Honeynet hack attacks come daily by the dozen
1 April 2005
The Irish Honeynet Project (www.honeynet.ie), aimed at attracting, tracking and studying hackers, reveals an almost constant threat as malicious hackers aggressively scan for vulnerable systems and holes more than a dozen times a day.
Espion, Deloitte & Touche, and Data Electronics have been maintaining and monitoring the Honeynet since April 2002 and it came as no great surprise to see a massive 614 attacks recorded during the month of October 2002. It seems the longer we leave the computers online, the bigger the target they become.
Since the Irish Honeynet became operational we have seen the number of attacks increase month on month leaving the project members with volumes of data from which important lessons can be learnt and shared.
We have been attacked from all around the world at all times of the day and night. We have captured and analysed the hackers’ rootkits, their trojans, their exploits, their viruses and their worms — we have even recorded their online conversations.
And the beauty of it all is that this is not just another theory. This is real. The blackhats and the hackers unwittingly show us step-by-step how they operate in the real world, thus enabling us to better secure our organisations against attack.
An important objective of the Honeynet project has been to raise awareness in the Irish business community of the importance of information security to an organisation, large or small. It would be unthinkable for anyone running a business to leave an unlocked, un-alarmed office for the night.
The very same applies to an Internet connection. Just like the real world, cyberspace has its dangers and it seems that the frequency with which we are faced with those dangers is not going to reduce. The Honeynet statistics serve as a wake-up call to any of the remaining doubters and critics. The threat is real. Ignore it at your peril.
Quickly looking over the month-on-month data from the Honeynet leaves a certain feeling of unease. Any organisation that values its information may be interested to note that despite the Honeynet’s anonymous location, April saw 223 attacks in 20 days’ uptime, May 335, June 365, July 414, August 395, September 435 and October saw a massive 614.
Some believe that it is no coincidence that the return of students to college coincides with this increase, but such claims are nothing more than speculation.
Have we really spawned a whole generation of hackers, crackers and blackhats who spend their idle hours scanning the Internet for vulnerable servers?
‘We need to decipher the data that we have and determine why the increase has happened in the past six months,’ says Gerry Fitzpatrick, partner in charge of enterprise risk services at Deloitte & Touche Dublin. ‘Because if attacks continue at this rate we could be dealing with over 1,200 attacks per month this time next year.’
October was a busy month by all accounts. The heart of the Internet itself sustained its largest and most sophisticated attack ever, although it was only partially successful. Nine out of thirteen backbone root servers were attacked simultaneously in what one industry official described as ‘the most sophisticated and large-scale assault against these crucial computers in the history of the Internet’.
We saw an Irish ISP fall victim to serious problems with spam mail. The sheer volume of spam mail being relayed through the organisation overloaded internal systems and caused an outage. Delivery of e-mail to subscribers was delayed for a period of time. Incidents like these reinforce the message of the Honeynet Project. If you are vulnerable, they will find you. It is simply a matter of when.
Although we can’t be certain as to why attacks have almost doubled in the first six months of operation, it can safely be argued that the longer a system is online, the greater the likelihood of attack. The Irish project team, along with its international counterparts in the USA, Canada, Greece, Switzerland, India, Mexico and Brazil, have an overwhelming source of data and evidence that supports this case.
One important lesson can be learnt here. Colman Morrissey, managing director of Espion, points out: ‘The longer an Internet-connected system remains online, the more attention needs to be paid to security. Systems will be constantly and aggressively probed and if they are running outdated, or un-patched and vulnerable software, they will, undoubtedly, fall victim to these people’.
The Irish Honeynet is designed to mimic the Internet infrastructures commonly used by organisations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way, so any traffic to it from the Internet is suspicious by nature, as it arises from hackers and crackers who are deliberately attempting to identify and attack systems that are vulnerable.