LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-28-2004, 06:37 AM   #1
iainr
What types of attacks do you get? Please post.


I'm interested to know what types, and frequency, of attacks are received in different sorts of setups. Many security companies may over-hype the risk of attacks to get business; on the other hand few companies will admit to having been hacked; so what is the real picture?

Can you post for any organisation you know of (without naming it) :
For internet-facing servers :
- number of worm/virus infections
- number of script-kiddie cracks
- number of more serious cracks

For internal servers :
- number of worm/virus infections
- number of script-kiddie cracks
- number of more serious cracks

I guess attacks fall into three categories : viruses/worms (no human interaction), script kiddie type attacks and serious crackers. My hunch is that for Unix/Linux servers inside a firewall, only the last is a big threat, and there are probably fewer attacks by serious crackers than are sometimes made out. I think script kiddies are generally looking for easy wins and that means servers directly connected to the Internet.

For servers directly connected to the Internet (or directly visible from the Internet) all types are probably relevant.

This is important for organisations with limited expertise and resources (which is pretty much all of them). Without knowing the threats, how can you focus resources effectively? I'm especially interested to find out what the real threats are to servers inside firewalls, not visible to the Internet.
 
Old 03-28-2004, 09:44 AM   #2
2damncommon
Quote:
Many security companies may over-hype the risk of attacks to get business
I think not.
On my non-critical home server I get exploit attempts daily.
Most of the attempts are known M$ vulnerabilities that do not affect me other than fill up my logs.
Within a few days of the Qmail exploit news, my logs filled with strange Qmail attempts. Qmail is shut down now.
I watched my not yet upgraded kernel get hacked before my eyes. I saw the screen fill with nmap errors. Kernel is upgraded now.
There are lots of people that have nothing better to do than scan the internet trying to hack computers, apparently.
If you leave your computer on, connected to the internet, and vulnerable, you will be hacked. No ifs ands or buts.
IMO
 
Old 03-28-2004, 11:45 AM   #3
iainr
Quote:
Originally posted by 2damncommon
I think not.
On my non-critical home server I get exploit attempts daily.
Thanks. I think servers connected directly to the Internet do have a problem (though my computers behind a dedicated DSL Router have been OK for the last year, as was my Windows PC with ZoneAlarm for a year before that - logged stuff but never had a problem).

For larger organisations, most of their servers will tend to be behind firewalls and not directly connected to the Internet. I'm especially interested in the extent to which these servers (which might be 99% of a company's servers) get attacked, and in the lessons that can be drawn from that.

In large organisations where I've worked, suspected attacks on the internal servers are pretty rare (despite being potentially high-profile targets).
 
Old 03-28-2004, 01:02 PM   #4
320mb
Quote:
Originally posted by 2damncommon

If you leave your computer on, connected to the internet, and vulnerable, you will be hacked. No ifs ands or buts.
IMO
Not really, when I had DSL and was running seti@home, I had 2 win98se boxes crunching numbers 24/7 and never got hack'd once and I have never been infected with a windows virus/worm.
I've never used OUTLOOK EXPRESS. Plus I don't open email attachments except in notepad/wordpad...
If you want to beat a hacker, you have to think like one!!
 
Old 03-28-2004, 01:41 PM   #5
vi0lat0r
I have never got hacked either... running a regular ol' hub with Windows for 4 years (Linux now, no Windows) - not a single hack or anything of the sort. I didn't use Outlook either... maybe that's the cause...
 
Old 03-28-2004, 02:46 PM   #6
vinay_s_s
No attacks on computers yet.
On a lighter side, i get attacked by viral infections too often. LOL
 
Old 03-28-2004, 04:54 PM   #7
mrcheeks
TRINOO_MASTER
Few hours to get rid of it... I had a few servers running, internet connection on all the time, and was never home.

I took my precautions afterwards and look at the logs more; I test my firewall and exploits regularly against my own machine.
 
Old 03-30-2004, 03:01 AM   #8
J.W.
2damncommon has the right idea - if you leave an unprotected PC connected to the internet, sooner or later it will get "0wn3d". Just because you personally haven't been hacked doesn't mean that the risk doesn't exist, it just means you've been lucky and haven't been nailed yet. It's sort of like speeding on the freeways - sure, maybe you can hit 90 or 100 mph on a regular basis, but don't be surprised if one day Officer Friendly busts you with the radar gun. Hmmm - suddenly you might realize that you should have played your cards differently. Think about it -- J.W.
 
Old 03-30-2004, 08:03 AM   #9
iainr
Quote:
Originally posted by J.W.
Just because you personally haven't been hacked doesn't mean that the risk doesn't exist, it just means you've been lucky and haven't been nailed yet.
True; but what I'm trying to find out is what level the risk is and how the risk differs depending on the placing of the server (e.g. Internet facing vs inside dedicated firewall). There's always a risk; but unless a company can quantify it, how does it know how much resource to put into mitigating the risk?

There seem to be a lot of people saying that hackers are everywhere; the general public behaving as if hackers were nowhere and a big black hole in the middle where some facts should be.

What I would love to know is, for example, how much more vulnerable a server is to being hacked if it is directly attached to the Internet rather than inside a firewall. That sort of information would allow companies to make sensible judgements about how to focus their limited resources. I don't see that information out there; I was hoping to draw on the experience of people here to start gathering it.
 
Old 04-07-2004, 03:41 PM   #10
ryedunn
What you're asking is an extremely difficult question to answer, due to the fact that it will be based on a number of things, such as what applications you have running, how often those applications are updated, what it will be used for, etc.

As anyone here knows, Linux is secure, but when a security hole is discovered and it's in the application you happen to be running, it's a race between you and the hacker to get to that hole first.

It's impossible to give exact numbers, but since Linux is free I don't see why not run a firewall. The majority of hacks are due to human error: you not doing your diligence (running proftpd when sftp would do) while maintaining a proactive approach about weaknesses within the system. So in my opinion, companies should focus those resources on a talented staff, which obviously isn't cheap.

P.S.
Anyone who says they haven't seen an attack while running a DSL or cable modem 24/7 is either blind or foolish. I see 50-100 attempts per day.
How do you know there haven't been any attempts on your system? What type of monitoring are you running?
 
Old 04-08-2004, 03:52 PM   #11
iainr
Quote:
Originally posted by ryedunn
What you're asking is an extremely difficult question to answer, due to the fact that it will be based on a number of things, such as what applications you have running, how often those applications are updated, what it will be used for, etc.
That's exactly the problem, as I see it. There are various methods to figure out how to focus your security efforts, such as Schneier's attack trees. However, they all rely on knowing facts about how likely an attack is, and how much it will cost to fix. As Schneier and others acknowledge, this is not easy.

One way you could do this would be to survey a large number of people and get a rough average for the risks in different situations. OK, every situation is unique but it gives you a start which is more than we have right now.

Quote:

P.S.
Anyone who says they haven't seen an attack while running a DSL or cable modem 24/7 is either blind or foolish. I see 50-100 attempts per day.
How do you know there haven't been any attempts on your system? What type of monitoring are you running?
Point taken; but I think it depends on what counts as an attack. If a burglar goes down a road and looks through every window to see who is out, has the burglar tried to break into every house in the road? Maybe, but it's debatable. If you do count port scans as an attack then you would probably conclude that simply having a firewall was a hugely effective defence, reducing your exposure many-fold.
 
Old 04-08-2004, 08:28 PM   #12
2damncommon
Quote:
Point taken; but I think it depends on what counts as an attack. If a burglar goes down a road and looks through every window to see who is out, has the burglar tried to break into every house in the road? Maybe, but it's debatable. If you do count port scans as an attack then you would probably conclude that simply having a firewall was a hugely effective defence, reducing your exposure many-fold.
From my Firewall snort log today:
8 MS-SQL Worm propagation attempts
46 spp_portscans (These used to be zero. Lots of them now.)
12 webdav search access
6 ICMP PING CyberKit 2.2 Windows (from one of last year's Windows viruses. Used to flood my logs with an attempt about every second.)
4 WEB-IIS cmd.exe access
2 WEB-IIS CodeRed v2 root.exe access
3 WEB-IIS unicode directory traversal attempt
1 WEB-FRONTPAGE /_vti_bin/ access
1 WEB-IIS _mem_bin access
2 ICMP PING NMAP

From webserver behind the firewall:
11 SEARCH /\x90\x02..... (buffer overrun attempt-the webdav in Snort. Each line fills over 2 pages in a text editor. Some days I get 20-30 of these.)
1 GET /default.ida?XXX.....(buffer overrun attempt-some IIS hack in the Snort log)
Numerous GET /...(from multiple IPs, page not downloaded-some bizarre activity noted by many others in server logs)
Bits of other IIS attempts noted in the Snort log.

I am much relieved to learn all these folks are just looking in my Window and nothing more.
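A worked example of turning log entries like the ones listed above into the tallies this thread is arguing about (worm probes for software you do not run, exploit attempts, reconnaissance, and ordinary visitors). This is an added illustration, not code or data from the post: the log lines are constructed in Apache Common Log Format to resemble the CodeRed .ida, root.exe/cmd.exe, unicode-traversal, WebDAV SEARCH and /_vti_bin/ entries 2damncommon lists, the IP addresses come from the RFC 5737 documentation ranges, and the signature patterns and group names are the editor's own choice rather than Snort's.

```python
"""Tally web-server log lines into the categories this thread argues about.

Added example, not from the post.  SAMPLE_LOG is constructed in Apache
Common Log Format to resemble the entries 2damncommon lists; the IPs are
from the RFC 5737 documentation ranges and the signatures are the editor's.
"""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

# Common Log Format: ip ident user [time] "request" status size
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# (group, label, pattern), tried in order against the request line.
SIGNATURES = [
    ("worm",    "CodeRed .ida overflow probe",        re.compile(r"^GET /default\.ida\?X{10,}")),
    ("worm",    "IIS unicode directory traversal",    re.compile(r"%c0%af|%c1%1c|%c1%9c|%255c", re.I)),
    ("worm",    "IIS root.exe / cmd.exe access",      re.compile(r"/(?:root|cmd)\.exe", re.I)),
    ("exploit", "WebDAV SEARCH overrun (NOP sled)",   re.compile(r"^SEARCH /\\x90")),
    ("recon",   "FrontPage /_vti_bin/ or /_mem_bin/", re.compile(r"/_(?:vti|mem)_bin/", re.I)),
]

AUTOMATED = {"worm", "exploit", "recon"}   # groups that are not a person reading the site


def classify(request: str) -> Tuple[str, str]:
    """Return (group, label) for one request line; the first matching signature wins."""
    for group, label, pattern in SIGNATURES:
        if pattern.search(request):
            return group, label
    return "normal", "no signature matched"


def parse(line: str) -> Optional[dict]:
    """Split a CLF line into its fields, or return None if it is not a log entry."""
    match = CLF.match(line)
    return match.groupdict() if match else None


def tally(lines: Iterable[str]) -> Dict[str, Counter]:
    """Count entries per group, per signature label and, for hits only, per source IP."""
    by_group: Counter = Counter()
    by_label: Counter = Counter()
    by_source: Counter = Counter()
    for line in lines:
        record = parse(line)
        if record is None:
            by_group["unparsed"] += 1
            continue
        group, label = classify(record["request"])
        by_group[group] += 1
        if group in AUTOMATED:
            by_label[label] += 1
            by_source[record["ip"]] += 1
    return {"by_group": by_group, "by_label": by_label, "by_source": by_source}


def noise_fraction(by_group: Counter) -> float:
    """Share of parsed requests that came from automated probes rather than visitors."""
    parsed = sum(v for k, v in by_group.items() if k != "unparsed")
    automated = sum(v for k, v in by_group.items() if k in AUTOMATED)
    return automated / parsed if parsed else 0.0


# Constructed sample: three worm probes from one host, an overrun attempt and a
# FrontPage probe from another, two ordinary page views, and one junk line.
SAMPLE_LOG = r"""
192.0.2.10 - - [08/Apr/2004:09:12:01 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 279
192.0.2.10 - - [08/Apr/2004:09:12:03 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 281
192.0.2.10 - - [08/Apr/2004:09:12:04 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 294
198.51.100.7 - - [08/Apr/2004:10:40:17 -0500] "SEARCH /\x90\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1\x02\xb1 HTTP/1.1" 414 335
198.51.100.7 - - [08/Apr/2004:10:40:19 -0500] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 283
203.0.113.5 - - [08/Apr/2004:11:02:44 -0500] "GET / HTTP/1.1" 200 1583
203.0.113.5 - - [08/Apr/2004:11:02:45 -0500] "GET /index.html HTTP/1.1" 200 1583
this line is not a log entry
""".strip().splitlines()


if __name__ == "__main__":
    result = tally(SAMPLE_LOG)
    for key, counter in result.items():
        print(key, dict(counter))
    print("automated share of requests: %.2f" % noise_fraction(result["by_group"]))
```

Signatures are tried in order, so a request that carries both a traversal sequence and cmd.exe is counted once, under the first label that matches; the per-source counter only accumulates for hits, which is what separates "one host walked the whole IIS worm playbook" from "one visitor loaded two pages" when you read the result.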
 
Old 04-09-2004, 09:38 AM   #13
ryedunn
Quote:
Originally posted by iainr
If a burglar goes down a road and looks through every window to see who is out, has the burglar tried to break into every house in the road? Maybe, but it's debatable. If you do count port scans as an attack then you would probably conclude that simply having a firewall was a hugely effective defence, reducing your exposure many-fold.
Looking in a window or going door to door testing to see if any of them are unlocked? That may not be against the law but you have the law watching you very closely.
 
Old 04-09-2004, 11:55 AM   #14
iainr
My point is this : one of the common statements on this forum is that firewalls by themselves are not effective security because a skilled attacker can break through most low-end firewalls, and even high end firewalls are vulnerable, especially if misconfigured.

This statement is true if a significant proportion of attacks are from skilled attackers. If one in ten attacks is from a skilled attacker then just relying on a firewall is crazy. If only one in a million is, then just sticking with a firewall is probably the sensible approach for most people : the chance of a skilled attacker targeting you is tiny so you would need to have a lot to lose to make it worthwhile on a cost-benefit basis doing any more than having a decent firewall.

So, the fact that people get all these port scans and suchlike is in itself not very important. The question is whether they are potential skilled attacks or just kiddies scanning thousands of IP addresses and waiting for someone who has gone out and left their door unlocked. If the former, be very afraid. If the latter, get a good firewall and don't worry about it too much.

My hunch is that reality is nearer to the latter than the former situation so for most people most of the time, the appropriate cost-benefit approach is to get a good firewall and leave it at that.

The same is true for large companies (probably even more so) : the ratio of virus <-> script kiddie <-> skilled cracker is critical to determining how to focus security spending effectively, just as much as the overall level of attacks and probably even more so.

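The attack-tree method iainr mentions in post #11 and the cost-benefit argument in the post above, carried through in code. This is an added example, not code from the thread or from Schneier: the tree, the effort figures per leaf, the probabilities and the asset value are all invented for illustration, and `with_mitigation` stands in for a control such as a perimeter firewall by raising the attacker's effort for one leaf.

```python
"""Attack-tree costing (Schneier-style OR/AND trees) plus the cost-benefit
comparison the thread argues about.

Added example, not from the thread.  Every node, effort figure, probability
and asset value below is an invented illustration.
"""
import copy
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "leaf"      # "leaf", "and" (all children needed) or "or" (any one child)
    cost: float = 0.0       # attacker effort for a leaf, in hours (invented units)
    children: List["Node"] = field(default_factory=list)


def cheapest_attack(node: Node) -> Tuple[float, List[str]]:
    """Return (effort, leaf names) of the cheapest way to reach this node."""
    if node.kind == "leaf":
        return node.cost, [node.name]
    results = [cheapest_attack(child) for child in node.children]
    if node.kind == "and":
        return sum(r[0] for r in results), [name for r in results for name in r[1]]
    if node.kind == "or":
        return min(results, key=lambda r: r[0])
    raise ValueError(f"unknown node kind {node.kind!r}")


def with_mitigation(tree: Node, leaf_name: str, new_cost: float) -> Node:
    """Copy of the tree with one leaf made more expensive, i.e. a control applied."""
    tree = copy.deepcopy(tree)
    stack = [tree]
    while stack:
        node = stack.pop()
        if node.kind == "leaf" and node.name == leaf_name:
            node.cost = new_cost
        stack.extend(node.children)
    return tree


def expected_loss(asset_value: float, p_attempt: float, p_success: float) -> float:
    """Loss expectancy for one attacker class: value * P(attempt) * P(success | attempt)."""
    return asset_value * p_attempt * p_success


def worth_it(control_cost: float, loss_before: float, loss_after: float) -> bool:
    """A control pays for itself when the loss it removes exceeds what it costs."""
    return loss_before - loss_after > control_cost


# Invented tree: the goal at the root, attacker steps at the leaves.
GOAL = Node("read customer database", "or", children=[
    Node("break in over the Internet", "and", children=[
        Node("find exposed vulnerable service", cost=1),
        Node("exploit it", cost=4),
        Node("pivot to internal database host", cost=10),
    ]),
    Node("phish an administrator", "and", children=[
        Node("craft lure and fake login page", cost=12),
        Node("deliver lure", cost=2),
        Node("use stolen credentials over VPN", cost=6),
    ]),
    Node("bribe an insider", cost=500),
])


def compare_firewall() -> Dict[str, Tuple[float, List[str]]]:
    """Cheapest path before and after a perimeter firewall hides the exposed service."""
    before = cheapest_attack(GOAL)
    after = cheapest_attack(with_mitigation(GOAL, "find exposed vulnerable service", 60))
    return {"before": before, "after": after}


def compare_attacker_mix(asset_value: float = 100_000, control_cost: float = 2_000) -> Dict[str, dict]:
    """iainr's question: does extra spending pay off when skilled attackers are
    1 in 10 of attempts versus 1 in a million?  The control is assumed to cut
    the skilled attacker's success rate from 50% to 5% (invented figures)."""
    out = {}
    for label, p_skilled in (("1 in 10", 0.1), ("1 in a million", 1e-6)):
        before = expected_loss(asset_value, p_skilled, p_success=0.5)
        after = expected_loss(asset_value, p_skilled, p_success=0.05)
        out[label] = {"loss_before": before, "loss_after": after,
                      "spend": worth_it(control_cost, before, after)}
    return out


if __name__ == "__main__":
    print(compare_firewall())
    print(compare_attacker_mix())
```

Two things fall out of running it. The firewall does not remove the goal node, it only changes which branch is cheapest (the phishing branch becomes the attacker's best path once the exposed service is hidden), which is the structural reason a single control is never the whole answer. And the spend decision in `compare_attacker_mix` flips entirely on the assumed attacker mix, which is exactly the number the thread says nobody has.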
 
Old 04-09-2004, 01:00 PM   #15
unSpawn
Quote:
Originally posted by iainr
My point is this : one of the common statements on this forum is that firewalls by themselves are not effective security because a skilled attacker can break through most low-end firewalls, and even high end firewalls are vulnerable, especially if misconfigured.
No, it's not because of ineffectivity, it's because a firewall isn't and shouldn't be thought of as, a single line of defense. Create a single point of failure and bam, there's the prize.

Quote:
Originally posted by iainr
This statement is true if a significant proportion of attacks are from skilled attackers. If one in ten attacks is from a skilled attacker then just relying on a firewall is crazy. If only one in a million is, then just sticking with a firewall is probably the sensible approach for most people : the chance of a skilled attacker targeting you is tiny so you would need to have a lot to lose to make it worthwhile on a cost-benefit basis doing any more than having a decent firewall.
Wrong. FWIW, I recently witnessed an incident involving one big company and a hole the size of Tokyo in their fw. Executive summary: firewall, human error, gain access. Single lines of defense suck major.

Quote:
Originally posted by iainr
My hunch is that reality is nearer to the latter than the former situation so for most people most of the time, the appropriate cost-benefit approach is to get a good firewall and leave it at that.
Security isn't a firewall and configuring and deploying a network perimeter firewall is NOT the only thing to do. That would be equivalent to choosing quick wins over long term benefits.

Quote:
Originally posted by iainr
The same is true for large companies (probably even more so) : the ratio of virus <-> script kiddie <-> skilled cracker is critical to determining how to focus security spending effectively, just as much as the overall level of attacks and probably even more so.
The amount of money a company should spend should be related to the level of assurance, protection they need to maintain integrity, business operations. IOW, the value of the assets you're protecting should be a leading factor, not the amount of "threats". Threats will change over time. And I'm not even talking about insider threats.
 