Survival of the Fittest
The survival time is calculated as the average time between reports for an average target IP address. If you assume that most of these reports are generated by worms attempting to propagate, an unpatched system would be infected by such a probe.
The average time between probes varies widely from network to network. Some of our submitters subscribe to ISPs that block ports commonly used by worms; as a result, these submitters report a much longer 'survival time'. University networks and users of high-speed internet services, on the other hand, are frequently targeted with additional scans from malware such as bots. If you are connected to such a network, your 'survival time' will be much shorter.
The main issue here is of course that the time needed to download critical patches can exceed this survival time.
With the help of honeypots, we can measure the survival time. For example, we can use low-interaction honeypots such as nepenthes or amun, which emulate common network-based vulnerabilities, and deploy them at different locations. The average time until the first binary is downloaded is an estimate of the survival time: the honeypots emulate known vulnerabilities and are thus exploited by different kinds of autonomously spreading malware, just like an unpatched system would be. At our lab, we deployed ten honeypots in different network ranges and measured several things, as I'll explain with the following graphs. These are all based on measurements between August 2007 and July 2008.

This plot shows the total number of attacks (blue) and of downloads (red) per sensor for the measurement period. We see that there are huge differences depending on the network location (e.g., whether or not the ISP filters specific ports). Furthermore, not all attacks are successful: we also observed quite a lot of failed attacks, i.e., exploit attempts that did not result in a downloaded binary.

This plot shows the percentage of attacks (red) and downloads (blue) per time of day. We can observe a clear diurnal pattern: lower attack volume during the night and higher attack volume during the day, following the typical daily activity of the users whose infected machines generate the traffic.

This plot shows the attacks (blue) and the downloads (red) per weekday for all sensors during the measurement period. The values are given as a percentage of the sum of all attacks/downloads over the chosen period of time. The attack traffic is slightly higher during the weekends.

Another interesting observation is whether or not the attacks originate from the same ASN as the honeypot, as depicted in the above picture. The figure shows the percentage of attacks coming from the same ISP as the honeypot; e.g., for sensor 1, about 90% of the attacks originate from machines within the same autonomous system. The graph can be interpreted as many attacks being local, which makes sense since autonomously spreading malware often prefers to propagate within nearby address ranges. In some ASNs, however, most attacks seem to originate from other ASNs.

Finally, this graph shows an estimate of the survival time: the average amount of time until the honeypot is attacked successfully. Red bars are honeypots with a static IP address, so we have only one measurement point for each of these honeypots. For the blue bars, each honeypot had a dynamic IP address, i.e., a disconnect every 24 hours. Each bar depicts the average time from obtaining a new DHCP lease to the first download, which can be interpreted as the time it would take for an unpatched system to be compromised. Compared to the survival time from the Internet Storm Center, which is currently below five minutes, we measure a higher survival time. However, the time is still short, and you need to patch a system before taking it online.
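The two estimators described above, the ISC-style average gap between reports against a target IP and the honeypot-style time from a new DHCP lease to the first download, as an added worked example. This is not code from the original post or from nepenthes/amun; the log format, sensor names and addresses are constructed for the example, and the `lease`/`attack`/`download` event names are assumptions made here.

```python
"""Estimate 'survival time' from honeypot sensor events.

Added example, not code from the original post or from nepenthes/amun.
Two estimators the text describes:
  * ISC-style: mean gap between successive reports (attacks) against a
    target IP address, averaged over target IPs.
  * honeypot-style: mean time from obtaining a new (DHCP) lease to the
    first successful download on that lease, per sensor.
The log format below is constructed for this example (not a real
nepenthes or amun log): "<ISO timestamp> <sensor> <event> <ip>", where
event is lease (new address obtained; ip is the honeypot's address),
attack (exploit attempt; ip is the attacker) or download (binary fetched).
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample log covering two sensors and two lease periods each.
SAMPLE_LOG = """\
2008-03-02T00:00:00 sensor1 lease 10.0.0.5
2008-03-02T00:07:30 sensor1 attack 192.0.2.10
2008-03-02T00:12:00 sensor1 download 192.0.2.10
2008-03-02T00:40:00 sensor1 attack 192.0.2.77
2008-03-03T00:00:00 sensor1 lease 10.0.0.9
2008-03-03T00:30:00 sensor1 attack 198.51.100.3
2008-03-03T00:50:00 sensor1 attack 198.51.100.3
2008-03-03T00:52:00 sensor1 download 198.51.100.3
2008-03-03T01:00:00 sensor1 download 198.51.100.3
2008-03-02T00:00:00 sensor2 lease 10.1.0.2
2008-03-02T06:00:00 sensor2 attack 203.0.113.8
2008-03-03T00:00:00 sensor2 lease 10.1.0.6
2008-03-03T03:00:00 sensor2 download 203.0.113.9
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, sensor, event, ip) tuples,
    sorted per sensor by time so lease periods can be walked in order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sensor, event, ip = line.split()
        events.append((datetime.fromisoformat(ts), sensor, event, ip))
    events.sort(key=lambda e: (e[1], e[0]))
    return events


def honeypot_survival_time(events):
    """Mean seconds from a new lease to the first download on that lease,
    per sensor. A lease that never sees a download is skipped rather than
    counted as zero; this censoring biases the estimate downwards, so the
    result is a lower bound on the true time-to-compromise."""
    per_lease = defaultdict(list)
    lease_start, compromised = {}, {}
    for ts, sensor, event, _ in events:
        if event == "lease":
            lease_start[sensor] = ts
            compromised[sensor] = False
        elif event == "download" and sensor in lease_start and not compromised[sensor]:
            per_lease[sensor].append((ts - lease_start[sensor]).total_seconds())
            compromised[sensor] = True
    return {s: mean(v) for s, v in per_lease.items()}


def isc_survival_time(events):
    """ISC-style estimate: mean seconds between successive reports (attacks)
    against each target IP, averaged over target IPs with >= 2 reports.
    The target IP is the honeypot's address on its current lease."""
    reports = defaultdict(list)
    current_ip = {}
    for ts, sensor, event, ip in events:
        if event == "lease":
            current_ip[sensor] = ip
        elif event == "attack" and sensor in current_ip:
            reports[current_ip[sensor]].append(ts)
    gaps = []
    for times in reports.values():
        times.sort()
        if len(times) >= 2:
            gaps.append(mean((b - a).total_seconds() for a, b in zip(times, times[1:])))
    return mean(gaps) if gaps else None


def download_ratio(events):
    """Fraction of attacks that resulted in a download, per sensor
    (the 'not all attacks are successful' observation)."""
    attacks, downloads = defaultdict(int), defaultdict(int)
    for _, sensor, event, _ in events:
        if event == "attack":
            attacks[sensor] += 1
        elif event == "download":
            downloads[sensor] += 1
    return {s: downloads[s] / attacks[s] for s in attacks if attacks[s]}


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("lease -> first download (s):", honeypot_survival_time(ev))
    print("ISC-style inter-report gap (s):", isc_survival_time(ev))
    print("download/attack ratio:", download_ratio(ev))
```

On the constructed log, sensor1 is compromised 720 s and 3120 s into its two leases (mean 1920 s), while sensor2's first lease never sees a download and is dropped. The two estimators answer different questions: the ISC figure is an inter-probe gap, not a time-to-compromise, which is one reason the honeypot measurement above comes out higher.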
More information and many more graphs are available in the thesis from Laura Itzel (unfortunately in German only).
Update: I updated the description of the fourth figure to explain it a bit better for non-German speaking readers.



Heise Security wonders what to make of the oft-repeated claim that an unpatched system connected to the internet is compromised within a few minutes. It ends with a bet: »And whoever doesn't believe it: I bet a Ka...
Tracked: Jul 24, 14:49