SAP Security and Trust Research Workshop
Recent findings on the Leurré.com V1 platforms
This is an excerpt of the keynote talk given at SAP Research Lab, France, on the 16th of July 2007, for the opening of the SAP internal Security and Trust research workshop. The findings described below can be found either on the www.leurrecom.org public interface or on the private one that only the Leurré.com partners have access to.
Number of attacks per day, grouped by port sequences
In this graph, we have grouped the traces of attacks according to the sequence of ports targeted by the attackers. The number of attacks per day for each of these groups is represented in the applet below, which offers some features you can play with.
Among other things, you may notice the following points:
- At first glance, the number of attacks per day seems pretty stable.
- This impression is misleading though, as the view is biased by a few stable attack processes, mostly ICMP reconnaissance, that hide the variations of other, less important attacks.
- To highlight this phenomenon, perform the following actions on the applet:
  - click on Clear all
  - On the left side, click on the box corresponding to the 7th row, labelled 1026U|1027..
- We have observed other important peaks in the last 90 days. To see them, perform the following actions:
  - Click on Check all
  - Find the horizontal scrollbar at the bottom of the applet. Left-click on the left-hand side of the gray bar and drag it to the leftmost position. This reveals the attacks of the previous days that were initially hidden. In particular, it highlights a peak on the 19th of April where the specific port 6769 (TCP) was targeted. If you position the mouse over this peak, its name appears just above the upper right part of the graph. You can select that curve by left-clicking and drawing a box around a few of its points. By doing so, you will see that this port has only been targeted during two days.
- There are distinct port sequences that behave similarly over time. In other words, if you look at the shape of their curves over some period of time, they look alike. The applet offers you a way to identify them systematically. As an example, perform the following actions:
  - Click on Check all
  - Click on Similitude
  - In that new window, click on Calc. Total Similitude
  - Left-click on the right line in the middle of the window and drag it down (keeping the button pressed) until it reaches a value between 90 and 100
  - You now have two groups of circles highlighted in red. They correspond to two groups of curves that are highly similar. To see them, click on View. This brings you back to the original window of the applet and shows you the members of Group 1. To see the curves of the other group, choose Group 2 instead of Group 1 in the upper right corner of the applet. Members of the Leurré.com project could query the DB further to find out more about these phenomena. For instance, the attackers found in the second group identified above, linked to port 13796, come from more than 50 different countries, but they have hit only one of our platforms, out of 50!
Origin of the attacks, grouped by port sequences
In this graph, we have grouped the traces of attacks according to the sequence of ports targeted by the attackers. These groups have then been broken down according to the country of origin of the attackers. Note the following points:
- Some countries are notably more responsible than others for some types of attacks (e.g. CA, CN, KR, US).
- To select some curves, left-click and draw a box around a few points belonging to that curve. Try it out with the left-hand peak corresponding to Canada. You will notice that this specific port sequence is only probed by attackers located in that country.
- Remember the huge peak we found on the 19th of April where the specific port 6769 was targeted. This new viewpoint offers a way to identify where this attack came from.
- To do so, perform the following actions on the applet:
  - click on Clear all
  - Find, on the left side, in the list of port sequences, the one we are interested in, namely |6769T, and click on the corresponding box (it is the 5th port sequence from the bottom; do not touch the vertical scrollbar)
- If you then perform the following actions on the applet:
  - click on Reset
  - click on Invert Axis
  - in the upper right corner, select Global % instead of Values
  - select all curves that have a Y-value above 70 by drawing a box around them while left-clicking.
- Note the special case of Italy, the green curve in the center. These weird attacks are quite likely related to the so-called Italian Job that several sites have talked about. Note that, in the case of port 6769, Italy accounts for only 50% of the total of the attacks. The previous viewpoint we had on this phenomenon gave the impression that its contribution was much more important than that, though. Visual impressions can be very misleading!
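Both graphs above rest on the same few operations: label each attack by the sequence of ports it probed, count attacks per day per label, compare the shapes of the resulting daily curves (the "Similitude" step), and split one label's attacks by country of origin (the "Global %" view). The following is an added Python re-implementation of those operations over a constructed sample of honeypot hits. It is not code from the talk or from the Leurré.com platform; the one-line-per-source-per-day text format, the Pearson-correlation "similitude" scale of 0..100 and the reading of "Global %" as a per-country share of one port sequence's attacks are assumptions made for the example.

```python
from collections import defaultdict
from itertools import combinations
import math

# Constructed sample traffic (not real Leurré.com data). One line per source per day:
# day, source IP, source country, then the ports that source hit, in order
# (suffix T = TCP, U = UDP; ICMP has no port). A repeated hit appears twice.
RAW = """\
2007-04-18 10.1.0.1 CN ICMP
2007-04-18 10.1.0.2 US ICMP
2007-04-19 10.1.0.1 CN ICMP
2007-04-19 10.1.0.2 US ICMP
2007-04-20 10.1.0.1 CN ICMP
2007-04-20 10.1.0.2 US ICMP
2007-04-19 10.2.0.1 IT 6769T 6769T
2007-04-19 10.2.0.2 IT 6769T
2007-04-19 10.2.0.3 CN 6769T
2007-04-19 10.2.0.4 US 6769T
2007-04-18 10.3.0.1 CA 1026U 1027U
2007-04-19 10.3.0.2 CA 1026U 1027U
2007-04-19 10.3.0.3 CA 1026U 1027U
2007-04-20 10.3.0.4 CA 1026U 1027U
2007-04-20 10.3.0.5 CA 1026U 1027U
2007-04-20 10.3.0.6 CA 1026U 1027U
2007-04-18 10.4.0.1 CN 135T 445T
2007-04-18 10.4.0.2 KR 135T 445T
2007-04-19 10.4.0.3 CN 135T 445T
2007-04-19 10.4.0.4 KR 135T 445T
2007-04-19 10.4.0.5 CN 135T 445T
2007-04-20 10.4.0.6 CN 135T 445T
2007-04-20 10.4.0.7 KR 135T 445T
2007-04-20 10.4.0.8 CN 135T 445T
2007-04-20 10.4.0.9 KR 135T 445T
2007-04-20 10.5.0.1 US 445T 135T
"""


def parse(raw):
    """Yield (day, src_ip, country, hits) from the text format above."""
    for line in raw.strip().splitlines():
        day, ip, country, *hits = line.split()
        yield day, ip, country, hits


def port_sequence(hits):
    """Distinct ports in order of first hit, joined with '|' like the applet's
    row labels; a repeated hit on the same port does not lengthen the label,
    but hitting the same ports in another order gives a different label."""
    return "|".join(dict.fromkeys(hits))


def attacks_per_day(raw=RAW):
    """Return (sorted days, curves) where curves[seq] lists, per day, the number
    of attacks (one per source per day) whose port sequence is seq."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, _ip, _country, hits in parse(raw):
        counts[port_sequence(hits)][day] += 1
    days = sorted({d for c in counts.values() for d in c})
    return days, {s: [c.get(d, 0) for d in days] for s, c in counts.items()}


def similitude(a, b):
    """Pearson correlation of two daily curves rescaled to 0..100 (100 = same
    shape; negative correlation and flat curves score 0). Assumed scale: the
    talk does not give the applet's own formula."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    norm = math.sqrt(sum((x - ma) ** 2 for x in a) * sum((y - mb) ** 2 for y in b))
    return max(0.0, 100.0 * cov / norm) if norm else 0.0


def similar_groups(threshold, raw=RAW):
    """Port sequences whose curves are pairwise similar above the threshold,
    merged transitively, like the applet's Group 1 / Group 2 selection."""
    _days, curves = attacks_per_day(raw)
    group_of = {s: {s} for s in curves}
    for s1, s2 in combinations(curves, 2):
        if similitude(curves[s1], curves[s2]) >= threshold:
            merged = group_of[s1] | group_of[s2]
            for s in merged:
                group_of[s] = merged
    groups = {frozenset(g) for g in group_of.values() if len(g) > 1}
    return sorted(sorted(g) for g in groups)


def origin_breakdown(seq, raw=RAW):
    """Per-country share, in percent, of the attacks carrying the given port
    sequence (our reading of the applet's "Global %" view)."""
    per_country = defaultdict(int)
    for _day, _ip, country, hits in parse(raw):
        if port_sequence(hits) == seq:
            per_country[country] += 1
    total = sum(per_country.values())
    return {c: 100.0 * n / total for c, n in sorted(per_country.items())}


if __name__ == "__main__":
    days, curves = attacks_per_day()
    print("days:", days)
    for seq, c in curves.items():
        print(f"{seq:12s} {c}")
    print("groups at similitude >= 90:", similar_groups(90))
    print("origin of 6769T (%):", origin_breakdown("6769T"))
```

On the constructed sample the flat ICMP curve scores 0 against everything, the one-day 6769T peak correlates with nothing, and only the two steadily growing sequences (1026U|1027U and 135T|445T) end up in a group at a threshold of 90; the breakdown of 6769T gives Italy half of the attacks, mirroring the 50% observation above.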