Web Site Attacks Are On The Rise

Nicholas Roussos writes "According to recent numbers from 2004, website attacks are on the rise, and many of them are being performed by mischevious school kids. Some of their favorite targets include U.S. government and military websites."

I don't think that this is new though.

[lecithin]

According to recent numbers from 2004,
According to recent numbers from 2003,
According to recent numbers from 2002,
According to recent numbers from 2001,
According to recent numbers from 2000, ...
Website attacks are on the rise.

I bet we see this in 2005 as well.

What would really be news if we saw website attacks decline.

Re:I don't think that this is new though.

[ackthpt]

Website attacks are on the rise.
I bet we see this in 2005 as well.
What would really be news if we saw website attacks decline.

There will be a decline ... cut-backs and all, we had to lay off a lot of script kiddies and the rest is being outsourced to East Velcro.

Careful!

[BWJones]

I have certainly seen the number of attacks rising on our academic computing resources as well as my blog. Tracking IPs leads to lots of cable modems from Comcast and such which could be zombies, but given the lack of sophistication from those IPs, I have to wonder. Most of the attacks from these cable modem IPs are scripts directed at Windows vulnerabilities and buffer overflow attacks, but a few coming from Taiwan and Korea as well as some in the Balkans are fairly sophisticated that sometimes appear to come via compromised computers from other universities for example. Depending upon how sophisticated they are, I have reported some of them to Federal authorities who have the resources to subpoena logs and go after folks intruding into Federal resources. Interestingly others have also recently reported intrusions followed by blackmail which are likely not the domain of script kiddies. Certainly, comedy aside, one wonders if many of these kids have any idea of what they could actually be dealing with. Back in 1982 (we were 12), all that happened to us after hacking into government computers was my friend Lance getting his Apple ][+ confiscated followed by a job offer 9 years later from the same folks who confiscated his computer back in 1982. Now however, hacking into even an educational system could net you serious Federal penalties depending upon the system one hacks into. One admin friend of mine at a certain government lab is absolutely militant about this stuff. It has become her all consuming hobby to track these folks down and allocate whatever government resources she can muster to prosecute intruders into her systems. Woe be unto those that intrude into one of Melissa's systems.

Re:Careful!

[nizo]

What is her site domain? Maybe I could point some of the zombies and such who keep poking around my domains with a redirect to her website so SHE can go track them down.....

Re:Careful!

[Mignon]

It has become her all consuming hobby to track these folks down and allocate whatever government resources she can muster to prosecute intruders into her systems. Woe be unto those that intrude into one of Melissa's systems.

She sounds like a chick I'd like to meet! Bet I'd impress her by writing a virus and naming it after her.

Re:Careful!

[BWJones]

I've got dibbs on her computational forensics skills first. Besides, she would likely not be happy to suddenly get a bunch of Slashers pinging her systems. Come to think of it, posting her IP domains might result in folks with sunglasses darkening my door. No way dude. :-)

Re:Careful!

[Feztaa]

I absolutely disagree. ISPs should be given "common carrier" status and should not at all be held responsible for anything that goes over their pipes. If you hold them responsible for hackers on their network, then they've got to start policing p2p, and then they give out the names of infringing customers, and then it's all over.

Now, of course, a competent sysadmin would recognize a zombie PC on his network and would take steps to correct that, but under no circumstances should ISPs be held legally liable for that kind of stuff.

Re:Careful!

[warpSpeed]

I swear I've posted this like 5 times this week, but ISPs should be held liable for malicious traffic comming from their networks if they don't do anything about it. It's getting ri-freakin-diculous people!

Speaking as the owner of a very small ISP, this is very nearly imposible. How do you define "don't do anything about it"? Which ISP are you going hold liable? The one that sells bandwidth to the offending PC (IP address)? Or the upstream ISPs. What if the middle ISP is multi-homed? Perhaps some guy just left his WiFi open, and a neighbors infected laptop has latched on to it (I've seen this happen). Would the Open WiFi guy be the ISP in this scenario?

It is not just getting "ri-freakin-diculous", it has been pretty bad for quite a while now. With better and cheaper bandwidth becoming more and more readly avaiable the problem will continue to get worse. However the ISPs here are common carriers, they cannot (and I do not want then to) track ever IP packet that travels over their network.

Perhaps you could whip on the OS makers where the majority of these problems originate from?

Worst of all...

[nacturation]

... they're attacking slashdot too and posting dupes!

Oblig.

[erktrek]

.. and I would have gotten away with it too if it wasn't for you meddling kids!!!!

No surprises there, then

[davidmcw]

We have an, unpublicised tech support website for our company use only. On looking at the weblogs, it looks like 80-90% of all traffic is attempted hacks. We even went as far as contacting the ISP of one particularly keen individual, they, of course, weren't in the slightest bit interested.

Re:No surprises there, then

[Tassach]

On looking at the weblogs, it looks like 80-90% of all traffic is attempted hacks

If your traffic pattern is like mine, 99% of these "hack" attempts are really IIS worms trying to propegate. It's sad to say that after nearly 4 years NIMDA, Code Red/Blue, and their spawn are still a daily annoyance. As long as you don't have an unpatched IIS instance open to the world, these attacks are no threat.

The worms were polluting my weblogs so badly that I had to set up conditional logging in Apache to send them to a seperate log:

SetEnvIf Request_URI "^/c/winnt" ATTACK
SetEnvIf Request_URI "^/c/winnt" NO_LOGACCESS
# etc
CustomLog logs/attack_log common env=ATTACK
CustomLog logs/access_log common env=!NO_LOGACCESS

<Location />
Order Allow,Deny
Allow from all
Deny from env=ATTACK
ErrorDocument 403 "Worm Attack - Access Denied"
</Location>

choice quote by Reuters

"For the average person it sounds complicated but if you know what you are doing it's really quite easy," he said.

Couldn't that statement be applied to any subject?

Which PR firm generated this story?

[justanyone]

Some would say that most news outside of the main NYT and others is generated by PR firms providiing "information" to reporters in the hopes of getting an article published. I would argue that the interesting thing about this "article" is not that the non-news it contains:

* website attacks are most commonly peformed by schoolboys
* attacks are on the rise
* attacks are commonly politically motivated

This "news" isn't new. Thus, who asked for the article or provided the info in it? Symantec, pushing antivirus software? Cisco, trying to induce worry about security in general and sell their more 'secure' routers? IBM, EDS, Siemens, or someone else, selling E-Commerce security software?

Being a critical reader is not just asking, "is this story true". Nowadays, it's asking, "Why was this story published?"

-- Kevin

"Web Site Attacks Are On The Rise"

"Web Site Attacks Are On The Rise"

Tsssss... What is the world coming to when people get attacked by web sites. I still remember when we could co to sleep and leave the computer unlocked.

Top 5 attackers

[Virtual+Karma]

Here is a list of top 5 attackers of Indian websites:

AIC - 166 defacements - 21.28%
GForce Pakistan - 116 defacements - 14.87%
Silver Lords - 101 defacements - 12.95%
WFD - 59 defacements - 7.56%
ISOTK - 17 defacements - 2.18%

There's not more attacks...

[c0ldfusi0n]

There's just more targets.

Worth Noting -- it's not just Windows servers!

[SlashChick]

As the owner of a web hosting company for several years now (and one that stays away from Windows as much as possible), we've noticed a dramatic spike in attempted attacks on our servers in the past 12 months. If you put an unprotected /tmp directory (i.e. one that allows executable files) in a server that's connected directly to the Internet, you're asking for trouble. We've seen these boxes sending out spam or DOS'ing other servers (mostly targeting IRC servers) in a matter of hours from when we put them online. The hackers find some exploit like an old version of phpBB, insecure PHP code, etc. It's really not that hard; if you have several sites on a server, chances are that one of them has something vulnerable in a web-accessible directory. It's gotten so bad that we've devoted part of our standard CentOS install to locking down the /tmp directory so no files can be executed (and explaining this change to our customers.)

Worse yet, the hacks have now turned to running perl or php from the command line on things in /tmp to get around the noexec mount option. The hack works like this:

1) Find exploitable site. (Again, with the number of insecurities in commonly-used programs like phpBB, or god forbid, the *Nuke series, this isn't hard.)
2) Upload perl script to /tmp.
3) Run "perl [script name]" repeatedly to accomplish your goal.

We've again locked down our servers to prevent this, but unfortunately, we can't make this part of our default install because our customers like to run perl and php from /tmp! (Argh.) So we simply educate them and tell them how to lock the servers down themselves, and why putting any scripts in /tmp is a Bad Idea.

It's not just us, either... go to any forum where webmasters or hosting company owners congregate and you'll see this is one of the most common problems out there. Linux is no longer more secure as a web server... not when you factor in most of the PHP programs out there that people love, at least.

Re:Schoolboys?

[PaxTech]

Whether they like being called schoolboys or not, it's what they are. Just because they have a political opinion that equates to "OMG W4R 15 B4D n0 Bl00d 4 01L LOL WTF" doesn't make me think of them as mature.

Script Kiddies

[digitaldc]

How did they come to the conclusion that many of these attacks are by kids? Just that the hacks spike when school is out? The article really didn't go into much detail.
Nowadays, if you don't protect your website from being hacked, you might as well expect it to be hacked. Maybe they should try hacking Argus systems Pitbull LX and win(?) money.

Slashdot is constantly being attacked

By empty-headed schoolkids bent on mischief. These attacks are called "comments".

Websites run by inexperienced people...

[EnronHaliburton2004]

Over the last couple years, I've noticed a large number of web projects being run & maintained by people who don't understand computer security or system administration [1].

Concepts like 'rotate the log files or your disk will fill up & crash the site' or "Don't use FTP-- the passwords are sent over the Public Internet in cleartext" are beyond many of these website maintainers. Even many programmers who are great at project design, Object Oriented development, layout, etc. still miss these major issues.

It's no suprise that website attacks are on the rise-- the projects are being run by people who know enough to be dangerous, but don't know enough to run the project well.

[1] or good design, or simplified design, but that's another topic :)

Hah! Smart enough?

[TerminaMorte]

"A lot of 15- and 16-year-old guys are smart enough to have strong political opinions,"

Agreed, VERY strong political opinions!... just usually not their own.

"Well, my teacher says Kerry is great because he likes *insert rapper here*", or "OMFG, EATING ANIMALS IS MEAN".

Most of their political opinions don't mean a thing. Not to say all kids are like this, of course.

From the article:

[asoko]

"A lot of 15- and 16-year-old guys are smart enough to have strong political opinions," Roberto Preatoni, Zone-H founder, told Reuters on Monday.

Since when did intelligence become a prerequisite for having strong political opinions?

This is why...

[The+Pim]

web sites should be caged or leashed at all times, and large, aggressive breeds of web site should require a license. Also, teach your children never to tease web sites.

Re:Schoolboys?

[ScentCone]

I think that comment is a little misleading...How many 15-16yr olds do you know with a policatal opinion like being called schoolboys?

I don't know... I'd say that's a perfectly appropriate label for someone with such a weak philosophy that only through defacing someone else's words or information do they think they're communicating in a useful way. 15-16 year-olds are essentially twits, no matter what their fashionable political orientation. But it's clear that if cracking sites fits comfortably within the political system they do support, we don't really have to worry about hurting their poor, tender little feelings, do we? Boys, pre-pubescents, developmentally stunted... call them what you will, why should anyone care what they like (thus showing them any respect whatsoever) when their purpose, as deliberately shown through their actions, is to make a mockery of respect for anyone else? "Political opinion" indeed. I think "child's tantrum" is more like it, and that's not how you get someone to listen to your nascent ideology. Yup, schoolboys.