Irish Honeynet slammed by attacks

[InfoSec News <isn () c4i org>]

http://www.enn.ie/news.html?code=9352249

by Andrew McLindon
March 13 2003
   
The Irish Honeynet enticed nearly 600 attacks in January, while the
rampant Slammer worm even caused it to be brought down for a day
during the month.

The decoy computer network, which was established to study cyber
attackers, recorded 597 attacks during January. Although this was
slightly down on figures for November (634) and October (613) of last
year, it is a substantial increase from the early days of the project
in mid-2002 when it was attracting around 400 attacks a month.

According to Colm Murphy, technical director with Espion, one of the
companies involved in the Honeynet, this overall increase is probably
due to the length of the time that the Irish Honeynet has been on the
Internet.

"If it is difficult to know what exactly has caused this jump, but it
is safe to say that the longer an IP address is on-line, the more it
will be attacked," Murphy told ElectricNews.Net.

Designed to imitate common Internet infrastructures, Honeynets are
"wired" with detection sensors to capture all network activity. A
Honeynet is not advertised, so any traffic to it is suspicious by
nature. The idea behind it is to learn more about how hackers and
would-be attackers operate so that computer systems can be better
protected.

January also saw a demonstration of how potentially destructive the
recently released Slammer worm could be. The virus, which exploited a
six-month old vulnerability in Microsoft SQL Server 2000, wreaked
havoc for a couple of days in the last week of January.

During that time, it spread rapidly across the world, affecting
Internet performance from China to the US. Another of its victims was
the Irish Honeynet, which had to shut down for a day as the bug
swamped its network with massive amounts of data. However, Slammer
activity on the Irish Honeynet only accounted for around 10 of the
total attacks in January.

Murphy said the impact of Slammer illustrated the need for
organisations to ensure their systems cannot be crippled by such
viruses.

The latest figures from the Irish Honeynet project also showed that
the US continues to be the origin of the majority of the attacks
against it.

"The US has consistently been the largest single source of attack,
accounting for a huge proportion of the traffic seen on a daily basis
in the Honeynet," said Gerry Fitzpatrick, enterprise risk services
partner at Deloitte & Touche, which is the other Irish Honeynet
partner. "In November 2002, for instance, 46 percent of the total
attacks on the Irish Internet came from source addresses in America."

However, as Murphy explained, this does not necessarily mean that
these attacks are coming from people based in America.  
"Cyber-attackers would route their attacks through systems based in a
number of countries. These figures simply show that there are large
amount of vulnerable systems in the US, which hackers are using to
launch the last leg of their attacks," commented Murphy.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.