Slashdot Mirror

← Back to Stories (view on slashdot.org)

Honeynet Project: Blackhat Attack Stats

Posted by ryuzaki0 on from the shivers-down-your-spine dept.

edsonw writes "The Honeynet Project published an interesting paper about their work. They say: "We are psyched to announce our newest paper , Know Your Enemy: Statistics. Based on eleven months of data, we analyze the past and attempt to predict the future (...) We demonstrate just how aggressive the blackhat community is.""

7 of 143 comments (clear)

  1. Re:Distros by ethereal · · Score: 5

    Some ideas:

    • Get on the security mailing list for your distribution, and religiously update. Some distros are better than others at keeping you informed; Debian seems to do pretty well. I don't know about RedHat.
    • You can mount /usr and /usr/local read-only to avoid some simple automated attacks, but you have to first move the /share directories off of those onto your /var partition. I tried this strategy for a while but ultimately gave it up as too cumbersome to use in the long run. I'd be interested in seeing a distribution adopt that approach in general, though.

    The 15-minute compromise was a little scary - at that rate, you don't have time to download RH 6.2 updates and apply them before your box is 0wn3d. Maybe start off with a more up-to-date distro so as to decrease the risk of attack during the install process? Or, you could download all the security updates onto an existing machine, then take down your external connection, install from the RH 6.2 CD, copy over and apply security updates, and only then bring up the link to the outside world.

    Remember: it's a "Microsoft virus", not an "email virus",

    --

    Your right to not believe: Americans United for Separation of Church and

  2. Re:Are Black Hats incredibly nice? by Restil · · Score: 5

    What makes you think that they're not USING your system? Certainly, they might not be formatting your HD or erasing your files, but consider the fact that if they have root access to your machine and you don't know about it, then its a perfect location to work from while they scan and exploit other systems.

    While they have access to your systems, they can also sniff out passwords and gain access to other systems on your network, they can eavesdrop or log outgoing traffic and listen for something interesting, all of which they can do without ever making themselves known to the victim.

    The attacker may never do anything "malicious" to a system that he comprimises, but I can tell you for sure, no part of his activities can be attributed to "good will".

    -Restil

    --
    Play with my webcams and lights here
  3. Re:Nice work - anyone like to automate it?? by Pinball+Wizard · · Score: 5
    The problem with secure Linuces is they are pretty boring for most people. With Red Hat, you get so many bells and whistles with the basic install. In case you haven't noticed, features sell software, not security.

    In fact, the best, most secure OS's have hardly any features at all other than basic command line programs. To create a secure system, you should start with a stripped down OS and only turn on the services and run programs that you need. That way, you know your system and everything that is running on it.

    Start out with the basic Debian system(~15MB), and add the software you want. You'll have to understand any services you run(HTTP, FTP, SSH, etc) and you'll have to install and enable those services yourself.

    Even better, go with OpenBSD. There hasn't been an OpenBSD box(default install anyway) that has been rooted in the last 4 years. With this report that shows how boxes are routinely scanned in the first 72 hours they are on the net, the OpenBSD statistic looks very impressive.

    As long as bells and whistles sell software, we will always have security problems. I don't see the emphasis on features going away anytime soon either. Thus, security professionals will always be in demand and stories about crackers and virus authors will continue to be commonplace.

    --

    No, Thursday's out. How about never - is never good for you?

  4. Answer for the little guys: firewall. by aussersterne · · Score: 5

    I'm a fairly proficient Unix/Linux admin, and I was fighting script kiddies left and right on my home machine for several years (I got rooted twice over three years). I was running my main Linux box with masquerading and filtering for a couple of other PCs and my laptop, at first on ISDN and then on cable. The only reason I didn't install a dedicated firewall at home all that time was because it felt cumbersome, like it would take up extra space and electricity and just be overkill for the small "home" network sitting behind it.

    But finally I just got tired of being scanned all the time and seeing people always trying things, so (not wanting to shell out $$$ for a commercial firewall/router), I got some spare parts: a 486DX4/100 board, 16MB ram, a floppy, and two 3Com 3c509 cards. Basically, spare parts.

    I bolted the parts all into a cardboard box (it works, just find a stiff box, poke holes in it with a screw driver, and use washers with your screws). Then, I put Freesco (which is Linux-based) on a floppy disk and put the box between my local network and the outside world.

    It's been running for a year now and I haven't even thought about it since. Not a single outsider has even come close to touching my PCs -- the Freesco 486-cardboard-box firewall/router has worked very well and I have yet to have to manually reboot it.

    --
    STOP . AMERICA . NOW
  5. Fascinating paper - blackhat determination is... by hillct · · Score: 5
    I'm not all that suprised at the agressiveless of blackhats. There are some extremely frightening statistics though:
    we estimate the life expectancy of a default installation of Red Hat 6.2 server to be less then 72 hours. The last time we attempted to confirm this, the system was compromised in less than eight hours. The fastest time ever for a system to be compromised was 15 minutes. This means the system was scanned, probed, and exploited within 15 minutes of connecting to the Internet.
    I've been doing home network consulting in an unofficial capacity, for my co-workers at a major telecom equipment company - where you'd epect the engineering staff to be extremely technically knowlegable - and I've been frightened to find the number of home users - even technical people - who don't realize the need for proper security. It indicates a great failure of user education in the internet comunity. I hope this paper serves as a wakeup call to users, but it must be covered in mainstream media outlets for that to happen

    --CTH
    --

    --Got Lists? | Top 95 Star Wars Line
  6. The real enemy by Rick+the+Red · · Score: 5
    Know Your Enemy: Statistics

    I don't need a Honeynet Project whitepaper to tell me that Statistics is my enemy. I learned that in school years ago!

    --
    If all this should have a reason, we would be the last to know.
  7. Re:Are Black Hats incredibly nice? by Tloluvin · · Score: 5

    They _do_ use your system.

    In _exactly_ the way Restil speculates.

    I do security work at a large, stable not.dot.com. I'm the guy who goes through the IDS and firewall logs. Every single working day. Every day, I see anywhere from two to a dozen probes. _Every_ _friggin_ _day_! Blackhats just scan and scan and scan. Looking for the chump who left his network services turned on after a default install (Redhat version). Or the chump who didn't turn off file sharing (NT version). The ones whose handiwork falls under my eyes generally know very little about the systems and networks they target. They really don't need to. They make up for it in volume and persistence. See a new netblock? Scan it on port 111! You might get lucky! Some box you check out may have that port open! If so, try a nice rpc.statd exploit! The facts that _this_ netblock consists entirely of boxes with that service turned _off_, and that the firewall is configured to drop packets sent to port 111 on the floor anyway, is not a problem. The Internet is just _full_ of populated netblocks! Two seconds later, your script just checks out the next one on the list. While _you_ chat on IRC with your fellow lowlives. :-)

    Once a vulnerable box is found, exploitation is swift. 0wned.

    And then? Well, you probably have no _idea_ of the number of host sweeps like the above mentioned, that I have seen the firewall log records of, where the source and destination ports are identical and privileged (i.e., below 1024). That almost always means that the IP this traffic came from has, itself, been compromised. The poor bastard who is the owner-of-record has no clue what purposes the iron he payed good money for is being used for. None.

    The first time I ever spotted a host sweep in a log, I made a point of finding out as much as possible about the IP of origin. I scanned it, I checked out whether I could connect to ports 21, 23, and 25 (ftp, telnet and mail .. I could), etc. I didn't try to gain _access_. That _is_ hacking, which I despise. But I _did_ try to gain _information_. It was so fucking sad, the picture I finally assembled. The attack came from a RedHat 6.0 box run out of a little one-lung web hosting company in Anaheim. The place was so small that the Administrative, Technical, and Billing contacts I saw in the whois output were all the same guy! No firewall that I could find. The DNS records just _sitting_ _there_, all the routers with router-type names, and functionality blurted out in HINFO records, for Christ's sake! The RedHat itself box was just completely wide open. The connect to port 23 just gave the OS major and minor revisions away. Ditto port 25. And port 21 just about made me fucking cry. It was .. you guessed it .. wuftpd. The banner gave up the branding and version .. which was vulnerable as hell to remote root compromise. How long do you think the blackhat that rooted this box took to get in? 10, maybe 15 minutes, from first discovery? Less?

    That's the picture which has formed in my mind. A world just _full_ of boxes put together by very busy well-meaning, trusting people who just don't _understand_ just how _fast_ they will be rooted if they don't spend some serious quality time to think about how they are going to secure what they build.

    Its the Wild West out there folks. Really.

    BTW, much as I love Linux, OpenBSD-based firewalls just _ROCK_! Ipfilter is _so_ much better than even iptables that there is absolutely no comparison. My firewall resides on an old Pentium-90 shitbox that I bought for $50. It's fast enough for my dialup line. If you have a 24/7 broadband connection, consider an IDS. If snort is good enough for Stephen Northcutt ("Mr. IDS" to peons like me and most of the folks reading this :-), then its bloody well good enough for others. And the price is right. :-) If you are looking for an Industrial Strength IDS for the enterprise, I have only one word of advice: stay the HELL away from RealSecure. _Really_.

    "Let's stay safe out there."

    BTW, Hemos: thanks a million for the link. I printed out the whole article (5 pages) and tacked it to the outside of my cube. I also sent the link to my boss, my bosses boss, and the lady who is in charge of security awareness in my outfit. Yes, that means that the dozen or so folks I work with now know my Secret Identity. :P