Top Level Domains: Winners and Losers, 2000

Over year 2000, Attrition.org recorded over 5800 defacements, over 2000 more defacements over 1999. Where did all of these defacements come from? Did any Top Level Domains manage to reduce their share of defacements over the last year in what can only be described as a harsh environment? The answers surprised me. I didn't expect to see Brazil leading those countries with gains, or the U.S. military heading the list of those TLDs to reduce their absolute share of defacements.


Losers
The largest increase in defacements was Brazil, which actually outstripped the entire dot-com generic TLD (these tables are taken from the TLD logs http://www.attrition.org/mirror/attrition/tldlogs/):

Brazil (br)
----------+-----------                    ----------+-----------
    Month |Defacements                        Month |Defacements
----------+-----------			  ----------+-----------
 Jan 1999 |          0			   Jan 2000 |         27
 Feb 1999 |          1			   Feb 2000 |         46
 Mar 1999 |          1			   Mar 2000 |         42
 Apr 1999 |          1			   Apr 2000 |         26
 May 1999 |          1			   May 2000 |         49
 Jun 1999 |          5			   Jun 2000 |         40
 Jul 1999 |          6			   Jul 2000 |         39
 Aug 1999 |          4			   Aug 2000 |         28
 Sep 1999 |          7			   Sep 2000 |         44
 Oct 1999 |         12			   Oct 2000 |         65
 Nov 1999 |         36			   Nov 2000 |         88
 Dec 1999 |         50			   Dec 2000 |         69
          | 				            |           
    Total |        124			      Total |        563
----------+-----------			  ----------+-----------
    

The Commercial "com" TLD came in next with about 320 more defacements over last year. I imagined that this TLD would have done much worse, and that it would have dominated the losers by a very large margin:

Commercial (com)
----------+-----------                    ----------+-----------
    Month |Defacements                        Month |Defacements
----------+-----------			  ----------+-----------
 Jan 1999 |         39			   Jan 2000 |        178
 Feb 1999 |         32			   Feb 2000 |        153
 Mar 1999 |         72			   Mar 2000 |        162
 Apr 1999 |        129			   Apr 2000 |        137
 May 1999 |        182			   May 2000 |        124
 Jun 1999 |        143			   Jun 2000 |        114
 Jul 1999 |        191			   Jul 2000 |        166
 Aug 1999 |        172			   Aug 2000 |        275
 Sep 1999 |        130			   Sep 2000 |        192
 Oct 1999 |        259			   Oct 2000 |        157
 Nov 1999 |        243			   Nov 2000 |        214
 Dec 1999 |        178			   Dec 2000 |        219
          | 				            |           
    Total |       1770			      Total |       2091
----------+-----------			  ----------+-----------
    

The results for Israel are no surprise, having attracted the attention of a number of hacking groups in an on-going cyber-war:

Israel (il)
----------+-----------                    ----------+-----------
    Month |Defacements                        Month |Defacements
----------+-----------			  ----------+-----------
 Jan 1999 |          0			   Jan 2000 |          0
 Feb 1999 |          0			   Feb 2000 |         27
 Mar 1999 |          0			   Mar 2000 |          1
 Apr 1999 |          0			   Apr 2000 |          3
 May 1999 |          1			   May 2000 |          0
 Jun 1999 |          0			   Jun 2000 |          1
 Jul 1999 |          0			   Jul 2000 |          4
 Aug 1999 |          0			   Aug 2000 |          3
 Sep 1999 |          0			   Sep 2000 |          0
 Oct 1999 |          0			   Oct 2000 |          5
 Nov 1999 |          1			   Nov 2000 |         62
 Dec 1999 |          0			   Dec 2000 |         25
          | 				            |           
    Total |          2			      Total |        131
----------+-----------			  ----------+-----------
    

A pie chart puts this into perspective: each slice of the pie represents the TLD's share in the overall gain in defacements over 2000 (relative to the other TLDs. These pie charts do not represent a TLD's percent change over the last year, but the TLD's relative share in the increase in defacements). Other notables in the list of gains were Non-profit organizations, Korea, U.S. academic institutions, the U.S. country TLD ("us" TLD is usually United States schools, libraries, community colleges and state government institutions), Argentina, Italy (!), India, Germany, the UK, South Africa, U.S. ISPs, and Mexico. If there is anything of special note in this list, it's the number of Latin America countries.

http://www.attrition.org/security/commentary/graphs/tldgains.gif

Pie Chart of TLDs that gained in 2000

The Winners
The TLDs that reduced their number of defacements are perhaps not as surprising as those that gained: The largest single reduction came from the U.S. military, which appears to have been less of a target after 1999 (no Kosovo this year), and efforts to harden military networks. Likewise, the U.S. government TLD also reduced the number of it's defacements, but just barely. As to why Australia might have fallen, I won't venture a guess; perhaps some of the members of the defaced-commentary have an idea and wouldn't mind having something forwarded to the rest of the list? While the reductions are modest (except the U.S. Military: a 48% decline), a reduction after the year we just had is significant. Here, as before with the TLDs that gained, are the top 3 tables:

U.S. Military (mil)
----------+-----------                    ----------+-----------
    Month |Defacements                        Month |Defacements
----------+-----------			  ----------+-----------
 Jan 1999 |          1			   Jan 2000 |          8
 Feb 1999 |          1			   Feb 2000 |          2
 Mar 1999 |          4			   Mar 2000 |          4
 Apr 1999 |          5			   Apr 2000 |          6
 May 1999 |         13			   May 2000 |          4
 Jun 1999 |          6			   Jun 2000 |          4
 Jul 1999 |          6			   Jul 2000 |          1
 Aug 1999 |          3			   Aug 2000 |          3
 Sep 1999 |          2			   Sep 2000 |         11
 Oct 1999 |         28			   Oct 2000 |          1
 Nov 1999 |         18			   Nov 2000 |          2
 Dec 1999 |          6			   Dec 2000 |          2
          | 				            |           
    Total |         93			      Total |         48
----------+-----------			  ----------+-----------

Australia (au)
----------+-----------                    ----------+-----------
    Month |Defacements                        Month |Defacements
----------+-----------			  ----------+-----------
 Jan 1999 |          1			   Jan 2000 |          2
 Feb 1999 |          0			   Feb 2000 |          1
 Mar 1999 |          0			   Mar 2000 |          4
 Apr 1999 |          1			   Apr 2000 |          3
 May 1999 |          2			   May 2000 |          3
 Jun 1999 |         11			   Jun 2000 |          1
 Jul 1999 |          4			   Jul 2000 |          2
 Aug 1999 |          6			   Aug 2000 |          3
 Sep 1999 |          9			   Sep 2000 |          3
 Oct 1999 |          8			   Oct 2000 |          4
 Nov 1999 |         10			   Nov 2000 |          7
 Dec 1999 |          6			   Dec 2000 |          5
          | 				            |           
    Total |         58			      Total |         38
----------+-----------			  ----------+-----------

U.S. Government (gov)
----------+-----------                    ----------+-----------
    Month |Defacements                        Month |Defacements
----------+-----------			  ----------+-----------
 Jan 1999 |          7			   Jan 2000 |         11
 Feb 1999 |          3			   Feb 2000 |         15
 Mar 1999 |          2			   Mar 2000 |          6
 Apr 1999 |         12			   Apr 2000 |          4
 May 1999 |         21			   May 2000 |         27
 Jun 1999 |         24			   Jun 2000 |          9
 Jul 1999 |          5			   Jul 2000 |         21
 Aug 1999 |          3			   Aug 2000 |          8
 Sep 1999 |          3			   Sep 2000 |          6
 Oct 1999 |         17			   Oct 2000 |         11
 Nov 1999 |         51			   Nov 2000 |         19
 Dec 1999 |         15			   Dec 2000 |         15
          | 				            |           
    Total |        163			      Total |        152
----------+-----------			  ----------+-----------
    

The following pie chart illustrates the TLDs percent of the total reductions for 2000. The other TLDs in the list (Christmas Islands, Hungary, Niue, The Russian Federation, and Jordan) had such small counts to begin with that it's hard to say what might be going on:

http://www.attrition.org/security/commentary/graphs/tldreductions.gif

Pie Chart of TLDs that fell in total defacements in 2000

Other useful resourses:
The Country Table (available at http://www.attrition.org/mirror/attrition/country.html) links to more than 100 pages of TLD categorized defacements, which in turn link to individual defacements)
TLD logs:
The TLD logs ( http://www.attrition.org/mirror/attrition/tldlogs/) are a series of very basic annual summary data for each TLD, along with a simple and spare plot of the defacements per month for the TLD over the year 2000.


munge@attrition.org

© 2001 Matt Dickerson for Attrition.org
Permission is granted to quote, reprint or redistribute provided the text is not altered, and the author and Attrition.org are credited. The opinions expressed in this text are not necessarily the opinion of all Attrition staff members.

To subscribe to this list, send mail to majordomo@attrition.org with subscribe defaced-commentary in the BODY of the mail.

Last modified: Fri Jan 5 06:55:44 EST 2001