The Slow Bruteforce Botnet(s) May Be Learning

badger.foo writes "We've seen stories about the slow bruteforcers — we've discussed it here — and based on the data, my colleague Egil Möller was the first to suggest that since we know the attempts are coordinated, it is not too far-fetched to assume that the controlling system measures the rates of success for each of the chosen targets and allocates resources accordingly. (The probes of my systems have slowed in the last month.) If Egil's assumption is right, we are seeing the bad guys adapting. And they're avoiding OpenBSD machines." For fans of raw data, here are all the log entries (3MB) that badger.foo has collected since noticing the slow bruteforce attacks.

Re:Solution: Public Key Auth

[Hojima]

The other solution is to use asshole seeking missiles on the botnets. Of course it would probably end up leading astray from the pricks with the checklist that always responds to peoples' solutions to spam.

Re:Solution: Public Key Auth

That wont work and Ill tell you why:

1)Those launching the missiles also have assholes.
2)Knives would be funner
3)Barney sucks
4)People like checklists

Next Slashdot headlines...

• The Slow Bruteforce Botnet(s) may be learning
• The Slow Bruteforce Botnet(s) are learning at an exponential rate
• The Slow^H^H^H^HFast Bruteforce Botnet(s) become self-aware at 2:19 AM, August 29
• Botnet masters try to pull plug, botnets fight back with DDoSur8ghgw43899 NO CARRIER

If only it were so simple

[failedlogic]

At the risk of being unpopular ..... Just turn off the Internet already!

Re:AI

[Fluffeh]

Because computers are widely known for their common sense?

It's like saying to a robot "Can you watch this lamb in the oven?" and they do. They bloody watch it burning for three hours.

Ahh thank you Red Dwarf, even historically, you were so accurate of the future...

Re:Solution: Public Key Auth

[beav007]

Since changing my SSH ports to something really high (above 50000), I have had exactly *zero* failed password attempts in the last 14 months.

That means that you haven't been attacked by a portscanning bot yet.

That or they got the password right...

Re:Solution: Public Key Auth

[techno-vampire]

It really makes me wonder where they're getting them.

One way to get them is to set up some sort of site that logically requires you to log in, let it become popular, then harvest the password file and use it in your attacks. Be sure to make the site geeky, though, to get good passwords and give it an attention-getting name. Something like "Slashdot."

Re:Solution: Public Key Auth

[ion.simon.c]

Unfortunately, this is often too hard for your users.

:(
We need to grow smarter users.

Re:Solution: Public Key Auth

[chaim79]

Yah but two anecdote's don't make a parable... right?

Re:Solution: Public Key Auth

[ion.simon.c]

You seem to be a chatbot. I'm not sure how you got onto slashdot, but welcome!

Re:How do the botnets know it's OpenBSD?

[Slashdotvagina]

You can infer a lot about the OS from the way it crafts it's packets.

Similarly, you can learn a lot about a person from the way it crafts it is sentences.

Re:OpenBSD hosts make stupid targets...

[Anne+Thwacks]

will OpenBSD refuse a valid username and password combination because the person logging in has a hidden evil deep in their hearts

Yes

You are obviously a Windows user.

Re:Solution: Public Key Auth

[maxume]

Using a high port number is like parking in an empty part of a parking lot. It adds a small amount of inconvenience, reduces the likelihood of an incident, but fails to mitigate any of the consequences of an incident that does happen.