Tuesday, May 08, 2007

Report available for WASC's Distributed Open Proxy Honeypot Project

Ryan C. Barnett, WASC's Distributed Open Proxy Honeypot Project Lead, released his first Threat Report! This is wicked cool stuff. For those not familiar with this project:

“This project will use one of the web attacker's most trusted tools against him - the Open Proxy server. Instead of being the target of the attacks, we opt to be used as a conduit of the attack data in order to gather our intelligence. By deploying multiple, specially configured open proxy servers (or proxypots), we aim to take a bird's-eye look at the types of malicious traffic that traverse these systems. The honeypot systems will conduct real-time analysis on the HTTP traffic to categorize the requests into threat classifications outlined by the Web Security Threat Classification and report all logging data to a centralized location.”

That’s right: the ability to view, analyze and measure real, live web attacks. Ryan has put a lot of work in and coordinated proxies in 7 locations around the world (Moscow, Russia; Crete, Greece; Karlsruhe, Germany; San Francisco, USA; Norfolk, USA; Falls Church, USA; Foley, USA). Time to start migrating away from the theoretical or hypothesized conversation about what the “bad guys” might be doing. Here is a taste of the attacks found in the wild:

- SQL Injection Attacks
- Brute Force Attacks
- OS Command Injection
- Web Defacement Attempts
- Google-Abuses (Google-Hacking and Proxying for BannerAd/Click Fraud)
- Information Leakage

Obviously, the more sensors that are available, the better the chance of capturing juicy data, and the group is already set to grow. And as Ryan notes in the report, there are a lot of interesting and challenging aspects to this project that could really use some good people to solve them. If you would like to contribute to this project, please contact Ryan Barnett at RCBarnett_-at-_gmail.com.
