The Blackholing Side-effect of IP Reputation Filtering

A new report shows that the effective use of IP reputation filtering creates an additional, or 'blackhole', layer of security

FireHost, a provider of secure cloud hosting, uses an IP reputation filter to help protect its customers. Reputation filters use a blacklist of known 'bad' IP addresses belonging to malevolent networks and botnets. When traffic arrives from an IP address in this database, it is simply blocked and discarded. The source of the traffic gets no response – the probe simply falls into a blackhole.
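The block-and-discard behaviour described above can be sketched as follows. This is an added example, not FireHost's or ThreatSTOP's code: the `ReputationFilter` class, the `scanner_view` helper, the blocklist entries (documentation-only address ranges) and the open ports are all assumptions made for illustration.

```python
import ipaddress

# Constructed blocklist built from documentation-only ranges (not real threat data).
BLOCKLIST = ["192.0.2.0/24", "198.51.100.17/32", "2001:db8:bad::/48"]


class ReputationFilter:
    """Hypothetical edge filter: listed sources are discarded with no reply."""

    def __init__(self, cidrs):
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        # Keep IPv4 and IPv6 entries apart so lookups compare like with like.
        self.nets = {v: [n for n in nets if n.version == v] for v in (4, 6)}
        self.dropped = 0  # tally of blackholed probes, as a report would count them

    def is_listed(self, src):
        addr = ipaddress.ip_address(src)
        # An IPv4-mapped IPv6 source (::ffff:a.b.c.d) must hit the IPv4 entries.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        return any(addr in net for net in self.nets[addr.version])

    def handle(self, src, dst_port, open_ports=(80, 443)):
        """Return what the sender observes; None means silence (the blackhole)."""
        if self.is_listed(src):
            self.dropped += 1
            return None  # no SYN-ACK, no RST, no ICMP error
        return "SYN-ACK" if dst_port in open_ports else "RST"


def scanner_view(flt, src, ports=(22, 80, 443)):
    """Map each probed port to the reply that source would see."""
    return {port: flt.handle(src, port) for port in ports}


if __name__ == "__main__":
    flt = ReputationFilter(BLOCKLIST)
    for src in ("192.0.2.44", "::ffff:192.0.2.9", "203.0.113.5"):
        print(src, scanner_view(flt, src))
    print("blackholed probes:", flt.dropped)
```

A listed source sees the same silence on open and closed ports, so from its side the address looks unused; an unlisted source can still tell the two apart.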

You might think that the presence of this blackhole would flag the existence of a valid target beyond it and spur the attacker into greater efforts, but the reality is different. FireHost's statistics for Q4 2013 on the volume of blocked cyberattacks against its customers show a dramatic decrease in the amount of traffic blocked by its reputation filter.

While the total number of blocked attacks, excluding those blocked by the reputation filter, remained almost identical, the number of filter-blocked attacks fell by almost 50%, from more than 17 million to less than 9 million, between Q3 and Q4 2013. "If an automated attack detects a dead address, it's unlikely to probe it any further," explains FireHost CEO, Chris Drake. "It will simply move on to another, a new vulnerable target, and launch the same attack there."

Thomas Byrnes, CEO of ThreatSTOP, which developed the IP reputation filter FireHost uses, thinks there may be an element of 'seasonality' in the reduction of attacks. "Much like any legitimate corporate industry, cybercrime observes regular business cycles... this would, in part, account for a decrease in attacks on FireHost's servers." "That said," he added, "there's no doubt that the black hole effect also had a significant impact, with automated attacks unable to recognize the value of FireHost's IPs."

The drop in filter-blocked traffic demonstrates a principle long recognized in policing the physical world, known as crime prevention through environmental design (CPTED), which holds that making criminal activity more difficult will deter all but the most determined criminal.

FireHost's latest report further demonstrates this principle from the opposite view: cybercriminals have shown no inclination to develop new attack methodologies because the old ones are still working, so they simply haven't had to. The four most common attack methods (cross-site scripting, cross-site request forgery, directory traversal and SQL injection) remain little changed from Q3 to Q4.

"Attackers are still using relatively old attack methods and it's easy to see why," says Drake. "There's very little push-back from potential victims and the security industry is struggling to keep up... Security measures and countermeasures are not advancing at a quick enough pace to force attackers to be incredibly innovative. There are still many potential victims vulnerable to attack using the same old exploits and tools.

"Until the information attackers seek is properly protected, and we break out of the status quo," he says, "intruders will stick to their favored attacks and do well by them."
