Internet Storm Center Tracks Hack Attacks

An Anonymous Coward writes: "It looks like Incidents.org has a new offspring, the Internet Storm Center. The Internet Storm Center uses data from DShield.org to track hack attacks all over the world. Some of the interesting trivia: while China usually has a bad reputation for the volume of attacks coming from it, the US outpaces China by a lot. Actually, China only comes in at #6. So much for the great security boost the US gets from using genuine Microsoft software."

  • This reminds me of the Internet Weather Report [internetweather.com], which I've only found to be useful when genius construction crews disrupt a backbone with a backhoe.

    I think the most useful aspect of this could be a combination of the hack attack report and the internet weather report to see whether a server is simply suffering from technical issues or is being DOS'ed.

  • No category to track the /. effect.
  • incorrect (Score:2, Informative)

    Actually, China only comes in at #6.
    US 222907
    DE 68478
    TH 65644
    EU 65612
    GB 53130
    KR 42523
    CN 42291

    As far as I can tell, it's coming in at number 7.
    • Don't you know that we programmers start counting at number 0? :)
      Either that or China just conquered South Korea and claimed their country code. ;)
      On a different note, I'm surprised that Thailand beat China.
      I wonder how accurate this is. They seem to be just doing a reverse lookup on IPs, many of which are probably faked.
    • Re:incorrect (Score:1, Informative)

      by Anonymous Coward
      KR 42523

      CN 42291
      Seeing as how the difference between Korea's and China's listings in your citation is less than 300 incidents, I'd wager that when the story was submitted, China was at #6.

      The only thing that surprises me is that Romania isn't in the top 5. I'm sitting on a cable modem and I've been running Snort for the hell of it for about 6 months. I get more hack/crack/exploit attempts from Romanian hosts (.ro) than from any other TLD, including all the probes from .com, .net, and .org combined. Romania appears to be a hotbed of crackers, and in some cases I've traced intrusion attempts directly to Romanian ISPs. Not their customers, but the ISPs themselves, e.g. the www host for certain .ro providers.

      Germany's placement doesn't surprise me at all, though. If I had a dollar for every t-online.de user who tried to crack my FTP, I'd be richer than Bill Gates. I'm not sure what it is about Germans and FTP probes, but that's all they try to access on my box, and they try it more than anyone else. If I could host beer.ftp.my.in-addr.arpa I surely would, but I can't. Sorry, Germany!
    • Not if you start counting from zero.
    • EU does not exist, neither as a TLD, nor as a country. Notice: Germany (DE) and Great Britain (GB is part of UK, which is the real TLD) are part of the EU, but show up separately. So China *is* number 6!

      I wonder, how this list was calculated. Anyone?

    • First, how is the Storm Center new?! The site's been up for more than a year.

      According to this survey of global [www.nua.ie] and Asian [www.nua.ie] internet-connected systems the US/Canada have 181M systems online vs 33M in China.

      Do the math: current stats from the ISC say the ratio of systems is about the same as the ratio of attack traffic.

      Attack traffic: CN=42291 / US 222907 = .1897

      Connected sys's: cn=33M / us=181M = .1823

      From following incidents.org [incidents.org] and my own experience I'd say that .cn has a rep more because when you deal with an attack from Asia in general the problems of contacting the admins to notify / etc. are much more difficult.

      My own experiences have been mixed. Contacting site owners in Asia has been more spotty than for US/EC sites, and in the event of something serious it's a lot more expensive to pick up the 'phone and call China to discuss a problem.

      arin.net, ripe.net, apnic.net all work well for tracking down system owners, but the contact problems across continents remain.

  • I didn't look too hard at the site, but it seems to me that they are going by a reverse DNS of the hackers domain name. Many countries use .com and .net ,etc. So I hope this isn't all counted as the US. If so... well no shit the US has higher numbers.


    It is possible that they are smarter than that, advertisers have it figured out.

    • They're probably using the network address to figure it out; usually this will narrow it down to country, except in the rare occurrence where a multi-national company has an entire Class A to themselves.
    • the geographic data comes from whois lookups. reverse dns doesn't work well as you point out (.net, .com, .org are used all over the world).
    • If they're counting all the people who forge their attempts to come from microsoft.com, I imagine that accounts for a lot of the US total. :-)
  • by ScottKin ( 34718 ) on Thursday May 09, 2002 @11:50PM (#3494734) Homepage Journal
    Since when is the amount of hacking attacks / attempts directly equivalent to the number of Windows boxen?

    As I can remember, this is *not* the first time that a lead topic posting could be considered as "Flamebait" - but obviously, the /. topic-nazis look the other way when it's virtually an ad hominem attack against Windows.
    • The huge growth of the Internet coincided with a huge increase in Windows computers on the Internet.

      Now, which OS is the favorite for automated distributed denial of service attacks on the Internet? Which OS is responsible for nearly all viruses and worms on the Internet?

      Truth is, Windows was never ready to be connected to a public network. The public proved this. So, there absolutely is a correlation between the number of Windows computers and the amount of cracking on the Internet.

      What about other operating systems? Well, UNIX, for example, has already had its public Internet shake-down. A good example would be the story in "Cuckoo's Egg" by Clifford Stoll. As a result, UNIX is the subject of a relatively small amount of current cracking activities.
    • Since when is the amount of hacking attacks / attempts directly equivalent to the number of Windows boxen?

      Well, we could argue about that, but we don't have to because you are misreading the lead topic.

      The Microsoft comment in the lead topic is relevant to Microsoft's claims that pirated versions of Windows are a security risk because you can't trust the pirates not to backdoor it. Since China has an extremely active software pirating industry, if Microsoft's claim was true then China would be a higher source of hack attempts.

      They weren't saying Windows leads to hacking attempts. They were saying that the data fails to support Microsoft's assertion that piracy is a security problem, not just a Microsoft sales problem.

    • Excerpt from the Internet Storm Center (isc.incidents.org):

      ... no current alert ...
      Widespread port 80 scans are still dominating all other activity. These scans appear to be caused by remaining Nimda/Code Red activity.(...)

      In this particular case, most probes come from windows-only worms. The lead topics in Slashdot HAVE bias in Windows-related matters, but this time they are right.

  • by ltsmash ( 569641 ) on Friday May 10, 2002 @12:09AM (#3494791)

    The Computer Security Institute [gocsi.com] announced in its Computer Crime and Security Survey [gocsi.com] that 90% of respondents had security breaches in the last year. ONLY 34% reported ANY of the breaches to law enforcement for fear of bad publicity.

    Bottom line: We barely see the tip of the iceberg when it comes to computer security breaches.
  • Strangely, most of the attacks on our systems come from insecure and compromised Linux boxes.
  • misleading details (Score:3, Interesting)

    by Anonymous Coward on Friday May 10, 2002 @02:23AM (#3495167)
    This is a cool project, but it's good to keep in mind what the numbers actually mean. Not everything that gets reported to them is an actual attack; in fact I'd guess that at least a third if not more of the reported incidents aren't.

    For example, digging through the site I found 2 IPs that I'm responsible for on the list of sources for these. One is our primary DNS server, the other our mail server. The report about the DNS server is probably due to a stateful firewall that blocked some of the return packets from a lookup. The report about the mail server is probably due to its trying to do an auth lookup for incoming mail. Neither one is an attack, but either one could have been an attack for all that the receiving end can tell.

    And in case anyone is curious, yes I did just spend 30 minutes double checking those machines after reading this. Me, paranoid?

    • From the dshield [dshield.org] homepage:
      DShield currently employs as little filtering of incoming reports as possible. Most reports are sent anonymously. We do not know if these logs are truthful, or if the firewall configuration was correct. DShield.org will attempt to protect the identity of the submitter. If you have a question regarding a specific target or source IP, please send an e-mail to info@dshield.org.


      Let us assume all the submitters of the data used to create these statistics have the best of intentions and are inserting "real" data. I doubt many of these submitters actually take the time and do enough analysis to ensure "false positives" aren't being imported into the database. For instance, I would bet data collected from snort [snort.org] is one of the most common types of logs submitted. I have used snort enough to know that its portscan preprocessor produces a lot of "false positives". In the end you have a bunch of statistics derived from "dirty" data that are barely worth the bandwidth required to view them.

      Bammkkkk
      • There are no silver bullets. If you squeeze out the noise, you squeeze out the signal.
        Even if all the submitters have the best of intentions, many have neither the skills nor the willingness to eliminate false positives.
        The data is dirty but far from useless. If there is a problem, there is a high chance of it showing up somehow. The thing is to not get panicked if something shows up.
        If it shows a problem, it may be something like a virus that looks like it came from you, when it really came from someone who had your address. If you see a lot of them, then probably better investigate. The main value is that if there is a problem, this dirty data has a high chance of having some useful information.
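The two false positives described in the "misleading details" post (a DNS reply dropped by a stateful firewall after its state entry expired, and an ident/auth lookup from a mail server) have recognisable shapes in a firewall log. The following is an added example, not code from the page, DShield or any poster: it parses standard Linux netfilter LOG lines and tags each as a probable probe or as probable return traffic before anything is submitted. The five log lines are constructed sample data using RFC 5737 documentation addresses, with 203.0.113.5 standing in for the reporter's own host.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: five netfilter/iptables LOG lines in the kernel's usual format.
# These are made-up entries for the example, not captured traffic.
SAMPLE_LOG = """\
May 10 02:23:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=171 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=33012 LEN=151
May 10 02:23:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=12345 DF PROTO=TCP SPT=43922 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
May 10 02:23:09 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=30011 DF PROTO=TCP SPT=3421 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May 10 02:23:12 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=30012 DF PROTO=TCP SPT=53 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
May 10 02:23:15 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=30020 DF PROTO=TCP SPT=25 DPT=41017 WINDOW=5840 RES=0x00 ACK FIN URGP=0
"""
SAMPLE_LINES: List[str] = SAMPLE_LOG.splitlines()

# Only the fields needed for the verdict; ICMP lines have no SPT/DPT, hence optional.
FIELD_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
    r"(?:\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)
TCP_FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST)\b")

# Server ports whose late replies a stateful firewall may drop once its
# connection entry has timed out (the DNS server case from the post).
SERVICE_PORTS = {25, 53, 80, 443}


@dataclass
class Verdict:
    src: str
    dst: str
    proto: str
    spt: Optional[int]
    dpt: Optional[int]
    label: str


def classify(line: str) -> Optional[Verdict]:
    """Tag one LOG line; returns None for lines that are not netfilter LOG output."""
    m = FIELD_RE.search(line)
    if m is None:
        return None
    proto = m.group("proto")
    spt = int(m.group("spt")) if m.group("spt") else None
    dpt = int(m.group("dpt")) if m.group("dpt") else None
    flags = set(TCP_FLAG_RE.findall(line)) if proto == "TCP" else set()
    ephemeral_target = dpt is not None and dpt >= 1024

    if proto == "TCP" and dpt == 113:
        # ident/auth lookup: a remote mail server checking who just connected to it
        label = "likely-ident-lookup"
    elif proto == "TCP" and "SYN" in flags and "ACK" not in flags:
        # a fresh connection attempt is a probe whatever source port it claims;
        # scanners deliberately send from 53 or 80 to slip past naive filters
        label = "probe"
    elif proto == "UDP" and spt == 53 and ephemeral_target:
        # DNS answer arriving after the firewall forgot the outbound query
        label = "likely-dns-reply"
    elif proto == "TCP" and spt in SERVICE_PORTS and "ACK" in flags and ephemeral_target:
        # late ACK/FIN from a server we talked to; no SYN, so not a new connection
        label = "likely-return-traffic"
    else:
        label = "probe"
    return Verdict(m.group("src"), m.group("dst"), proto, spt, dpt, label)


def summarize(log_text: str) -> Dict[str, int]:
    """Count verdicts over a whole log so the noise-to-signal ratio is visible."""
    counts: Dict[str, int] = {}
    for line in log_text.splitlines():
        v = classify(line)
        if v is not None:
            counts[v.label] = counts.get(v.label, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        v = classify(line)
        print(f"{v.label:22} {v.src}:{v.spt} -> {v.dst}:{v.dpt} {v.proto}")
    print(summarize(SAMPLE_LOG))
```

The order of the tests is the point: the SYN-without-ACK check runs before any source-port heuristic, so the fourth sample line (a SYN to port 22 sent from source port 53) is still counted as a probe. A filter that trusted "source port 53 means DNS reply" would have discarded exactly the packet an attacker crafted to look like one. These labels are a pre-submission triage aid, not a reason to drop the entry: the reply-chain above is right that squeezing out noise also squeezes out signal.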
  • Will we be able to predict storms soon?
  • Here's a script I've just whipped up to block the top 10 attacker IPs from http://feeds.dshield.org/block.txt
    It uses wget and cut and it's made for kernel 2.4 (w/ iptables):

    wget http://feeds.dshield.org/top10-2.txt && cut -f1 top10-2.txt > ips && while read -r ip; do iptables -A INPUT -s "$ip" -j DROP; iptables -A FORWARD -s "$ip" -j DROP; done < ips

    Hope it's useful to anyone...
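The one-liner above passes whatever is in the first column of a file fetched over plain HTTP straight into iptables, and appends fresh rules every time it runs. As an added example (not the poster's script and not DShield's own tooling), here is the same idea with the input validated first: every field must parse as an IPv4 address, RFC 1918/loopback/multicast ranges and our own address space are never blocked, duplicates are dropped, and the rules go into a dedicated chain that is flushed before it is rebuilt. The feed text, the first-column layout, the `DSHIELD` chain name and the `203.0.113.0/24` "own network" are all assumptions for the example, not facts about the real feed.

```python
import ipaddress
from typing import List

# Constructed sample in the shape the one-liner assumes: source IP in the first
# tab-separated column, anything after it ignored. This is NOT real DShield data.
SAMPLE_FEED = """\
# constructed sample, not a real feed
192.0.2.10\t1482\tsome-comment
198.51.100.77\t903
10.0.0.5\t512
203.0.113.1\t410
not-an-ip\t7
198.51.100.77\t903
2001:db8::1\t5
"""

# Assumption for the example: this is our own address space. A feed must never
# be able to make the firewall drop our own traffic.
OWN_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Ranges that must never end up in a DROP rule regardless of what the feed says.
# Listed explicitly rather than using ip.is_global so that the RFC 5737
# documentation addresses in the sample above are treated as "public".
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "255.255.255.255/32",
)]


def parse_feed(text: str) -> List[str]:
    """Return the feed's source IPv4 addresses: validated, filtered, deduplicated."""
    seen = set()
    result: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        field = line.split("\t", 1)[0].strip()
        try:
            ip = ipaddress.ip_address(field)
        except ValueError:
            continue            # garbage never reaches the iptables command line
        if ip.version != 4:
            continue            # iptables is IPv4-only; v6 entries would need ip6tables
        if any(ip in net for net in NEVER_BLOCK) or any(ip in net for net in OWN_NETS):
            continue            # blocking these would hurt us, not the attacker
        if ip in seen:
            continue
        seen.add(ip)
        result.append(str(ip))
    return result


def build_rules(ips: List[str], chain: str = "DSHIELD") -> List[str]:
    """Emit commands that rebuild a dedicated chain from scratch on every run."""
    cmds = [f"iptables -N {chain} 2>/dev/null", f"iptables -F {chain}"]
    cmds += [f"iptables -A {chain} -s {ip} -j DROP" for ip in ips]
    return cmds


if __name__ == "__main__":
    for cmd in build_rules(parse_feed(SAMPLE_FEED)):
        print(cmd)
```

The INPUT and FORWARD chains then need a single `iptables -I INPUT -j DSHIELD` and `iptables -I FORWARD -j DSHIELD`, added once by hand; after that each run only replaces the contents of DSHIELD instead of growing the main chains. The validation matters because the feed is fetched over unauthenticated HTTP and, as the DShield text quoted above says, is built from unfiltered anonymous reports: anyone who can tamper with the download or seed the list can otherwise choose which addresses your firewall drops.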
  • that's nice and all, but it would also be nice to see them by os or by isp.

    kevin
  • So much for the great security boost the US gets from using genuine Microsoft software.

    How can the same website ( /. ) repeatedly berate Microsoft for having a marketshare that is so much lower than that of Unix (on the all-important server market), yet at the same time blame any problem with internet security on the suddenly vast prevalence of Windows? Both cannot possibly be true. Pick a line and stick with it, guys.
