Linux lasting longer against Net attacks

TalkBack 17 of 23:

Next »

« Previous

• Thread View
• Flat View

"but a study"

Having read the report, the statement "this is but a study" seems very appropriate.

http://www.honeynet.org/papers/trends/life-linux.pdf

There are several interesting tidbits in there. For starters, as mentioned in the ZDNet article, the limited number of Win32 machines in the honeynet were primarily compromised by worms. However, the study did report that 2 Win32 machines in Brazil were online for several months before being compromised by worms. I'm guessing they were in some obscure IP address range that the worms rarely scan. It would be interesting to note which versions of Windows we are talking about here.

The details on the Linux/Unix machines is interesting though. For starters, the article implies that the newer versions of Linux are more resistant to attack. However, when you read the report, the honeypots they setup were 1-RH 7.2, 5-RH 7.3, 1-SuSE 6.3, 2-Solaris 8(Sparc), 2-Solaris 9(Sparc) and 1-FreeBSD 4.4. Of those, 4 Linux (3-RH 7.3 and 1 RH 9.0), and 3 Solaris machines were compromised. 2 of the Linux machines were compromised with brute password guessing (some machines were intentionally setup with weak passwords). One of the RH 7.3 machines remained uncompromised for over 9 months. "This is a dramatic increase from the life expectancy for default Linux systems of 72 hours seen in 2001/2002." Yet, RH 7.3 is a 2002 vintage release!?!?

One bit of missing data is how many of these machines were attacked but survived. And of the machines that were compromised, how many were from automated attacks and how many from directed attacks.

This study seems to offer conflicting results. The fact Linux is surviving longer then it did in the 2001/2002 time frame doesn't seem to be an indication on improved Linux since one of the machines that survived uncompromised the longest was a 2002 release. What it does seem to indicate is that there are MANY more worms trolling the internet looking for Win32 machines than Linux (imagine our surprise!:)), and assuming that was also the case in 2001/2002 it would seem the one possible conclusion of this is that there are fewer people attempting to crack into these systems by scanning random IP addresses. Since none of these machines were listed in any DNS, the only way these machines would be found would be random scanning.

Posted by: PA-ITGuy   Posted on: 12/23/04 You are currently: a Guest | Members login | Terms of Use

Alert moderator to an offensive message

Subscribe to this discussion via Email or RSS

SponsoredWhite Papers, Webcasts, and Downloads

• Five Steps to Determine When to Virtualize YourServers VMware Server virtualization isn't just for big companies. Entry-level ... Download Now
• Three Steps You Need to Know to Stop Data Loss Varonis Sensitive data exposed to misuse or loss... it is the stuff of nightmares ... Download Now
• Virtualization: Architectural Considerations And Other Evaluation Criteria VMware Of the many approaches to x86 systems virtualization available in the ... Download Now