Empirical Study of the Impact of Metasploit-Related Attacks in 4 Years of Attack Traces

  • E. Ramirez-Silva
  • M. Dacier
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4846)

Abstract

For several years, various projects have collected traces of malicious activities thanks to honeypots, darknets and other Internet telescopes. In this paper, we use the four years of data accumulated by one such system, the Leurré.com project, to assess quantitatively the influence, in these traces, of a very popular attack tool, the Metasploit Framework. We identify activities clearly related to this exploitation tool and show the fraction of attacks it accounts for with respect to all others. Despite our initial thinking, the findings do not seem to support the assumption that such a tool is only used by so-called script kiddies. As described below, this analysis highlights the fact that a limited, yet determined, number of people try new exploits almost immediately after they are released. More importantly, such activity does not last for more than one or two days, as if that were all the time required to take advantage of these new exploits in a systematic way. It is worth noting that this observation is made on a worldwide scale and that the origins of the attacks are also very diverse. Intuitively, one would expect to see a kind of Gaussian curve in the usage of these attacks by script kiddies over time, with a peak after one or two days, once word of mouth has spread the rumor that a new exploit exists. The striking difference between this expectation and the curves we obtain is an element to take into account when thinking about responsible publication of information about new exploits over the Internet.
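The time-since-release analysis the abstract describes, carried out here over constructed trace rows (an added Python example, not the paper's or the Leurré.com project's code; the signature names, release dates and source-country codes are hypothetical placeholders):

```python
from collections import Counter, defaultdict
from datetime import date, datetime

# Constructed sample data: signature names and release dates are hypothetical
# placeholders, not values from the paper or the Leurré.com dataset.
EXPLOIT_RELEASE = {"msf_exploit_A": date(2006, 8, 10),
                   "msf_exploit_B": date(2006, 11, 2)}

# Constructed attack-trace rows: (timestamp, source country, matched signature);
# "other_scan" stands for traffic not attributed to the Metasploit Framework.
TRACES = [
    ("2006-08-10 03:12:00", "CN", "msf_exploit_A"),
    ("2006-08-10 17:45:00", "US", "msf_exploit_A"),
    ("2006-08-11 02:30:00", "BR", "msf_exploit_A"),
    ("2006-08-11 23:10:00", "DE", "msf_exploit_A"),
    ("2006-08-15 08:00:00", "US", "msf_exploit_A"),
    ("2006-11-02 12:00:00", "RU", "msf_exploit_B"),
    ("2006-11-03 09:20:00", "KR", "msf_exploit_B"),
    ("2006-11-20 14:00:00", "FR", "msf_exploit_B"),
    ("2006-09-01 10:00:00", "US", "other_scan"),
]

def metasploit_share(traces, releases=EXPLOIT_RELEASE):
    """Fraction of all trace rows attributed to a Metasploit-related signature."""
    return sum(1 for _, _, sig in traces if sig in releases) / len(traces)

def days_since_release(traces, releases=EXPLOIT_RELEASE):
    """Per signature, a Counter mapping day offset from release to number of hits."""
    hist = defaultdict(Counter)
    for ts, _, sig in traces:
        if sig in releases:
            seen = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").date()
            hist[sig][(seen - releases[sig]).days] += 1
    return dict(hist)

def early_fraction(hist, window_days=2):
    """Share of each signature's hits in the first window_days after release.
    Near 1 means the burst died out as the paper describes; a Gaussian uptake
    would instead put most of the mass several days after release."""
    return {sig: sum(n for d, n in c.items() if 0 <= d < window_days) / sum(c.values())
            for sig, c in hist.items()}

def source_diversity(traces, releases=EXPLOIT_RELEASE):
    """Distinct source countries per signature, a rough proxy for origin diversity."""
    origins = defaultdict(set)
    for _, country, sig in traces:
        if sig in releases:
            origins[sig].add(country)
    return {sig: len(s) for sig, s in origins.items()}
```

On the constructed rows, 80% of the hits on the first signature fall within two days of its release, which is the shape the abstract contrasts with the expected bell curve.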

Keywords

Virtual Machine, Release Date, Attack Signature, Worldwide Scale, Attack Trace

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • E. Ramirez-Silva (1)
  • M. Dacier (1)
  1. Eurecom Institute, Sophia Antipolis, France