[unisog] AV for MACS

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Dec 6 18:47:02 GMT 2004


On Mon, 06 Dec 2004 10:20:33 MST, Jim Dillon said:
> A recent honeypot test (6 systems, configured, plugged into broadband, left
> alone for two weeks) by Avantgarde in San Francisco should make it clear enough
> why you should be using AV (and other security in depth features.)  Note the
> frequency of attacks on the platforms in the following table - notice the two
> favorites - an unpatched XP box and a Mac OS X box, almost identical in
> number of attempts.  Seems to me the attackers must know something about which
> platforms yield results given the number of times they attack particular
> platforms.

> Platform    Total attacks     Attacks/day     Attacks/hour
> XP SP1      139,024           8,177           341
> OS X        138,647           8,155           339

All that tells *ME* is that the attacks most likely don't bother fingerprinting
the target before being launched, because 95% of the time, the target will be
Windows. I'll place bets that the vast majority of the 8,155 "attacks" on OSX
had some variety of Windows payload attached to them.

Given the vast difference in number of attacks reported, I *really* need to
feel that the people who ran the test didn't configure all 6 boxes to report
the same things as an "attack".  If the same 'probe for open share' packet
was sent to all 6 boxes, would all 6 report an "attack"?  If the same "probe
for Apache/SSL hole" was sent to all 6, would they all squawk?
