European Computer Security Incident Response Team Network (eCSIRT.net)

WP4 Public Statistics

     
 

WP4: Clearinghouse Function - public statistics, type 3

The statistics on this page provide information about the general hazard level of internet-connected systems. The data is collected automatically using Intrusion Detection Systems (IDS). The IDS sensors are autonomous systems that do not provide any services. As a result, no connection to these systems can be a valid request, and every connection can be counted as an act of scanning or attacking. The sensors use honeypot techniques to answer attackers' requests, so that the IDS sensors can record these events. The sensors run on hosts in different European countries.

Powered by Prelude

 

Complete Statistics: Overview.

The following graph shows all alerts since the deployment of the sensors. The deployment of each sensor is marked in the graph at the corresponding time.

 

Daily stats of attacks seen by the sensors.

The following graphs show the number of monitored attacks on each day, divided into the most significant classes.

Links to the previous graphs:

2003-09:   01   02   03   04   05   06   07   08   09   10   11   12   13   14   15   16
   17   18   19   20   21   22   23   24   25   26   27   28   29   30  
2003-10:   01   02   03   04   05   06   07   08   09   10   11   12   13   14   15   16
   17   18   19   20   21   22   23   24   25   26   27   28   29   30   31  
2003-11:   01   02   03   04   05   06   07   08   09   10   11   12   13   14   15   16
   17   18   19   20   21   22   23   24   25   26   27   28   29   30  
2003-12:   01   02   03   04   05   06   07   08   09   10   11   12   13   14   15   16
   17   18   19   20   21   22   23   24   25   26   27   28   29   30   31  
2004-01:   01   02   03   04   05   06   07   08   09   10   11   12   13   14   15   16
   17   18   19   20   21   22   23   24   25   26   27   28   29   30   31  
2004-02:   01   02   03   04   05   06   07   08   09   10   11   12   13   14   15   16
   17   18   19   20   21   22   23   24   25   26   27   28   29  
2004-03:   01   02   03   04   05   06   07   08   09   10   11   12   13   14   15   16
   17   18   19   20   21   22   23   24   25   26   27   28   29   30   31  

 

Monthly stats of attacks seen by the sensors.

The following graphs show the number of monitored attacks for full months, divided into the most significant classes.

Links to the previous graphs:

2003-09   2003-10   2003-11   2003-12  
2004-01   2004-02   2004-03  

 

Different kinds of attacks per attacker.

It is interesting to see how many different attacks an attacker tries on a host. This not only gives us a feeling for the many threats that our systems are confronted with; it is also a good indication of the stubbornness of attackers, who sometimes try many different attacks to reach their goal. The following table lists the number of hosts (= source IP addresses) sorted by their number of different attacks.

Attacks:   1   2   3   4   5   6   7   8   9   10   11   12   13   14   15   16   17   18   20   25   90   132   143   159   235
2003-09   13381   2393   1260   107   656   26   11   1   5   3   2   0   0   2   0   0   0   0   0   0   0   1   0   0   0
2003-10   13547   3311   210   165   581   94   24   15   12   10   4   3   2   3   1   0   1   0   2   1   0   0   0   0   0
2003-11   14027   3508   50   46   561   42   6   2   2   1   0   1   0   2   0   0   3   0   0   0   0   0   1   0   0
2003-12   16472   6234   38   32   573   50   5   1   3   5   1   1   0   4   0   0   1   0   0   0   0   0   0   0   0
2004-01   3595   1239   1363   60   502   51   8   0   1   1   1   5   1   1   0   0   1   1   0   0   1   0   0   0   0
2004-02   3399   689   1381   56   465   41   11   2   4   6   0   3   0   0   0   1   0   0   0   0   0   0   0   1   1
2004-03   5831   474   1080   59   464   42   14   5   3   2   1   0   0   0   0   0   0   0   0   0   0   0   0   0   0

As the data shows, most of the attacks are only single tries (and many of them are ICMP scans, as the previous sections indicate). But there are also some determined attackers firing all their guns at a single host.

 

Hosts that attacked more than one sensor.

Because the eCSIRT.net sensors are placed in separate networks all over Europe, it is possible to measure how many of the attackers had more than one target among the sensors. If a host is seen by more than one sensor, this indicates that it is actively searching for victims on the net. The following table lists the number of hosts (= source IP addresses) sorted by the number of sensors they attacked.

Sensors:   1   2   3   4   5   6
2003-09   17543   267   32   6   0   0
2003-10   17426   360   109   48   42   1
2003-11   17995   211   37   9   0   0
2003-12   23192   175   33   20   0   0
2004-01   6459   319   34   12   7   0
2004-02   5705   305   22   20   8   0
2004-03   7629   280   31   18   17   0
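
As an added illustration (not code from eCSIRT.net or Prelude), the following Python sketch derives both tables above from raw alert records, assuming each alert reduces to a (month, source IP, sensor, classification) tuple and that "different attacks" means distinct classifications per source IP per month. The sample alerts, sensor names and classifications are constructed. Both tables count the same set of source IPs, so each month's rows sum to the same total (17848 for 2003-09 in the published tables).

```python
from collections import Counter, defaultdict

# Constructed sample alerts: (month, source IP, sensor, classification).
# Sensor names and classifications are hypothetical; IPs are documentation ranges.
ALERTS = [
    ("2004-03", "192.0.2.10", "sensor-a", "ICMP echo request"),
    ("2004-03", "192.0.2.10", "sensor-a", "ICMP echo request"),  # repeat, same kind
    ("2004-03", "192.0.2.11", "sensor-a", "ICMP echo request"),
    ("2004-03", "192.0.2.11", "sensor-b", "TCP SYN to port 445"),
    ("2004-03", "192.0.2.11", "sensor-c", "TCP SYN to port 135"),
    ("2004-03", "198.51.100.7", "sensor-b", "TCP SYN to port 445"),
    ("2004-03", "198.51.100.7", "sensor-b", "HTTP probe"),
    ("2004-02", "192.0.2.10", "sensor-c", "ICMP echo request"),
]

FIELD_INDEX = {"sensor": 2, "attack": 3}


def host_distribution(alerts, field):
    """Return {month: {n: number of source IPs with n distinct values of field}}."""
    seen = defaultdict(set)  # (month, source IP) -> distinct sensors or attack kinds
    for rec in alerts:
        seen[(rec[0], rec[1])].add(rec[FIELD_INDEX[field]])
    dist = defaultdict(Counter)
    for (month, _src), values in seen.items():
        dist[month][len(values)] += 1
    return {month: dict(counts) for month, counts in dist.items()}


def total_hosts(dist, month):
    """Distinct source IPs counted for a month (the sum of that table row)."""
    return sum(dist[month].values())


def format_table(dist, label):
    """Render a distribution in the page's layout: one row per month."""
    columns = sorted({n for row in dist.values() for n in row})
    lines = [f"{label}:   " + "   ".join(str(n) for n in columns)]
    for month in sorted(dist):
        cells = (str(dist[month].get(n, 0)) for n in columns)
        lines.append(f"{month}   " + "   ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    for field, label in (("attack", "Attacks"), ("sensor", "Sensors")):
        dist = host_distribution(ALERTS, field)
        print(format_table(dist, label))
        print("hosts in 2004-03:", total_hosts(dist, "2004-03"))
```

A mismatch between the two row totals for the same month would point to alerts being dropped or double-counted in one of the aggregations.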

 

Last changed: 2004-04-01 / AUTO
Copyright © 2002-2003 by PRESECURE Consulting GmbH, Germany