Security Basics mailing list archives

Re: Source of hack attemps


From: "Bob Radvanovsky" <rsradvan () unixworks net>
Date: Thu, 11 Mar 2004 19:31:53 -0600

If it's any consolation, I can, without a doubt, state that since I have
installed/configured an IDS solution on my "home lab" network (small lab...
http://www.unixworks.net/lab), that I have had OVER 68,000 signatured
attacks, all the way from slow/fast port scans to full-blown NetBIOS/NetBEUI
attacks.  Of the 68,000+ attacks, over 24,000 were port scans.

Of the remaining 45%, approx. 60% are TCP packets, 30% are UDP packets, and
roughly 10% are ICMP packets.

[TCP]
Of the TCP packets, approx. 23% are US-based, of which almost 80% are from
cable-modems and ADSL connections, with the remaining 20% from
corporate-based environments or hosting providers; over 55% were from the
Pacific Rim region, with almost 70% of that originating from China, of which,
6 locations were from China, 4 of which originated from Singapore, almost
even split between Korea, Taiwan, and Japan (in that order), with mostly
dial-up connections originating from dialup providers, with Japan being the
exception with some ADSL connections; over 20% originating from Eastern
Bloc countries (Russia, Czechoslovakia, Yugoslavia, Romania [in that
order]), and the remaining amount mostly from Central and Southern Americas
(tied between Argentina and Brazil, with Mexico last).
Attack signatures were mostly NetBIOS and NetBEUI-based (have 2 Windows
servers online, and they are broadcasting beacons for keep-alive
connections).

[UDP]
Similar statistics of originating countries, except that the next statistics
were with various trojans and worms (MS-SQL being highest amount at 65% of
the trojan/worm category, with the latest Bagel virus next, and
miscellaneous after that).  Of which, there was a significantly higher
number of trojans and worms originating from the Pacific Rim region, with
over 73% originating from China!  Taiwan was next at 15%, Japan next at 7%,
and Korea (believe it or not) was the lowest.

[ICMP]
Here, the statistics originated from predominately the Eastern Bloc
countries, with Russia holding at 86% of most ICMP attacks, mostly slow
stealth and tunneling attacks, Czechoslovakia having approx. 7%, and the
remaining amount was from France!  None from the Americas or the U.S.

Do any of these statistics help you in your endeavors?

The source is my network, through which the IDS has been operational since
23-Feb-2004.  ;)

Cheers!

Bob Radvanovsky [/unixworks]
rsradvan(at)unixworks.com
"knowledge squared is information shared."

----- Original Message -----
From: "Austin Moran" <mis () nysar com>
To: <security-basics () securityfocus com>
Sent: Thursday, March 11, 2004 7:49 AM
Subject: Source of hack attemps




Does anyone know what the leading countries are for attempts to violate
network security?  Is there a list which might show the top five or ten
countries for sources of computer hackers?

thanks in advance,
Austin
