Slashdot Mirror


Internet Storm Center Tracks Hack Attacks

An Anonymous Coward writes: "It looks like Incidents.org has a new offspring, the Internet Storm Center. The Internet Storm Center uses data from DShield.org to track hack attacks all over the world. Some of the interesting trivia: While usually, China has a bad reputation for the volume of attacks coming from it, the US outpaces China by a lot. Actually, China only comes in at #6. So much for the great security boost the US gets from using genuine Microsoft software."

18 of 55 comments

  1. incorrect by i+like+your+eyes · · Score: 2, Informative

    Actually, China only comes in at #6.
    US 222907
    DE 68478
    TH 65644
    EU 65612
    GB 53130
    KR 42523
    CN 42291

    As far as I can tell, it's coming in at number 7.

    --

    There's no emoticon for what I'm feeling!
    1. Re:incorrect by rosewood · · Score: 3, Funny

      when I made my /upload dir world readable/writeable - I had all kinds of german warez and porn in it!

  2. Re:It's missing something. by mr_exit · · Score: 2, Funny

    slashdot has a built in list of sites currently being slashdotted..... it's called the /. front page

    --

    -------
    Drink Coffee - Do Stupid Things Faster And With More Energy!
  3. Question by SETY · · Score: 2
    I didn't look too hard at the site, but it seems to me that they are going by a reverse DNS of the hacker's domain name. Many countries use .com and .net, etc. So I hope this isn't all counted as the US. If so... well no shit the US has higher numbers.


    It is possible that they are smarter than that, advertisers have it figured out.

  4. Moderated Lead-Message Posting: -1: Flamebait by ScottKin · · Score: 4, Interesting

    Since when is the amount of hacking attacks / attempts directly equivalent to the number of Windows boxen?

    As I can remember, this is *not* the first time that a lead topic posting could be considered as "Flamebait" - but obviously, the /. topic-nazi's look the other way when it's virtually an ad hominem attack against Windows.

    --
    I don't give a rat's behind about "karma" here or anywhere else. Don't like what I have to say here? Deal with it!
    1. Re:Moderated Lead-Message Posting: -1: Flamebait by bourne · · Score: 2

      Since when is the amount of hacking attacks / attempts directly equivalent to the number of Windows boxen?

      Well, we could argue about that, but we don't have to because you are misreading the lead topic.

      The Microsoft comment in the lead topic is relevant to Microsoft's claims that pirated versions of Windows are a security risk because you can't trust the pirates not to backdoor it. Since China has an extremely active software pirating industry, if Microsoft's claim was true then China would be a higher source of hack attempts.

      They weren't saying Windows leads to hacking attempts. They were saying that data fails to support Microsoft's assertion that piracy is a security problem, not just a Microsoft sales problem.

  5. Survey: We Only See the Tip of the Iceberg by ltsmash · · Score: 3, Informative

    The Computer Security Institute announced in its Computer Crime and Security Survey that 90% of respondents had security breaches in the last year. ONLY 34% reported ANY of the breaches to law enforcement for fear of bad publicity.

    Bottom line: We barely see the tip of the iceberg when it comes to computer security breaches.
  6. How about the "front page" flag not set? by os2fan · · Score: 2
    Third possibility is that it went to a back list and then later upped. It never was at the top of the front page. It came in at #3.

    Maybe the editors did not set the "front page" flag.

    --
    OS/2 - because choice is a terrible thing to waste.
  7. There is no surprise by Taco+Cowboy · · Score: 2, Flamebait



    In a way, there is no surprise in the report.

    While the urban legend of "China is the #1 devil" has been circulating in the Net, we all know where most of the hackers - especially those who wear black hats - live.

    This is not to say that there are no "Chinese devils", of course, there are. But in terms of skill, numbers and resources, the Chinese can't even come close to those from the States.

    But individually, if you really want to know who has the most experience - Those from Russia (or the block formerly known as USSR) are the most experienced.

    I've personal experience with Russian hackers. I'm a sysadmin, and I pride myself on making my Linux machines secured, but no matter how "secure" I made my machine, those Ruskies always find ways to hack into them.

    Oh, I've traced hacking attempts too, there're a lot from China, the States, Israel, Europe, Africa, Asia and Russia, it's almost always the Ruskies who got through the layers and layers of "security features" I've set.

    Even "honeypot" can't stop the Ruskies.

    The one thing I've learnt from these experiences is that I ain't gonna do funny things to the Ruskies. I only have my respect for them, even when they are blackhatters.

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:There is no surprise by anonymous+cupboard · · Score: 2, Informative

      I know some Russian sysadmins, they swear by airgaps. The only route between the internal and external networks was a V.24 line with a custom protocol and dedicated apps (i.e., no general networking layer). Some are considering carefully about DMZs and firewalls, but they will not rely on commercial stuff because they don't trust it. That is, they will use a mixture of OpenBSD and other operating systems (i.e., no single point of compromise) to provide the protection.

  8. Microsoft blah blah blah by JimPooley · · Score: 2

    Strangely, most of the attacks on our systems come from insecure and compromised Linux boxes.

    --

    "Information wants to be paid"
  9. misleading details by Anonymous Coward · · Score: 3, Interesting
    This is a cool project, but it's good to keep in mind what the numbers actually mean. Not everything that gets reported to them is an actual attack, in fact I'd guess that at least a third if not more of the reported incidents aren't.

    For example, digging through the site I found 2 IPs that I'm responsible for on the list of sources for these. One is our primary DNS server, the other our mail server. The report about the DNS server is probably due to a stateful firewall that blocked some of the return packets from a lookup. The report about the mail server is probably due to its trying to do an auth lookup for incoming mail. Neither one is an attack, but either one could have been an attack for all that the receiving end can tell.

    And in case anyone is curious, yes I did just spend 30 minutes double checking those machines after reading this. Me, paranoid?

  10. EU does not exist by MS · · Score: 2
    EU does not exist, neither as a TLD, nor as a country. Notice: Germany (DE) and Great Britain (GB is part of UK, which is the real TLD) are part of the EU, but show up separately. So China *is* number 6!

    I wonder, how this list was calculated. Anyone?

  11. Script to block top 10 attacker ips... by Adrian+Voinea · · Score: 2

    Here's a script I've just whipped up to block the top10 attacker ips from http://feeds.dshield.org/block.txt
    It uses wget and cut and it's made for kernel 2.4(w/iptables):

    wget http://feeds.dshield.org/top10-2.txt && cat top10-2.txt| cut -f1 >ips && for i in `cat ips`;do iptables -A INPUT -s $i -j DROP;iptables -A FORWARD -s $i -j DROP;done

    Hope it's useful to anyone...

    1. Re:Script to block top 10 attacker ips... by Barbarian · · Score: 3, Funny

      Just wait until some hacker hacks dshield.org and puts 127.0.0.1 in the list
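
The failure mode raised in the reply above (a tampered feed that lists 127.0.0.1) can be handled by validating every entry before it becomes a rule. This is an added example, not part of the original thread: the feed format (IPv4 address in the first tab-separated field), the `ALLOW` list, the `DSHIELD` chain name and the sample data are all assumptions.

```shell
# Added example. Assumed feed format: first tab-separated field is an IPv4
# address. ALLOW (hypothetical) lists hosts that must never be blocked.
ALLOW="192.0.2.10 192.0.2.53"
MAX_ENTRIES=10   # sanity cap: a "top 10" feed should never yield more rules

is_safe_ip() {
    ip=$1
    # Digits and dots only: rejects comments, options and shell metacharacters.
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in 0?*) return 1 ;; esac          # no leading zeros (octal ambiguity)
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    # Refuse loopback, unspecified, private, link-local, multicast and reserved space.
    case $1 in 0|10|127) return 1 ;; esac
    [ "$1" -ge 224 ] && return 1
    [ "$1" -eq 169 ] && [ "$2" -eq 254 ] && return 1
    [ "$1" -eq 192 ] && [ "$2" -eq 168 ] && return 1
    [ "$1" -eq 172 ] && [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 1
    for a in $ALLOW; do [ "$a" = "$ip" ] && return 1; done
    return 0
}

# stdin: raw feed text; stdout: validated, de-duplicated addresses, capped.
filter_feed() {
    tr -d '\r' | cut -f1 | {
        n=0; seen=" "
        while [ "$n" -lt "$MAX_ENTRIES" ] && IFS= read -r cand; do
            is_safe_ip "$cand" || continue
            case $seen in *" $cand "*) continue ;; esac
            seen="$seen$cand "; n=$((n + 1))
            printf '%s\n' "$cand"
        done
    }
}

# Print (do not run) rules for a dedicated chain, flushed on each refresh.
emit_rules() {
    echo "iptables -N DSHIELD 2>/dev/null || iptables -F DSHIELD"
    while IFS= read -r addr; do echo "iptables -A DSHIELD -s $addr -j DROP"; done
}
# Constructed sample feed (not real DShield data), documentation ranges only.
sample_feed() {
    printf '# ip\tcount\n198.51.100.7\t4211\n203.0.113.9\t3100\n127.0.0.1\t9999\n'
    printf '192.0.2.10\t50\n10.0.0.5\t7\n203.0.113.9\t12\n1.2.3.4;reboot\t1\n'
}
sample_feed | filter_feed | emit_rules
```

The printed rules only take effect once INPUT and FORWARD each jump to the `DSHIELD` chain, which is set up once by hand; keeping the rules in their own chain means a refresh replaces them instead of appending duplicates.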

  12. by geography? by kevin+lyda · · Score: 2

    that's nice and all, but it would also be nice to see them by os or by isp.

    kevin

    --
    US Citizen living abroad? Register to vote!
  13. False positives by Tony-A · · Score: 2

    There are no silver bullets. If you squeeze out the noise, you squeeze out the signal.
    Even if all the submitters have the best of intentions, many have neither the skills nor the willingness to eliminate false positives.
    The data is dirty but far from useless. If there is a problem, there is a high chance of it showing up somehow. The thing is to not get panicked if something shows up.
    If it shows a problem, it may be something like a virus that looks like it came from you, when it really came from someone who had your address. If you see a lot of them, then probably better investigate. The main value is that if there is a problem, this dirty data has a high chance of having some useful information.

  14. Wanton Windows Bashing: Is it Necessary? by sean23007 · · Score: 2

    So much for the great security boost the US gets from using genuine Microsoft software.

    How can the same website ( /. ) repeatedly berate Microsoft for having a marketshare that is so much lower than that of Unix (on the all-important server market), yet at the same time blame any problem with internet security on the suddenly vast prevalence of Windows? Both cannot possibly be true. Pick a line and stick with it, guys.

    --

    Lack of eloquence does not denote lack of intelligence, though they often coincide.