Slashdot Mirror


Internet Storm Center Tracks Hack Attacks

An Anonymous Coward writes: "It looks like Incidents.org has a new offspring, the Internet Storm Center. The Internet Storm Center uses data from DShield.org to track hack attacks all over the world. Some of the interesting trivia: While usually China has a bad reputation for the volume of attacks coming from it, the US outpaces China by a lot. Actually, China only comes in at #6. So much for the great security boost the US gets from using genuine Microsoft software."

55 comments

  1. Is this thing on? by iamnotcreative · · Score: 0, Redundant

    Wow, two stories after this and not a single post to this topic (as I post this anyway). Is it that people really aren't interested, or is something wrong?

    --


    What, you expect something witty here?
    1. Re:Is this thing on? by iamnotcreative · · Score: 1

      I knew that would happen! Seriously, this is some interesting stuff. I love this little tidbit too...

      Widespread port 80 scans are still dominating all other activity. These scans appear to be caused by remaining Nimda/Code Red activity.

      These damn things are still running around generating that much traffic?

      --


      What, you expect something witty here?
    2. Re:Is this thing on? by Anonymous Coward · · Score: 0

      I was wondering the same thing. How odd.

    3. Re:Is this thing on? by compwiz3688 · · Score: 1

      Hell yeah... I thought the CodeRed was supposed to go to sleep after September 2001, but I'm still getting these attacks.

    4. Re:Is this thing on? by Anonymous Coward · · Score: 0

      [root@gw cron.hourly]# grep -c DPT=80 /var/log/messages
      2301
      [root@gw cron.hourly]# grep -c DPT=80 /var/log/messages.1
      2945
      [root@gw cron.hourly]# grep -c DPT=80 /var/log/messages.2
      2024
      [root@gw cron.hourly]# grep -c DPT=80 /var/log/messages.3
      3833
      [root@gw cron.hourly]# grep -c DPT=80 /var/log/messages.4
      6218

      Looks almost like 17,000 probes this month alone. Note: this is the number of syn packets captured, NOT the number of unique IP addresses.
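
The caveat in the comment above (SYN packets, not unique sources) is worth making precise, since a plain substring grep for `DPT=80` also matches `DPT=8080` and counts ACK/RST packets that are not probes at all. The following is an added example, not code from the original post: it parses netfilter kernel log lines with awk, keeps only TCP SYN packets to the requested port, and reports both the packet count and the number of distinct source addresses. The log lines in `SAMPLE_LOG` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): count port-80 SYN probes in
# netfilter/iptables kernel log lines, distinguishing packets from unique
# source addresses. The log lines below are constructed for the example.

SAMPLE_LOG='Jul 12 10:01:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=112 ID=1 DF PROTO=TCP SPT=3412 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 12 10:01:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TTL=112 ID=2 DF PROTO=TCP SPT=3413 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 12 10:02:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TTL=101 ID=9 DF PROTO=TCP SPT=1055 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 12 10:03:30 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TTL=101 ID=10 DF PROTO=TCP SPT=1056 DPT=8080 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 12 10:04:00 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=48 TTL=115 ID=3 DF PROTO=TCP SPT=2222 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Jul 12 10:04:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 LEN=40 TTL=115 ID=4 DF PROTO=TCP SPT=2222 DPT=80 WINDOW=16384 RES=0x00 ACK URGP=0'

# The naive count from the post: every line containing the substring DPT=80.
# It also matches DPT=8080 and non-SYN packets, so it overcounts.
naive_count() {
    grep -c 'DPT=80'
}

# probe_stats PORT: reads log lines on stdin and prints
# "<syn packets> <unique sources>" for TCP SYN (no ACK) packets to PORT.
probe_stats() {
    awk -v port="$1" '
        /PROTO=TCP/ && / SYN / && !/ ACK / {
            dpt = ""; src = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i ~ /^SRC=/) src = substr($i, 5)
            }
            # exact port match: "8080" is not "80"
            if (dpt == port && src != "") {
                pkts++
                if (!(src in seen)) { seen[src] = 1; uniq++ }
            }
        }
        END { printf "%d %d\n", pkts + 0, uniq + 0 }
    '
}

printf 'naive grep count:           %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | naive_count)"
printf 'SYN packets / sources (80): %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | probe_stats 80)"
```

On a real gateway the same function runs as `probe_stats 80 < /var/log/messages`; on the constructed sample the naive grep reports 6 hits while only 4 are SYN probes to port 80, from 3 distinct sources.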

  2. Internet Weather Report by CmdrTaco+(editor) · · Score: 1, Troll
    This reminds me of the Internet Weather Report, which I've only found to be useful when genius construction crews disrupt a backbone with a backhoe.

    I think the most useful aspect of this could be a combination of the hack attack report and the internet weather report to see whether a server is simply suffering from technical issues or is being DOS'ed.

  3. Nimda/Code Red generated traffic !! by BakaMark · · Score: 1
    Yep, both Nimda and Code Red are still out there banging away at peoples doors trying to get in.

    It looks as if the owners of the computers in question have not noticed that their systems are still compromised. Or if they have noticed, they are in no real position to do anything about it. I consider the former to be the most likely situation.

  4. It's missing something. by Guido69 · · Score: 1

    No category to track the /. effect.

    --
    - If we aren't supposed to eat animals, then why are they made out of meat? - Steven Wright
    1. Re:It's missing something. by mr_exit · · Score: 2, Funny

      slashdot has a built in list of sites currently being slashdotted..... its called the /. front page

      --

      -------
      Drink Coffee - Do Stupid Things Faster And With More Energy!
  5. incorrect by i+like+your+eyes · · Score: 2, Informative

    Actually, China only comes in at #6.
    US 222907
    DE 68478
    TH 65644
    EU 65612
    GB 53130
    KR 42523
    CN 42291

    As far as I can tell, it's coming in at number 7.

    --

    There's no emoticon for what I'm feeling!
    1. Re:incorrect by ChenLing · · Score: 1

      Don't you know that we programmers start counting at number 0? :)
      Either that or China just conquered South Korea and claimed their country code. ;)
      On a different note, I'm surprised that Thailand beat China.
      I wonder how accurate this is. They seem to be just doing a reverse lookup on IPs, many of which are probably faked.

      --
      "You have the option of insanity. I do not. And that makes me crazy!" - Brian to Angela, My So-Called Life
    2. Re:incorrect by Anonymous Coward · · Score: 1, Informative
      KR 42523
      CN 42291
      Seeing as how the difference between Korea's and China's listings in your citation is less than 300 incidents, I'd wager that when the story was submitted, China was at #6.

      The only thing that surprises me is that Romania isn't in the top 5. I'm sitting on a cable modem and I've been running Snort for the hell of it for about 6 months. I get more hack/crack/exploit attempts from Romanian hosts (.ro) than from any other TLD, including all the probes from .com, .net, and .org combined. Romania appears to be a hotbed of crackers, and in some cases I've traced intrusion attempts directly to Romanian ISPs. Not their customers, but the ISPs themselves, e.g. the www host for certain .ro providers.

      Germany's placement doesn't surprise me at all, though. If I had a dollar for every t-online.de user who tried to crack my FTP, I'd be richer than Bill Gates. I'm not sure what it is about Germans and FTP probes, but that's all they try to access on my box, and they try it more than anyone else. If I could host beer.ftp.my.in-addr.arpa I surely would, but I can't. Sorry, Germany!
    3. Re:incorrect by fryan33 · · Score: 1

      Not if you start counting from zero.

    4. Re:incorrect by rosewood · · Score: 3, Funny

      when I made my /upload dir world readable/writeable - I had all kinds of german warez and porn in it!

    5. Re:incorrect by fw3 · · Score: 1
      First, how is the storm center new?! the site's been up for more than a year.

      According to this survey of global and asian internet-connected systems the US/Can have 181M systems online vs 33M in china.

      do the math: Current stats from the ISS say the ratio of systems is about the same as the ratio of attack traffic.

      Attack traffic: CN=42291 / US 222907 = .1897

      Connected sys's: cn=33M / us=181M = .1823

      From following incidents.org and my own experience I'd say that .cn has a rep more because when you deal with an attack from asia in general the problems of contacting the admins to notify / etc are much more difficult.

      My own experiences have been mixed, Contacting site owners in asia has been more spotty than for US/EC sites, and in the event of something serious its a lot more expensive to pick up the 'phone and call china to discuss a problem.

      arin.net, ripe.net, apnic.net all work well for tracking down system owners, but the contact problems across continents remain.

      --
      Linux is Linux, if One need clarify their dist: <Dist>/GNU Linux
      bsds are of course just BSD
  6. Question by SETY · · Score: 2
    I didn't look too hard at the site, but it seems to me that they are going by a reverse DNS of the hacker's domain name. Many countries use .com, .net, etc. So I hope this isn't all counted as the US. If so... well no shit the US has higher numbers.


    It is possible that they are smarter than that, advertisers have it figured out.

    1. Re:Question by mabinogi · · Score: 1

      They're probably using the network address to figure it out, usually this will narrow it down to country, except in the rare occurrence where a multi-national company has an entire Class A to themselves

      --
      Advanced users are users too!
    2. Re:Question by UnderAttack · · Score: 1

      the geographic data comes from whois lookups. reverse dns doesn't work well as you point out (.net, .com, .org are used all over the world).

      --
      ---- join dshield.org Distributed Intrusion Detec
    3. Re:Question by Nykkel · · Score: 1

      If they're counting all the people who forge their attempts to come from microsoft.com, I imagine that accounts for a lot of the US total. :-)

  7. Moderated Lead-Message Posting: -1: Flamebait by ScottKin · · Score: 4, Interesting

    Since when is the amount of hacking attacks / attempts directly equivalent to the number of Windows boxen?

    As I can remember, this is *not* the first time that a lead topic posting could be considered as "Flamebait" - but obviously, the /. topic-nazis look the other way when it's virtually an ad hominem attack against Windows.

    --
    I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
    1. Re:Moderated Lead-Message Posting: -1: Flamebait by pmz · · Score: 1

      The huge growth of the Internet coincided with a huge increase in Windows computers on the Internet.

      Now, which OS is the favorite for automated distributed denial of service attacks on the Internet? Which OS is responsible for nearly all viruses and worms on the Internet?

      Truth is, Windows was never ready to be connected to a public network. The public proved this. So, there absolutely is a correlation between the number of Windows computers and the amount of cracking on the Internet.

      What about other operating systems? Well, UNIX, for example, has already had its public Internet shake-down. A good example would be the story in "Cuckoo's Egg" by Clifford Stoll. As a result, UNIX is the subject of a relatively small amount of current cracking activities.

    2. Re:Moderated Lead-Message Posting: -1: Flamebait by bourne · · Score: 2

      Since when is the amount of hacking attacks / attempts directly equivalent to the number of Windows boxen?

      Well, we could argue about that, but we don't have to because you are misreading the lead topic.

      The Microsoft comment in the lead topic is relevant to Microsoft's claims that pirated versions of Windows are a security risk because you can't trust the pirates not to backdoor it. Since China has an extremely active software pirating industry, if Microsoft's claim were true then China would be a higher source of hack attempts.

      They weren't saying Windows leads to hacking attempts. They were saying that the data fails to support Microsoft's assertion that piracy is a security problem, not just a Microsoft sales problem.

    3. Re:Moderated Lead-Message Posting: -1: Flamebait by Jungle+guy · · Score: 1
      Excerpt from the Internet Storm Center (isc.incidents.org):

      ... no current alert ...
      Widespread port 80 scans are still dominating all other activity. These scans appear to be caused by remaining Nimda/Code Red activity.(...)

      In this particular case, most probes come from windows-only worms. The lead topics in Slashdot HAVE bias in Windows-related matters, but this time they are right.

  8. Survey: We Only See the Tip of the Iceberg by ltsmash · · Score: 3, Informative

    The Computer Security Institute announced in its Computer Crime and Security Survey that 90% of respondents had security breaches in the last year. ONLY 34% reported ANY of the breaches to law enforcement for fear of bad publicity.

    Bottom line: We barely see the tip of the iceberg when it comes to computer security breaches.
  9. well of course the us is in front... by Anonymous Coward · · Score: 0

    the us is the largest user of the internet. duh.

  10. I wonder if.. by Nonillion · · Score: 0

    this number has anything to do with all the automated Nimda attacks coming from all those infected windows boxes.

    --
    "I bow to no man" - Riddick
  11. Prolly sampling artifact by RevCheswollen · · Score: 0, Offtopic

    Site doesn't work in my zilla 0.9 installation, time to go to 1.01 on this machine.

    But, I'm guessing there are a lot more machines reporting from the US of A, and I wonder how many of them are getting feeds with chinese hosts blocked out.

    I'm having a Hank Senior moment.

  12. How about the "front page" flag not set? by os2fan · · Score: 2
    Third possibility is that it went to a back list and the later upped. It never was at the top of the front page. It came in at #3.

    Maybe the editors did not set the "front page" flag.

    --
    OS/2 - because choice is a terrible thing to waste.
  13. Nimda by Anonymous Coward · · Score: 0

    I would say that the majority of the hack attacks are due to the Nimda and similar worms (mostly found on windows boxen). And i would assume that there are more windows machines in the US than there are in china thus resulting in more hack attacks from the US.
    Also another place kinda like internetweaterreport.com is www.internettrafficreport.com

  14. Slashdot poster by Anonymous Coward · · Score: 0

    So much for the great security boost the US gets from using genuine Microsoft software.

    So much for the great information transfer anti-MS zealots get from reading text and making logical deductions...

  15. There is no surprise by Taco+Cowboy · · Score: 2, Flamebait



    In a way, there is no surprise in the report.

    While the urban legend of "China is the #1 devil" has been circulating in the Net, we all know where most of the hackers - especially those who wear black hats - live.

    This is not to say that there are no "Chinese devils", of course, there are. But in terms of skill, numbers and resources, the Chinese can't even come close to those from the States.

    But individually, if you really want to know who has the most experience - Those from Russia (or the block formerly known as USSR) are the most experienced.

    I've personal experience with Russian hackers. I'm a sysadmin, and I pride myself on making my Linux machines secured, but no matter how "secure" I made my machine, those Ruskies always find ways to hack into them.

    Oh, I've traced hacking attempts too, there're a lot from China, the States, Israel, Europe, Africa, Asia and Russia, it's almost always the Ruskies who got through the layers and layers of "security features" I've set.

    Even "honeypot" can't stop the Ruskies.

    The one thing I've learnt from these experiences is that I ain't gonna do funny things to the Ruskies. I only have my respect for them, even when they are blackhatters.

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:There is no surprise by anonymous+cupboard · · Score: 2, Informative

      I know some Russian sysadmins, they swear by airgaps. The only route between the internal and external networks was a V.24 line with a custom protocol and dedicated apps (i.e., no general networking layer). Some are thinking carefully about DMZs and firewalls, but they will not rely on commercial stuff because they don't trust it. That is, they will use a mixture of OpenBSD and other operating systems (i.e., no single point of compromise) to provide the protection.

  16. Microsoft blah blah blah by JimPooley · · Score: 2

    Strangely, most of the attacks on our systems come from insecure and compromised Linux boxes.

    --

    "Information wants to be paid"
    1. Re:Microsoft blah blah blah by Nonillion · · Score: 0

      For the past several months all the hack attempts I receive come from Nimda compromised windows boxes. I have yet to have one coming from a linux box let alone a unix box. I have no reason to doubt your claim but I'm just stating the facts..

      --
      "I bow to no man" - Riddick
    2. Re:Microsoft blah blah blah by erc · · Score: 1

      I guess you don't monitor Code Red and Nimda attacks, then. According to ISC, they're #1, and they can only come from Windows boxes.

      --
      -- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
  17. misleading details by Anonymous Coward · · Score: 3, Interesting
    This is a cool project, but it's good to keep in mind what the numbers actually mean. Not everything that gets reported to them is an actual attack, in fact I'd guess that at least a third if not more of the reported incidents aren't.

    For example, digging through the site I found 2 IPs that I'm responsible for on the list of sources for these. One is our primary DNS server, the other our mail server. The report about the DNS server is probably due to a stateful firewall that blocked some of the return packets from a lookup. The report about the mail server is probably due to its trying to do an auth lookup for incoming mail. Neither one is an attack, but either one could have been an attack for all that the receiving end can tell.

    And in case anyone is curious, yes I did just spend 30 minutes double checking those machines after reading this. Me, paranoid?

    1. Re:misleading details by bamm · · Score: 1
      From the dshield homepage:
      DShield currently employs as little filtering of incoming reports as possible. Most reports are sent anonymously. We do not know if these logs are truthful, or if the firewall configuration was correct. DShield.org will attempt to protect the identity of the submitter. If you have a question regarding a specific target or source IP, please send an e-mail to info@dshield.org.


      Let us assume all the submitters of the data used to create these statistics have the best of intentions and are inserting "real" data. I doubt many of these submitters actually take the time and do enough analysis to ensure "false positives" aren't being imported into the database. For instance, I would bet data collected from snort is one of the most common types of logs submitted. I have used snort enough to know that its portscan preprocessor produces a lot of "false positives". In the end you have a bunch of statistics derived from "dirty" data that are barely worth the bandwidth required to view them.

      Bammkkkk
      --
      www.sguil.net
      The Analyst Console for NSM
  18. Weather Prediction by SporkLand · · Score: 1

    Will we be able to predict storms soon?

  19. EU does not exist by MS · · Score: 2
    EU does not exist, neither as a TLD, nor as a country. Notice: Germany (DE) and Great Britain (GB is part of UK, which is the real TLD) are part of the EU, but show up separately. So China *is* number 6!

    I wonder, how this list was calculated. Anyone?

    1. Re:EU does not exist by UnderAttack · · Score: 1

      comes from 'whois', not TLD's. Some networks that own locations in multiple countries are registered as 'EU'.

      --
      ---- join dshield.org Distributed Intrusion Detec
  20. Script to block top 10 attacker ips... by Adrian+Voinea · · Score: 2

    Here's a script I've just whipped up to block the top10 attacker ips from http://feeds.dshield.org/block.txt
    It uses wget and cut and it's made for kernel 2.4(w/iptables):

    wget http://feeds.dshield.org/top10-2.txt && cut -f1 top10-2.txt >ips && while read -r i; do iptables -A INPUT -s "$i" -j DROP; iptables -A FORWARD -s "$i" -j DROP; done <ips

    Hope it's useful to anyone...

    1. Re:Script to block top 10 attacker ips... by Barbarian · · Score: 3, Funny

      Just wait until some hacker hacks dshield.org and puts 127.0.0.1 in the list

    2. Re:Script to block top 10 attacker ips... by erc · · Score: 1

      You forgot to "rm ips" when you're done - in fact, it should probably be "/tmp/$$" or something similar, instead of "ips".

      --
      -- Ed Carp, N7EKG erc@pobox.com PGP KeyID: 0x0BD32C9B What I'm up to: http://intuitives.mine.nu
    3. Re:Script to block top 10 attacker ips... by UnderAttack · · Score: 1

      There is an 'official' script and a pgp signed
      'block list':

      http://www.dshield.org/block_list_info.html

      --
      ---- join dshield.org Distributed Intrusion Detec
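
The two objections in this thread, a planted `127.0.0.1` in the feed and a temp file left behind, point at the real problem with the one-liner: it trusts every line of a remote file and appends rules to INPUT/FORWARD on every run. The script below is an added example, neither the poster's script nor DShield's official one. It assumes the feed format is one entry per line with the address in the first whitespace-separated field and `#` comment lines (that matches the `cut -f1` in the original, but is an assumption), and it works as a dry run that prints the iptables commands rather than executing them. `SAMPLE_FEED` is constructed for the example; the hypothetical chain name `DSHIELD` is a parameter. Verify the PGP signature on the signed block list mentioned above before feeding it in; signature checking is outside this example.

```shell
#!/bin/sh
# Added example (not DShield's official script nor the poster's): validate a
# block-list feed before turning it into firewall rules. Assumed feed format:
# one entry per line, first whitespace-separated field is the IPv4 address,
# lines starting with # are comments. SAMPLE_FEED is constructed for the example.

SAMPLE_FEED='# top attackers (constructed sample)
203.0.113.9	1234
127.0.0.1	99
10.20.30.40	5
198.51.100.250	77
not-an-ip	3
256.1.1.1	2
192.0.2.77	1'

# is_valid_public_ipv4 ADDR: succeeds only for a syntactically valid dotted
# quad outside the ranges a block list must never contain (0/8, loopback,
# RFC 1918, link-local, multicast). A tampered feed listing 127.0.0.1 or
# your own 10/8 would otherwise cut you off from your own hosts.
is_valid_public_ipv4() {
    ip=$1
    case $ip in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    # shellcheck disable=SC2046  # intentional word splitting into octets
    set -- $(printf '%s' "$ip" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] 2>/dev/null || return 1
    done
    case $ip in
        0.*|127.*|10.*|169.254.*|192.168.*|22[4-9].*|23[0-9].*) return 1 ;;
        172.*) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1 ;;
    esac
    return 0
}

# filter_blocklist: reads a feed on stdin, prints only addresses that pass.
filter_blocklist() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        ip=$(printf '%s\n' "$line" | awk '{ print $1 }')
        if is_valid_public_ipv4 "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
    return 0
}

# emit_rules [CHAIN]: reads validated addresses on stdin and prints iptables
# commands that rebuild a dedicated chain, so re-running the script replaces
# the previous list instead of appending duplicates to INPUT/FORWARD forever.
# (iptables -C needs iptables 1.4.11 or later.)
emit_rules() {
    chain=${1:-DSHIELD}
    printf 'iptables -N %s 2>/dev/null\n' "$chain"
    printf 'iptables -F %s\n' "$chain"
    while IFS= read -r ip; do
        printf 'iptables -A %s -s %s -j DROP\n' "$chain" "$ip"
    done
    for base in INPUT FORWARD; do
        printf 'iptables -C %s -j %s 2>/dev/null || iptables -I %s -j %s\n' \
            "$base" "$chain" "$base" "$chain"
    done
    return 0
}

# Dry run on the constructed sample: prints the rules instead of applying them.
# To apply a real feed after reviewing the output:
#   wget -qO- http://feeds.dshield.org/top10-2.txt | filter_blocklist | emit_rules | sh
printf '%s\n' "$SAMPLE_FEED" | filter_blocklist | emit_rules
```

Nothing is written to disk and nothing is applied until the output is piped to `sh`, which also answers the "rm ips" objection. Of the seven sample entries only three survive validation; the loopback, RFC 1918, malformed and out-of-range entries are dropped before they can become rules.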
  21. by geography? by kevin+lyda · · Score: 2

    that's nice and all, but it would also be nice to see them by os or by isp.

    kevin

    --
    US Citizen living abroad? Register to vote!
  22. Not news. by Anonymous Coward · · Score: 0

    The ISC has been around since March 2001 at least.

  23. Crack attack by Anonymous Coward · · Score: 0

    We talking about crackers not hackers.

  24. re: sig by Anonymous Coward · · Score: 0

    If man is not to eat each other then why is man made out of meat?

    No flame intention, just an observation

  25. False positives by Tony-A · · Score: 2

    There are no silver bullets. If you squeeze out the noise, you squeeze out the signal.
    Even if all the submitters have the best of intentions, many have neither the skills nor the willingness to eliminate false positives.
    The data is dirty but far from useless. If there is a problem, there is a high chance of it showing up somehow. The thing is to not get panicked if something shows up.
    If it shows a problem, it may be something like a virus that looks like it came from you, when it really came from someone who had your address. If you see a lot of them, then probably better investigate. The main value is that if there is a problem, this dirty data has a high chance of having some useful information.

  26. Wanton Windows Bashing: Is it Necessary? by sean23007 · · Score: 2

    So much for the great security boost the US gets from using genuine Microsoft software.

    How can the same website ( /. ) repeatedly berate Microsoft for having a marketshare that is so much lower than that of Unix (on the all-important server market), yet at the same time blame any problem with internet security on the suddenly vast prevalence of Windows? Both cannot possibly be true. Pick a line and stick with it, guys.

    --

    Lack of eloquence does not denote lack of intelligence, though they often coincide.