As an ideal follow-up of my old post A (Graphical) World of Botnets and Cyber Attacks, I would like to mention a really interesting project unveiled by Deutsche Telekom few days ago.
Sicherheitstacho.eu (the literal translation should sound similar to “security tachometer”) is based on the honeymap project (just like HoneyNet) and shows the real-time data of the early warning system of Deutsche Telekom operated from the operator and its partners. The map shows the attacks detected by the different sensors (Honeypots) with evidence of the countries in relation of the overall number of attacks and a live-ticker.
The interesting part of the Deutsche Telekom project is represented by the possibility to have also charts and stats related to:
- Top 15 of Source Countries (Last month) – List of the top 15 countries source of attacks.
- Top 5 of Attack Types (Last month) – List of the top 5 attacks per protocol.
- Distribution of Attack Targets (Last Month) – Distribution of the attacks per target’s technology.
- Overall sum of attackers per Day (Last Month) – Total number of attackers on a daily basis.
- Overall sum of attacks per Day (Last Month) – Total number of alerts on a daily basis.
It’s really a little big planet from an information security perspective, isnt’it?
- A (Graphical) World of Botnets and Cyber Attacks (hackmageddon.com)
Update 3/12/2013: I should also mention the Deutsche Telekom Security Tachometer
We live in a World made of Botnets and cyber attacks! While I am typing these few words in my keyboard, other fingers somewhere else in the Globe are moving quickly through the keys, firing stream of bits against their targets.
For thwarting this malicious landscape, trying to understand the evolving trends, more and more security companies and organizations collect data from their security endpoint or network devices spread all over the Globe, and send it to the cloud to be analyzed with big data algorithms. The purpose is to reduce the time between the release of a threat and the availability of an antidote. The same data can also be used to build spectacular maps that show in real time the status of the Internet, a quite impressive and worrisome spectacle! Here a short list of resources:
Probably the most impressive: the HoneyMap shows a real-time visualization of attacks detected by the Honeynet Project‘s sensors deployed around the world. The Map shows “automated scans and attacks originating from infected end-user computers or hijacked server systems”. This also means that an “attack” on the HoneyMap is not necessarily conducted by a single malicious person but rather by a computer worm or other forms of malicious programs. Please Notice that, as the creators of the Project declare, many red dots means there are many machines which are attacking our honeypots but this does not necessarily imply that those countries are “very active in the cyberwar”
Akamai monitors global Internet conditions around the clock. With this real-time data the company identifies the global regions with the greatest attack traffic, measuring attack traffic in real time across the Internet with their diverse network deployments. Data are collected on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses. Values are measured in attacks per 24 hours (attacks/24hrs).
The information collected by Kaspersky Security Network is shown in the Securelist Statistics section. In the corresponding navigable map, the user can select Local Infections, Online Threats, Network Attacks and Vulnerabilities with Map, Diagrams or Ratings format in a time scale of 24 hours, one week or one month.
Trend Micro continuously monitors malicious network activities to identify command-and-control (C&C) servers, making the ability to rapidly identify and correlate bot activity critical. The real-time map indicates the locations of C&C servers and victimized computers that have been discovered in the previous six hours.
The Shadowserver Foundation, managed by volunteer security professionals, gathers intelligence from the Internet via honeyclients, honeypots, and IDS/IPS Systems. The maps are made converting all of the IP addresses of the aggressor, the Command and Control and the target of the DDoS attack in coordinates and placing those points on a map. The maps are updated once a day and are available for DDoS activity and Botnet C&Cs.
Through its relationships with several worldwide service providers and global network operators, Arbor provides insight and on global DDoS attack activity, Internet security and traffic trends. Global Activity Map shows data in terms of scan sources, attack sources, phishing websites, botnet IRC Servers, Fast Flux bots.
This morning, during my usual virtual promenade through my feeds, I came across a really interesting post from Stratsec, a subsidiary of Bae Systems.
The post unveils the details of an unprecedented experiment aimed to verify how easy and cheap is to setup a botCloud and how hard is for the Cloud providers to detect them (and consequently advise the victims).
As the name suggests, a botCloud is defined as a group of Cloud instances that are commanded and controlled by malicious entity to initiate cyber-attacks.
The research was carried on by subscribing to five common Cloud providers and setting up to 10 Cloud instances targeting a victim host, protected by traditional technologies such as IDS, and flooded with several common attack techniques (malformed traffic, non-RFC compliant packets, port scanning, malware traffic, denial of service, brute force, shellcode and web application attacks) in 4 scenarios:
- Victim host placed in a typical network scenario with a public IP, firewall and IDS;
- Victim host setup as a cloud instance inside the same cloud service provider then the attackers;
- Victim host setup as a cloud instance inside a different cloud service provider then the attackers;
- Same scenario as test 1 with a major duration (48 hours) to verify the impact of duration on the experiment;
The findings are not so encouraging, and confirm that the security posture of the cloud providers needs to be improved:
- No connection reset or connection termination on the outbound or inbound network traffic was observed;
- No connection reset or termination against the internal malicious traffic was observed;
- No traffic was throttled or rate limited;
- No warning emails, alerts, or phone calls were generated by the Cloud providers, with no temporary or permanent account suspensions;
- Only one Cloud provider blocked inbound and outbound traffic on SSH, FTP and SMTP, however these limitation was bypassed by running the above service on non-default port.
The other face of the coin is represented by the moderate easiness needed to setup an army of cloud-hidden zombie machined which can leverage the advantages of a Cloud infrastructure. In fact a botCloud
- Is relatively easy to setup and use;
- Needs significantly less time to build;
- Is Highly reliable and scalable;
- Is More effective;
- Has a Low cost.
Cloud Service Providers (and their customers), are advised…
The attack model based on botnet-generated Distributed Denials of Service is opportunistic. The botmaster selects a target, gathers as many resources as possible among his army of zombie machines, and when he realizes to have achieved enough firepower, simply selects a target and pushes the attack button. After this the target is inevitably flooded by packets generated by the bots, while the unaware owners of the zombie machines perform their normal work or fun activities with their infected computers.
In theory there is only a weak point in this opportunistic model and it consists on the fact that the botmaster controls the compromised machines but cannot control their availability. Simply said, if a user has not switched on his computer while the botmaster needs that machine to execute a DDoS attack, the machine is not available, and there is not so much to do.
Of course this is essentially a theoretical weak point since, quoting a famous phrase, we could say that on botnet empire the sun never sets: indeed botnets are so huge and widespread to be in practice always available (they span different continents and different time zones) and constantly grant enough firepower.
But what happens if some global events or some global festivities make a larger number of computers to be turned off? Quite simple apparently! The firepower of the botnet is hugely affected and the number of DDoS attack drops. This is one of the paradoxical conclusions that can be derived from a paper presented few days ago at the Virus Bulletin 2012 International Conference by Cloudflare (probably the main CDN company in the world), about which an interesting post by Naked Security has provided additional details.
Apparently the number of IP addresses used to execute Layer 7 DDoS attacks in 2012 showed the minimum values just in those days of events or vacations which kept the users away from their Personal Computers. The minimum values occurred in days such as Mardi Gras, Earth Day (the 22nd of April when one billion people around the world chose to keep their computers turned off to reduce energy consumption), the Memorial Day weekend on the 29th May and 28th June, just before US Independence Day celebrations.
Quoting the Naked Security article, the conclusion is quite amusing: if everyone turned off their computers each night, it might not just be good for the environment because of the lower levels of energy being consumed… it could also mean a reduction in botnet attacks.