Slashdot Mirror

← Back to Stories (view on slashdot.org)

The Slow Bruteforce Botnet(s) May Be Learning

Posted by kdawson on from the knock-who's-there-knock dept.

badger.foo writes "We've seen stories about the slow bruteforcers — we've discussed it here — and based on the data, my colleague Egil Möller was the first to suggest that since we know the attempts are coordinated, it is not too far-fetched to assume that the controlling system measures the rates of success for each of the chosen targets and allocates resources accordingly. (The probes of my systems have slowed in the last month.) If Egil's assumption is right, we are seeing the bad guys adapting. And they're avoiding OpenBSD machines." For fans of raw data, here are all the log entries (3MB) that badger.foo has collected since noticing the slow bruteforce attacks.

16 of 327 comments (clear)

  1. Solution: Public Key Auth by slifox · · Score: 5, Interesting

    The obvious solution is to use public/private key authentication and disallow password logins.

    This is much safer anyways, since your private key and your passphrase stays on your local machine always, so even if the server is compromised and the SSHd is bugged, no one will have immediate access to your login token.

    1. Re:Solution: Public Key Auth by FugitiveMind · · Score: 5, Interesting

      Since changing my SSH ports to something really high (above 50000), I have had exactly *zero* failed password attempts in the last 14 months.

      I know the plural of 'anecdote' is not 'data', but this is the case across *all* my servers.

    2. Re:Solution: Public Key Auth by HeronBlademaster · · Score: 5, Interesting

      I didn't change my ssh port to something that high, but I changed it to something above 1024, and the botnet attacks have stopped, so you can add my anecdote to yours...

    3. Re:Solution: Public Key Auth by Sancho · · Score: 4, Interesting

      Unfortunately, this is often too hard for your users.

      What's really scary is that I'm starting to see really good passwords coming through (I modified the OpenSSH source to log the password sent for one of my jails.) I'm seeing passwords that have no particular rhyme or reason (in other words, they're either random or are generated through an obfuscated scheme.) I have to assume that they're passwords which were harvested in some way. It really makes me wonder where they're getting them.

    4. Re:Solution: Public Key Auth by corsec67 · · Score: 4, Interesting

      Since changing my SSH ports to something really high (above 50000), I have had exactly *zero* failed password attempts in the last 14 months.

      That means that you haven't been attacked by a portscanning bot yet.
      I don't know that any exist yet, so you would be safe until they do. Really, wouldn't any port other than 22 that isn't used for anything else bots attack work?

      --
      If I have nothing to hide, don't search me
    5. Re:Solution: Public Key Auth by supernova_hq · · Score: 4, Interesting

      Actually no. Most port scanners (read: almost all of them) only scan up to 1024. This is because that is where 99% of vulnerable machines open their ports. The only people that scan higher than that are the ones with a list of specific targets. If you are on that list, chances are you are going to see some incoming traffic no matter what you do.

    6. Re:Solution: Public Key Auth by Anonymous Coward · · Score: 4, Interesting

      You can still use the standard port, just install a simple defense system in iptables.

      iptables -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --update --seconds 99 -j DROP
      iptables -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --set

      Now any particular IP address can only open a tcp connection to your ssh server once every 99 seconds, or longer if they keep trying during the blackout period^^

      Maybe put some whitelist rules before that. Change it to 900 (fifteen minutes) if you don't log into your server that often from other addresses.

    7. Re:Solution: Public Key Auth by houghi · · Score: 4, Interesting

      I use BlockHosts and even though I still get hit, the amount of tries is 4-5 and the IP address will be blocked for 12 hours.
      Very seldom I see them hit me a second time.
      The advantage is that it is live and although initially looks in the log files it does not depend on them.

      Entry currently in my hosts.allow, which is after some IP addresses I specifically always allow.

      #---- BlockHosts Additions
      ALL: 216.146.46.29 : deny
      ALL: 65.111.164.53 : deny
      ALL: 77.48.41.174 : deny

      #bh: ip: 122.166.17.253 : 1 : 2008-12-22 09:48:44 CET
      #bh: ip: 216.146.46.29 : 5 : 2008-12-22 09:43:41 CET
      #bh: ip: 65.111.164.53 : 4 : 2008-12-22 02:02:53 CET
      #bh: ip: 77.48.41.174 : 5 : 2008-12-22 02:02:49 CET

      #bh: logfile: /var/log/messages
      #bh: offset: 5717251
      #bh: first line:Dec 20 19:15:07 pasta syslog-ng[2148]: new configuration initialized

      #---- BlockHosts Additions
      sshd : ALL: spawn /usr/bin/blockhosts.py & : allow

      --
      Don't fight for your country, if your country does not fight for you.
  2. AI by religious+freak · · Score: 4, Interesting

    I swear, some of the most adaptive, sophisticated, and advanced techniques seem to be coming out of the Botnets.

    It's my (admittedly probably crazy) idea that we WILL begin to see "emergent intelligence properties" out of some sophisticated system at some point in time, whether it be Google, an AGI lab, or a botnet. I shudder at the prospect of our first AI of power will have grown from one of these botnets.

    NOTE: I'm not saying this will happen tomorrow, but extrapolating the current state of botnets relative to the current state of other systems leads me to believe, on a relative basis, systems may be complex relative to one another as they are today. If that is the case, well... that would be bad.

    --
    If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
  3. OpenBSD hosts make stupid targets... by fuzzyfuzzyfungus · · Score: 4, Interesting

    In principle, OpenBSD is no more or less vulnerable to weak username/password pairs than is any other OS. I suspect that, on average, OpenBSD machines are more likely to be set up for keypair auth; but any that aren't are in the same boat as everybody else(since, after all, username/password guesses aren't OS weaknesses, OSes are supposed to respond to correct username/password pairs.)

    There is still reason to avoid them, though. Because OpenBSD is something of a niche system, you can make plausible inferences about the systems running it. Specifically, they most likely have admins who are interested in security and are watching activity fairly closely, and are more likely than average to do something about it. If you are doing something illegal, why attract such attention?

  4. Botnet solution by Anonymous Coward · · Score: 5, Interesting

    Bots were knocking on my door to the point I was worry about performance degradation. I know there are many ways to defeat these but here was my solution.

    In hosts.deny
    -----------------
    sshd:ALL EXCEPT /var/www/html/allow.txt
    -----------------

    Create a simple cgi-script (password protected and accessed via secret random url) that writes your browser IP address to the allow.txt file and all those nasty botnets and go to hell.

  5. I want to see a death bounty for these people by erroneus · · Score: 4, Interesting

    These people are a tremendous illness upon the world. If it were legal, I would contribute to a bounty on the lives of the people responsible for this stuff. These people make me beyond sick. I have said it many times and sometimes I actually mean it -- if I knew of someone involved in this sort of business close by, I would appear on the news shortly thereafter. And I am pretty sure I am not alone in this sentiment.

    1. Re:I want to see a death bounty for these people by Opportunist · · Score: 4, Interesting

      Nobody keeps you from putting a bounty on the head of a spammer and botnetter. You can't ask for them being killed, but you can without a problem issue a bounty on them, payable to whoever tracks down a botnetter and drags him to court.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  6. Economics by jimpop · · Score: 5, Interesting

    Don't forget about the economies surrounding botnets. There are two sides, those that profit from the botnets (the operators), and those that profit fighting the botnets (the fighters). Additionally, there are those that profit from providing botnet remedial "solutions" whilst not being in either of the primary (operator or fighter) categories. If botnets ceased to exist, there would be a *lot* more lost on the fighter and solution side than on the operator side. So... like SPAM, this raises the question of just who actually benefits the most from botnet existing.

    1. Re:Economics by Opportunist · · Score: 5, Interesting

      As someone being in the latter group (to avoid confusion, the ones fighting them), yes, we make some money fighting that crap. Looking at the money being made on the other side, some are already wondering why we stay here.

      We stay on this side because we (well, most of us) hate botnets. Most people I met at various conventions and meets are somewhere between zealous, fanatic or outright crazy, but generally see the money as some sort of pleasant side effect.

      Believe me one thing: We know we cannot fight it, we know it's almost impossible to track them down and we know how it works. If we were in it for the money, we'd switch sides before you're done reinstalling your system. There's about ten times the money to be gained on the dark side.

      Conservatively estimating, that is.

      If spam and botnets ceased to exist overnight, we'd gladly return to more interesting and maybe also more profitable professions. Most of us are network experts. Some know more about the way Windows works on the "inside" than most people at MS. And if everything fails, we could actually maybe even create a copy protection system that is hard enough to break that nobody would willingly do it (after all, we spend a good deal of our time with disassembly). Do you really think that any of the (good) spam and botnet fighters would have a hard time finding a "honest" job that maybe even paid better than this?

      I could enjoy having a life again, instead of this sorta permanent on-call duty. Again, no christmas for me, because yes, this is one of the hottest times of the year (many people at home, many new computers needing infections, so many new opportunities for botherders...). I would also prefer to create something, like some new software to make people happy or more productive, instead of poking at malware and trying to find a sensible way to detect it. It's not really good for your ego if your product is seen as the necessary evil that steals valuable computer time instead of something that people actually want to have.

      Thanks for hearing out the rant. Now we're back to your scheduled program.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. This is not a game changing tactic. by dweller_below · · Score: 5, Interesting

    I do computer and network security for a university.

    This distributed SSH password guessing is not a new tactic. We have seen and tracked this tactic off and on for over a year.

    If this tactic was a game changer, we would have seen it ramp up before now. It would occur all the time. But it doesn't. It only seems to occur during holidays.

    At it's heart, this tactic is not any more effective than non-distributed password guessing. Either way, the attacker has to enumerate the same number of guesses before finding a hit. If a machine is vulnerable, it will be successfully attacked by either approach to password guessing. If it is not vulnerable, neither approach will work.

    Modern hacking is a economic activity. It must balance risk and reward. This attack doesn't offer any more reward than conventional password guessing. It's main feature is to try to change the risk side of the equation.

    Conventional SSH password guessing is noisy. One machine will portscan for TCP/22. Then it rapidly guesses passwords against everything that responds. That one machine is usually lost to the attacker. Automated defense systems block it. Also, defenders report it to the owning ISP. The only way this works for the attacker is if he can harvest more that he loses.

    The distributed guessing attack is also noisy, but in a different way. Currently, we see the attacker start by sacrificing 1 computer to do a TCP/22 portscan. At this point, he has already risked as much as a conventional password guessing attack. Then he feeds the results to a bunch of bots. Each bot then takes turns guessing passwords. Each bot guesses 1 password at a time. However, each bot guesses against multiple SSH servers at the same time.

    This attack is inherently more risky that conventional password guessing. The attacker exposes many of his computers. If we can detect and respond, this attack is not as cost effective as conventional password guessing.

    It is easy for my university to detect and respond to these attacks. We detect it in three different ways.
    1) Each attacker has a distinctive network behavior pattern. We can automate detection by looking at aggregate Cisco netflow data.
    2) It is trivial to pick off this attack using a SSH honeypot.
    3) We use a network visualization tool to watch aggregate SSH activity. This password guessing is obvious on our visualization tool.

    Once we have detected the attackers, we respond to them in the normal way. We block them. We inform our peer institutions and the authorities. We inform the owning ISP.

    The main difference in this situation is that detection and response is easy if you have access to aggregate traffic or multiple SSH servers. It is difficult if you only manage 1 SSH server.

    I don't expect this form of attack to last much longer. I am sure that everybody else is adapting. Once the defenders adapt, this tactic is too expensive to be used.

    Miles