Monday, 14 April 2008

Does Linux frighten off Hackers?

A comparative study of attacks against Corporate IIS and Apache Web Servers

It has been suggested that an attacker[1] will specifically target the Windows operating system. This research has shown that rather than this being the case an attacker will in fact not target Microsoft Windows, but rather seeks to avoid attacking Linux.

This study has shown significant support for the assertion that an attacker shies away from Linux and not that they aim to attack windows.

In particular, this study was designed to collect data on attacks against corporate Web servers. Unlike many of the other proceeding studies using honeypot systems, this experiment was designed to collect information on attacks against "secured" corporate systems.

Data analysis, Anova tables etc available on request.

It has been suggested that Microsoft Server Software is more likely to be attacked than Linux (Broersma, 2004) due to perceived insecurities within these systems. Previous research has focused on investigating the trends[2] against the underlying operating system as a whole. The purpose of this research was to investigate a single factor, namely, the Web server software as a vector for attack.

This project is not designed to test the relative strengths or security levels of either Operating System, but rather to determine the relative attractiveness of each of these systems to an attacker.

In this experiment, the systems were configured to appear as a financial services organisations client website. There were two systems, one running on Apache the other on IIS.
Unlike previous research, the focus of the experiment was to record the volume of attacks from individual sources. By this process, we were able to answer the following questions:
Which web server software product (IIS or Apache) will have the most “scans”[3]?

Which product will an attacker spend the most time with in an attempt to “break” or “crack” the software security settings?

What is the effect of hiding the host headers[4] on the servers?

By restricting access to the servers through a firewall to only the Web service on port 80 it was possible to demonstrate system attractiveness on a single defined service. The results of this experiment support the research efforts of the HoneyNet Project[5], Symantec[6], and the Internet Storm Centre[7]. In correlation to the prior research on this topic it was initially confirmed that and greater number of attacks were made against the Windows host.
Rather than focus on the survivability of a host, this experiment has been designed to determine the attractiveness of the host to an attacker. Unlike many of the experiments on this topic, which have preceded this one, the experiment has been designed to test the effect of obscuring the servers by hiding the host headers and information thus available to an attacker.
The interesting effect shown in this study was not that IIS on Windows was more attractive than Apache on Linux, but rather that Linux is less attractive to attackers.

Methodology used in the study
Description of experimental study
The research was based on a controlled trial with naturally randomized subjects.
Subjects (i.e. the attackers) discovered the systems based on their own activities. As there is no way to attract Subjects to the systems, it was expected that a random sample of the population of “hackers” on the Internet would find and explore the system at any given time. No details of the source of the attacks were analysed.

The analysis took the nature of the probes into account as well as the relative amount of time spent on each system.

Experimental procedure
The data collected from this experiment is based on two “honeynets” deployed to appear as the primary and DR site for a financial organisation. Each HoneyNet consisted of two servers configured to run VMWare. Each of the VMWare servers was configured to run a Web server using bridged network access.

The first virtual server was configured using Red Hat Linux 9.0 and Apache version 2. The second virtual server consisted of a Windows 2000 server system running IIS 6.0 each of the pages was configured to appear as a client portal in our fictitious financial services organisation.
To simulate a financial services organisation, these systems were installed behind a firewall, which only allowed access to TCP port 80. The HoneyNet was linked to “real”[8] servers from a fictitious organisation. Both Systems were configured to require authenticated access before allowing any access to a backend application.

Using the Snort IDS[9] software, the number of attacks and thus the effort expended by an attacker on each server was measured and recorded. The open source IDS product, SNORT[10], was used to collect the data. SNORT was installed on the underlying system. In this manner, it was not possible to detect the IDS deployment from the web server. All systems where patched fully before being deployed.

There where two phases to the experiment with the first phase involving leaving the web host headers unaltered. The second phase involved hiding the web host headers. By this, the server was stopped from advertising its software version. In the first phase, the systems responded as Apache version 2 and IIS. In the second phase, both systems where configured to respond with “Secure Web Server version 2.3”

Figure 1 - Network Diagram
The results were collected daily for the period of the test[11]. Informational data was excluded from the results. All attacks detected by SNORT were collected together and no effort has been made to correlate the levels of attack against each server.

Steps to physically control variation
In order to minimise variation, the HoneyNet Servers were configured as follows;
  1. Both systems were installed on matching hardware and domain addresses,
  2. Both systems were booted from a Knoppix[12] CD
  3. Both systems resided on the same switched network and be active at the same times
  4. The IDS system was not be available or visible to the external network.
  5. Results will be randomized as the systems will not be “advertised” and it is expected that they will be found by general network scans and probes.
  6. The IP[13] addresses of the systems will be sequentially allocated such that a probe would be expected to detect both at the same time.

Steps to statistically control variation
When either system was attacked by a DOS[14] attack, both systems where made unavailable to not continue to record data on one system while the other is not being tested.
The Honeypots were deployed using the methodology detailed in the paper by Greg M. Bednarski and Jake Branson (2004) titled, “Information Warfare: Understanding Network Threats through Honeypot Deployment”.

Results and Discussion
We subsequently analysed the data based on the average number of individual source hosts and attacking each system and the number of individual attacks registered per host.

Figure 2
We collected data for several weeks with the Web servers host headers remaining visible. Next, we reconfigured the servers to each display an alternate host header; “Secure Web Server version 2.3”. This was designed to obscure the system details from a potential attacker.

Figure 3

Apache is less attractive to attackers
The results of the experiment clearly demonstrate a similarity in the results obtained when the server type either is unknown or is determined to be a Microsoft Windows system. However, there was a markedly lower intensity and volume of attacks against the Apache Web server when its host headers were displayed.

Table 1
In order to determine whether the Microsoft Windows IIS Web server or the Apache Linux Web server would attract a larger number of scans or attacks than its counterpart, a two-sample t test was performed on the "Number of Source Hosts Detected per Day" (Figure 3). When choosing a null hypothesis (Ho) that there is no difference between the apache or IIS Web server, it was found that the results of the initial phase of the experiment were significantly different (t = 29.59, df = 54, p < name="">Attacks against Linux with Apache are less intense
An ANONA analysis of the results of the subsequent tests test demonstrate a significant difference (F=5.4402; df = 3, p < f="0.0007;" df =" 2," p="0.9993)." alpha =" 5">

Attackers treat unknown web servers as IIS
ANOVA Analysis of Attacks by source hosts when the header was not Apache on Linux[16]demonstrated no significant difference (F=0.0007; df = 2; p=0.9993).
ANOVA again supports the assertion that there is no significant variation (F=0.0344; p=0.8538, RSquare = 0.000859) when we compare the results of the phase 1 tests against IIS to the phase 2 tests with the host headers obscured.

Conversely an analysis by ANOVA of the phase 1 tests against Apache to the phase 2 tests with the host headers obscured significantly (F=5.7659; p=0.0211, df =3) supports our claim that attackers are less likely to attack Apache on Linux.

Further, when these results are coupled with the initial analysis (F=14.4513; p=0.0004, df = 3) of attacks against Apache vs. IIS from above it is easy to see that there is support for the assertion that an attacker does not care what the server is as long as it is not Linux.[17]
These results would suggest that the threat against Internet deployed hosts is moving from automated scanning tools to more human intensive processes. By specifically avoiding the Apache Linux system (when not obscured), there is evidence to support the contention that attackers are manually targeting systems and actively stopping attacks they deem to be “too difficult”.

Limitations in this study
No effort was made to analyse and the levels of attacks against any server. It may be that more high-level attacks are made against a Linux server for example; this assertion has not been tested. In this study, all levels of attack were treated equally whether they were designated as a low, medium or high-level attack.

Suggestions for further research
Some potential areas of further research have emerged from this study. It is clear that an attacker will avoid Linux servers that are not obscured, though this study can provide no reasons for this behaviour.

It is suggested that researchers consider this study and its conclusions as an initial exploration into the methodology of an attacker. Research into the motivations driving this behaviour in an attacker needs to be determined. Further research is essential in order to develop appropriate strategies and measures to secure systems sufficiently. It is essential to understand the psychology of the attacker if effective controls are to be developed and deployed.
A study where the host headers on a Microsoft Windows IIS host are altered to simulate Apache on Linux could determine some further important results.

This study has shown that attackers are not so much attracted to Windows, but rather shy away from Linux based systems.

One potential reason for this could be the increased W32 market penetration. Another possible reason could stem from a perceived greater level of security with Linux hosts.
The results of this study do not demonstrate that either Linux or Microsoft Windows is more secure. However, the results do support the claim that attackers believe that Linux is more difficult to attack, as it is more secure.

Further research is needed on this topic to determine “WHY” Linux is less attractive than Windows to attackers. In addition, experiments into the effects of using other systems (such as the MAC OS) could be further explored.

Acohido, Byron and Swartz, Jon; “Unprotected PCs can be hijacked in minutes”, 30th Nov 2004, USA Today
Bednarski, Greg M. and Branson, Jake; Carnegie Mellon University; “Information Warfare: Understanding Network Threats through Honeypot Deployment”, March 2004
Broersma, Matthew; Techworld, “Linux servers safer than ever” Published 20th January 2005 by TechWorld
CSO magazine/U.S. Secret Service/CERT Coordination Center, “2004 E-Crime Watch Survey Shows Significant Increase in Electronic Crimes”, 2004,
CERT, “CERT/CC Statistics 1988-2005”, 2005,
Honeynet Project & Research Alliance, “Know Your Enemy: Honeywall CDROM Roo”, 17th May 2005,
Honeynet Project & Research Alliance, “Know your Enemy: Tracking Botnets - Using honeynets to learn more about Bots”, 13th March 2005,
Honeynet Project & Research Alliance, “Know Your Enemy: Honeynets in Universities - Deploying a Honeynet at an Academic Institution”, 26th April 2004,
Honeynet Project & Research Alliance, “Know your Enemy: Trend Analysis”, 17th December 2004,
Negus, Christopher, 2003“Red Hat Linux 9 Bible”, 1st Edition, Wiley Publishing, Indianapolis US.
Symantec, “Symantec Internet Security Threat Report”, January 1 – June 30, 2004.
The SANS Institute, “Survival Time History”, 2005, The Internet Storm Centre,

[1] The Term “Attacker” has been used in this paper to refer to the commonly used designations of “hacker” or “cracker” and covers anyone attacking the computer host.
[2] “Know your enemy – Trend analysis”– The HoneyNet Project
[3] A Scan is defined as a single attempt to gain information on the system from a single host for the purpose of this experiment.
[4] This is the HTTP Server host header. Both IIS and Apache allow an administrator to change or “hide” this system field.
[5] The HoneyNet Project is a research project conducted by the HoneyNet Project & Research Alliance,
[6] Symantec Internet Security Threat Report, January 1 – June 30, 2004
[7] “Survival Time History” The Internet Storm Centre, The SANS Institute.
[8] These systems will be running the software being tested though they will have no real function.
[9] IDS – Intrusion Detection System
[11] The test was conducted from February 2005 to April 2005.
[12] Knoppix is a Mini-Linux installation which may be booted from read only media
[13] Internet Protocol
[14] Denial of Services (DDOS is a Distributed Denial of Services) attack.
[15] A higher level of alpha was chosen for the initial test as a lower volume of data had been collected at this point.
[16] The results where either an unknown server (based on the hidden host header) or the IIS web service.
[17] HO, There are no differences between the number of attacks against a server type;
HA, There is a difference between at least one of the tests. Tests conducted at the alpha = 5 level.

No comments: