What types of attacks do you get? Please post.
I'm interested to know what types, and frequency, of attacks are received in different sorts of setups. Many security companies may over-hype the risk of attacks to get business; on the other hand few companies will admit to having been hacked; so what is the real picture?
Can you post for any organisation you know of (without naming it):

For internet-facing servers:
- number of worm/virus infections
- number of script-kiddie cracks
- number of more serious cracks

For internal servers:
- number of worm/virus infections
- number of script-kiddie cracks
- number of more serious cracks

I guess attacks fall into three categories : viruses/worms (no human interaction), script kiddie type attacks and serious crackers. My hunch is that for Unix/Linux servers inside a firewall, only the last is a big threat, and there are probably fewer attacks by serious crackers than are sometimes made out. I think script kiddies are generally looking for easy wins and that means servers directly connected to the Internet. For servers directly connected to the Internet (or directly visible from the Internet) all types are probably relevant. This is important for organisations with limited expertise and resources (which is pretty much all of them). Without knowing the threats, how can you focus resources effectively? I'm especially interested to find out what the real threats are to servers inside firewalls, not visible to the Internet.
On my non-critical home server I get exploit attempts daily. Most of the attempts are known M$ vulnerabilities that do not affect me other than fill up my logs. Within a few days of the Qmail exploit news, my logs filled with strange Qmail attempts. Qmail is shut down now. I watched my not yet upgraded kernel get hacked before my eyes. I saw the screen fill with nmap errors. Kernel is upgraded now. There are lots of people that have nothing better to do than scan the internet trying to hack computers, apparently. If you leave your computer on, connected to the internet, and vulnerable, you will be hacked. No ifs, ands or buts. IMO
For larger organisations, most of their servers will tend to be behind firewalls and not directly connected to the Internet. I'm especially interested to what extent these servers (which might be 99% of a company's servers) get attacked; and the lessons that can be drawn from that. In large organisations where I've worked, suspected attacks on the internal servers are pretty rare (despite being potentially high-profile targets).
I've never used OUTLOOK EXPRESS. Plus I don't open email attachments except in notepad/wordpad... If you want to beat a hacker, you have to think like one!!
I have never got hacked either... running a regular ol' hub with Windows for 4 years (Linux now, no Windows) - not a single hack or anything of the sort. I didn't use Outlook either... maybe that's the cause...
No attacks on computers yet.
On a lighter side, I get attacked by viral infections too often. LOL
TRINOO_MASTER
A few hours to get rid of it... I had a few servers running, internet connection on all the time, and was never home. I took my precautions afterwards and look more at logs; I test my firewall and exploits on the regular against my own machine.
2damncommon has the right idea - if you leave an unprotected PC connected to the internet, sooner or later it will get "0wn3d". Just because you personally haven't been hacked doesn't mean that the risk doesn't exist, it just means you've been lucky and haven't been nailed yet. It's sort of like speeding on the freeways - sure, maybe you can hit 90 or 100 mph on a regular basis, but don't be surprised if one day Officer Friendly busts you with the radar gun. Hmmm - suddenly you might realize that you should have played your cards differently. Think about it -- J.W.
There seem to be a lot of people saying that hackers are everywhere; the general public behaving as if hackers were nowhere and a big black hole in the middle where some facts should be. What I would love to know is, for example, how much more vulnerable a server is to being hacked if it is directly attached to the Internet rather than inside a firewall. That sort of information would allow companies to make sensible judgements about how to focus their limited resources. I don't see that information out there; I was hoping to draw on the experience of people here to start gathering it :(
What you're asking is an extremely difficult question to answer due to the fact that it will be based on a number of things, such as what applications do you have running, how often are those applications updated, what will it be used for, etc.
As anyone here knows, Linux is secure, but when a security hole is discovered and it's in the application you happen to be running, it's a race between you and the hacker to get to that hole first. It's impossible to give exact numbers, but since Linux is free I don't see why not run a firewall? The majority of hacks are due to human error, you not doing your diligence (running proftpd when sftp would do) while maintaining a proactive approach about weaknesses within the system. So in my opinion, companies should focus those resources on a talented staff, which obviously isn't cheap. P.S. Anyone who says they haven't seen an attack while running a DSL or cable modem 24/7 is either blind or foolish. I see 50-100 attempts per day. How do you know there haven't been any attempts on your system? What type of monitoring are you running?
One way you could do this would be to survey a large number of people and get a rough average for the risks in different situations. OK, every situation is unique but it gives you a start which is more than we have right now.
- 8 MS-SQL Worm propagation attempts
- 46 spp_portscans (These used to be zero. Lots of them now.)
- 12 webdav search access
- 6 ICMP PING CyberKit 2.2 Windows (from one of last year's Windows viruses. Used to flood my logs with an attempt about every second.)
- 4 WEB-IIS cmd.exe access
- 2 WEB-IIS CodeRed v2 root.exe access
- 3 WEB-IIS unicode directory traversal attempt
- 1 WEB-FRONTPAGE /_vti_bin/ access
- 1 WEB-IIS _mem_bin access
- 2 ICMP PING NMAP

From webserver behind the firewall:
- 11 SEARCH /\x90\x02..... (buffer overrun attempt, the webdav one in Snort. Each line fills over 2 pages in a text editor. Some days I get 20-30 of these.)
- 1 GET /default.ida?XXX..... (buffer overrun attempt, some IIS hack in the Snort log)
- Numerous GET /... (from multiple IPs, page not downloaded; some bizarre activity noted by many others in server logs)
- Bits of other IIS attempts noted in the Snort log.

I am much relieved to learn all these folks are just looking in my Window and nothing more. :)
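As an added example (not from this thread), here is a Python script that does what the post above does by hand: it parses Snort fast-alert lines, tallies them by signature and by the thread's three buckets (worm, scan, exploit attempt), and flags any source that trips several different signatures, which is the "kiddie spray or focused attention" question the thread keeps returning to. The alert lines, rule SIDs and addresses are constructed placeholders.

```python
import re
from collections import Counter, defaultdict

# Snort fast-alert format, one alert per line (Classification and ports are optional;
# portscan and ICMP alerts carry none):
#   date-time  [**] [gid:sid:rev] message [**] [Classification: ..] [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>[^}]+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?")

def classify(msg):
    """Map an alert message onto the thread's buckets: worm, scan or exploit attempt."""
    m = msg.lower()
    if "worm" in m or "codered" in m or "propagation" in m:
        return "worm"
    if "portscan" in m or "ping" in m or "nmap" in m:
        return "scan"
    return "exploit-attempt"

def parse_alert(line):
    """Return the fields of one fast-alert line, or None if it is not an alert."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def tally(lines):
    """Aggregate by signature, category and source; flag sources hitting 3+ distinct signatures."""
    by_sig, by_cat, by_src = Counter(), Counter(), Counter()
    sigs_per_src, unparsed = defaultdict(set), 0
    for line in filter(str.strip, lines):
        a = parse_alert(line)
        if a is None:
            unparsed += 1          # not an alert line; count it rather than crash
            continue
        by_sig[a["msg"]] += 1
        by_cat[classify(a["msg"])] += 1
        by_src[a["src"]] += 1
        sigs_per_src[a["src"]].add((a["gid"], a["sid"]))
    focused = sorted(s for s, sigs in sigs_per_src.items() if len(sigs) >= 3)
    return {"by_sig": by_sig, "by_cat": by_cat, "by_src": by_src,
            "focused_sources": focused, "unparsed": unparsed}

# Constructed sample log: SIDs 1000xx and the addresses are placeholders, not real rule ids or hosts.
SAMPLE_LOG = """\
01/25-05:31:12.481234  [**] [1:100001:1] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434
01/25-05:31:13.002311  [**] [1:100001:1] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.9:1434 -> 192.0.2.10:1434
01/25-06:02:44.110044  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 198.51.100.4 -> 192.0.2.10
01/25-07:15:09.771200  [**] [1:100002:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.4:3321 -> 192.0.2.10:80
01/25-07:15:10.120000  [**] [1:100003:1] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.4:3322 -> 192.0.2.10:80
01/25-09:40:00.000000  [**] [1:100004:1] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.50 -> 192.0.2.10
this line is not a snort alert
"""

if __name__ == "__main__":
    r = tally(SAMPLE_LOG.splitlines())
    print(r["by_cat"].most_common(), "focused:", r["focused_sources"], "unparsed:", r["unparsed"])
```

Point it at a real alert file with `tally(open("/var/log/snort/alert"))`; a source listed under focused_sources is the one worth a closer look, the rest is the background noise the post describes.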
My point is this : one of the common statements on this forum is that firewalls by themselves are not effective security because a skilled attacker can break through most low-end firewalls, and even high end firewalls are vulnerable, especially if misconfigured.
This statement is true if a significant proportion of attacks are from skilled attackers. If one in ten attacks is from a skilled attacker then just relying on a firewall is crazy. If only one in a million is, then just sticking with a firewall is probably the sensible approach for most people : the chance of a skilled attacker targeting you is tiny so you would need to have a lot to lose to make it worthwhile on a cost-benefit basis doing any more than having a decent firewall. So, the fact that people get all these port scans and suchlike is in itself not very important. The question is whether they are potential skilled attacks or just kiddies scanning thousands of IP addresses and waiting for someone who has gone out and left their door unlocked. If the former, be very afraid. If the latter, get a good firewall and don't worry about it too much. My hunch is that reality is nearer to the latter than the former situation so for most people most of the time, the appropriate cost-benefit approach is to get a good firewall and leave it at that. The same is true for large companies (probably even more so) : the ratio of virus <-> script kiddie <-> skilled cracker is critical to determining how to focus security spending effectively, just as much as the overall level of attacks and probably even more so.
Quote:
My point is this : one of the common statements on this forum is that firewalls by themselves are not effective security because a skilled attacker can break through most low-end firewalls, and even high end firewalls are vulnerable, especially if misconfigured.

No, it's not because of ineffectiveness, it's because a firewall isn't, and shouldn't be thought of as, a single line of defense. Create a single point of failure and bam, there's the prize.

Quote:
This statement is true if a significant proportion of attacks are from skilled attackers. If one in ten attacks is from a skilled attacker then just relying on a firewall is crazy. If only one in a million is, then just sticking with a firewall is probably the sensible approach for most people : the chance of a skilled attacker targeting you is tiny so you would need to have a lot to lose to make it worthwhile on a cost-benefit basis doing any more than having a decent firewall.

Wrong. FWIW, I recently witnessed an incident involving one big company and a hole the size of Tokyo in their fw. Executive summary: firewall, human error, gain access. Single lines of defense suck major.

Quote:
My hunch is that reality is nearer to the latter than the former situation so for most people most of the time, the appropriate cost-benefit approach is to get a good firewall and leave it at that.

Security isn't a firewall, and configuring and deploying a network perimeter firewall is NOT the only thing to do. That would be equivalent to choosing quick wins over long term benefits.

Quote:
The same is true for large companies (probably even more so) : the ratio of virus <-> script kiddie <-> skilled cracker is critical to determining how to focus security spending effectively, just as much as the overall level of attacks and probably even more so.

The amount of money a company should spend should be related to the level of assurance and protection they need to maintain integrity and business operations. IOW, the value of the assets you're protecting should be a leading factor, not the amount of "threats". Threats will change over time. And I'm not even talking about insider threats.
Of course, even big companies have to decide where to spend a limited security budget and you can never do everything.
Yes, threats will change over time, but of course security is hardly static either. Big companies have a security budget to spend each year. They have a selection of security products to consider, of which they can afford to implement only a small proportion. My problem (and the initial point of the thread) is that it is very difficult to determine what the threats are; and as a consequence many companies are spending money on security which might be wasted and could be better spent elsewhere (e.g. maybe spending less money on securing the firewall and more on internal defence layers would be better; or maybe the reverse is true : without the data, how can you know?).
Quote:
Agreed, but that still misses the point that you can't defend against every eventuality - with limited resources you defend against the ones that are most likely to happen and cause you problems.

Yes, of course you can't defend against everything. The conclusion that means you only defend against things you know of though is a choice you would make based on criteria that don't sound solid. But of course that was your initial question... If I had to reason stuff I've gotta defend against I'd choose to have each networked device get the same basic hardening treatment to get security to a certain level. No questions asked and no discussion needed. Then, depending on the purpose of the box, I'd have to add/tweak/lessen security features to make things work. I'm perfectly aware this doesn't work at all times and certainly not if you don't have the knowledge and discipline or aren't forced to comply with policies. BTW, are you familiar with stuff like security policies?

Quote:
For home users or small businesses with no expertise in security, nor the money to buy that expertise, a simple, preconfigured firewall may be the most appropriate level.

The problem here is education and awareness. SOHO users usually don't understand the power a Linux box really has, sys admin basics, let alone want to educate themselves wrt that and enhancing security. That's where the real problem starts.

Quote:
My problem (and the initial point of the thread) is that it is very difficult to determine what the threats are

Even tho I ain't no fan of stats cuz stuff usually will happen outside of what them stats try to predict, I think we should ask around/hunt the 'net for statistics. Maybe that'll help paint a picture. I know SF has a yearly Bugtraq stats page, and I'm sure the various honeypot projects have stats.
Of course, the more awareness and security knowledge the better; I don't dispute your aim. I just think that in the real world it isn't going to happen to the extent necessary so we need to deal with what is going to happen before the bad guys do. Given the struggle I sometimes have getting a basic level of security awareness amongst Unix administrators, my hopes for the general population are not high :(
You know, it's interesting to say you (320mb, vi0lat0r) had Windows boxes connected directly to the Internet and never hacked--how would you know? Win98 doesn't have much logging to speak of, very weak process monitoring (unless you install third party software), and it was prone to crashing even if not hacked so people thought that was normal. So tell me, how would you know if Win98 had been hacked?
Now I'm not saying it can't be done, because I know a few things about networking and security and I still have a Win98 box that has never been compromised, but that's because I knew what I was doing and took a lot of extra steps to protect it.
There is one big difference between larger companies and SOHO/home users. Larger companies need to allow some traffic inwards through their firewall. They have VPN setups, web servers, mail servers, DNS servers and so on. An attacker looking at a big company's firewall is almost guaranteed to find open ports.
For many small businesses and home users, there is no need to have any ports open at all on the firewall. Their website (if any) is hosted elsewhere. They might run a mail server with port 25 open, but more likely they use POP3 to pull mail in. They won't have VPN or DNS servers. So, for all these low-end users, a firewall which blocks every single port, dropping all connections, means that they would have to be pretty unlucky for a port scan to turn into an attack. An attacker would have to decide that a host with no ports open and nothing suggesting it has any special interest was more worthy of attack than lower hanging fruit. Yes, an attacker could target them but for this sort of user a closed firewall probably makes the odds of any more than port scan attacks low enough to not make it worth worrying about (taking the low risk would be the rational approach, given limited time, money and expertise). Of course, there are other threats; principally viruses/worms and fraud (phishing etc.) for which other defences are appropriate. For low-end users with a firewall, I think these are the more serious (and more difficult to defend against for the security-unaware user). For example, my mother's Win 98 PC was recently infected by a very nasty virus despite running an up-to-date virus scanner, a firewall and being careful about opening attachments. Our best guess is that it came through a bulletin board for which she has specialist software (i.e. not browser access); but who knows.
I have now done some research (though I could do more, there are not too many honeypots making their findings public). I looked at the honeynet project, a few other sites and had a very helpful email from Anton Chuvakin.
My tentative conclusions are:

1. Large organisations need defence in depth; no excuses. First, any large organisation will have open ports on their firewall and second they will almost certainly attract attackers who are targeting the organisation and so will not be turned away merely by a secure firewall (e.g. they will look for alternative routes in, for bugs in the firewall etc.).
2. Anyone who has an open port onto the Internet will attract exploits common to that port, and lots of them. Anyone in this situation must ensure that they are up to date with security patches and have a secure setup. Many home/SOHO users in this situation have owned computers but don't know it.
3. Normal users who have no open ports on the Internet have least to fear. In Anton's honeynet, systems which were fully firewalled had no attacks at all beyond port scans. Of course, if such a user were to attract the attention of a serious attacker for some reason, they would still be vulnerable, but this is reasonably unlikely. Other threats such as viruses and web exploits are still effective.

I guess the lesson is that, if at all possible, having a firewall with no ports exposed is highly beneficial. Exposing any ports at all dramatically increases the risk of attack. In addition to this, running an up-to-date virus checker, or a non-Windows OS, is a Good Thing. It does seem to be that for the normal user, a good closed firewall + virus checker + basic security understanding is probably sufficient for all but the most risk-averse.
Dunno if this applies, but I like formal procedures anyway. Here's an oldy (pub 1999), still interesting, but kind of advanced, and it needs lotsa research: http://www.schneier.com/paper-attacktrees-ddj-ft.html