Attack Registry And Intelligence Service

thelaw writes: "SecurityFocus just announced the start of their new service, ARIS (Attack Registry and Intelligence Service) Analyzer. The service allows you to submit logs from several different intrusion detection systems automatically and quasi-anonymously. Looking at the front page, they seem to have over 700,000 incidents already reported since starting."
  • by Decado ( 207907 ) on Monday March 26, 2001 @10:25AM (#339394)
    And I'll bet they can clear 1,000,000 attacks before the day is out.
  • by ChazeFroy ( 51595 ) on Monday March 26, 2001 @10:25AM (#339395) Homepage
    This centralized service for reporting will lead to some falsified logs being submitted to get somebody in trouble. I hope people use this service, but I also hope they take it with a grain of salt.
  • by blair1q ( 305137 ) on Monday March 26, 2001 @10:27AM (#339396) Journal
    Of course, all too soon, they will have a whole category for "slashdotted"...

    --Blair
  • ... and it'll be much harder for someone to break into a box and rifle the logs before someone else can look at them. It's not a guarantee that the system will be safe and secure, but it could be a nice deterrent to someone hacking and thinking that they can just clean the logs of their activities later...

    "Titanic was 3hr and 17min long. They could have lost 3hr and 17min from that."
  • Are sites linked from /. thinking they're in the middle of a DoS attack?

    DanH
    Cav Pilot's Reference Page [cavalrypilot.com]
  • by cavemanf16 ( 303184 ) on Monday March 26, 2001 @10:30AM (#339399) Homepage Journal
    Well, the US sure seems to be getting bombarded. I didn't know there were that many political attackers and script kiddie crackers out there. Maybe this will show some US companies just how big a deal security (including protecting the info they always collect on me) really is.

    And my bit of paranoia for the day:
    Why do they keep saying how 'secure and private' the log files you send them are? Can't they just trace the IP that sent the log right back to the company and/or individual who owns the IP (unless of course it's a dynamic IP being assigned)? Not that they would want to do so, but let's just stop advertising privacy. There is no privacy on the net. It's like streaking thru a crowded marketplace; not many people notice, but those that do get to see the whole deal.

  • Although some interesting information could pop out of the service, I don't see any real benefit for ME to submit MY logs. In fact, I only see potential harm... after all, what if their security is breached?

    If I'm shown to be wrong, then I must reconsider. But for now, I'll stay on the sidelines.
  • In fact, they're creating the biggest repository of cracker data in the Web!! If they get compromised, everybody using their services will be painted in red as potential targets.

    I sincerely hope this won't happen, but you can't be too careful...

  • Well, the US sure seems to be getting bombarded.

    Really? [attrition.org] It doesn't look like the US is disproportionately represented in this list. All of the 'generic' domains plus .us equals ~60%, and a significant number of .coms (over half of that 60%, BTW) are not US sites.

  • I was just thinking that would be a perfect attack for this system. Just submit enough falsified logs that it becomes worthless.

    You could prevent such an attack by implementing user IDs with cryptographic signing, but you lose some of your anonymity that way as you'd need to reject user ID applications from throwaway accounts such as from Hotmail.

  • cat /var/logs/security | awk '{print $2 " " $3 " " $4}' | sort | uniq -c | sort

    doing the same thing except that it's not in pretty html format?
  • by Anonymous Coward
    Hey, I'm still waiting for the cheesy Jon Katz article about the Oscars for special effects and how those poor picked-on geeks have changed the movie industry forever and set a new paradigm for the antiquated movie industry...

    blech...
  • by GodHead ( 101109 ) on Monday March 26, 2001 @10:50AM (#339406) Homepage
    I must have missed something.

    I'm not trying to troll or anything but other than the "Cool" factor what does this service do? How is knowing the most common attack types going to help me? The common ones are already patched by clued-in admins. I mean did you see the common attack list? If you're open to SNMP GET you have problems.

    Are they going to try and find new attacks with the data or something?

    G.H.
  • by Anonymous Coward on Monday March 26, 2001 @10:52AM (#339407)
    This service has two sides:
    The bright side is that it will bring stats of intrusion attempts. This is particularly interesting, because you can learn what's going around and take measures before it's too late.

    The dark side is that I see a forthcoming IASD (Intrusion Attempt Source Database) available online, so many ppl will start banning IPs "Just in case".

    I do not like ORBS, I feel it's not useful because of the tendency to give false positives.
    As an example, we use a very strict mail relay policy, and every week I get the ORBS tester machines sending mails that end up in postmaster because of their lack of valid rcpt addresses.
    Every time it's because some ignorant saw SPAM w/bogus reply addresses in some of our domains and thinks that the spam was actually sent from one of our SMTP servers (false, all tend to come from yah00 or h0tmail or some server in Korea, who cares).

    Imagine a script kiddie who, instead of deleting its path in the victim's logfile, now replaces its IP w/someone else's IP address.

    Who audits the victim's security policy? Who takes for granted that the supposed victim is honest?

    This is very, very difficult to prove.

  • I would hope that any system administrator, who was smart enough to know what a log is, would also know what a proxy server is. Problem solved.


    This message was encrypted with rot-26 cryptography.
  • I don't see any real benefit for ME to submit MY logs. In fact, I only see potential harm...
    "I don't see any real benefit for ME to stop spamming. In fact, I only see potential loss of revenue..."
  • That last sentence seems unclear - I don't mean to imply that over half of the .coms are not US sites, but that over half of the 60% (i.e. 38% of the total) are .coms, not all of which are US sites.
  • awk '{print $2 " " $3 " " $4}' /var/logs/security | sort | uniq -c | sort

    Also, your sort will look like this...
    1
    10
    11
    12
    2
    3
    4
    5
    6
    7
    8
    9
  • ...but looking at the overview page...

    "ARIS analyzer is a service designed, administered and maintained by SecurityFocus.com to allow participating network administrators to submit suspicious network traffic and intrusion attempts anonymously, for detailed analysis and tracking. Our aim is to help our participants track incidents and find patterns in attacks that will serve as a threat gauging system for the Internet community."

    ...DAMN! Doesn't apply to me! Still, this looks to be very useful, and I'd probably subscribe to this service if, you know, I weren't just a college kid on a personal computer.

  • In fact, they're creating the biggest repository of cracker data in the Web!! If they get compromised, everybody using their services will be painted in red as potential targets.

    As it says in their FAQ [securityfocus.com] :

    1) ...your account information is stored separately from the IDS logs you submit for analysis...

    2) ...You always have the choice of how much information you wish to send. You may decide to strip address information when cleaning logs in ARIS extractor...

    Also, they only know who you are if you choose to tell them, and, even so, that information is stored separately from the attacks on your system.

    but you can't be too careful... Amen to that.
  • Nice service...
    But, could've been far more interesting if you could see graphs of OVERALL statistics, not only graphs and data of the logs you sent.
    For example, I really wanted to know what the top 10 countries are that most of the attacks originate from.
  • . . .is 7-10 hits on my network at work per day, on the average (we have a Class C, but most stuff is NATed behind the firewall), and 3-4 hits a day at home on the DSL line... it all seems a lot, but then both my work and my home firewalls include footprinting exercises as an attack.....

    I have no idea if those numbers are typical: the DSL ranges are well known, and so is my ISP's netblock. . . But I'd wager it's virtually ALL automated tools. . .

  • I got to be l337 over years of study. Now some kid can read a couple of logs and pull off a sweet DDoS in their first few hours. Wtf?

    What can there possibly be left for old-skool h4x0rz like myself? Those 455hol3z have taken all the phun out of it.

    A g4ll3ry of my h4x0r1ng k0nqu3sts [ridiculopathy.com]

  • This will be like having a free online survey of everyone who got hacked... Pretty soon we'll have the perfect profile for the vulnerable admin/setup and targeting spam, hacks, etc. at. A little bit of stats work and you may as well have been handed the emails/IPs of the vulnerable systems. Better still, when their database does get hacked, how much do you wanna bet that info is gonna be worth?
  • Erm. Scratch sort problem.
    Sort is a bit smarter than I thought.
          1
         10

    is different than
    1
    10
  • Paranoid freaks of the world unite!
  • The information will be useful to security protocol designers such as myself I guess. But sysadmins surely need something more automated and targeted.

    Ad hoc descriptions of vulnerabilities only get so far however. Most of the time the average lamer is trying techniques that were reported on Bugtraq years before and were patched and CERT advised months ago.

  • Can I be geeky like you.

    Sorry to tell you, but I work for a very large organization in which I use this command on a daily basis to monitor our border routers' logs. This allows me to keep an eye out on different ports being probed and allows me the ability to create ACLs to block those ports..

    Why don't you go right click something and upload your logs to have the analysis done for you.
  • do they also offer hacker toolkits for download or do I have to go elsewhere for that?
  • Well the logs aren't always "hacked". An IDS registers 'invalid' or otherwise 'potentially hostile' traffic.

    Just because some kid set off my IDS scanning for SubSeven doesn't mean my site is vulnerable to SubSeven and doesn't mean it was hacked. Fact that they were probably scanning a Solaris system aside all it meant was that my IDS saw the traffic.

    That's what a lot of these are: the IDS sees the traffic, either because it is in front of the firewall or the port was opened on the firewall and the IDS behind it saw the packet. What that database could do is show you what are the most common scans performed and what type of sites see what type of attacks.
  • teehee, titter, hehehehe yup, i seem to have a mind of a 3 year old :D
  • Most of the time the average lamer is trying techniques that were reported on Bugtraq years before and were patched and CERT advised months ago.

    NO! The main problem in this sad landscape of crappy administration is that no one bothers patching any of their systems because they:

    a) Don't know what CERT is never mind read it
    b) Don't know what BUGTRAQ is never mind read it

    Most of the systems being hacked are NT or Linux servers which are deployed in the heat of the moment and then forgotten about forevermore.

  • There is no privacy on the net. It's like streaking thru a crowded marketplace; not many people notice, but those that do get to see the whole deal.

    LOL .. that's one of the most amusing internet privacy analogies I've ever heard.

    --
    Delphis
  • Wouldn't something like PortSentry [psionic.com] be easier?

    That and LogCheck [psionic.com] to make picking out interesting log entries a breeze.

    --
    Delphis
  • After looking over the ARIS [securityfocus.com] site, I'm left with a bunch of questions.

    First, what the heck is the definition of an "incident"? Their FAQ doesn't indicate what this means. If some goofball script kiddie runs a script that sends out 100,000 pings of death, is that one incident, or 100,000? If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000? It sounds like AOL's goofy customer count: "Here, set up seven screen names so that we can claim you're seven different customers."

    Secondly, does handing all your log files over to these guys remind anyone of the movie The Net? How do we know SecurityFocus [securityfocus.com] can be trusted? How do we know we're not handing our log files over to someone who's already hacked SecurityFocus? What does this service do for us?

  • Incidents.org [incidents.org] is run by the Global Incidents Analysis Center which is associated with the SANS institute. It's been operating for a while and the "current detects" section is very valuable for those of us who have to address day-to-day security issues.

    GIAC assigns a "handler" to be on-duty at any given time. All the reported incidents are filtered through the handler.

  • We're happy to have all users, whether corporate security professionals, college kids, or home users. if you have an IDS in place, please feel free to participate.
  • Did you even look at the site URL provided? Ofc, there are a whole lot of assumptions on whether or not you want to believe the data represented there is 'valid' or not, whether people are correctly listing their country...etc...
    Anyways, more to the point, it all comes down to this being another potentially useful tool when it comes to what kind of attacks and such are actually being used in the wild...
  • by ryanr ( 30917 ) <ryan@thievco.com> on Monday March 26, 2001 @11:46AM (#339432) Homepage Journal
    Absolutely. Users who create an account and submit their logs have access to the following:

    - A service designed to assist users in reporting incidents. We look up the appropriate contacts for the offending organization and their upstream provider, allow you to select which incidents you wish to report, and draft a report for you with all the pertinent information.

    - Access to descriptions about what the attack was that your IDS spotted. This includes links into the Bugtraq database where appropriate, articles, exploit code (so you can see if the compromise was successful or not), etc...

    - The ability to see how many other ARIS users your attacker has attacked, in case that factors into your decision on whether to report or not.

    - We track which incidents have been reported (through our system) for you.

    - We cross-correlate reports from different IDS brands, for those users who have more than one type.
  • NO! The main problem in this sad landscape of crappy administration is that no one bothers patching any of their systems because they:

    Quite so, which is why the lamers don't need to be any more sophisticated.

    If more people stripped down the servers before they deployed them there would be fewer incidents. When I deploy a hardened system I remove ftpd from the inetd file and delete the executable off the system, same for sendmail, finger, nfs etc.

    A lot of security problems could also be eliminated by better O/S and programming language design. On the VAX system any attempt to overwrite the stack caused an exception. Array bounds checking was around and standard in the 1960s. Today we have to put up with buffer overrun errors. It should not be necessary to take the performance hit of Java just to get array bounds checking (and yes I know the marketing claim that there is no hit if you code right - it is marketing bollocks)

    UNIX could do with a complete clean up job. There is far too much complexity and left over dross from years ago hanging around.

  • Well, the US sure seems to be getting bombarded.

    That's the number of attacks the US is sending, not receiving.
  • If you would have bothered to actually read some of the info, you would have noticed that you can scrub your logs to preserve such things as privacy...

    Q: Do I have to clean my IP address and other identifying information out of my IDS logs before sending them to ARIS analyzer?

    A: You always have the choice of how much information you wish to send. You may decide to strip address information when cleaning logs in ARIS extractor.

    So clean yer logs of IP's you don't want to give them... :)
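    The two log-handling steps this thread keeps coming back to, the awk | sort | uniq -c | sort ranking from the command posted earlier (and the sort-order question that followed it) and the FAQ's advice to strip your own addresses before submitting, as one added example in POSIX shell. This is not code from the thread or from SecurityFocus's ARIS extractor; the log layout, the sample lines, the 203.0.113.0/24 netblock standing in for the monitored site and the function names are all constructed here.

```shell
#!/bin/sh
# Added example, not code from the thread or from SecurityFocus/ARIS.
# Two small steps a submitter might take before sending firewall/IDS logs
# anywhere: (1) rank probed ports with the sort | uniq -c | sort pipeline
# from the thread, and (2) strip the monitored site's own addresses, as the
# ARIS FAQ suggests, while keeping the probing source addresses that
# cross-site correlation needs.
#
# Constructed, assumed log layout (not a real product's format):
#   <date> <time> <action> <src_ip> <dst_ip> <proto> <dst_port>
# 203.0.113.0/24 (a documentation range) plays the monitored site.

sample_log() {
cat <<'EOF'
Mar26 10:25:01 DROP 192.0.2.10 203.0.113.5 tcp 137
Mar26 10:25:03 DROP 192.0.2.10 203.0.113.5 tcp 53
Mar26 10:25:07 DROP 192.0.2.44 203.0.113.5 tcp 111
Mar26 10:26:11 DROP 192.0.2.10 203.0.113.5 tcp 53
Mar26 10:26:40 DROP 198.51.100.7 203.0.113.5 tcp 137
Mar26 10:27:02 DROP 198.51.100.7 203.0.113.5 tcp 53
Mar26 10:27:15 ACCEPT 198.51.100.9 203.0.113.5 tcp 25
Mar26 10:28:30 DROP 192.0.2.44 203.0.113.5 tcp 111
Mar26 10:29:01 DROP 192.0.2.44 203.0.113.5 tcp 137
Mar26 10:29:59 DROP 198.51.100.7 203.0.113.5 udp 53
Mar26 10:30:05 DROP 192.0.2.10 203.0.113.5 tcp 25
EOF
}

# Count dropped packets per destination port, most-probed first.
# uniq -c right-aligns its counts in a padded field, which is why a plain
# "sort" looked right in the thread; "sort -rn" compares the count as a
# number and does not depend on that padding.
port_ranking() {
  awk '$3 == "DROP" { print $7 }' | sort | uniq -c | sort -rn
}

# "<count> <port>" for the most-probed port in the sample log.
top_port() {
  sample_log | port_ranking | head -n 1 | awk '{ print $1, $2 }'
}

# Distinct source addresses that probed a given port: one abuse report per
# source, not one per packet, is the unit the thread argues about.
sources_for_port() {
  sample_log | awk -v p="$1" '$3 == "DROP" && $7 == p { print $4 }' | sort -u
}

# Replace every field that starts with our own prefix (e.g. "203.0.113.")
# with a fixed token. Source addresses are left intact so the submission
# still correlates with other sites probed from the same host.
scrub_local_addrs() {
  awk -v prefix="$1" '
    { for (i = 1; i <= NF; i++) if (index($i, prefix) == 1) $i = "LOCAL"; print }'
}

# Lines in the scrubbed output that still mention a local address.
# Expected to be 0 before anything is uploaded; grep -c exits 1 on a zero
# count, so "|| true" keeps the function's status clean under set -e.
leaked_local_lines() {
  sample_log | scrub_local_addrs "$1" | grep -c "$1" || true
}

# Usage: show the port ranking, then the scrubbed copy ready for upload.
sample_log | port_ranking
sample_log | scrub_local_addrs 203.0.113.
```

    The scrubber keys on the address prefix rather than on field position, so it also catches your addresses when they appear as the source of outbound replies; the ranking deliberately ignores ACCEPT lines so that legitimate traffic does not inflate a port's count.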

  • Hey, dumbass. Only ISPs with peering have "border routers". Perhaps you were trying to come up with a cool word for "external router".

    Boy, you sure are smarter than your average pet rock. Maybe you should take that Netopia router back to where you bought it and let them know that you finally realized that having it != you being a network admin.

    It'd be hard to run a global network with multiple links to the net and multiple campuses running on that single router eh?
  • Did you even look at the site URL provided?

    Yes, why do you ask? To me, it looks like roughly 50% of the cracks are in the US, which is roughly the share of websites. YMMV.

  • by doctor_oktagon ( 157579 ) on Monday March 26, 2001 @12:07PM (#339438)
    GMac, your plan is (adopts Sean Connery accent) "Sherioushly Flawed".

    If you automatically shut down a system which looked like it was being hacked, you risk turning off the front door on your 24/7 international business!

    It's very difficult to detect a real alert from a false alarm. Case in point:
    Last client I was working in had a pair (!) of Sun E10Ks in a failover cluster forming the engine of their website. The Cisco NetRanger IDS in the network segment occasionally thought one E10K was launching "ping smurf" attacks on the other E10K, and no amount of IDS tuning would get round it. It turned out it was part of normal Sun cluster network chatter, and it's extremely difficult to harden a clusterised E10K: that's why you deploy an extremely tight firewall in front of it.

    Hilarious I grant you, but not at 3am when your mobile goes off and someone is screaming "Help!!" down it ;-)

  • These could be useful for forensics after a major DDoS, since security professionals and law enforcement could look for origin sites in these logs.

    The common attacks ARE patched against by clued-in admins, but you don't get an army of DDoS zombie boxes by ignoring the obvious exploits. I get scanned all the time for the most obvious security holes; port 137, port 53, port 111. When I've bothered to look, the source boxes have been (half the time - often the sources are fake!) unpatched-looking RedHat boxes from home internet connections (ISPs,broadband or otherwise). And in the weeks following the recent issues with BIND, I have regularly been scanned for port 53, and these guys are scanning whole networks of addresses for this port only.

    In an ideal world, I would report these scans, and the administrators of the source boxen might be notified that their machines have already been hacked and are being used for scans, which could help prevent major DoS attacks, or even be used to observe packet monkeys early enough in the game to trace back to their origin (as opposed to getting to the attack boxes and finding a bunch of erased logs).

    I'm not saying it will work, or that this is the best way to achieve that goal, but there are solid reasons (beyond giving wannabes a source of interesting info) to think that this is useful.

    Boss of nothin. Big deal.
    Son, go get daddy's hard plastic eyes.

  • by ryanr ( 30917 ) <ryan@thievco.com> on Monday March 26, 2001 @12:12PM (#339440) Homepage Journal
    First, what the heck is the definition of an "incident"?

    Actually, that's done on a per IDS entry basis. We take each attack description that comes out of each IDS, and correlate those all to a central attack description of our own creation. Then, for each of those, we make a judgement call on whether it is something that should be reported or not. The majority of reports we get are classified as events or probes, things you shouldn't report on. They aren't attacks in and of themselves. There are other attempts that, were the victim vulnerable to what was being checked for, they would just have been penetrated. Those we classify as incidents.

    If some goofball script kiddie runs a script that sends out 100,000 pings of death, is that one incident, or 100,000? If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000?

    It depends how your IDS groups them. We get our information from the IDS logs. Many IDS systems can treat that sort of thing as a collective event.

    How do we know SecurityFocus can be trusted? How do we know we're not handing our log files over to someone who's already hacked SecurityFocus?

    That's the reason we provide an anonymous upload capability, and the upload tool is open-source. You can check yourself exactly what is being sent.

    What does this service do for us?

    I took a shot at providing that bit of info here:
    http://slashdot.org/comments.pl?sid=01/03/26/1631241&cid=92 [slashdot.org]
  • Oh good god man, use common sense. If you're responsible for corporate network security, hopefully you have some...

    Q: First, what the heck is the definition of an "incident"? Their FAQ doesn't indicate what this means.

    A: Again, common sense...if you're getting DDoS'd, you can generate huge amounts of logs if everything is getting recorded...one incident even though (potentially) 2.4million packets were reported (lol).
    Um, what else... if someone probes for 34 different vulnerabilities, hell, report it 34 times if you want.

    Q: Secondly, does handing all your log files over to these guys remind anyone of the movie The Net? How do we know SecurityFocus can be trusted?

    Aa: Um, no not really, "the net" thing was a back door. :P (and a bad movie when it comes to technical points, although not as bad as the infamous 'hackers'...lol.)

    Ab: Hrm, if you're the really paranoid type, SecurityFocus can't be trusted. No one can. Therefore it would be logical to clean your logs of the "attacked address" before submitting them. :)

    Anyways, hopefully this has helped out, sorry if I'm a bit off in these responses, I'm tired and this was too unfortunately typical of responses for me to not respond. :/
  • If he tries a Syn flood attack on my site, setting up 1,000 sessions, is that one incident, or 1,000? It sounds like AOL's goofy customer count: "Here, set up seven screen names so that we can claim you're seven different customers."

    It's one attack. If you don't understand how these things are reported, then you are certainly not up to date or involved in ongoing network security. This is not a criticism, I am pointing out that you seek to knock Security Focus without realising what a valuable community they provide to anyone involved in network security.

    How do we know SecurityFocus can be trusted?

    See above comments. While I would hesitate to give them the password to my numbered Swiss bank accounts (I wish!), I have been using their services FOR FREE for the last 15 months, and I think they deserve a massive THANK YOU from everyone trying to stop people cracking their systems, or trying to evaluate best of breed security products.

    I don't work for Security Focus. I am a completely unbiased consultant who recommends their site to anyone wishing to get into the field of security.

  • Depends a lot on how the IDS is configured. The software tends to gather reports in a set timeframe. An incident is whatever happens from a given source in that time. Be it 30 seconds or 30 days.

    May seem a tad 'goofy' but if the same IP does one thing today then another 6 months from now is it one incident (same source) or two separate ones (time differential)? There isn't a definite line in the sand though stating exactly what the timeframes should be except each organization's security policy. This isn't as precise as nuclear science, yet. Give it a few years.
  • CyberDawg, to clarify the point (and provide some amusement to everyone else), I've just launched my l337 army of zombie machines based in Thailand against your robson.org website.

    You should see a variety of D-DOS attacks, NMAP syn scans, spam-probes on 25, and a look for any recent DNS vulnerabilities.

    Once you have cooled your LAN cable down and paid your 10Gb ISP bill you can analyse your logs and decide how to start categorising it *grin*

  • I found it humorous that an exploit cataloging system is being hosted on an NT machine.
  • If they get compromised, everybody using their services will be painted in red as potential targets.

    Not really. IDS' don't typically record whether the intrusion was successful, they just record attempts. This information doesn't really help you attack anybody. You'd still have to make the attempt yourself to determine vulnerability.
  • How secure a particular NT installation is is dependent on the skill of the administrator securing it, and how carefully the administrator watches for new holes, and aggressively patches them away. We have those functions adequately covered.
  • Actually a lot of places already ban netblocks just because of location. Most of the IPs in the Gaza strip/Palestine etc areas are blocked at numerous places for instance.

    I know I don't think anything of whipping out a default drop on entire B class networks if they are owned in a country that the customers have little business with currently or are known for trouble (Pakistan for instance is really starting to find itself unwelcome in a lot of places).

    There are social issues against doing this but frankly if a given area is known for fire, why play with it. Drop and forget, revisit later if conditions improve. Case in point, B class network today in Russia just found itself permanently unwelcome at any of the sites for the company I'm with, and companies where I know friends. They're blocked in 12 B classes and a few C classes on the side now just from refusing to respond against one of their users launching a hostile attack.

    Ultimately the best solution is that the ISPs or uplinks for the areas take action against attacks but you try getting an internet cafe in the middle of the Gaza strip to block attacks against a Jewish owned business. Go ahead, if you can manage it great. My only successful recourse has been to drop all incoming packets.

  • Briefly, we provide a way to automate your incident reporting, correlation with other users who have been attacked by the same IP, and essentially a way to cast one more "vote" against an attacker. The latter two items can't be done in isolation. Plus, we provide links to what your IDS description actually means, in case you want to look it up.
  • The value of this data could theoretically extend far beyond prevention of current attacks. A large body of data on the types and frequency of attacks could potentially lead to statistical analyses allowing predictions of the most common origins of attacks. One could then use this data to inform the development of internet routers and filters to minimize international attacks.

    Further, one could do post-hoc correlations of attacks to salient events, yearly cycles, etc. Such data could lead to more accurate predictions of the impacts of same on a company.

    In other words, this will be useful for helping to figure out the big picture of how the internet creates and deals with attacks.
  • Someone hacks on me site, I shut it down using whatever mechanism required, including pulling the plug.

    Don't hack on me!
  • Thank you, Ryan.

    It's refreshing to see a vendor reading the articles on SlashDot and replying with useful information. I appreciate it.

  • Shardis wrote, "If you're responsible for corporate network security, hopefully you have some..."

    What makes you think I'm responsible for corporate network security? I never said that. My day job is in curriculum development, and doesn't involve IP security at all. That, however, doesn't stop me from trying to understand how it all works, and asking lots of questions.

    Um, no not really, "the net" thing was a back door. :P ...

    Details, details ;) I know the background of SecurityFocus, and I've followed BugTraq for years. The point I was making is that I don't know the people. I don't know who would have access to my information. My sole rationale for trusting them (or not) is what other people say about them.

    "...and a bad movie when it comes to technical points, although not as bad as the infamous 'hackers'"

    My wife won't even watch that kind of movie with me anymore, because I keep pointing out the technical flaws. It takes some serious willing suspension of disbelief to enjoy movies like those. I did enjoy Sneakers, though.

    "I'm tired and this was too unfortunately typical of responses for me to not respond."

    No sweat.

  • Am I the only one who likes to watch script kiddies try and infiltrate my machine? I mean I love to watch them try tired old attacks and fail. If this service would let me watch the activities on other servers as well I can double my fun. Actually I'd like the ability to see if the same h4x0r is trying to attack my neighbors as well.


  • had to, it just sounded great
  • GIAC [sans.org] has a similar system already at incidents.org [incidents.org]. They assign a "handler" to be on duty at any given time, and all incident reports are filtered through the handler. Someone might submit falsified logs, but unless a lot of sources report the same incidents they probably won't get much mention.

  • What's even better is getting logged intrusion attempts from people with static IPs. Six and seven times a day for a week. Then watching them completely go away after you email their provider once.

    I'm glad I have my log size limited...otherwise I'd have a drive full of logs and no room to run Quake III.

  • And they have a link to their homepage
    *ON* their homepage.

    Plus this (a link back to the old site):
    Welcome
    Incidents.org is the new name of the SANS Global Incidents Analysis Center (GIAC).

    NEWS: New Linux worm. Check out www.sans.org/current.htm

    Not ready?
  • No, that's

    "All your Jew are belong to us!"

  • The incidents.org website is new, but the GIAC has been around for a while. It used to be just the "current.html" page but they are now expanding to include a whole website. Obviously the web site is nothing much yet. I have a lot of faith in both GIAC and SecurityFocus but I tend to think that GIAC will do a better job by virtue of the experience of their handlers and especially because of the quality of the people already submitting incidents to GIAC.

  • Exactly my point!!! It's like watching the cops arrest someone on the street. Watching hackers fail to crack your system can be pretty entertaining. That was my favorite part of The Cuckoo's Egg. You, Me and Cliff Stoll should have our own show. We'll narrate it like Battle Bots.

    "This h4x0r who calls himself 'ma573r0fm4yh3m' comes from Point Pleasant, WI and is using the 486 Dell his mother brought home from work after the last upgrade. He's never going to get beyond the firewall here at (fill in juicy target) but let's watch him try. What's this he's using a Smurf attack to overwhelm his own ISP. OOps looks to me like he forgot to spoof the return address. Better luck next time."

  • Deja Vous baby...

    --
    *Condense fact from the vapor of nuance*
    25: ten.knilrevlis@wkcuhc
  • That's kind of funny. I'd watch that.
  • I'm not disagreeing with you about the skill of the administrator making a huge difference, but how do you patch holes that Microsoft has neglected to release a patch for yet? They can be rather tardy with their patch releases at times..

    Disclaimer: I'm not a Linux zealot, please don't classify me as one :)
  • I think this will be an interesting tool. Perhaps by determining which attacks are more frequent in certain regions, people can determine which networks might be missing certain patches? Or parts of the world?
  • another site that is related...but not as full featured is this [dshield.org]
