Stats from a Network Surveillance System
LogError writes "Sombria ("shadowy" in Portuguese) is a honeypot system set up in Tokyo, Japan, that is intended for network surveillance and research and not for production purposes. This paper provides some statistics and an overview of the most prominent attacks from May through July 2003."
After all this time, Code Red still beats out Slapper and Nimda. 131 intrusions total. Most break-in activity occurred on Saturday. Sure wish there was more economic incentive for Poland, Romania, and Brazil not to crack systems, but to help build out and defend networks instead. Sysadmins, keep a close eye on your Samba installs and stay aware and/or current with Apache/OpenSSL.
http://tinyurl.com/4ny52
But there is hope. Always keep your system upgraded. The vulnerabilities exploited are all well known. No "new" attacks were found by this honeypot. So if this system had been patched it would have had 0 intrusions. (Or I am reading it wrong.)
Also, don't install stuff you don't need. OpenSSL support for Apache may be very useful, as is Samba. But for most sites this is not needed. Had these two optional packages not been installed, then again there would have been 0 intrusions.
Stay up to date and limit the machine to the software needed and nothing more. Oh well, off to post this to my boss, who keeps insisting on FTP access because it is so much easier than SCP.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Look at the graph that shows attacks per day of week (page 7 of the PDF). Notice the distinct drop on Thursdays. It's almost enough to make me think "data collection error", but the numbers from Wednesday and Friday seem to correlate.
From this and from biased speculation based on no facts at all, I'm going to conclude that the contributions to numbers of attacks are being made mostly by US-based script kiddies who can't stay up doing stuff on a school night. (Consider the time zone difference between the US and Japan - actually, now that I look at it, the 7-8AM time spike is right for the trouble source to be European. Hrm...)
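The time-zone argument in the post above is easy to check mechanically: the honeypot reports hours and weekdays in Tokyo local time, so both the hour-of-day spike and the weekday counts move when you re-bucket the same events in the attacker's likely zone. The following is an added example, not code from the Sombria report or from the poster; the log lines are constructed for illustration (the report's own per-hour data is not reproduced here), and the fixed UTC offsets are the summer-2003 values for JST, CEST, EDT and PDT.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (invented for this example, not figures from
# the Sombria report): "<date> <time> <service> <source ip>", Tokyo local time.
SAMPLE_LOG = """\
2003-06-04 07:05:10 samba 198.51.100.7
2003-06-04 07:48:33 samba 198.51.100.7
2003-06-05 07:21:02 openssl 203.0.113.9
2003-06-07 07:33:59 samba 203.0.113.44
2003-06-07 14:10:27 codered 192.0.2.88
2003-06-07 23:58:15 samba 203.0.113.44
""".splitlines()

# Fixed UTC offsets valid for May-July 2003 (JST has no DST; the others were
# on summer time). Fixed offsets avoid depending on the system tz database.
ZONES = {
    "JST": timezone(timedelta(hours=9)),
    "CEST": timezone(timedelta(hours=2)),
    "EDT": timezone(timedelta(hours=-4)),
    "PDT": timezone(timedelta(hours=-7)),
}
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def parse_log(lines):
    """Parse log lines into (timezone-aware datetime in JST, service, source)."""
    events = []
    for line in lines:
        date, clock, service, src = line.split()
        stamp = datetime.fromisoformat(f"{date} {clock}").replace(tzinfo=ZONES["JST"])
        events.append((stamp, service, src))
    return events


def hour_histogram(events, zone):
    """Count events per hour of day after converting each timestamp to `zone`."""
    return Counter(ts.astimezone(ZONES[zone]).hour for ts, _, _ in events)


def weekday_histogram(events, zone):
    """Count events per weekday name after converting each timestamp to `zone`."""
    return Counter(DAYS[ts.astimezone(ZONES[zone]).weekday()] for ts, _, _ in events)


def peak_hour(events, zone):
    """Hour with the most events in `zone`; ties resolve to the earliest hour."""
    hist = hour_histogram(events, zone)
    return min(hist, key=lambda h: (-hist[h], h))


def zone_report(lines, zones=ZONES):
    """Peak hour and weekday distribution of the same events, per candidate zone."""
    events = parse_log(lines)
    return {
        zone: {
            "peak_hour": peak_hour(events, zone),
            "weekdays": dict(weekday_histogram(events, zone)),
        }
        for zone in zones
    }


if __name__ == "__main__":
    for zone, summary in zone_report(SAMPLE_LOG).items():
        print(f"{zone:4} peak hour {summary['peak_hour']:02d}:00  by weekday {summary['weekdays']}")
```

With the constructed data the 07:00 JST spike lands at 00:00 CEST but at 18:00 EDT, and a Thursday-morning event in Tokyo is still Wednesday evening on the US East Coast, which is why a weekday dip in the Tokyo-local graph cannot be read as a dip on the same weekday for the attacker without this shift.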
I find it interesting that in spite of the RPC exploits known in Windows, there weren't that many attempts to enter Sombria through RPC... Samba was the most common, while port 135 doesn't even figure in the outbound connection attempts by port. Or perhaps they left it out because all outbound connection attempts to port 135 were considered to be done by worms?
Could this mean an attacker could disguise itself as a worm with this technique?
But then again, it seems that almost every attack was performed by a script kiddie.
Go hug some trees.