Honeypot Project Finds Unpatched Linux PCs Stay Secure Online For Months

Study says the average unpatched Linux system survives for months on the Internet before being hacked. Another report says Windows PCs last just minutes.

Gregg Keizer, Contributor

December 23, 2004

The average unpatched Linux system survives for months on the Internet before being hacked, a report recently issued by the Honeypot Project claims.

The life expectancy of Linux has lengthened dramatically since 2001 and 2002, the project said, from a mere 72 hours two and three years ago to an average of three months today.

Honeypot Project is a non-profit that, as its name suggests, connects vulnerable systems to the Internet in the hope of drawing attacks so that they can be studied. To figure out the lifespan of a Linux system, the group set up a dozen "honeynets" -- the project's term for a system that hosts numerous virtual honeypot machines -- in eight countries, then tracked the time it took for those machines to be compromised.

"What's surprising is that even though threats and activity are reported as increasing, we see the life expectancy of Linux increasing against random attacks," said the group's report.

In comparison, unpatched Windows systems often are hacked within minutes of connecting to the Internet. Late last month, similar "honeypot" research done by AvanteGarde tallied the average survival time of several versions of Windows at just four minutes.

Although Honeypot Project deployed several Windows-based honeypots, it felt they were too few in number to use in drawing conclusions. It did note that several of the Windows honeypots were compromised in mere minutes. A pair of honeypots in Brazil, however, were online several months before being eventually compromised by worms.

The group also spotted several interesting facts about Linux's lifespan.

The older the Linux distribution, the more likely it would be hacked, said the group, which attributed that to more secure default settings by newer versions, a trait Windows, particularly Windows XP SP2 and Windows Server 2003, shares with Linux.

And once a system had been compromised, it was more likely to be compromised again (and possibly again and again). One honeypot running Red Hat Linux, for example, was hacked 18 more times in just one month after its initial compromise. Again, that's not uncommon in the wider world of Windows, where previously compromised PCs are often "updated" with the latest worm to take advantage of an even newer vulnerability.

Although the data was somewhat of a surprise, particularly the huge increase in life expectancy even as Windows' continues to shrink, the group had several explanations for the results.

Default installations of Linux are, the report said, "becoming harder to compromise" thanks to changes such as fewer services automatically enabled and host-based firewalls filtering inbound connections.

More important, however, is that hackers are now using tactics to target users, not the systems they work on. The best example is the flood of phishing attacks cranked out by criminals this year that need nothing more than an enticing e-mail message, an easily-duped consumer, and a bogus Web site to haul in dollars and steal identities.

The group also admitted the obvious, that Linux, by virtue of its small slice of the market, is a much less appealing target than Windows. "Based purely on economies of scale, attackers are targeting Win32 systems and their users, as this demographic represents the largest percentage of the installed base," the report stated.

"[You'd] expect that a greater threat could exist to Windows than Linux," the group concluded.

And from the results of this honeypot experiment, you'd be right.
