If your organisation has any value, or is advertised in any way, you are most likely exposed to even greater threat

Honeynet Project report

Statistics gathered by the network show that computers connected to the web are scanned for weaknesses up to 14 times per day and that, on average, an attempt will be made to break into a net-connected computer every three days.

The good news is that this project has highlighted the attack patterns used by hackers, which could help people predict when they are about to face an assault.

The decoy network, made up from six machines, is operated out of the back bedroom of Lance Spitzner, a computer consultant and security expert.

Recorded attacks

His network is similar to thousands of others operated by small businesses and technology enthusiasts that make up the network of networks we know as the internet, with one significant exception.

The network set up and overseen by Mr Spitzner was specifically set up to tempt malicious or "black hat" hackers into fiddling with it. When they do, it records every action they take and every keystroke they make.

Mr Spitzner set up the network as part of the Honeynet Project, which aims to gather information about the working methods of black hat hackers to aid organisations that want to avoid their attentions.

Too often, said Mr Spitzner, information was gathered in the wake of an attack rather than before it occurred. The Honeynet should help redress the balance.

Over the 11-month period from April 2000 to February 2001, the decoy network has been gathering statistics on every attack on the network, every successful takeover and all attempts to make it launch attacks on someone else's behalf.

Predictable patterns

Although no attempt was made to advertise the existence of the network, it was regularly discovered and attacked. "Theoretically this site should see very little activity, as we do not advertise any services nor the systems," said Mr Spitzner's report on the project. "However, attack they do, and frequently.

"If your organisation has any value, or is advertised in any way, you are most likely exposed to even greater threat," the report warns.

At busy times, the network was being scanned up to 14 times per day by black hat hackers, using automated tools that probe the net's networks looking for specific vulnerabilities.

The six computers making up the network were also regularly attacked by crackers looking to see if they had well-known vulnerabilities patched up.

The report said that, on average, any computer newly connected to the web would only have to wait three days before hackers came calling. In one instance, someone tried to crack open one of the Honeynet computers a mere 15 minutes after it went online.

More honey

But the news is not all bad. The report reveals that because malicious hackers are using automated tools to find and fiddle with networks, they follow predictable attack patterns.

The report found a strong link between the type of scanning or probing a network would suffer and the subsequent attacks that would be launched upon it. Using these data, companies might be able to work out the vulnerabilities of their networks and take action before the hackers come to visit.

Mr Spitnzer, a former tank commander and founding member of the Honeynet Project, has been joined by a rough coalition of 30 others, including security experts, psychologists, technologists and forensic scientists.

The report was released in advance of a book produced by Honeynet members entitled Know Your Enemy, which is due to go on sale later this year. Proceeds from the sale of the book will be used to establish other, larger Honeynets, helping to gather more accurate statistics about how malicious hackers ply their trade.