Survival Time on the Internet

Published: 2008-07-13
Last Updated: 2008-07-14 13:46:58 UTC
by Lorna Hutcheson (Version: 3)
2 comment(s)

I have been asked many by people if I really believed the survival time graph on the ISC site was truly an accurate representation of how long a new system had once connected.  The answer to this is yes for most home users and systems that are internet facing.  It can be longer depending on the system,  what sits in front of it and what it is used for.  The survival time is currently around 4 minutes for unpatched systems.  That is not much time at all and the window has shrunk over the past couple of years.  If you want to do your own experiment by  placing a sacrificial system out there, its really a fun thing to do!  Don't patch the system and see how long it takes before it receives its first probes and actually becomes compromised.  Just  make sure you monitor and its not used against others.  If you really want to do this, I'd advise checking out the Honeynet Project.

The battle, in my experience, is waged between the admins and management who want to get this system up and working and security who is saying not until its been patched and its security posture confirmed.  More than once, I've dealt with a compromise of a system that was place on the network before it was hardened.  I got the same answer every time "We needed it working ASAP".  However, more time was spent playing clean up from it than if it was just done right the first time. 

What I'm really curious about are any experiences that you have had for survival time on the internet that you can share.  Please feel free to sanitize them as necessary and let us know if they can be posted.  What was placed on the network and why?  What was the impact, if any, to other systems?  How long was the system out there before it was compromised.  Also, if you have been able to use the survival time graph as a method of showing why its important to properly secure a system first, please let us know that too.

Update 1100 UTC by Daniel Wesemann:

ISC reader Dr. Neal Krawetz deliberately exposed the management ports of several brands of cable modem / home router devices to the Internet to see if they would be compromised.  Within the week that the experiment lasted, none of them were.

Thorsten Holz from the German Honeynet Project wrote a very interesting blog entry, complete with statistics and graphs, in response to this ISC diary. Read it here

While the survival time measured varies quite a bit across methods used, pretty much all agree that placing an unpatched Windows computer directly onto the Internet in the hope that it downloads the patches faster than it gets exploited are odds that you wouldn't bet on in Vegas.  Using a NAT router and a correctly configured personal firewall is the way to go - both these measures help a lot to improve the odds in favor or your PC.


2 comment(s)


Aren't most of the probes for listening ports? I've noticed that my NetGear router does not open *any* ports by default, which means any Windows device using this router is automatically behind a decent firewall unless they go in and open up some ports. If this is true, how does that affect someone in terms of being able to patch Windows in time? [I can't check -- all Linux here for quite some time ;-)]
One think that Thorsten's otherwise well written piece omits, which is glaring, is that many of those "unsuccessful" attacks may be for unknown vulnerabilities, which the honeypot does not emulate. As fo the "I'm NATed, so I'm safe", response (which we hear a lot), it totally fails to address any DNS or IP level hijack, drive-by, or iFrame.
While these do require that you actually go somewhere other than Windows Update, some of those places have been quite common (Doplhin Stadium, FE).
Last, but by no means least, most users only run Windows Update, instead of Microsoft update and al the updaters for their third party apps (Adobe and Quicktime/iTunes being recent attack vectors), so Office and other stuff remains vulnerable, even if the system is patched.

Diary Archives