Targeted web application attacks are on the rise, exposing sensitive information such as credit card numbers, health records and student grades. However, there is little formal research available on attack methodology and remediation. The WASC Honeypot Project serves the security and business communities by providing greater insight into the different types of attacks and statistical evidence on the latest targeted web application attacks.
WASC is a group of international security experts and industry leaders that develop, adopt, and advocate best-practice security standards for web application security. Breach Security is leading the WASC Distributed Open Proxy Honeypot Project.
The Distributed Open Proxy Honeypot Project initially began in January 2007 and is led by WASC officer Ryan C. Barnett, director of Application Security Training for Breach Security, Inc. The Honeypot Project uses one of the web attacker's most trusted tools against them: the open proxy server. Open proxy servers are routinely used by web attackers to hide the true source of their attacks. Seven open proxy servers in countries around the world, including Germany, Greece, Russia and the United States, are actively collecting attack data. Additional sensors will be added in the near future to broaden the scope of the project.
The open proxy honeypots are used as a conduit for attack data to gather attack intelligence and techniques, rather than operating as targets for attack. By deploying multiple, specially configured open proxy server honeypots, WASC is able to take a granular look at the types of malicious traffic that are attacking these systems. This research project differs from typical web attack data by focusing on the attacks directed at unprotected web applications and not attacks aimed at the operating system or browser vulnerabilities.
While the Distributed Open Proxy Honeypot Project was only recently started, impressive samples of data have already been extracted. The data presented was collected from January 15th to April 30th 2007. Of the nearly one million web requests processed, nearly 20% proved to exhibit known malicious attacks or anomalous behaviour. The results included:
Top attacks by volume:
- The largest amount of traffic was attributed to banner ad/click-through fraud with approximately 157,906 requests
- The majority of web attacks used automated programs with approximately 151,915 alerts generated
- Spammers represent the third highest number of users of the open proxy servers with approximately 109,654 requests
Top attacks by severity:
- SQL Injection attacks were less common; however, they were certainly the most critical
- Web defacement attacks that attempted to take advantage of server mis-configurations were identified
- Information leakage proved to be a significant issue as many websites are configured to provide unnecessarily detailed error messages which can reveal vulnerabilities to a hacker
To provide data and research, the global net of honeypots runs Breach Security's open source ModSecurity core rules to identify and block attacks. The ModSecurity open source web application firewall is the most widely deployed with 10,000 users worldwide. This highly flexible web application firewall can be used for a wide range of functions including web application monitoring, web intrusion detection and prevention, as well as "just in time" virtual patching of known vulnerabilities. The Honeypot Project is also using the ModSecurity Console, a network-based tool designed to collect logs and alerts from remote ModSecurity sensors in real-time. The console provides security analysts with a single interface for monitoring the security of their web applications.






