Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Stats from a Network Surveillance System 12

LogError writes "Sombria ("shadowy" in Portuguese) is a honeypot system set up in Tokyo, Japan, that is intended for network surveillance and research and not for production purposes. This paper provides some statistics and an overview of the most prominent attacks from May through July 2003."
This discussion has been archived. No new comments can be posted.

Stats from a Network Surveillance System

Comments Filter:
  • I thought it was kind of rude to waltz into somebody else's system and take it over. Oh, and also illegal with penalties that are frightening in many countries.

    Isn't anybody prosecuting, or at a minimum letting folks know when they've backtraced through all the compromised hosts they're hopping through that they're on to them?

    Also interesting to note the number of hackers in Poland (well, it says you can't tell the nationality, so Polish machines I guess.)

  • by ubiquitin ( 28396 ) * on Friday September 12, 2003 @10:03AM (#6942593) Homepage Journal
    After all this time, Code Red still beats out slapper and nimda. 131 intrusions total. Most breaking activity occurring on Saturday. Sure wish there was more economic incentive for Poland, Romania, and Brazil not to crack systems, but to help build out and defend networks instead. Sysadmins keep a close eye on your samba intalls and stay aware and/or current with apache/openssl.
    • by 4of12 ( 97621 ) on Friday September 12, 2003 @10:19AM (#6942736) Homepage Journal

      Sure wish there was more economic incentive for Poland, Romania, and Brazil not to crack systems, but to help build out and defend networks instead.

      The problem is that putting up a compromisable host on the Internet is relatively easy and the costs of the compromised system are not born entirely by the owner of the system, but are shared by everyone else on the network that might become victim of a DDoS, congestion, spam, etc.

      I really only see a couple of ways of dealing with this.

      One, have a central authority scan for vulnerabilities and have the authority to fine and /or shutdown net access for systems that endanger network health.

      Two, institute distributed white hat scans that either shutdown the host, install patches forcible after some time.

      It makes sense to require anyone using a common resource like the Internet to agree to responsible behavior and accept punishment for irresponsible behavior, such as running vulnerable systems. Just like food service workers that get tested for communicable diseases or drivers that require licenses, the commons of the Internet should also be protected.

      • by WTFmonkey ( 652603 ) on Friday September 12, 2003 @11:10AM (#6943312)
        Yowza. Doesn't that last paragraph sorta defeat the purpose of the internet? I kind of see it like a computing Darwinism (not that this is ideal, but this is how it looks to me). That is, if you want to put your content on the internet, you should either a) know how to secure it, b) pay someone (i.e., a reputable hosting company) who knows how, or c) be prepared to get shafted.

        There's also the age old question of logistics. How do you require anything of anybody living in a foriegn country whose government couldn't care less about some faceless citizen sending out viruses faster than a two-dollar hooker, or who leaves his smtp server open? We'll need a "world government" before we can approach that one. And that might be a long time coming. The kind of control you're talking about seems to be way too centralized to me (yes, I know that's your point).

        Of course there's always vigilante action. Who's with me in forming a coalition of superheros who travel the globe, righting wrongs and avenging bad computing practices? ARRR!

        • Darwinism isn't quite appropriate here, as you are not the only one to get shafted when a system is compromised. Now if the other people affected could punish you in some way, it would be, which gets back to the original post.

          As for logistics, considering that the majority of internet sites are located in a handful of countries and the backbones are (mostly) a handful of companies/institutions, it would not be difficult to put pressure on countries which failed to comply.

          The Internet is just another pub
  • And the conclusion. (Score:5, Interesting)

    by SmallFurryCreature ( 593017 ) on Friday September 12, 2003 @10:07AM (#6942635) Journal
    Just because you use linux/unix/mac you are not safe. As shown two of the worms were aimed at the apache this "webserver" used. Also plenty of tools seem to be available just for linux.

    But there is hope. A always keep your system upgraded. The vulnarabilities exploited are all well known. No "new" attacks were found by this honey pot. So if this system had been patched it would have had 0 intrusions. (Or I am readigng it wrong)

    Also don't install stuff you don't need. Openssl support for apache may be very usefull as is samba. But for most sites this is not needed. Had these two optionals not been installed then again there would have been 0 intrusions.

    Stay uptodate and limit the machine to the software needed and nothing more. Oh well off to post this to my boss who keeps insisting on FTP access because it is so much easier then SCP.

    • by stevey ( 64018 )
      Oh well off to post this to my boss who keeps insisting on FTP access because it is so much easier then SCP.

      For Windows there is the excellent WinSCP [sourceforge.net] which is a GUI wrapper around SCP.

      For Unix you can use the zssh program, or an FTP like wrapper for SCP whos name I've forgotten..

  • In just a few months they had 4 or so damaging (or weaponizing - using their system to DOS others) attacks, and countless accesses to use it as a stepping stone.

    One of the many reasons I let others do my web and email hosting...

    -Adam
  • by fizbin ( 2046 ) <martin@snoFORTRA ... g minus language> on Friday September 12, 2003 @12:26PM (#6944160) Homepage
    Look at the graph that shows attacks per day of week. (page 7 on the PDF) Notice the distinct drop on Thursdays. It's almost enough to make me think "data collection error", but the numbers from Wednesday and Friday seem to correlate.

    From this and from biased speculation based on no facts at all, I'm going to conclude that the contributions to numbers of attacks are being made mostly by US-based script kiddies who can't stay up doing stuff on a school night. (Consider the time zone difference between the US and Japan - actually, now that I look at it, the 7-8AM time spike is right for the trouble source to be European. Hrm...)
  • by chochos ( 700687 ) on Friday September 12, 2003 @03:04PM (#6946494) Homepage Journal
    I find it interesting that in spite of the RPC exploits known in windows, there weren't that many attempts to enter Sombria through RPC... Samba was the most common, while port 135 doesn't even figure in the port outbound connection attempts. Or perhaps they left it out because all outbound connection attempts to port 135 were considered to be done by worms?
    Could this mean an attacker could disguise itself as a worm with this technique?

    But then again, it seems that almost every attack was performed by a script kiddie.

"The whole problem with the world is that fools and fanatics are always so certain of themselves, but wiser people so full of doubts." -- Bertrand Russell

Working...