SolarWinds.com Blog Contact Us
LOG MANAGEMENT AND ANALYTICS
INFRASTRUCTURE MONITORING
APPLICATION MONITORING
DIGITAL EXPERIENCE

Get unified visibility and intelligent insights with SolarWinds Observability SaaS

LEARN MORE

Log Management and Analytics

Explore the full capabilities of Log Management and Analytics powered by SolarWinds Loggly

View Product Info

FEATURES

Proactive Log MonitoringTroubleshooting and Diagnostics with LogsSecurity and ComplianceLog Analysis and ReportingDevOps IntegrationsLoggly for Enterprise ScaleDevOps Products

Infrastructure Monitoring Powered by SolarWinds AppOptics

Instant visibility into servers, virtual hosts, and containerized environments

View Infrastructure Monitoring Info

Application Performance Monitoring Powered by SolarWinds AppOptics

Comprehensive, full-stack visibility, and troubleshooting

View Application Performance Monitoring Info

Digital Experience Monitoring Powered by SolarWinds Pingdom

Make your websites faster and more reliable with easy-to-use web performance and digital experience monitoring

View Digital Experience Monitoring Info

SUPPORTED LOG SOURCES

Android Docker Nginx Linux Apache .NET Python PHP Syslog AWS CloudTrail Heroku Tomcat Syslog endpoint DigitalOcean IIS Kubernetes MySQL Docker Network devices and routers Windows system logs Java Node.js Javascript
View All Supported Log Sources

Technical Resources

Using Loggly Product Documentation API Loggly Library Catalog Sending Logs to Loggly Ultimate Guide to Logging Troubleshooting

Educational Resources

Videos & Webinars Infographics Whitepapers Case Studies Use Cases

APM Integrated Experience

Datasheet Infographic Video: Failed Transaction Check SolarWinds vs Dynatrace SolarWinds vs Datadog SolarWinds vs AppDynamics SolarWinds vs New Relic

Connect with Us

System Status Support Request Blog COVID-19 Resource Center

Blog Technology

Taobao’s security breach from a log erspective

By Sven Dummer 10 Feb 2016

Taobao.com, one of the world’s top 10 most visited websites, just faced what seems like a brute force attack of staggering proportions on its user accounts. Taobao is a Chinese buying-and-selling site owned by China’s online giant, Alibaba, and offers a consumer-to-consumer (C2C) retail platform, where users are not buying from the website but through sellers offering their goods on it.

It seems the attackers didn’t attempt to breach Taobao’s own systems but used a very large database of usernames and passwords that stem from previous hacks of various other web sites. They then used these credentials for massive automated login attempts to Taobao.com. Because many people use the same name and password on different web sites, a number of these login attempts were successful. What makes this particular case special is the dimension: Reports say the hackers executed approximately 100 million login attempts, and almost 21 million of these turned out to be successful.

Some of the key learnings from Taobao’s security breach, from a log data perspective:

  • Log management and log monitoring are crucial security assets. Logs are where login attempts and other system activities are being recorded, and they are where suspicious events can be tracked.
  • Proactive, automated detection of unusual activity, like anomaly detection, is a must-do. The complexity of modern web sites and their levels of traffic result in log data volumes that can only be machine-monitored.
  • Website operators should proactively define alerts based on log event patterns that might reveal attacks. You might not be able to know every potential attack pattern in advance, so this is not an easy task. But if you don’t analyze your logs and look for what’s going on, you’ll never be able to detect suspicious activity. Also, try to anticipate what normal activity on your system might be used to fly under the radar. In Taboo’s case, it looks as if the hackers’ activity didn’t trigger any alerts because multiple login attempts to a single account were considered normal.
  • Even very large amounts of log data need to be retained and archived. In the case of a successful attack, you would need to be able to analyze past events, be it to understand what exactly happened or to provide forensic data for a potential legal aftermath (which could be prosecuting the attackers or just defending yourself against charges). In most cases, you can’t and you don’t have to archive everything forever, but you need to carefully think through what a reasonable log data retention time is for your business.
The Loggly and SolarWinds trademarks, service marks, and logos are the exclusive property of SolarWinds Worldwide, LLC or its affiliates. All other trademarks are the property of their respective owners.
Sven Dummer

Sven Dummer

Latest Posts

Categories

Related blog posts