Results from Distributed Open Proxy Honeypot Project

Breach Security announced the results of the Web Application Security Consortium’s (WASC) new Distributed Open Proxy Honeypot Project. The Honeypot Project is capturing live web attack data with sensors placed around the world to provide concrete examples of the types of attacks occurring “in the wild,” in addition to raising awareness and developing effective countermeasures to new threats. Since January, the Honeypot Project has logged nearly one million web requests.

Targeted web application attacks are on the rise, exposing sensitive information such as credit card numbers, health records and student grades; however, there is little formal research available on attack methodology and remediation. The WASC Honeypot Project serves the security and business communities by providing greater insight into the different types of attacks and statistical evidence on the latest targeted web application attacks.

WASC is a group of international security experts and industry leaders that develop, adopt, and advocate best-practice security standards for web application security. Breach Security is leading the WASC Distributed Open Proxy Honeypot Project.

The Distributed Open Proxy Honeypot Project began in January 2007 and is led by WASC officer Ryan C. Barnett, director of Application Security Training for Breach Security, Inc. The Honeypot Project uses one of the web attacker’s most trusted tools against them: the open proxy server. Open proxy servers are routinely used by web attackers to hide the true source of their attacks. Seven open proxy servers in countries around the world including Germany, Greece, Russia and the United States are actively collecting attack data. Additional sensors will be added in the near future to broaden the scope of the project.

The open proxy honeypots are used as a conduit for attack data to gather attack intelligence and techniques, rather than operating as targets for attack. By deploying multiple, specially configured open proxy server honeypots, WASC is able to take a granular look at the types of malicious traffic that are attacking these systems. This research project differs from typical web attack data by focusing on the attacks directed at unprotected web applications and not attacks aimed at the operating system or browser vulnerabilities.

While the Distributed Open Proxy Honeypot Project was only recently started, impressive samples of data have already been extracted. The data presented was collected from January 15th to April 30th 2007. Of the nearly one million web requests processed, nearly 20% proved to exhibit known malicious attacks or anomalous behaviour. The results included:

Top attacks by volume:

– The largest amount of traffic was attributed to banner ad/click-through fraud with approximately 157,906 requests
– The majority of web attacks used automated programs with approximately 151,915 alerts generated
– Spammers represent the third highest number of users of the open proxy servers with approximately 109,654 requests

Top attacks by severity:

– SQL Injection attacks were less common; however, they were certainly the most critical
– Web defacement attacks that attempted to take advantage of server mis-configurations were identified
– Information leakage proved to be a significant issue as many websites are configured to provide unnecessarily detailed error messages which can reveal vulnerabilities to a hacker

Providing data and research, the global net of honeypots runs Breach Security’s open source ModSecurity core rules to identify and block attacks. The ModSecurity open source web application firewall is the most widely deployed with 10,000 users worldwide. This highly flexible web application firewall can be used for a wide range of functions including web application monitoring, web intrusion detection and prevention, as well as “just in time” virtual patching of known vulnerabilities. The Honeypot Project is also using the ModSecurity Console, a network-based tool designed to collect logs and alerts from remote ModSecurity sensors in real-time. The console provides security analysts with a single interface for monitoring the security of their web applications.
