Re: IDS: statistics on intrusion?

Lance Spitzner (spitzner@dimension.net)
Thu, 8 Apr 1999 08:12:53 -0400 (EDT)

FAQ: See http://www.ticm.com/kb/faq/idsfaq.html
IDS: See http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems.. Then email questions to ids-owner@uow.edu.au
NOTE: You MUST remove this line from reply messages as it will be filtered.
SPAM: DO NOT send unsolicted mail to this list.
USUB: email "unsubscribe ids" to majordomo@uow.edu.au
---------------------------------------------------------------------------

Why not see the actual facts?  I'm currently working with
the Checkpoint Firewall 1 community on developing IDS
scripts that log most scans of a network.  I have also
posted the actual logs of all scans of an actual network
since 16 Feb, 1999 (there have been 65 scans so far).
You can see the actual source IPs, date, and what
they were scanning for.

You can find this information at
http://www.enteract.com/~lspitz/alert.log

For more information on the IDS script,
http://www.enteract.com/~lspitz/intrusion.html


> 
> We are doing a study right now on intrusion. We are
> detecting the following intrusion attempts:
> 
> * dial-up users: 2 times per month
> * cable-modem/DSL users:  10 times per month
> * high-profile web sites: once per day (highly variable)
> 
> Typical intrusions are:
> 
> * Back Orifice scans (default password/default port 31337)
> * strobes against list of well-known ports (21, 23, 25, 110, 80, 139)
> * /cgi-bin well-known script tests
> 
> For the most part, we are detecting an enormous amount of 
> scanning activity, but few exploit attempts. We have set 
> up "honeypot" systems that have been successfully scanned,
> but not exploited. For example, we have a Back Orifice
> system that several people have successfully scanned, but
> they have not come back to exploit it.
> 
> Another surprising result is that most hackers try UNIX
> exploits, whereas the biggest vulnerability on the net
> is Windows machines with their hard drives exposed to the
> Internet.
> 
> In the last couple of months that we have been doing this 
> study, we have detected three "Internet-wide" scans (scans
> that have been detected at virtually all our sites from
> the same source over a long period). Two of these were
> Back Orifice scans, one was an SNMP "public" scan.
> 
> We are also seeing the emergence of Ipswitch's "Whatsup"
> product as a scanning tool. This program is intended to 
> monitor the response time of well-known services, but it
> can just as easily be used as a simple scanner.
> 
> I hope this information helps. I hope to have more reliable
> statistics in a few months.
> 
> Rob.
> 
> 
> --- Michael Hennecke <Michael.Hennecke@ruhr-uni-bochum.de> wrote:
> > Hello.
> > 
> > Are there any statistics or reports about network/computer
> > attacks/intrusion that underline the need for security?
> > Could you provide some URLs for this topic?
> > 
> > Regards, Michael
> > ---
> > http://mh.home.pages.de
> > (pgp key available)
> > 
> 
> 
> 

Lance Spitzner
http://www.enteract.com/~lspitz/papers.html
Internetworking & Security Engineer
Dimension Enterprises Inc
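As an added illustration (not code from Lance's Firewall-1 scripts or from Rob's study), here is a small classifier that applies the three probe signatures Rob lists to constructed firewall-style log lines. The log format, the sample addresses and the strobe threshold are assumptions made for the example.

```python
"""Classify scan activity in constructed firewall-style log lines.
Added example (not Lance's Firewall-1 scripts or Rob's study); labels mirror
the thread: Back Orifice probes (UDP/31337), port strobes, /cgi-bin tests."""
from collections import defaultdict

WELL_KNOWN = {21, 23, 25, 80, 110, 139}  # strobe target list from the thread
BO_PORT = 31337                          # Back Orifice default port
STROBE_THRESHOLD = 3                     # assumed: distinct ports per source

# Constructed sample log: <timestamp> <proto> <src> -> <dst>:<port> [<uri>]
SAMPLE_LOG = """\
1999-04-08T08:01:02 udp 192.0.2.10 -> 198.51.100.5:31337
1999-04-08T08:01:03 tcp 192.0.2.20 -> 198.51.100.5:21
1999-04-08T08:01:03 tcp 192.0.2.20 -> 198.51.100.5:23
1999-04-08T08:01:04 tcp 192.0.2.20 -> 198.51.100.5:25
1999-04-08T08:01:04 tcp 192.0.2.20 -> 198.51.100.5:139
1999-04-08T08:02:00 tcp 192.0.2.30 -> 198.51.100.5:80 /cgi-bin/probe.cgi
1999-04-08T08:02:10 tcp 192.0.2.40 -> 198.51.100.5:80 /index.html
"""


def parse_line(line):
    """Split one log line into a dict; uri is None for non-HTTP events."""
    parts = line.split()
    ts, proto, src, _arrow, dst_port = parts[:5]
    dst, port = dst_port.rsplit(":", 1)
    uri = parts[5] if len(parts) > 5 else None
    return {"ts": ts, "proto": proto, "src": src, "dst": dst, "port": int(port), "uri": uri}


def classify(log_text):
    """Return {source_ip: set_of_labels}; an empty set means nothing flagged."""
    ports_by_src = defaultdict(set)
    labels = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        labels[ev["src"]]  # register the source even if it triggers nothing
        if ev["proto"] == "udp" and ev["port"] == BO_PORT:
            labels[ev["src"]].add("back-orifice-probe")
        if ev["proto"] == "tcp" and ev["port"] in WELL_KNOWN:
            ports_by_src[ev["src"]].add(ev["port"])
        if ev["uri"] and ev["uri"].startswith("/cgi-bin/"):
            labels[ev["src"]].add("cgi-bin-test")
    # A strobe is one source touching several well-known ports, not just one.
    for src, ports in ports_by_src.items():
        if len(ports) >= STROBE_THRESHOLD:
            labels[src].add("port-strobe")
    return dict(labels)
```

A single hit on port 80 is deliberately not labelled, so ordinary web traffic from one source stays out of the report.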