A few key findings from the analysis of 4 years of attack traces from the Leurré.com V1 setup

This page offers a dynamic complement to the special session talk given in Tokyo, Japan, on the 23rd of April, 2008, for the RSA 2008 conference in Japan. It enables you to experiment with the applet presenting some interesting phenomena identified in the traces. Step-by-step indications are given to help you see the phenomena. Feel free to play by yourself with the applet features. There is much more to see than what is described in this page! The findings described below can be found either on the www.leurrecom.org public interface or on the private one that only the Leurré.com partners have access to. In order to become a Leurrecom partner, feel free to contact Engin Kirda (Engin.Kirda@eurecom.fr), who is now in charge of the system.

Number of attacks per month, grouped by type of protocol

This graph shows the number of attacking sources, per month, for the last four years, grouped by the protocol used in their attacks (TCP, UDP or ICMP).

Among other things, you may notice the following points:
  1. Starting in February 2006 (hovering the mouse over a curve displays the date of each point above the graph, in the upper right corner), we notice an increase in the ICMP traffic.
  2. This impression is reinforced if we look at the ratio of ICMP attack sources vs. UDP vs. TCP.
  3. To highlight this phenomenon, perform the following action on the applet:
  4. This new representation highlights the two abrupt changes in ICMP traffic in March and November 2006. It also shows the corresponding decline of the TCP traffic in March and of TCP and UDP traffic in November, showing that both phenomena are likely linked to different root causes.

Number of attacks per country, grouped by targeted platform (anonymised)

This graph shows the number of attacking sources, per originating country, for the last four years, grouped by targeted platform (anonymised).

Among other things, you may notice the following points:
  1. The very first peak on the left side indicates that a very large number of attacks against the 6th Environment originate from the country labeled CS.
  2. This impression is reinforced if we invert the axis.
  3. To highlight this phenomenon, perform the following action on the applet:
  4. If you now choose the "Global %" option, as explained for the previous phenomenon, you can see that the country labeled CS apparently only attacks that specific platform, as the curve reaches almost 100% for the point corresponding to CS on that curve. The observation of the same curve leads us to the same conclusion for the country labeled RS. Thus, attacks coming from these two countries are very rarely seen elsewhere than on environment 6. This highlights the fact that attack phenomena can, sometimes, be very localised.

Number of attacks per country, grouped by port sequences

This graph shows the number of attacking sources, per originating country, for the last four years, grouped by the port sequences probed by the attacking IPs.

Among other things, you may notice the following points:
  1. The very first peak on the left side, the red curve, indicates that a very large number of attacks coming from the country labeled CA target the sequence of ports 1026, 1027 and 1028 (UDP), in that specific order.
  2. Strangely enough, this virulent type of attack almost never comes from any other country.
  3. To highlight this phenomenon, perform the following action on the applet:
  4. Another way of seeing this is to invert the axis and look at relative values. To do this, click first on the "Check All" button, then on "Invert Axis" and finally choose the "Global %" option, as before. Select the curve that highlights the peaks on the left-hand side and you will discover that this port sequence is not the only one that the country CA is solely responsible for.
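The three views above (sources per month grouped by protocol, sources per country grouped by targeted platform, and sources per country grouped by port sequence) are all the same aggregation over a table of attacking sources, followed by the applet's "Invert Axis" and "Global %" transformations. The script below is an added example, not the applet's own code, reproducing those operations in Python over a small constructed set of attacking-source records (the dates, countries, environment labels and port lists are invented for the illustration; the record fields, the `ICMP` label for sources that probe no port, and the 95% threshold in `sole_sources` are assumptions of this example). It also shows how a "localised" phenomenon such as one country being the sole origin of a port sequence can be picked out automatically rather than by reading the curves.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample of attacking sources (NOT real Leurré.com data). Each record is
# one attacking IP: first-seen date, originating country, protocol family, targeted
# environment (anonymised label) and the ordered (port, protocol) pairs it probed.
# ICMP-only sources probe no port, so their list is empty.
SOURCES = [
    {"seen": date(2006, 2, 3),  "country": "CS", "proto": "ICMP", "env": "env6", "ports": []},
    {"seen": date(2006, 2, 9),  "country": "CS", "proto": "ICMP", "env": "env6", "ports": []},
    {"seen": date(2006, 2, 12), "country": "CA", "proto": "UDP",  "env": "env1", "ports": [(1026, "U"), (1027, "U"), (1028, "U")]},
    {"seen": date(2006, 2, 20), "country": "US", "proto": "TCP",  "env": "env2", "ports": [(445, "T")]},
    {"seen": date(2006, 3, 1),  "country": "CA", "proto": "UDP",  "env": "env1", "ports": [(1026, "U"), (1027, "U"), (1028, "U")]},
    {"seen": date(2006, 3, 4),  "country": "CA", "proto": "UDP",  "env": "env3", "ports": [(1026, "U"), (1027, "U"), (1028, "U")]},
    {"seen": date(2006, 3, 15), "country": "US", "proto": "TCP",  "env": "env2", "ports": [(135, "T"), (445, "T")]},
    {"seen": date(2006, 3, 22), "country": "RS", "proto": "ICMP", "env": "env6", "ports": []},
    {"seen": date(2006, 3, 30), "country": "DE", "proto": "UDP",  "env": "env4", "ports": [(1026, "U")]},
]


def month_of(rec):
    """Row key for the per-month graph, e.g. '2006-02'."""
    return rec["seen"].strftime("%Y-%m")


def port_sequence(rec):
    """Collapse the ordered ports a source probed into one label such as
    '1026U|1027U|1028U'; order matters, so 1027 before 1026 is a different sequence.
    Sources that probed no port are labelled 'ICMP' (an assumption of this example)."""
    if not rec["ports"]:
        return "ICMP"
    return "|".join(f"{port}{proto}" for port, proto in rec["ports"])


def count_by(records, row_key, series_key):
    """table[row][series] = number of attacking sources, i.e. one graph of the applet."""
    table = defaultdict(Counter)
    for rec in records:
        table[row_key(rec)][series_key(rec)] += 1
    return {row: dict(counts) for row, counts in table.items()}


def invert_axis(table):
    """'Invert Axis': swap rows and series so each former curve becomes a row."""
    inverted = defaultdict(dict)
    for row, series in table.items():
        for name, n in series.items():
            inverted[name][row] = n
    return dict(inverted)


def global_percent(table):
    """'Global %': express each series as a percentage of its row's total."""
    out = {}
    for row, series in table.items():
        total = sum(series.values())
        out[row] = {name: round(100.0 * n / total, 2) for name, n in series.items()}
    return out


def sole_sources(table, threshold=95.0):
    """Rows in which a single series holds at least `threshold` % of the sources:
    the 'very localised' phenomena the text describes (threshold is an assumption)."""
    found = {}
    for row, series in global_percent(table).items():
        name, share = max(series.items(), key=lambda item: item[1])
        if share >= threshold:
            found[row] = name
    return found


if __name__ == "__main__":
    # Monthly protocol mix (first graph, with "Global %").
    by_month = count_by(SOURCES, month_of, lambda r: r["proto"])
    print("protocol share per month:", global_percent(by_month))
    # Country -> targeted environment (second graph).
    by_country_env = count_by(SOURCES, lambda r: r["country"], lambda r: r["env"])
    print("environment share per country:", global_percent(by_country_env))
    # Port sequence -> country after "Invert Axis" (third graph).
    by_sequence = invert_axis(count_by(SOURCES, lambda r: r["country"], port_sequence))
    print("country share per port sequence:", global_percent(by_sequence))
    print("sequences attributable to a single country:", sole_sources(by_sequence))
```

On the constructed data, `sole_sources` reports the `1026U|1027U|1028U` sequence as coming only from CA, while the `ICMP` row is split between CS and RS and is therefore not flagged; on the real traces the same function, run over the inverted country/port-sequence table, is the programmatic equivalent of the manual "Invert Axis" then "Global %" inspection described in step 4.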