Over year 2000, Attrition.org recorded over 5800 defacements, over 2000 more defacements over 1999. Where did all of these defacements come from? Did any Top Level Domains manage to reduce their share of defacements over the last year in what can only be described as a harsh environment? The answers surprised me. I didn't expect to see Brazil leading those countries with gains, or the U.S. military heading the list of those TLDs to reduce their absolute share of defacements.
Losers
The largest increase in defacements was Brazil, which actually
outstripped the entire dot-com generic TLD (these tables are taken
from the TLD logs
http://www.attrition.org/mirror/attrition/tldlogs/):
Brazil (br) ----------+----------- ----------+----------- Month |Defacements Month |Defacements ----------+----------- ----------+----------- Jan 1999 | 0 Jan 2000 | 27 Feb 1999 | 1 Feb 2000 | 46 Mar 1999 | 1 Mar 2000 | 42 Apr 1999 | 1 Apr 2000 | 26 May 1999 | 1 May 2000 | 49 Jun 1999 | 5 Jun 2000 | 40 Jul 1999 | 6 Jul 2000 | 39 Aug 1999 | 4 Aug 2000 | 28 Sep 1999 | 7 Sep 2000 | 44 Oct 1999 | 12 Oct 2000 | 65 Nov 1999 | 36 Nov 2000 | 88 Dec 1999 | 50 Dec 2000 | 69 | | Total | 124 Total | 563 ----------+----------- ----------+-----------
The Commercial "com" TLD came in next with about 320 more defacements over last year. I imagined that this TLD would have done much worse, and that it would have dominated the losers by a very large margin:
Commercial (com) ----------+----------- ----------+----------- Month |Defacements Month |Defacements ----------+----------- ----------+----------- Jan 1999 | 39 Jan 2000 | 178 Feb 1999 | 32 Feb 2000 | 153 Mar 1999 | 72 Mar 2000 | 162 Apr 1999 | 129 Apr 2000 | 137 May 1999 | 182 May 2000 | 124 Jun 1999 | 143 Jun 2000 | 114 Jul 1999 | 191 Jul 2000 | 166 Aug 1999 | 172 Aug 2000 | 275 Sep 1999 | 130 Sep 2000 | 192 Oct 1999 | 259 Oct 2000 | 157 Nov 1999 | 243 Nov 2000 | 214 Dec 1999 | 178 Dec 2000 | 219 | | Total | 1770 Total | 2091 ----------+----------- ----------+-----------
The results for Israel are no surprise, having attracted the attention of a number of hacking groups in an on-going cyber-war:
Israel (il) ----------+----------- ----------+----------- Month |Defacements Month |Defacements ----------+----------- ----------+----------- Jan 1999 | 0 Jan 2000 | 0 Feb 1999 | 0 Feb 2000 | 27 Mar 1999 | 0 Mar 2000 | 1 Apr 1999 | 0 Apr 2000 | 3 May 1999 | 1 May 2000 | 0 Jun 1999 | 0 Jun 2000 | 1 Jul 1999 | 0 Jul 2000 | 4 Aug 1999 | 0 Aug 2000 | 3 Sep 1999 | 0 Sep 2000 | 0 Oct 1999 | 0 Oct 2000 | 5 Nov 1999 | 1 Nov 2000 | 62 Dec 1999 | 0 Dec 2000 | 25 | | Total | 2 Total | 131 ----------+----------- ----------+-----------
A pie chart puts this into perspective: each slice of the pie represents the TLD's share in the overall gain in defacements over 2000 (relative to the other TLDs. These pie charts do not represent a TLD's percent change over the last year, but the TLD's relative share in the increase in defacements). Other notables in the list of gains were Non-profit organizations, Korea, U.S. academic institutions, the U.S. country TLD ("us" TLD is usually United States schools, libraries, community colleges and state government institutions), Argentina, Italy (!), India, Germany, the UK, South Africa, U.S. ISPs, and Mexico. If there is anything of special note in this list, it's the number of Latin America countries.
http://www.attrition.org/security/commentary/graphs/tldgains.gif
The Winners
The TLDs that reduced their number of defacements are perhaps not as surprising
as those that gained: The largest single reduction came from the U.S. military,
which appears to have been less of a target after 1999 (no Kosovo this year), and
efforts to harden military networks.
Likewise, the U.S. government TLD also reduced the number of it's defacements,
but just barely. As to why Australia might have fallen, I won't venture a guess;
perhaps some of the members of the defaced-commentary have an idea and wouldn't
mind having something forwarded to the rest of the list? While the reductions are
modest (except the U.S. Military: a 48% decline), a reduction after the year we
just had is significant. Here, as before with the TLDs that gained, are the top
3 tables:
U.S. Military (mil) ----------+----------- ----------+----------- Month |Defacements Month |Defacements ----------+----------- ----------+----------- Jan 1999 | 1 Jan 2000 | 8 Feb 1999 | 1 Feb 2000 | 2 Mar 1999 | 4 Mar 2000 | 4 Apr 1999 | 5 Apr 2000 | 6 May 1999 | 13 May 2000 | 4 Jun 1999 | 6 Jun 2000 | 4 Jul 1999 | 6 Jul 2000 | 1 Aug 1999 | 3 Aug 2000 | 3 Sep 1999 | 2 Sep 2000 | 11 Oct 1999 | 28 Oct 2000 | 1 Nov 1999 | 18 Nov 2000 | 2 Dec 1999 | 6 Dec 2000 | 2 | | Total | 93 Total | 48 ----------+----------- ----------+----------- Australia (au) ----------+----------- ----------+----------- Month |Defacements Month |Defacements ----------+----------- ----------+----------- Jan 1999 | 1 Jan 2000 | 2 Feb 1999 | 0 Feb 2000 | 1 Mar 1999 | 0 Mar 2000 | 4 Apr 1999 | 1 Apr 2000 | 3 May 1999 | 2 May 2000 | 3 Jun 1999 | 11 Jun 2000 | 1 Jul 1999 | 4 Jul 2000 | 2 Aug 1999 | 6 Aug 2000 | 3 Sep 1999 | 9 Sep 2000 | 3 Oct 1999 | 8 Oct 2000 | 4 Nov 1999 | 10 Nov 2000 | 7 Dec 1999 | 6 Dec 2000 | 5 | | Total | 58 Total | 38 ----------+----------- ----------+----------- U.S. Government (gov) ----------+----------- ----------+----------- Month |Defacements Month |Defacements ----------+----------- ----------+----------- Jan 1999 | 7 Jan 2000 | 11 Feb 1999 | 3 Feb 2000 | 15 Mar 1999 | 2 Mar 2000 | 6 Apr 1999 | 12 Apr 2000 | 4 May 1999 | 21 May 2000 | 27 Jun 1999 | 24 Jun 2000 | 9 Jul 1999 | 5 Jul 2000 | 21 Aug 1999 | 3 Aug 2000 | 8 Sep 1999 | 3 Sep 2000 | 6 Oct 1999 | 17 Oct 2000 | 11 Nov 1999 | 51 Nov 2000 | 19 Dec 1999 | 15 Dec 2000 | 15 | | Total | 163 Total | 152 ----------+----------- ----------+-----------
The following pie chart illustrates the TLDs percent of the total reductions for 2000. The other TLDs in the list (Christmas Islands, Hungary, Niue, The Russian Federation, and Jordan) had such small counts to begin with that it's hard to say what might be going on:
http://www.attrition.org/security/commentary/graphs/tldreductions.gif
Other useful resourses:
The Country Table
(available at
http://www.attrition.org/mirror/attrition/country.html) links to more
than 100 pages of TLD categorized defacements, which in turn link to individual
defacements)
TLD logs:
The TLD logs (
http://www.attrition.org/mirror/attrition/tldlogs/) are a series of
very basic annual summary data for each TLD, along with a simple and spare
plot of the defacements per month for the TLD over the year 2000.
© 2001 Matt Dickerson for Attrition.org
Permission is granted to quote, reprint or redistribute provided the text
is not altered, and the author and Attrition.org are credited. The opinions
expressed in this text are not necessarily the opinion of all Attrition
staff members.
To subscribe to this list, send mail to majordomo@attrition.org with subscribe defaced-commentary in the BODY of the mail.
Last modified: Fri Jan 5 06:55:44 EST 2001