Less casual attacks, but why?

by Anton Chuvakin

Related link: http://www.honeynet.org/papers/trends/life-linux.pdf

People are used to an ever-increasing flow of attacks against Internet-exposed systems. Thus, the latest research from the Honeynet Project might come as a surprise to many (I certainly was surprised when I first noticed this trend in my honeynet, run as a part of the Project).

Linux systems are actually attacked much less now than 2-3 years ago. Not only are the systems attacked less, they also survive much longer even if no security safeguards are applied. It used to be unthinkable that an unpatched RedHat box would sit there for 3 months, but now it happens fairly often. Obviously, default Linux installs are much more secure now, but this is only part of the picture...
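The trend described above (fewer attacks, longer survival of unpatched hosts) is something anyone running a honeypot or an exposed box can check in their own firewall logs. The following is an added example, not code from the original post or from the Honeynet Project: it parses a handful of constructed iptables LOG lines (timestamps extended with a year, as the sample assumes), counts inbound connection attempts and distinct source addresses per month, ranks the targeted ports, and computes the survival time of a host from its deployment date to its first observed compromise.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, NamedTuple

# Constructed sample log lines in iptables LOG format. The timestamps are
# assumed to carry a year (ISO style), which stock syslog does not add.
SAMPLE_LOG = """\
2003-11-02T03:14:07 hp kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4021 DPT=80 SYN
2003-11-02T03:14:09 hp kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4022 DPT=25 SYN
2003-11-15T11:00:00 hp kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=1033 DPT=80 SYN
2003-11-28T22:45:31 hp kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=2511 DPT=22 SYN
2004-11-03T08:12:45 hp kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=198.51.100.5 PROTO=TCP SPT=3988 DPT=80 SYN
2004-11-20T17:30:02 hp kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.5 PROTO=TCP SPT=1500 DPT=25 SYN
2004-11-21T00:00:01 hp sshd[4242]: Accepted publickey for admin from 198.51.100.9 port 50000
"""

# Only kernel firewall lines with a source address, protocol and destination port count.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: .*?SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)


class Probe(NamedTuple):
    when: datetime
    src: str
    proto: str
    dport: int


def parse_events(text: str) -> List[Probe]:
    """Extract inbound connection attempts; lines that are not firewall hits are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append(
            Probe(
                when=datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
                src=m.group("src"),
                proto=m.group("proto"),
                dport=int(m.group("dpt")),
            )
        )
    return events


def monthly_summary(events: List[Probe]) -> Dict[str, Dict[str, int]]:
    """Attempts and distinct attacking sources per calendar month (YYYY-MM)."""
    attempts: Counter = Counter()
    sources: Dict[str, set] = {}
    for ev in events:
        month = ev.when.strftime("%Y-%m")
        attempts[month] += 1
        sources.setdefault(month, set()).add(ev.src)
    return {
        month: {"attempts": attempts[month], "sources": len(sources[month])}
        for month in sorted(attempts)
    }


def top_ports(events: List[Probe], n: int = 5) -> List[tuple]:
    """Most frequently targeted destination ports, highest first."""
    return Counter(ev.dport for ev in events).most_common(n)


def survival_days(deployed: datetime, first_compromise: datetime) -> int:
    """Days an exposed host stayed uncompromised (the honeynet 'survival time')."""
    if first_compromise < deployed:
        raise ValueError("compromise cannot precede deployment")
    return (first_compromise - deployed).days


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for month, stats in monthly_summary(evs).items():
        print(f"{month}: {stats['attempts']} attempts from {stats['sources']} sources")
    print("top ports:", top_ports(evs))
    # Constructed dates: box deployed 1 Sep 2004, first compromise 1 Dec 2004.
    print("survived", survival_days(datetime(2004, 9, 1), datetime(2004, 12, 1)), "days")
```

Comparing the same month across years (here the constructed 2003-11 versus 2004-11) is the simplest way to see whether probe volume is really falling on a given host rather than just shifting seasonally; the per-port ranking shows which services (web, mail, ssh in the sample) still draw the automated traffic.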

2004-12-23 19:43:47
Well, r00ting boxes usually serves a purpose, it's not an end in itself. What were r00ted machines used for before? If, as I suspect, the answer is spam zombies, then maybe the crackers have simply found that their needs are already well covered so that “acquisition” is no longer as pressing a need.

It's wildly unsubstantiated, of course, because I have absolutely no proof, but at least it does seem like a plausible explanation.

2004-12-28 00:04:55
Sounds reasonable.
Up until last year (or so) most attacks were either targeted at a specific system in order to harm that system's owners or they were aimed at gaining bragging rights among peers in the cracker community.

All that changed when in 2003 or so organised crime (spammers, scam artists, possibly terrorist cells) got involved and basically took over.
I've seen fewer attacks overall in my firewall and webserver logs, and most of those look like automated attempts to get past OS and more specifically Apache and Sendmail weaknesses.
As default installations of Redhat probably no longer install those (I know many other distributions dropped them from the default install), the attacks would not succeed on those systems.