LinuxQuestions.org - Linux - Security
What types of attacks do you get? Please post. (https://www.linuxquestions.org/questions/linux-security-4/what-types-of-attacks-do-you-get-please-post-163319/)

iainr 03-28-2004 06:37 AM

What types of attacks do you get? Please post.
 
I'm interested to know what types, and frequency, of attacks are received in different sorts of setups. Many security companies may over-hype the risk of attacks to get business; on the other hand few companies will admit to having been hacked; so what is the real picture?

Can you post for any organisation you know of (without naming it) :
For internet-facing servers :
- number of worm/virus infections
- number of script-kiddie cracks
- number of more serious cracks

For internal servers :
- number of worm/virus infections
- number of script-kiddie cracks
- number of more serious cracks

I guess attacks fall into three categories : viruses/worms (no human interaction), script kiddie type attacks and serious crackers. My hunch is that for Unix/Linux servers inside a firewall, only the last is a big threat, and there are probably fewer attacks by serious crackers than are sometimes made out. I think script kiddies are generally looking for easy wins and that means servers directly connected to the Internet.

For servers directly connected to the Internet (or directly visible from the Internet) all types are probably relevant.

This is important for organisations with limited expertise and resources (which is pretty much all of them). Without knowing the threats, how can you focus resources effectively? I'm especially interested to find out what the real threats are to servers inside firewalls, not visible to the Internet.

2damncommon 03-28-2004 09:44 AM

Quote:

Many security companies may over-hype the risk of attacks to get business
I think not.
On my non-critical home server I get exploit attempts daily.
Most of the attempts are known M$ vulnerabilities that do not affect me other than fill up my logs.
Within a few days of the Qmail exploit news, my logs filled with strange Qmail attempts. Qmail is shut down now.
I watched my not yet upgraded kernel get hacked before my eyes. I saw the screen fill with nmap errors. Kernel is upgraded now.
There are lots of people that have nothing better to do than scan the internet trying to hack computers, apparently.
If you leave your computer on, connected to the internet, and vulnerable, you will be hacked. No ifs ands or buts.
IMO

iainr 03-28-2004 11:45 AM

Quote:

Originally posted by 2damncommon
I think not.
On my non-critical home server I get exploit attempts daily.

Thanks. I think servers connected directly to the Internet do have a problem (though my computers behind a dedicated DSL Router have been OK for the last year, as was my Windows PC with ZoneAlarm for a year before that - logged stuff but never had a problem).

For larger organisations, most of their servers will tend to be behind firewalls and not directly connected to the Internet. I'm especially interested in the extent to which these servers (which might be 99% of a company's servers) get attacked, and the lessons that can be drawn from that.

In large organisations where I've worked, suspected attacks on the internal servers are pretty rare (despite being potentially high-profile targets).

320mb 03-28-2004 01:02 PM

Quote:

Originally posted by 2damncommon

If you leave your computer on, connected to the internet, and vulnerable, you will be hacked. No ifs ands or buts.
IMO

Not really, when I had DSL and was running seti@home, I had 2 win98se boxes crunching numbers 24/7 and never got hack'd once and I have never been infected with a windows virus/worm.
I've never used OUTLOOK EXPRESS. Plus I don't open email attachments except in notepad/wordpad...........
If you want to beat a hacker, you have to think like one!!

vi0lat0r 03-28-2004 01:41 PM

I have never got hacked either... running a regular ol' hub with Windows for 4 years (Linux now, no Windows) - not a single hack or anything of the sort. I didn't use Outlook either... maybe that's the cause...

vinay_s_s 03-28-2004 02:46 PM

No attacks on computers yet.
On a lighter side, I get attacked by viral infections too often. LOL

mrcheeks 03-28-2004 04:54 PM

TRINOO_MASTER
It took a few hours to get rid of it... I had a few servers running, internet connection on all the time, and I was never home.

I took my precautions afterwards and look at the logs more; I regularly test my firewall and exploits against my own machine.

J.W. 03-30-2004 03:01 AM

2damncommon has the right idea - if you leave an unprotected PC connected to the internet, sooner or later it will get "0wn3d". Just because you personally haven't been hacked doesn't mean that the risk doesn't exist, it just means you've been lucky and haven't been nailed yet. It's sort of like speeding on the freeways - sure, maybe you can hit 90 or 100 mph on a regular basis, but don't be surprised if one day Officer Friendly busts you with the radar gun. Hmmm - suddenly you might realize that you should have played your cards differently. Think about it -- J.W.

iainr 03-30-2004 08:03 AM

Quote:

Originally posted by J.W.
Just because you personally haven't been hacked doesn't mean that the risk doesn't exist, it just means you've been lucky and haven't been nailed yet.
True; but what I'm trying to find out is what level the risk is and how the risk differs depending on the placing of the server (e.g. Internet facing vs inside dedicated firewall). There's always a risk; but unless a company can quantify it, how does it know how much resource to put into mitigating the risk?

There seem to be a lot of people saying that hackers are everywhere, the general public behaving as if hackers were nowhere, and a big black hole in the middle where some facts should be.

What I would love to know is, for example, how much more vulnerable a server is to being hacked if it is directly attached to the Internet rather than inside a firewall. That sort of information would allow companies to make sensible judgements about how to focus their limited resources. I don't see that information out there; I was hoping to draw on the experience of people here to start gathering it :(

ryedunn 04-07-2004 03:41 PM

What you're asking is an extremely difficult question to answer, because it will be based on a number of things, such as what applications you have running, how often those applications are updated, what it will be used for, etc.

As anyone here knows, Linux is secure, but when a security hole is discovered and it's in the application you happen to be running, it's a race between you and the hacker to get to that hole first.

It's impossible to give exact numbers, but since Linux is free I don't see why not run a firewall? The majority of hacks are due to human error: you not doing your due diligence (running proftpd when sftp would do) while maintaining a proactive approach about weaknesses within the system. So in my opinion, companies should focus those resources on a talented staff, which obviously isn't cheap.

P.S.
Anyone who says they haven't seen an attack while running a DSL or cable modem 24/7 is either blind or foolish. I see 50-100 attempts per day.
How do you know there haven't been any attempts on your system? What type of monitoring are you running?

iainr 04-08-2004 03:52 PM

Quote:

Originally posted by ryedunn
What you're asking is an extremely difficult question to answer, because it will be based on a number of things, such as what applications you have running, how often those applications are updated, what it will be used for, etc.
That's exactly the problem, as I see it. There are various methods to figure out how to focus your security efforts, such as Schneier's attack trees. However, they all rely on knowing facts about how likely an attack is, and how much it will cost to fix. As Schneier and others acknowledge, this is not easy.

One way you could do this would be to survey a large number of people and get a rough average for the risks in different situations. OK, every situation is unique but it gives you a start which is more than we have right now.

Quote:


P.S.
Anyone who says they haven't seen an attack while running a DSL or cable modem 24/7 is either blind or foolish. I see 50-100 attempts per day.
How do you know there haven't been any attempts on your system? What type of monitoring are you running?

Point taken; but I think it depends on what counts as an attack. If a burglar goes down a road and looks through every window to see who is out, has the burglar tried to break into every house in the road? Maybe, but it's debatable. If you do count port scans as an attack then you would probably conclude that simply having a firewall was a hugely effective defence, reducing your exposure many-fold.

2damncommon 04-08-2004 08:28 PM

Quote:

Point taken; but I think it depends on what counts as an attack. If a burglar goes down a road and looks through every window to see who is out, has the burglar tried to break into every house in the road? Maybe, but it's debatable. If you do count port scans as an attack then you would probably conclude that simply having a firewall was a hugely effective defence, reducing your exposure many-fold.
From my Firewall snort log today:
8 MS-SQL Worm propagation attempts
46 spp_portscans (These used to be zero. Lots of them now.)
12 webdav search access
6 ICMP PING CyberKit 2.2 Windows (from one of last year's Windows viruses. Used to flood my logs with an attempt about every second.)
4 WEB-IIS cmd.exe access
2 WEB-IIS CodeRed v2 root.exe access
3 WEB-IIS unicode directory traversal attempt
1 WEB-FRONTPAGE /_vti_bin/ access
1 WEB-IIS _mem_bin access
2 ICMP PING NMAP

From webserver behind the firewall:
11 SEARCH /\x90\x02..... (buffer overrun attempt - the webdav one in Snort. Each line fills over 2 pages in a text editor. Some days I get 20-30 of these.)
1 GET /default.ida?XXX..... (buffer overrun attempt - some IIS hack in the Snort log)
Numerous GET /... (from multiple IPs, page not downloaded - some bizarre activity noted by many others in server logs)
Bits of other IIS attempts noted in the Snort log.

I am much relieved to learn all these folks are just looking in my Window and nothing more. :)
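As an added example (not code from the thread or from any poster), here is a small Python triage over a Snort daily summary in the "count, then signature name" form used in the post above. The sample lines are constructed to mirror that post rather than copied from a real log, and the split between reconnaissance and exploit attempts is a heuristic chosen for the example, not a Snort classification. It makes the "does a port scan count as an attack?" question from the preceding posts concrete by reporting both totals side by side.

```python
"""Triage a daily Snort alert summary into reconnaissance vs exploit attempts.

Added example: not code from the thread or from any poster. The input is the
"<count> <signature name>" summary form used in the post above; the sample
lines are constructed to mirror it, not copied from a real log.
"""
import re
from collections import Counter

# Constructed sample summary (one Snort signature per line, count first).
SAMPLE_SUMMARY = """\
8 MS-SQL Worm propagation attempt
46 spp_portscan: PORTSCAN DETECTED
12 WEB-MISC webdav search access
6 ICMP PING CyberKit 2.2 Windows
4 WEB-IIS cmd.exe access
2 WEB-IIS CodeRed v2 root.exe access
3 WEB-IIS unicode directory traversal attempt
1 WEB-FRONTPAGE /_vti_bin/ access
1 WEB-IIS _mem_bin access
2 ICMP PING NMAP
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

# Signature-name fragments that indicate reconnaissance only (the "looking in
# the window" case from the discussion). Everything else is counted as an
# exploit attempt against a specific service. This split is a heuristic chosen
# for the example, not a Snort classification.
RECON_MARKERS = ("portscan", "icmp ping")


def classify(signature: str) -> str:
    """Return 'recon' for scans and pings, 'exploit' for everything else."""
    sig = signature.lower()
    return "recon" if any(marker in sig for marker in RECON_MARKERS) else "exploit"


def parse_summary(text: str) -> list:
    """Return (count, signature) pairs; lines that don't fit the form are skipped."""
    pairs = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            pairs.append((int(match.group(1)), match.group(2)))
    return pairs


def triage(text: str) -> dict:
    """Aggregate the summary two ways: every alert counted as an 'attack',
    and only exploit attempts counted (scans and pings excluded)."""
    per_class = Counter()
    per_signature = Counter()
    for count, signature in parse_summary(text):
        per_class[classify(signature)] += count
        per_signature[signature] += count
    total = sum(per_class.values())
    return {
        "total_events": total,                      # scans counted as attacks
        "recon": per_class["recon"],
        "exploit_attempts": per_class["exploit"],   # scans excluded
        "exploit_share": per_class["exploit"] / total if total else 0.0,
        "per_signature": dict(per_signature),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_SUMMARY)
    for signature, count in sorted(report["per_signature"].items(),
                                   key=lambda item: -item[1]):
        print(f"{count:4d}  {classify(signature):8s}  {signature}")
    print(f"events={report['total_events']} recon={report['recon']} "
          f"exploit_attempts={report['exploit_attempts']}")
```

On the constructed sample the two readings differ by almost a factor of three (85 events if every scan and ping is an attack, 31 if only exploit attempts are). A natural next refinement for a Linux host is a third bucket for attempts against software it does not run, since most of the remaining 31 here name IIS or MS-SQL.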

ryedunn 04-09-2004 09:38 AM

Quote:

Originally posted by iainr
If a burglar goes down a road and looks through every window to see who is out, has the burglar tried to break into every house in the road? Maybe, but it's debatable. If you do count port scans as an attack then you would probably conclude that simply having a firewall was a hugely effective defence, reducing your exposure many-fold.
Looking in a window or going door to door testing to see if any of them are unlocked? That may not be against the law but you have the law watching you very closely.

iainr 04-09-2004 11:55 AM

My point is this : one of the common statements on this forum is that firewalls by themselves are not effective security because a skilled attacker can break through most low-end firewalls, and even high end firewalls are vulnerable, especially if misconfigured.

This statement is true if a significant proportion of attacks are from skilled attackers. If one in ten attacks is from a skilled attacker then just relying on a firewall is crazy. If only one in a million is, then just sticking with a firewall is probably the sensible approach for most people : the chance of a skilled attacker targeting you is tiny so you would need to have a lot to lose to make it worthwhile on a cost-benefit basis doing any more than having a decent firewall.

So, the fact that people get all these port scans and suchlike is in itself not very important. The question is whether they are potential skilled attacks or just kiddies scanning thousands of IP addresses and waiting for someone who has gone out and left their door unlocked. If the former, be very afraid. If the latter, get a good firewall and don't worry about it too much.

My hunch is that reality is nearer to the latter than the former situation so for most people most of the time, the appropriate cost-benefit approach is to get a good firewall and leave it at that.

The same is true for large companies (probably even more so) : the ratio of virus <-> script kiddie <-> skilled cracker is critical to determining how to focus security spending effectively, just as much as the overall level of attacks and probably even more so.

unSpawn 04-09-2004 01:00 PM

Quote:

My point is this : one of the common statements on this forum is that firewalls by themselves are not effective security because a skilled attacker can break through most low-end firewalls, and even high end firewalls are vulnerable, especially if misconfigured.
No, it's not because of ineffectiveness, it's because a firewall isn't and shouldn't be thought of as, a single line of defense. Create a single point of failure and bam, there's the prize.


Quote:

This statement is true if a significant proportion of attacks are from skilled attackers. If one in ten attacks is from a skilled attacker then just relying on a firewall is crazy. If only one in a million is, then just sticking with a firewall is probably the sensible approach for most people : the chance of a skilled attacker targeting you is tiny so you would need to have a lot to lose to make it worthwhile on a cost-benefit basis doing any more than having a decent firewall.
Wrong. FWIW, I recently witnessed an incident involving one big company and a hole the size of Tokyo in their fw. Executive summary: firewall, human error, gain access. Single lines of defense suck major.


Quote:

My hunch is that reality is nearer to the latter than the former situation so for most people most of the time, the appropriate cost-benefit approach is to get a good firewall and leave it at that.
Security isn't a firewall and configuring and deploying a network perimeter firewall is NOT the only thing to do. That would be equivalent to choosing quick wins over long term benefits.


Quote:

The same is true for large companies (probably even more so) : the ratio of virus <-> script kiddie <-> skilled cracker is critical to determining how to focus security spending effectively, just as much as the overall level of attacks and probably even more so.
The amount of money a company should spend should be related to the level of assurance, protection they need to maintain integrity, business operations. IOW, the value of the assets you're protecting should be a leading factor, not the amount of "threats". Threats will change over time. And I'm not even talking about insider threats.

iainr 04-09-2004 01:36 PM

Quote:

Originally posted by unSpawn
No, it's not because of ineffectiveness, it's because a firewall isn't and shouldn't be thought of as, a single line of defense. Create a single point of failure and bam, there's the prize.
Agreed, but that still misses the point that you can't defend against every eventuality - with limited resources you defend against the ones that are most likely to happen and cause you problems. Yes, a single point of defence is a bad thing; but in many situations it might be quite sufficient - the average home user probably being one of those.

Quote:

I recently witnessed an incident involving one big company and a hole the size of Tokyo in their fw. Executive summary: firewall, human error, gain access. Single lines of defense suck major.

Security isn't a firewall and configuring and deploying a network perimeter firewall is NOT the only thing to do. That would be equivalent to choosing quick wins over long term benefits.
It certainly isn't the only thing that can be done. For any reasonable-sized company, merely having a firewall to protect the business is madness. I've spent a big chunk of my time over the last few years helping some large companies implement just that defence in depth. For home users or small businesses with no expertise in security, nor the money to buy that expertise, a simple, preconfigured firewall may be the most appropriate level. There is a risk in not providing defence in depth; but there is also a cost to do so. For larger companies, the risk clearly outweighs the cost. For small companies and home users, it is not clear to me that this holds true.

Of course, even big companies have to decide where to spend a limited security budget and you can never do everything.

Quote:

The amount of money a company should spend should be related to the level of assurance, protection they need to maintain integrity, business operations. IOW, the value of the assets you're protecting should be a leading factor, not the amount of "threats". Threats will change over time. And I'm not even talking about insider threats.
Well, yes and no. The total spend might relate to the assets, but how you allocate the money must surely relate to the threats. For example, if the threats were mostly physical (gangs breaking in and stealing your hardware), it would be sensible to spend more money on physical security and less on network security. If the threats are mainly script kiddies, it makes more sense to spend more on measures which will keep them out.

Yes, threats will change over time, but of course security is hardly static either. Big companies have a security budget to spend each year. They have a selection of security products to consider, of which they can afford to implement only a small proportion.

My problem (and the initial point of the thread) is that it is very difficult to determine what the threats are; and as a consequence many companies are spending money on security which might be wasted and could be better spent elsewhere (e.g. maybe spending less money on securing the firewall and more on internal defence layers would be better; or maybe the reverse is true : without the data, how can you know?).

unSpawn 04-09-2004 05:44 PM

Quote:

Agreed, but that still misses the point that you can't defend against every eventuality - with limited resources you defend against the ones that are most likely to happen and cause you problems.
Yes, of course you can't defend against everything. The conclusion that means you only defend against things you know of though is a choice you would make based on criteria that don't sound solid. But of course that was your initial question... If I had to reason stuff I've gotta defend against I'd choose to have each networked device get the same basic hardening treatment to get security to a certain level. No questions asked and no discussion needed. Then, depending on the purpose of the box, I'd have to add/tweak/lessen security features to make things work. I'm perfectly aware this doesn't work at all times and certainly not if you don't have the knowledge and discipline or aren't forced to comply with policies. BTW, are you familiar with stuff like security policies?


Quote:

For home users or small businesses with no expertise in security, nor the money to buy that expertise, a simple, preconfigured firewall may be the most appropriate level.
The problem here is education and awareness. SOHO users usually don't understand the power a Linux box really has, sys admin basics let alone want to educate themselves wrt that and enhancing security. That's where the real problem starts.


Quote:

My problem (and the initial point of the thread) is that it is very difficult to determine what the threats are
Even tho I ain't no fan of stats cuz stuff usually will happen outside of what them stats try to predict, I think we should ask around/hunt the 'net for statistics. Maybe that'll help paint a picture. I know SF has a yearly Bugtraq stats page, and I'm sure the various honeypot projects have stats.

iainr 04-10-2004 02:40 AM

Quote:

Originally posted by unSpawn
Yes, of course you can't defend against everything. The conclusion that means you only defend against things you know of though is a choice you would make based on criteria that don't sound solid
I hadn't thought of that conclusion. My conclusion was that organisations will put more resources into defending against threats they perceive to be higher (e.g. the spend on anti-virus software increases greatly in times of high virus infection). Given this, it seems sensible for that perception of risk to reflect the reality of risk as closely as possible. Which gets the highest share of the budget : desktop, Unix, Windows servers, network, mainframe,...? The most precious assets are almost certainly on the Mainframe and Unix but I'll bet that in most organisations, Windows gets more security money.

Quote:

But of course that was your initial question... If I had to reason stuff I've gotta defend against I'd choose to have each networked device get the same basic hardening treatment to get security to a certain level. No questions asked and no discussion needed. Then, depending on the purpose of the box, I'd have to add/tweak/lessen security features to make things work. I'm perfectly aware this doesn't work at all times and certainly not if you don't have the knowledge and discipline or aren't forced to comply with policies. BTW, are you familiar with stuff like security policies?
Sounds like very good advice - thanks. I'm painfully familiar with security policies; the good, the bad and the ugly :)


Quote:

The problem here is education and awareness. SOHO users usually don't understand the power a Linux box really has, sys admin basics let alone want to educate themselves wrt that and enhancing security. That's where the real problem starts.
I think that's a very interesting debate that's starting out. My take on it is that, as Linux grows in popularity on both servers and desktop, it is going to be used increasingly by people who have little knowledge of or interest in security. Either basic security on Linux is simple enough that it works well enough out of the box and keeps on working, or Linux will get discredited with floods of new attacks.

Of course, the more awareness and security knowledge the better; I don't dispute your aim. I just think that in the real world it isn't going to happen to the extent necessary so we need to deal with what is going to happen before the bad guys do. Given the struggle I sometimes have getting a basic level of security awareness amongst Unix administrators, my hopes for the general population are not high :(

Quote:

Even tho I ain't no fan of stats cuz stuff usually will happen outside of what them stats try to predict, I think we should ask around/hunt the 'net for statistics. Maybe that'll help paint a picture. I know SF has a yearly Bugtraq stats page, and I'm sure the various honeypot projects have stats.
Thank you for the leads. I will check those out and post back to the forum with anything useful I come up with. Stats aren't perfect; but they are better than anecdotes where your conclusions get wildly skewed by who you happen to talk to and 10 people have 10 totally different views based on equally valid anecdotal evidence.

chort 04-10-2004 12:48 PM

You know, it's interesting to say you (320mb, vi0lat0r) had Windows boxes connected directly to the Internet and never hacked--how would you know? Win98 doesn't have much logging to speak of, very weak process monitoring (unless you install third party software), and it was prone to crashing even if not hacked so people thought that was normal. So tell me, how would you know if Win98 had been hacked?

Now I'm not saying it can't be done, because I know a few things about networking and security and I still have a Win98 box that has never been compromised, but that's because I knew what I was doing and took a lot of extra steps to protect it.

iainr 04-11-2004 03:54 AM

There is one big difference between larger companies and SOHO/home users. Larger companies need to allow some traffic inwards through their firewall. They have VPN setups, web servers, mail servers, DNS servers and so on. An attacker looking at a big company's firewall is almost guaranteed to find open ports.

For many small businesses and home users, there is no need to have any ports open at all on the firewall. Their website (if any) is hosted elsewhere. They might run a mail server with port 25 open, but more likely they use POP3 to pull mail in. They won't have VPN or DNS servers.

So, for all these low-end users, a firewall which blocks every single port, dropping all connections, means that they would have to be pretty unlucky for a port scan to turn into an attack. An attacker would have to decide that a host with no ports open and nothing suggesting it has any special interest was more worthy of attack than lower hanging fruit. Yes, an attacker could target them but for this sort of user a closed firewall probably makes the odds of any more than port scan attacks low enough to not make it worth worrying about (taking the low risk would be the rational approach, given limited time, money and expertise).

Of course, there are other threats; principally viruses/worms and fraud (phishing etc.) for which other defences are appropriate. For low-end users with a firewall, I think these are the more serious (and more difficult to defend against for the security-unaware user). For example, my mother's Win 98 PC was recently infected by a very nasty virus despite running an up-to-date virus scanner, a firewall and being careful about opening attachments. Our best guess is that it came through a bulletin board for which she has specialist software (i.e. not browser access); but who knows.

iainr 04-13-2004 12:52 PM

I have now done some research (though I could do more, there are not too many honeypots making their findings public). I looked at the honeynet project, a few other sites and had a very helpful email from Anton Chuvakin.

My tentative conclusions are

1. Large organisations need defence in depth; no excuses. First, any large organisation will have open ports on their firewall and second they will almost certainly attract attackers who are targeting the organisation and so will not be turned away merely by a secure firewall (e.g. they will look for alternative routes in, for bugs in the firewall etc.).

2. Anyone who has an open port onto the Internet will attract exploits common to that port, and lots of them. Anyone in this situation must ensure that they are up to date with security patches and have a secure setup. Many home/SOHO users in this situation have owned computers but don't know it.

3. Normal users who have no open ports on the Internet have least to fear. In Anton's honeynet, systems which were fully firewalled had no attacks at all beyond port scans. Of course, if such a user were to attract the attention of a serious attacker for some reason, they would still be vulnerable, but this is reasonably unlikely. Other threats such as viruses and web exploits are still effective.

I guess the lesson is that, if at all possible, having a firewall with no ports exposed is highly beneficial. Exposing any ports at all dramatically increases the risk of attack. In addition to this, running an up-to-date virus checker, or a non-Windows OS, is a Good Thing. It does seem to be that for the normal user, a good closed firewall + virus checker + basic security understanding is probably sufficient for all but the most risk-averse.

unSpawn 04-14-2004 01:39 AM

Dunno if this applies, but I like formal procedures anyway. Here's an oldie (pub 1999), still interesting, but kind of advanced, and it needs lotsa research: http://www.schneier.com/paper-attacktrees-ddj-ft.html
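The attack-tree paper linked above evaluates a tree by taking the minimum over OR nodes (any one child suffices) and the sum over AND nodes (all children are needed), with each leaf carrying an estimated attacker cost. The Python below is an added example of that evaluation written for this thread; it is not code from the paper or from any poster, and the tree, its leaf names and the cost figures are constructed placeholders standing in for an organisation's own estimates. It also carries the thread's firewall question through the model by marking "find an open port" as impossible (a closed firewall) and recomputing the cheapest attack.

```python
"""Evaluate a small attack tree the way Schneier's paper describes: the cheapest
attack is the minimum over OR nodes and the sum over AND nodes.

Added example written for this thread; it is not code from the paper or from
any poster. The tree, the leaf names and the cost figures are constructed
placeholders standing in for an organisation's own estimates.
"""
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "leaf"              # "leaf", "or" or "and"
    cost: Optional[float] = None    # estimated attacker cost, leaves only
    children: List["Node"] = field(default_factory=list)


# Constructed tree mirroring the three routes into an internal server that the
# thread discusses. The costs are placeholders, not measured figures.
TREE = Node("Gain access to an internal server", "or", children=[
    Node("Exploit an exposed service", "and", children=[
        Node("Find an open port", cost=10),
        Node("Find an unpatched vulnerability in the exposed service", cost=200),
    ]),
    Node("Exploit a firewall misconfiguration", cost=500),
    Node("Mount a targeted attack on a patched, closed host", cost=50_000),
])

# Scenario override: a fully closed firewall makes "find an open port"
# impossible, which the paper's model expresses as infinite cost.
CLOSED_FIREWALL = {"Find an open port": math.inf}


def enumerate_attacks(node: Node, overrides: Optional[dict] = None) -> List[Tuple[float, List[str]]]:
    """All (cost, leaf path) combinations that achieve `node`. `overrides`
    maps a leaf name to a replacement cost so scenarios can be compared
    without editing the tree."""
    overrides = overrides or {}
    if node.kind == "leaf":
        return [(overrides.get(node.name, node.cost), [node.name])]
    if node.kind == "or":
        # Any single child suffices: the union of the children's attacks.
        return [a for child in node.children for a in enumerate_attacks(child, overrides)]
    if node.kind == "and":
        # Every child is needed: costs add across one choice per child.
        combos: List[Tuple[float, List[str]]] = [(0.0, [])]
        for child in node.children:
            combos = [(cost + sub_cost, path + sub_path)
                      for cost, path in combos
                      for sub_cost, sub_path in enumerate_attacks(child, overrides)]
        return combos
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest(node: Node, overrides: Optional[dict] = None) -> Tuple[float, List[str]]:
    """The attack an economically rational attacker would try first."""
    return min(enumerate_attacks(node, overrides), key=lambda attack: attack[0])


def attacks_under(node: Node, budget: float, overrides: Optional[dict] = None) -> List[Tuple[float, List[str]]]:
    """Every attack whose estimated cost is within `budget`, cheapest first."""
    return sorted((a for a in enumerate_attacks(node, overrides) if a[0] <= budget),
                  key=lambda attack: attack[0])


def compare_firewall_scenarios() -> dict:
    """Cheapest attack cost with ports exposed vs. a fully closed firewall."""
    return {
        "ports_exposed": cheapest(TREE)[0],
        "ports_closed": cheapest(TREE, CLOSED_FIREWALL)[0],
    }


if __name__ == "__main__":
    for label, overrides in (("ports exposed", None), ("ports closed", CLOSED_FIREWALL)):
        cost, path = cheapest(TREE, overrides)
        print(f"{label}: cheapest attack costs {cost} via {' + '.join(path)}")
    print("attacks under 1000 with ports closed:",
          attacks_under(TREE, 1000, CLOSED_FIREWALL))
```

With the placeholder figures, closing every port moves the cheapest route from the exposed service (210) to the firewall misconfiguration (500) and removes one of the two attacks under a budget of 1000, which is the thread's "no exposed ports" conclusion in the paper's terms. The absolute numbers mean nothing until an organisation substitutes its own estimates; the method is the point.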

