Slashdot Mirror
The Slow Bruteforce Botnet(s) May Be Learning
badger.foo writes "We've seen stories about the slow bruteforcers — we've discussed it here — and based on the data, my colleague Egil Möller was the first to suggest that since we know the attempts are coordinated, it is not too far-fetched to assume that the controlling system measures the rates of success for each of the chosen targets and allocates resources accordingly. (The probes of my systems have slowed in the last month.) If Egil's assumption is right, we are seeing the bad guys adapting. And they're avoiding OpenBSD machines." For fans of raw data, here are all the log entries (3MB) that badger.foo has collected since noticing the slow bruteforce attacks.
The obvious solution is to use public/private key authentication and disallow password logins.
This is much safer anyways, since your private key and your passphrase stays on your local machine always, so even if the server is compromised and the SSHd is bugged, no one will have immediate access to your login token.
one thing they're not avoiding: Barack Obama's gorgeous asshole!
A couple weeks ago, while browsing around the library downtown, I had to take a piss. As I entered the john, Barack Obama -- the messiah himself -- came out of one of the booths. I stood at the urinal looking at him out of the corner of my eye as he washed his hands. He didn't once look at me. He was busy and in any case I was sure the secret service wouldn't even let me shake his hand.
As soon as he left I darted into the booth he'd vacated, hoping there might be a lingering smell of shit and even a seat still warm from his sturdy ass. I found not only the smell but the shit itself. He'd forgotten to flush. And what a treasure he had left behind. Three or four beautiful specimens floated in the bowl. It apparently had been a fairly dry, constipated shit, for all were fat, stiff, and ruggedly textured. The real prize was a great feast of turd -- a nine inch gastrointestinal triumph as thick as his cock -- or at least as I imagined it!
I knelt before the bowl, inhaling the rich brown fragrance and wondered if I should obey the impulse building up inside me. I'd always been a liberal democrat and had been on the Obama train since last year. Of course I'd had fantasies of meeting him, sucking his cock and balls, not to mention sucking his asshole clean, but I never imagined I would have the chance. Now, here I was, confronted with the most beautiful five-pound turd I'd ever feasted my eyes on, a sausage fit to star in any fantasy and one I knew to have been hatched from the asshole of Barack Obama, the chosen one.
Why not? I plucked it from the bowl, holding it with both hands to keep it from breaking. I lifted it to my nose. It smelled like rich, ripe limburger (horrid, but thrilling), yet had the consistency of cheddar. What is cheese anyway but milk turning to shit without the benefit of a digestive tract?
I gave it a lick and found that it tasted better then it smelled.
I hesitated no longer. I shoved the fucking thing as far into my mouth as I could get it and sucked on it like a big half nigger cock, beating my meat like a madman. I wanted to completely engulf it and bit off a large chunk, flooding my mouth with the intense, bittersweet flavor. To my delight I found that while the water in the bowl had chilled the outside of the turd, it was still warm inside. As I chewed I discovered that it was filled with hard little bits of something I soon identified as peanuts. He hadn't chewed them carefully and they'd passed through his body virtually unchanged. I ate it greedily, sending lump after peanutty lump sliding scratchily down my throat. My only regret was that Barack Obama wasn't there to see my loyalty and wash it down with his piss.
I soon reached a terrific climax. I caught my cum in the cupped palm of my hand and drank it down. Believe me, there is no more delightful combination of flavors than the hot sweetness of cum with the rich bitterness of shit. It's even better than listening to an Obama speech!
Afterwards I was sorry that I hadn't made it last longer. But then I realized that I still had a lot of fun in store for me. There was still a clutch of virile turds left in the bowl. I tenderly fished them out, rolled them into my handkerchief, and stashed them in my briefcase. In the week to come I found all kinds of ways to eat the shit without bolting it right down. Once eaten it's gone forever unless you want to filch it third hand out of your own asshole. Not an unreasonable recourse in moments of desperation or simple boredom.
I stored the turds in the refrigerator when I was not using them but within a week they were all gone. The last one I held in my mouth without chewing, letting it slowly dissolve. I had liquid shit trickling down my throat for nearly four hours. I must have had six orgasms in the process.
I often think of Barack Obama dropping solid gold out of his sweet, pink asshole every day, never knowing what joy it could, and at least once did, bring to a grateful democrat.
I swear, some of the most adaptive, sophisticated, and advanced techniques seem to be coming out of the Botnets.
It's my (admittedly probably crazy) idea that we WILL begin to see "emergent intelligence properties" out of some sophisticated system at some point in time, whether it be Google, an AGI lab, or a botnet. I shudder at the prospect of our first AI of power will have grown from one of these botnets.
NOTE: I'm not saying this will happen tomorrow, but extrapolating the current state of botnets relative to the current state of other systems leads me to believe, on a relative basis, systems may be complex relative to one another as they are today. If that is the case, well... that would be bad.
If you can read this... 01110101 01110010 00100000 01100001 00100000 01100111 01100101 01100101 01101011
The conclusions are a bit too speculative, nonetheless the research is interesting. I am not sure if a few hundred hosts are enough to conclude that the "bad guys" are coordinating and sharing attack output. And as far as avoiding OpenBSD, come on..."OpenBSD is a bitch." Why is this a surprise?? :)
In principle, OpenBSD is no more or less vulnerable to weak username/password pairs than is any other OS. I suspect that, on average, OpenBSD machines are more likely to be set up for keypair auth; but any that aren't are in the same boat as everybody else(since, after all, username/password guesses aren't OS weaknesses, OSes are supposed to respond to correct username/password pairs.)
There is still reason to avoid them, though. Because OpenBSD is something of a niche system, you can make plausible inferences about the systems running it. Specifically, they most likely have admins who are interested in security and are watching activity fairly closely, and are more likely than average to do something about it. If you are doing something illegal, why attract such attention?
Soon BotNet will become self-aware and start searching for Sara Connor
It is now official. Netcraft confirms: *BSD is dying
One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last in the recent Sys Admin comprehensive networking test.
You don't need to be the Amazing Kreskin to predict *BSD's future. The hand writing is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.
FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.
Let's keep to the facts and look at the numbers.
OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.
Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.
All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.
Fact: *BSD is dying
Bots were knocking on my door to the point I was worry about performance degradation. I know there are many ways to defeat these but here was my solution.
In hosts.deny /var/www/html/allow.txt
-----------------
sshd:ALL EXCEPT
-----------------
Create a simple cgi-script (password protected and accessed via secret random url) that writes your browser IP address to the allow.txt file and all those nasty botnets and go to hell.
These people are a tremendous illness upon the world. If it were legal, I would contribute to a bounty on the lives of the people responsible for this stuff. These people make me beyond sick. I have said it many times and sometimes I actually mean it -- if I knew of someone involved in this sort of business close by, I would appear on the news shortly thereafter. And I am pretty sure I am not alone in this sentiment.
At the risk of being unpopular ..... Just turn off the Internet already!
How would the botnet know they are attacking an OpenBSD box (vs Linux or something else)?
Is there some sort of server signature involved (that I'm not aware of)
My (Linux) ssh server at home just responds with a password prompt. I don't see any easy way to determine the underlying system from that.
BTW. On my server at home I use Hashlimits to limit each IP to 1 attempt per minute (maximum). This has taken the attacks down from hundreds / thousands per day ( The most attacks I ever got was ~7,000 from one IP) to about 3 to 6. This is typically, 1 attempt each, they then get blocked, and then they go away.
Ever stop to think
Don't forget about the economies surrounding botnets. There are two sides, those that profit from the botnets (the operators), and those that profit fighting the botnets (the fighters). Additionally, there are those that profit from providing botnet remedial "solutions" whilst not being in either of the primary (operator or fighter) categories. If botnets ceased to exist, there would be a *lot* more lost on the fighter and solution side than on the operator side. So... like SPAM, this raises the question of just who actually benefits the most from botnet existing.
Is there something 'better' about BSDs' ipchains then I can do with Linux and iptables?
Should I switch my firewall? (I've been itching to test BSD cause it's so darned geeky and I am getting annoyed with all these Ubuntu "somebody help me!!" converts plugging the IRC tubes.)
A locked-down firewall is locked-down isn't it?
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
Posting as AC because the people running botnets can be nasty...I had most of their hosts banned two weeks ago and it got more interesting.
To the people who say: "Use fail2ban" --it won't work unless you jail the host on the first failed login forever. They'll be back once every six hours on my system.
After I had a week worth of logs, I added them to hosts.deny--and now things are getting interesting. I'm working on compiling the pattern now--but it looks like there's "micro wordlists" being thrown at it until they get picked up in fail2ban...two or three a day from new hosts.
The botnets are probably programmed with attacks specific to an OS. You don't attack Linux the same way you attack Windows. OpenBSD is niche enough that they don't bother with it. I'll bet they leave IRIX and AS/400 systems alone too. The author only noticed because he has an OpenBSD system.
Another potential reason is that OpenBSD is typically used for stuff like firewalls, they are probably more interested in attacking sites that might be running e-commerce sites and the ones not running Windows are most likely Linux or Solaris. They want to steal credit card numbers, not firewall statistics :)
"Spirit," said Scrooge, with an interest he had never felt before, "tell me if *BSD will live."
"I see a vacant seat," replied the Ghost, "in the poor chimney-corner, and a crutch without an owner, carefully preserved. If these shadows remain unaltered by the Future, *BSD will die."
"No, no," said Scrooge. "Oh, no, kind Spirit! say it will be spared."
"If these shadows remain unaltered by the Future, none other of my race," returned the Ghost, "will find him here. What then? If it be like to die, it had better do it, and decrease the surplus operating system population."
Scrooge hung his head to hear his own words quoted by the Spirit, and was overcome with penitence and grief. It was sad to see any operating system die, even one so obviously flawed and useless as *BSD.
God bless us, every one.
fBSD has always
skynet is gaining power
I've looked at the TFA and the hard data and it seems like admins are the ones making the IT mistakes. With so many attempts for root and none of the other users personally identifiable, I can personally just set up a Bot to run tracert routines on failed attempts and report them for trying to access Root or Admin.
When it comes to multi-user sites however public key auth is standard, but your user ID and password have to match. What I don't understand is why everyone immediately resorts to AI development.
Clearly musing, he is. AI means "Self-adapting code". Self-adaption is too slow in real time and is only controlled by small control variables in games. Botnets have a heard. IT's the ADMIN's fault for being hearded, but they can have a techie d/c the power cord to save the rest of the world. Theres no real threat to secure folks because physical disconnection is trivial over a router (I just disable my IP assignment and I'm disconnected until I get another techie to do it physically) but more of a threat to people who can't control it. People controlled by the law, such as big-time Admins.
Sure, sure, the server won't crash when you're watching it, sure. But how boring will that be?
Here's the real issue: Remote Access
There has to be a way for the slow bots to get into root or admin or a remote access. I usually disable root or admin from working outside the internal loopback - 127.0.0.1 - standard Class A IP Address. I could technically configure a Bot to run Tracert (traceROOT) routines on all of those people (yes, windows user here) and have them reported to the federal government. It can't mess up my personal account, nor can it mess up DNS servers with sheer volume. It's small-scale.
so, the solution is proper remote access protocols. I remember NEVER activating remote access but at the same time using public-key authorized third party demo services to make minor changes remotely, including shutting the system down. I used logmein.com, free demo version, pathetically, but it's actually more secure as long as I have no idea how why I should do it myself. Once I used the shutdown signal it could not boot itself up unless someone would physically press the button. I have to call a physical person in the house to do that myself, so unless demons from hell can use an on/offswitch and my BIOS password without my permission, it ain't starting on it's own nor does it listen for a restart signal until I sign into windows for the first time (Windows XP here). My system has never been breached before, but it constantly deadlocks to save itself from burning the CPU out. It has a thermosensor and cutoff only in the power supply unit, however. Stupid laptops weren't designed for gaming even though thats how its advertised. How do I pull an all nighter at this rate? I'll just remove the sensor in my power supply and WHAM there goes my processor for not having heat sensors. Stupid dell power supply. Rocket fish will at least deadlock my system without damaging my hard disk.
If OpenBSD itself can detect operating systems with varying levels of success (see pf.os finger printing - http://www.openbsd.org/cgi-bin/man.cgi?query=pf.os&sektion=5&manpath=OpenBSD+4.4) it stands to reason other programs can use this same idea.
Is our slow bruteforce botnets learning?
Sheer Volume Versus Adaptability
Sheer volume could target DNS servers themselves, this would only af
Please do not mention self-learning. That's merely musing. There's no self-intelligence here, it's timed with Christmas too catch IT departments offguard with unionized labor. It's just that humans control the fast botnets and make them slow by putting in delay timers. No one in the real IT world will be affected and no personal accounts will get stolen. I can crash MSN clients with some fast typing because MS is unstable, but the Windows XP is at it's prime.
Here. I admit. I'm part of the so-called "whitehat guys" who profit from stoping the botnets. But since I have no ethics or morals, I dont really stop them, I just give them kickbacks to make it look like I'm stopping them.
Now excuse me while I go get a back massage on from the hot ladies serving me martinis on the beach in Tahiti. Me and my fellow whitehats are making millions off you poor fools. If you only knew!
(adjust your tinfoil good sir, you are blocking the wrong signals)
I use OpenBSD for all my firewall and have it block all access to all ports and all IPs once a fail ssh login attempt is made one time - so I leave all my systems on port 22.
Suck on that botnet bitches.
Of course, we can change our ports, upgrade our packages and more...on our systems. But we have accounts on other systems and while we trust those systems to lose our data only rarely or be down from time to time, we have to assume that our password will be stolen and harvested along with our username from one or more of those in the future. Just imagine friendster when it's down to one underpaid intern of a sysadmin.
So the moral of the story is, have a different password for each system and keep track of them whatever way you want(meatspace isn't bad but encrypted is better). Yeah, it's a hassle but it's actually not too bad since browsers can remember passwords and if a box or laptop gets stolen or hacked, you just spend a couple hours revving all your passwords.
I do computer and network security for a university.
This distributed SSH password guessing is not a new tactic. We have seen and tracked this tactic off and on for over a year.
If this tactic was a game changer, we would have seen it ramp up before now. It would occur all the time. But it doesn't. It only seems to occur during holidays.
At it's heart, this tactic is not any more effective than non-distributed password guessing. Either way, the attacker has to enumerate the same number of guesses before finding a hit. If a machine is vulnerable, it will be successfully attacked by either approach to password guessing. If it is not vulnerable, neither approach will work.
Modern hacking is a economic activity. It must balance risk and reward. This attack doesn't offer any more reward than conventional password guessing. It's main feature is to try to change the risk side of the equation.
Conventional SSH password guessing is noisy. One machine will portscan for TCP/22. Then it rapidly guesses passwords against everything that responds. That one machine is usually lost to the attacker. Automated defense systems block it. Also, defenders report it to the owning ISP. The only way this works for the attacker is if he can harvest more that he loses.
The distributed guessing attack is also noisy, but in a different way. Currently, we see the attacker start by sacrificing 1 computer to do a TCP/22 portscan. At this point, he has already risked as much as a conventional password guessing attack. Then he feeds the results to a bunch of bots. Each bot then takes turns guessing passwords. Each bot guesses 1 password at a time. However, each bot guesses against multiple SSH servers at the same time.
This attack is inherently more risky that conventional password guessing. The attacker exposes many of his computers. If we can detect and respond, this attack is not as cost effective as conventional password guessing.
It is easy for my university to detect and respond to these attacks. We detect it in three different ways.
1) Each attacker has a distinctive network behavior pattern. We can automate detection by looking at aggregate Cisco netflow data.
2) It is trivial to pick off this attack using a SSH honeypot.
3) We use a network visualization tool to watch aggregate SSH activity. This password guessing is obvious on our visualization tool.
Once we have detected the attackers, we respond to them in the normal way. We block them. We inform our peer institutions and the authorities. We inform the owning ISP.
The main difference in this situation is that detection and response is easy if you have access to aggregate traffic or multiple SSH servers. It is difficult if you only manage 1 SSH server.
I don't expect this form of attack to last much longer. I am sure that everybody else is adapting. Once the defenders adapt, this tactic is too expensive to be used.
Miles
(this is my first post here, BTW--been lurking for years.)
Welcome to Slashdot.
Here's your first project: Build a fembot, preferably one that looks like Kristanna Loken or Summer Glau.
Alternatively, you can instead teach us how to get and keep girlfriends.
It's nothing special. Just get someone's password, then dump it into the list. These seemingly random login attempts likely come from logins that were found in other attacks. Get a winner, keep it. Then add it to a list of thousands more and you'll have a high chance of hitting the logins of those people who use the same name:pass over all their accounts. ...and that's why you don't make your bank password the same as your slashdot password.
ssh has alternatives to passwords. Use them. If you can't disable password-based authentication, set your password to a random 128 character string ( head /dev/urandom | sha512sum, for example- though while you can definitely type this easily, some "password checkers" say that this is not secure and reject it ). You don't need to write this password down, as long as you've set up your key.
-- 'The' Lord and Master Bitman On High, Master Of All
On my OpenBSD webserver I noticed a recent spike in hacking attempts. After checking with my clients with regards to where their web traffic and sales come from I discovered that virtually none needed to have their webpages displayed offshore.
I then blocked the entire Asia Pacific Network. I am talking about the entire CIDR range from the offending ISP. I also blocked select addresses in Russia, Turkey, Germany, Poland, Brazil, etc. Every few days I check the logs and add a few more blocks if need be.
While I freely admit this move is quite drastic in nature and not possible for everyone, the illegal activity has dropped off to virtually nil. My Bandwidth utilization is way down as well.
The way I see it, I am more than willing to accept the loss of 1% legitimate traffic for 99% that isn't. If these people can't play nice, why let them play at all? I am naive enough to think that if more and more people adopted this policy, perhaps the offending governments would stand up and take notice. They seem to be able to control whether or not their citizens are able to look at pro-democracy information. If they cared about the illegal activity as well, they could do something about it. Until then, they'll remained blocked and I sleep very well at night.
Would a bayesian filter work on this? The filter would match bad userids against the set of valid ones; bad userids that do not resemble any valid id by more than X% will score a demerit against the host that submitted the bad ID. Enough bad ids will probably identify an attacking bot, which can then be blocked. This is a slow defense, but the attack itself is slow and will probably statistically require far more attempts than a bayesian filter requires to identify the attacker.
Since the attacker doesn't know the set of valid userids on the target system, it's hard to see how this could be countered. Spam authors know how normal email looks, but still can't defeat bayesian spam filters.
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
In principle, OpenBSD is no more or less vulnerable to weak username/password pairs than is any other OS. I suspect that, on average, OpenBSD machines are more likely to be set up for keypair auth; but any that aren't are in the same boat as everybody else(since, after all, username/password guesses aren't OS weaknesses, OSes are supposed to respond to correct username/password pairs.) There is still reason to avoid them, though. Because OpenBSD is something of a niche system, you can make plausible inferences about the systems running it. Specifically, they most likely have admins who are interested in security and are watching activity fairly closely, and are more likely than average to do something about it. If you are doing something illegal, why attract such attention?
And yet there is still the most obvious reason they avoid OpenBSD systems. Pr0n. Yeah, that's right, I mean c'mon, OpenBSD didn't exactly make a name for itself with it's killer video codec support and HD streaming capability.
What the hell is the point in cracking your OpenBSD file server only to find a shitload of PGP archives...Boooring.
I have long ago changed the way I log in into my servers; my open port (nonstandard) points to sshd that uses keys and lets you login into a xen honeypot; only when two successful logins from predetermined IP addresses succeed at the same time, then a sshd port to the actual virtual server that I am trying to protect is opened (again allows only logins using keys) and it does this with a delay of 15 seconds, keeping the port open for 60 seconds, then closes it.
Was not so hard to implement. Can be easily made much more complicated while retaining end user transparency.
Of course, should someone get my private keys and pass phrases, and the local scripts - it becomes easy to gain access. But these keys are on 3 systems (local and the two mentioned above) and I made sure that the pass phrases for the keys I did not write down anywhere in compliance with all the self imposed security policy requirements.
The problem is that I can not log in anymore, and have lost access to all my special pron! Any idea, what gives?
Haven't seen anyone mention this but... how about patching sshd so that an attacker can't tell the difference between a connection failing because of a bad userid or because of a bad password/key? Let them sit and spin (a tarpit?) trying to break into that "amanda" account they think I have - or blow out their database thinking every host has every possible userid in the book.
I think creating a spammable contact form is kind of a right-of-passage for web developers. Everybodies first will eventually get used for spamming. Hell, I'm just as guilty of putting out a contact form that was susceptible to header injection.
You only make that mistake once though and the lessons you learn from it teach you all kinds of lessons about cleaning up tainted user input.
Maybe "contact form header injection" is kind of like the chicken pox. Most of us get infected when we were "kid developers" and never get it again.
If you have the keywords "email" and "form" and probably "addresses", I bet you got hit with a script. I see those to on my contact forms. I suspect these bots are capable of trolling through google search results and then basically launching automated probes against the targets.
The keys to securing your contact form (or a "email a friend" form) is to sanitize anything that will wind up in the mail headers. The easiest way to hack your form is to simply add a CRLF to any bits the spammer thinks goes into the header. If the mail library you use is stupid (2004 versions of PHP, I'm looking at you), it will gladly allow it and let the spammer add headers of their own (like a list of CC:'d addresses).
Sanitizing for those are a bit easy -- dont let the user control your subject line and validate email addresses (using a well known API, not your own!). Strip out anything that doesn't belong (CRLF's for example, anything that would separate multiple email addresses, etc). Ideally your library would do this for you, but not all do (cough, 2004 PHP)
The hard bit is to keep spammers from using your "email a friend" form to send out brute-force spam. You can't ban IP's after all, they use their botnet. Thankfully, I've never really seen this happen. I think it is because doing this is just too slow and thanks to botnets, they can get random, legit IP's much easier.
The thing is, your method of "block the IP address" only works because the botnet is allocating maybe a hundred of their computers to the cause. I've seen this too even with comment spammers - they use only a handful of their IP space.
If these people wanted to, a spammer could just use their entire botnet and round-robin using each IP address once. On a 100k botnet, it would be pointless to even try to block the IP's. For starters you couldn't safely discern which are attacks and which are valid.
The problem really is there are a lot of obsolte ideas floating around till. Namely that blocking IP's are an effective tool to combat any kind of network abuse. Or that IP's even have any meaning at all--IP addresses are random and an attacker can and does hop from hundreds or thousands of them during their "work". You simply cannot stop attackers by just banning IP addresses or you'll wind up banning half the internet.
It is best for all of us to start treating IP addresses as opaque, meaningless things and find better ways to deal with abuse. The IP address as a security tool has gone the way of the dodo.
I could be talking out of my ass too though. I'm not all that familiar with the guts of the modern botnet and maybe I'm discounting the cost incurred when a botnet owner "reveals" what they own. I am assuming they could care less if grandma's machine gets exposed as part of the bot. After all, in the end isn't it grandma's box knocking on your SSH door?
Just wait until the botnet guys hack up the miniscule $185,000 USD required to purchase .corn and you fall for it too. Or you wont (like most of us) but at the cost of spending more time during your day manually parsing URL's to watch for paypal.com instead of paypal.c0m or paypal.corn. Good times. Good times.
The Buy-your-own-TLD crowd is probably funded by the botnet lobby (who is funded by the modern day mob)
Watching comment spammers in a tail -f'd access_log is a sight to behold.
They always fuck up though. Sure they might feed you a cookie you gave one of their brother computers, but the User-Agents are almost never 100% the same. Plus a lot of them do a bad job of screen-scraping and will usually POST to a slightly mis-formed URL. Of course, they'll also POST instead of GET (like the form says) or GET instead of POST. Watch for that.
Since you can't bind to the IP address (proxy and AOL), I you can weed some of these assholes out by binding the cookie to the User-Agent. You can also slow the assholes down by putting a one-time token on each form... if you see that token twice, they are using a "stale" form. Spammers already figured this out though, but it can help mitigate other attacks like XSS attacks.
Good times. Good times.
But seriously, if any of you have a forum, I highly recommend you sit down and "tail -f" your access log and watch these assholes. It is a sight to see.
I wasn't talking about the product to use to do it, but a detection approach that isn't present in any product I know of.
I described how to detect a specific kind of behavior that would be unique to the attack and the attacker, and to which attackers can not mount a meaningful countermeasure. Implementing the filter requires statistical analysis of not just incoming data, but also resident data (the userid list).
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
Use IPTables to redirect port 22 to www.fbi.gov
Hello friend,
You seem to be disadvantaged at the moment in not having a lifetime partner. Please click here to find hot singles in your area:
http://tinyurl.com/6y7jgl
John was a good boy, but decided to deliver papers every day. His water bottle covered the monster in goat cheese, dripping feta all over the refrigerator. Entranced by the spoon, susan covered the salad with some plastic wrap, then turned over the next page of the book.
[this botnet parody message was brought to you by the letter 'Y']
Ask me about repetitive DNA
Problem is, if you block IPs for attempting bad usernames and one of the botnet zombies gets a chance to connect a second or third time, then the botnet will start targeting that username (since it "knows" it's valid). A better approach would be to _randomly_ block IPs that attempt bad usernames, but after enough sampling, the botnet could determine which username attempts never get blocked immediately and would focus on those. Best approach of all would be to give out no information regarding validity of usernames, and just ban on failed attempts regardless of UID, sharing the ban list with other servers to help mitigate the distributed IPs. If a legit user is trying to ssh in, and gets banned, they should have your phone number / email address.
I saw this stuff ramp up on my systems earlier this year, but it dropped off before the Dec 2nd /. article. Now I've just got the standard brute forcers using one IP address for several hundred attempts (presumambly hundreds; they never get too far). My guess at the time was that they had compromised all the machines they needed or had gotten too many of their zombies targeted by others and where waiting until the zombies got a new DHCP lease.
It scared me at first because I thought: wow, fail2ban and denyhosts can't handle this (denyhosts.net syncing isn't open source), but then I looked at it from a sniper analogy (sorry, been playing too many army games lately):
We can't tell where the enemy is, and every once in a while, they let loose with a machine gun blast, so we'd just snipe that one guy (throw up a firewall, maybe report to authorities) and wait again. Now, they're shooting one machine gun round every hour, but they have enough people that it's like one gunner who moves around a lot. So, now our snipers can mow the lot of them down (assuming there are enough sysadmins that can be bothered to report zombies to ISPs). Soon they'll discover that the old method yielded a better ratio of success/casualties.
The proper links contain I think I may need to get the A5 Nerve Checked, the limbic system seems to be in a perpetual stroke but the medication is still present. I can't use love/lust/sex to calm down though since I can't maintain a relationship. House, MD is classic http://en.wikipedia.org/wiki/Hans_Asperger Aspergeric, but there's no differentiation in the APA's bible. I am my own fucking doctor, thankyou unless denied perjury.
Here. I admit. I'm part of the so-called "whitehat guys" who profit from stoping the botnets. But since I have no ethics or morals, I dont really stop them, I just give them kickbacks to make it look like I'm stopping them.
...
Don't try to squirm out of your responsibility by casting aspersions or weaseling. If any part of your so-called clean up involves letting clients continue to run MS Windows, the you *are* effectively helping to spread the botnets you claim to be cleaning up.
Responsible employers don't let staff install MS crap on a server or anything else plugged into the LAN or Wifi.
Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.
Something that always evolves
Now, how the hell do you punctuate that?
How many more years will slashdot have an off-by-one error on your Score in your profile?
Behavioral and statistical analysis has been coupled with Intrusion Detection Systems (IDS) do exist. They are known as Anomaly-Based IDS. What I described is a Signature-Based IDS, which is much more common than the Anomaly-Based type. I suspect the reason for the prevalence of Signature-Based is they are easier to design, and require much fewer resources.
In my personal experience, Signature-Based Prevention systems are quite effective against this type of attack. Which is why I pointed it out in the first place. If you have a failed SSH login signature, which hits a certain threshold, that is certainly suspicious behavior. I think it is a moot point to even check whether the userid is in the passwd file. Because, from my point of view, there is no difference between an attacker failing a login from an invalid userid or a login as root, backup, or user666 for that matter. Any way you look at the situation, it is still an attack, and one that can be dropped.
/^([Ss]ame [Bb]at (time, |channel.)){2}$/
I've tested some portknocking tools and if you want a somewhat secure server i'd say that portknocking is the way to go.
If you don't want portknocking there are several program such as denyhosts that looks thru your logs and add hosts that fail to login X number of times to the /etc/hosts.deny.
Neat thing with denyhosts is that you can tweak it as you see fit. And that there is a global list of IP's that are known for being bruteforcing hosts.
If you want a totaly secure server, you pull the ethernet cable. ;)
Otherwise, Read The Fine Manual and learn some
It might be worth blocking ALL of eastern europe/russia/china/asia for ALL ports, but port 80 if you run a webserver.
I doubt you have friends there or that you will go there your self.
Are there any easy to use IP generators/lists based on geo that can output it for any purpose?
Liberty freedom are no1, not dicks in suits.
The filter I propose isn't based on "submitted userid == any valid userid" but "submitted userid (is X% similar to) any valid userid". X would be a tunable value. In spam email filters, this usually works out to "if incoming email (is less than 20% similar to) previously accepted emails" or some such. It turns out that spam emails, even if containing dictionary words, still don't resemble human communications when bayesian statistics are applied to it.
Since the attacker doesn't know what userids are valid, the chance of any guessed userid being more than a few percentage points similar to a valid userid is vanishingly small.
Try it - pick a thousand "valid userids" out of the dictionary. Now pick a thousand more, omitting variations like "library - librarian". How many attempts will have more than a few characters in (almost) the same position and (almost) the same order as the "valid userids"?
The reason to use the userid list is because it is invisible to the attacker. The only result the attacker sees is suddenly one of the bots is blocked from the target host. No reason why, and no indication which of the last 20 or 100 or so userid attempts were "way off" and thus contributed to the decision to block.
A valid login attempt with a typo in the userid will be right in all but 1 or 2 characters nearly all the time. The bruteforce attacker will be wrong by more than 1 or 2 characters nearly all the time. Statistically, that's significant.
Since the block doesn't happen because of a single match or failure to match the list, the attacker learns nothing. The attacker doesn't even know the bayesian testing is occurring, thus the attacker would have no knowledge of which its attempted userids was valid or close to valid. It doesn't matter even if the attacker knows this filter is in place. Blocking the entire botnet will be a function:
Block = (v/b)*p
Where v == count of valid userids
b == count of hosts in the botnet,
p == average number of attempts required to guess a password.
B == point at which entire botnet is blocked.
With strong 8 character userids and passwords, the botnet would require billions of hosts in order to breech the system before being blocked.
Pavlov wouldn't be so famous if he'd used a can opener instead of a bell.
Worlds #1 assassin, working for the worst guys, ie govts, suddenly has his personal on the side self defense course website/server hacked.
He gets mad, finds some funny geeks (pick some actors, seth green). Then he goes out on a wild journey, finding the spam guys in far out counties, taking them out ala Bourne style.
Mix geeks and have the assassin be angelina or someone hot with a gun.
Liberty freedom are no1, not dicks in suits.
distributed defense.
Denyhosts. ( http://www.denyhosts.net/ ).
It works.