on their box. And for power users (like me), the very first thing I always do is go and turn off every single service.
While informative, the paper was a little above the level of reading for those of us who are uhhh "budding" security experts. I've found this problem when trying to install an intrusion detection system on my RH6.2 486 box.
Anyone have suggestions for references on an easy-to-install intrusion detection system? Maybe with a GUI?
Are there any distros with security tools installed by default?
Anyone know of an easy way to image a system setup I like, boot it off a CDROM then mount in disks for data?
Besides, if these boxen were compromised in hours, what's the point?
They _do_ use your system.
In _exactly_ the way Restil speculates.
I do security work at a large, stable not.dot.com. I'm the guy who goes through the IDS and firewall logs. Every single working day. Every day, I see anywhere from two to a dozen probes. _Every_ _friggin_ _day_! Blackhats just scan and scan and scan. Looking for the chump who left his network services turned on after a default install (Redhat version). Or the chump who didn't turn off file sharing (NT version). The ones whose handiwork falls under my eyes generally know very little about the systems and networks they target. They really don't need to. They make up for it in volume and persistence. See a new netblock? Scan it on port 111! You might get lucky! Some box you check out may have that port open! If so, try a nice rpc.statd exploit! The facts that _this_ netblock consists entirely of boxes with that service turned _off_, and that the firewall is configured to drop packets sent to port 111 on the floor anyway, are not a problem. The Internet is just _full_ of populated netblocks! Two seconds later, your script just checks out the next one on the list. While _you_ chat on IRC with your fellow lowlives.
Once a vulnerable box is found, exploitation is swift. 0wned.
And then? Well, you probably have no _idea_ of the number of host sweeps like the above mentioned, that I have seen the firewall log records of, where the source and destination ports are identical and privileged (i.e., below 1024). That almost always means that the IP this traffic came from has, itself, been compromised. The poor bastard who is the owner-of-record has no clue what purposes the iron he paid good money for is being used for. None.
The first time I ever spotted a host sweep in a log, I made a point of finding out as much as possible about the IP of origin. I scanned it, I checked out whether I could connect to ports 21, 23, and 25 (ftp, telnet and mail .. I could), etc. I didn't try to gain _access_. That _is_ hacking, which I despise. But I _did_ try to gain _information_. It was so fucking sad, the picture I finally assembled. The attack came from a RedHat 6.0 box run out of a little one-lung web hosting company in Anaheim. The place was so small that the Administrative, Technical, and Billing contacts I saw in the whois output were all the same guy! No firewall that I could find. The DNS records just _sitting_ _there_, all the routers with router-type names, and functionality blurted out in HINFO records, for Christ's sake! The RedHat box itself was just completely wide open. The connect to port 23 just gave the OS major and minor revisions away. Ditto port 25. And port 21 just about made me fucking cry. It was .. you guessed it .. wuftpd. The banner gave up the branding and version .. which was vulnerable as hell to remote root compromise. How long do you think the blackhat that rooted this box took to get in? 10, maybe 15 minutes, from first discovery? Less?
That's the picture which has formed in my mind. A world just _full_ of boxes put together by very busy well-meaning, trusting people who just don't _understand_ just how _fast_ they will be rooted if they don't spend some serious quality time to think about how they are going to secure what they build.
It's the Wild West out there folks. Really.
BTW, much as I love Linux, OpenBSD-based firewalls just _ROCK_! Ipfilter is _so_ much better than even iptables that there is absolutely no comparison. My firewall resides on an old Pentium-90 shitbox that I bought for $50. It's fast enough for my dialup line. If you have a 24/7 broadband connection, consider an IDS. If snort is good enough for Stephen Northcutt ("Mr. IDS" to peons like me and most of the folks reading this :-), then it's bloody well good enough for others. And the price is right. :-) If you are looking for an Industrial Strength IDS for the enterprise, I have only one word of advice: stay the HELL away from RealSecure. _Really_.
"Let's stay safe out there."
BTW, Hemos: thanks a million for the link. I printed out the whole article (5 pages) and tacked it to the outside of my cube. I also sent the link to my boss, my boss's boss, and the lady who is in charge of security awareness in my outfit. Yes, that means that the dozen or so folks I work with now know my Secret Identity.
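An added example (not from any poster) of reading the two log patterns described in this thread out of firewall DENY records: Jman's three NetBIOS attempts spaced 2 seconds then 1 second apart, and the host sweeps above whose source and destination ports are identical and below 1024. The line layout follows the ipchains kernel "Packet log:" format as I remember it, and every host, time and counter in the sample is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed lines in ipchains "Packet log:" style; hosts, times and counters are made up.
SAMPLE_LOG = """\
Jun  3 02:11:40 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:3421 192.0.2.10:139 L=48 S=0x00 I=1 F=0x4000 T=128 SYN (#5)
Jun  3 02:11:42 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:3421 192.0.2.10:139 L=48 S=0x00 I=2 F=0x4000 T=128 SYN (#5)
Jun  3 02:11:43 fw kernel: Packet log: input DENY eth0 PROTO=6 10.1.2.3:3421 192.0.2.10:139 L=48 S=0x00 I=3 F=0x4000 T=128 SYN (#5)
Jun  3 02:15:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:111 192.0.2.10:111 L=40 S=0x00 I=4 F=0x0000 T=50 SYN (#7)
Jun  3 02:15:01 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:111 192.0.2.11:111 L=40 S=0x00 I=5 F=0x0000 T=50 SYN (#7)
Jun  3 02:15:02 fw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:111 192.0.2.12:111 L=40 S=0x00 I=6 F=0x0000 T=50 SYN (#7)
Jun  3 02:20:10 fw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:40123 192.0.2.10:22 L=60 S=0x00 I=7 F=0x4000 T=64 SYN (#9)
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ (?P<action>\w+) \S+ "
    r"PROTO=\d+ (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)")

def parse(log, year=2001):
    """One dict per parseable line; syslog omits the year, so the caller supplies it."""
    records = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        r = m.groupdict()
        r["ts"] = datetime.strptime(f"{year} {r['ts']}", "%Y %b %d %H:%M:%S")
        r["sport"], r["dport"] = int(r["sport"]), int(r["dport"])
        records.append(r)
    return records

def netbios_retry_bursts(records, gaps=(2.0, 1.0)):
    """(src, dst, first_seen) for three port-139 denies spaced 2 s then 1 s apart."""
    by_pair = defaultdict(list)
    for r in records:
        if r["dport"] == 139:
            by_pair[(r["src"], r["dst"])].append(r["ts"])
    hits = []
    for (src, dst), times in by_pair.items():
        times.sort()
        for a, b, c in zip(times, times[1:], times[2:]):
            if ((b - a).total_seconds(), (c - b).total_seconds()) == gaps:
                hits.append((src, dst, a))
    return hits

def privileged_port_sweeps(records, min_targets=3):
    """Sources hitting >= min_targets hosts with source port == destination port < 1024."""
    targets = defaultdict(set)
    for r in records:
        if r["sport"] == r["dport"] < 1024:
            targets[(r["src"], r["dport"])].add(r["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}
```

A hit from `privileged_port_sweeps` is the signature the poster reads as "the source itself is probably compromised", which is a reason to notify that network's contact rather than to probe back.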