Log Management and Analytics

Explore the full capabilities of Log Management and Analytics powered by SolarWinds Loggly

View Product Info

FEATURES

Infrastructure Monitoring Powered by SolarWinds AppOptics

Instant visibility into servers, virtual hosts, and containerized environments

View Infrastructure Monitoring Info

Application Performance Monitoring Powered by SolarWinds AppOptics

Comprehensive, full-stack visibility, and troubleshooting

View Application Performance Monitoring Info

Digital Experience Monitoring Powered by SolarWinds Pingdom

Make your websites faster and more reliable with easy-to-use web performance and digital experience monitoring

View Digital Experience Monitoring Info

Blog Technology

Taobao’s security breach from a log erspective

By Sven Dummer 10 Feb 2016

Taobao.com, one of the world’s top 10 most visited websites, just faced what seems like a brute force attack of staggering proportions on its user accounts. Taobao is a Chinese buying-and-selling site owned by China’s online giant, Alibaba, and offers a consumer-to-consumer (C2C) retail platform, where users are not buying from the website but through sellers offering their goods on it.

It seems the attackers didn’t attempt to breach Taobao’s own systems but used a very large database of usernames and pasSolarWinds Observability SaaS (formerly known as SolarWinds Observability)rds that stem from previous hacks of various other web sites. They then used these credentials for massive automated login attempts to Taobao.com. Because many people use the same name and pasSolarWinds Observability SaaS (formerly known as SolarWinds Observability)rd on different web sites, a number of these login attempts were successful. What makes this particular case special is the dimension: Reports say the hackers executed approximately 100 million login attempts, and almost 21 million of these turned out to be successful.

Some of the key learnings from Taobao’s security breach, from a log data perspective:

  • Log management and log monitoring are crucial security assets. Logs are where login attempts and other system activities are being recorded, and they are where suspicious events can be tracked.
  • Proactive, automated detection of unusual activity, like anomaly detection, is a must-do. The complexity of modern web sites and their levels of traffic result in log data volumes that can only be machine-monitored.
  • Website operators should proactively define alerts based on log event patterns that might reveal attacks. You might not be able to know every potential attack pattern in advance, so this is not an easy task. But if you don’t analyze your logs and look for what’s going on, you’ll never be able to detect suspicious activity. Also, try to anticipate what normal activity on your system might be used to fly under the radar. In Taboo’s case, it looks as if the hackers’ activity didn’t trigger any alerts because multiple login attempts to a single account were considered normal.
  • Even very large amounts of log data need to be retained and archived. In the case of a successful attack, you would need to be able to analyze past events, be it to understand what exactly happened or to provide forensic data for a potential legal aftermath (which could be prosecuting the attackers or just defending yourself against charges). In most cases, you can’t and you don’t have to archive everything forever, but you need to carefully think through what a reasonable log data retention time is for your business.
The Loggly and SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.
Sven Dummer

Sven Dummer