Slashdot Mirror

← Back to Stories (view on slashdot.org)

Distributed, Low-Intensity Botnets

Posted by kdawson on from the slow-probe dept.

badger.foo writes "We have seen the future of botnets, and it is distributed and low-key. Are sites running free software finally becoming malware targets? It all started with a higher-than-usual number of failed ssh logins at a low-volume site. I think we are seeing the shape of botnets to come, with malware authors doing their early public beta testing during the last few weeks."

4 of 167 comments (clear)

  1. Re:Old news by Sancho · · Score: 5, Interesting

    I've noticed a significantly increased number of brute-force attacks in the last week or so. They're also spacing the number of attempts per IP address out, however I'll get several attempts in a row for the same invalid username from several different IP addresses within seconds of each other. Then all of the addresses will back off for a couple of minutes, and then they'll retry with a new username.

    It's gotten to the point where I have finally installed Denyhosts. Prior to this week, I got away with limiting the number of new connections to port 22 per IP address per minute, but with the backoff that they're doing now, that no longer works.

    Denyhosts is fantastic, though. Since I last evaluated it, they've added the ability to sync with a centralized server, meaning that I can potentially block attackers before they even hit me. I wish that everyone would use it, now.

  2. Re:SSH probes are nothing new by ShaunC · · Score: 5, Interesting

    Yeah, same here, except right now there's a rather humongous distributed bruteforce campaign going on. The 20-30 attempts I tend to see have skyrocketed to several thousand per day. It's actually pretty impressive - it's clearly a distributed sequential dictionary attack. Most of the IPs will only try once or twice, in an effort to avoid exactly the sort of reactive firewalling you mention.

    Dec 1 11:17:57 shaunc sshd[35178]: Failed unknown for illegal user griffin from 196.211.53.74 port 20893 ssh2
    Dec 1 11:18:17 shaunc sshd[35262]: Failed unknown for illegal user griffith from 92.50.243.18 port 40689 ssh2
    Dec 1 11:18:30 shaunc sshd[35308]: Failed unknown for illegal user griffith from 82.207.103.151 port 60822 ssh2
    Dec 1 11:18:33 shaunc sshd[35354]: Failed unknown for illegal user grizelda from 65.203.231.41 port 60602 ssh2

    Many thousands of these, seconds apart, all day long. It got so bad that for the time being I've moved sshd to a different port.

    --
    Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
  3. Re:Isn't that... by Duckie01 · · Score: 4, Interesting

    Yeah these worms were attacking my home linux router as well, like a year ago or some.

    Worms just tried to brute force ssh using "administrator" and such as username. I guess they were trying to get into badly (default) configured broadband routers. That's never going to work of course on my linux box but all the login attempts caused the hd to be busy *all* the time.

    My sollution was to drop ssh packets by default in the firewall. Not that these attacks were likely to succeed but I didn't want my consumer grade hd to wear down in a year ;) I then created a small php script that'd insert a firewall rule to accept ssh connections from the IP it's called from. Finally I password protected the php script with .htaccess.

    So now I can enable ssh to my machine wherever I am, while still blocking the rest of the internet.

  4. Re:Isn't that... by weetabeex · · Score: 5, Interesting

    You could also be interested in port knocking.

    Turned out to be quite handy when I had that same issue with bots connecting to my ssh port all day long.