Breach Security to Present Hacks and Attacks ReportNovember 8, 2007
The Web Application Security Consortium's honeypot project collected the results presented in the report. In October alone, the group logged over 2 million Web attacks.
CARLSBAD, CA /PRNewswire/ -- Breach Security Inc., the leader in Web application security, will be presenting "Latest Hacks and Attacks" from the Web Application Security Consortium's (WASC) Distributed Open Proxy Honeypot Project at next week's Open Web Application Security Project (OWASP) & WASC AppSec 2007 Conference, in San Jose, CA.
The Distributed Open Proxy Honeypot Project initially began in January 2007 and is led by WASC officer Ryan C. Barnett, Director of Application Security Training for Breach Security Inc. Using globally located open proxy servers and sensors, the Honeypot Project captures live attack data to provide specific examples of targeted Web application attacks. Barnett will discuss the new findings on Wednesday, November 14th, during the first day of the AppSec conference.
The open proxy honeypots are specially configured vmware hosts used as a medium for gathering attack data. Much of the traffic passing through the open proxies is from hackers or spammers looking to cover their tracks. When the project initially began in January, analysts collected data from seven open proxy servers in countries around the world, including Germany, Greece, Russia, and the U.S.
The project has broadened over the past year, with the number of participating sensors doubling in number to 14. New open proxy servers are now located in Romania, Argentina, and Belgium. By deploying multiple open proxy server honeypots, WASC is able to take a granular look at the types of malicious traffic that are using these systems.
"The evidence from this project demonstrates that Web application attacks are increasing at an alarming rate. There are two main contributors to this trend: first, attackers have increased anonymity by looping through numerous open proxies or compromised hosts and are therefore more brazen in their attacks, and second is the increased usage of automation," said Barnett. "Organizations need to ensure that they have adequate anti-automation mitigations in place to protect their Web applications from these forms of attacks. Unfortunately, most Web applications are not able to correlate data between transactions to identify when nonhuman interactions are taking place, and thus, it is only a matter of time before an attacker can gain unauthorized access to data."
While the Distributed Open Proxy Honeypot Project started in January 2007, the data presented below was collected solely in October 2007—all data is compared with the four-month cycle of phase one of the project, which was collected from January 15-April 30, 2007.
- In October alone, the Honeypot Project logged close to 9 million Web requests, compared with nearly 1 million Web requests during phase one.
- Over 2 million of all processed Web requests in October exhibited known malicious attacks or anomalous behavior, as identified by the custom ModSecurity rule set.
Top Attacks by Volume
- The largest amount of traffic was attributed to banner ad/click-through fraud with approximately 2.6 million requests, compared to less than 158,000 in phase one.
- Spammers represent the second highest number of users of the open proxy servers with approximately nearly two million requests, compared to slightly more than 109,600 requests in phase one.
- Continuing to follow the trend from phase one, the majority of web attacks continue to use automated programs, which increase the need for anti-automation defenses.
Top Attacks by Severity
- Spammers are using an extensive, distributed reverse brute force authentication scan against a popular email provider's accounts. They are considered stealthy scans as they are distributing their scan across hundreds of unique email authentication hosts and are using specific common passwords and then cycling through different usernames, thus decreasing the likelihood of locking out accounts. Spammers can enumerate information to identify valid email accounts, or worse, to identify valid login credentials and actually hijack user accounts.
- Information leakage continues to be a significant problem as many Web sites are configured to provide overly detailed error messages that can reveal vulnerabilities to a hacker.
"This research project differs from conventional Web-attack statistics as we have wide visibility of attack traffic, whereas most organizations only see data destined for their specific sites," said Barnett. "We present this project to the security and business community to build awareness by offering fresh insight into the multiple forms of Web application attacks that are occurring."
The global net of honeypots run Breach Security's open source ModSecurity core rules to identify and block attacks and provide research data. The ModSecurity open source Web application firewall is the most widely deployed, with 10,000 users worldwide. This highly flexible Web application firewall can be used for a wide range of functions, including Web application monitoring, Web intrusion detection, and prevention, as well as just-in-time virtual patching of known vulnerabilities. The Honeypot Project is also using Breach Security's commercial ModSecurity Management Appliance (MMA), a network-based tool designed to collect logs and alerts from remote ModSecurity sensors in real time. The MMA provides security analysts with a single interface for monitoring the security of their Web applications.
For more information on the Breach Security, the OWASP & WASC AppSec 2007 Conference, and statistics related to the WASC Distributed Open Proxy Honeypot Project, please call 760-444-6150.
WASC maintains a number of projects to generate Web application security awareness, classify threats against Web applications, and provide evaluation criteria for Web application security solutions.
About Breach Security Inc.
Breach Security Inc. is the leading provider of next-generation Web application security that protects sensitive Web-based information. Breach Security protects Web applications from Internet hacking attacks and provides an effective solution for emerging security challenges, such as identity theft, information leakage, and insecurely coded applications. Breach Security's solutions also support regulatory compliance requirements for security. The company's WebDefend Web application firewall is ICSA Labs certified. Founded in 2004, Breach Security is headquartered in Carlsbad, CA. For more information, please visit the Breach Security Web site.
The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web. As an active community, WASC facilitates the exchange ideas and organizes several industry projects. WASC consistently releases technical information, contributed articles, security guidelines, and other useful documentation. Businesses, educational institutions, governments, application developers, security professionals, and software vendors all over the world use our materials to assist with the challenges presented by Web application security. Membership and participation in WASC related activities is free and open to all.
Most Read Articles