The Slow Bruteforce Botnet(s) May Be Learning

badger.foo writes "We've seen stories about the slow bruteforcers — we've discussed it here — and based on the data, my colleague Egil Möller was the first to suggest that since we know the attempts are coordinated, it is not too far-fetched to assume that the controlling system measures the rates of success for each of the chosen targets and allocates resources accordingly. (The probes of my systems have slowed in the last month.) If Egil's assumption is right, we are seeing the bad guys adapting. And they're avoiding OpenBSD machines." For fans of raw data, here are all the log entries (3MB) that badger.foo has collected since noticing the slow bruteforce attacks.

Solution: Public Key Auth

[slifox]

The obvious solution is to use public/private key authentication and disallow password logins.

This is much safer anyways, since your private key and your passphrase stays on your local machine always, so even if the server is compromised and the SSHd is bugged, no one will have immediate access to your login token.

Re:Solution: Public Key Auth

[Hojima]

The other solution is to use asshole seeking missiles on the botnets. Of course it would probably end up leading astray from the pricks with the checklist that always responds to peoples' solutions to spam.

Re:Solution: Public Key Auth

That wont work and Ill tell you why:

1)Those launching the missiles also have assholes.
2)Knives would be funner
3)Barney sucks
4)People like checklists

Re:Solution: Public Key Auth

[arbiter1]

Another idea, is change the port SSH uses to some a random high number, that will kill off most of them also.

Re:Solution: Public Key Auth

[FugitiveMind]

Since changing my SSH ports to something really high (above 50000), I have had exactly *zero* failed password attempts in the last 14 months.

I know the plural of 'anecdote' is not 'data', but this is the case across *all* my servers.

Re:Solution: Public Key Auth

[HeronBlademaster]

I didn't change my ssh port to something that high, but I changed it to something above 1024, and the botnet attacks have stopped, so you can add my anecdote to yours...

Re:Solution: Public Key Auth

[techno-vampire]

It really makes me wonder where they're getting them.

One way to get them is to set up some sort of site that logically requires you to log in, let it become popular, then harvest the password file and use it in your attacks. Be sure to make the site geeky, though, to get good passwords and give it an attention-getting name. Something like "Slashdot."

Re:Solution: Public Key Auth

[chaim79]

Yah but two anecdote's don't make a parable... right?

Re:Solution: Public Key Auth

[ion.simon.c]

You seem to be a chatbot. I'm not sure how you got onto slashdot, but welcome!

Re:Solution: Public Key Auth

[X0563511]

This is all simply because they don't need to bother looking for you, there are plenty of others on 22. As well, if you know enough to change the port, you probably are resistant to brute-force attacks.

In short, you are not the intended target anyways.

Now, if everyone started doing it, they would do what they needed to hit the low-hanging-fruit again. Once again - you are not the intended target.

Botnet solution

Bots were knocking on my door to the point I was worry about performance degradation. I know there are many ways to defeat these but here was my solution.

In hosts.deny
-----------------
sshd:ALL EXCEPT /var/www/html/allow.txt
-----------------

Create a simple cgi-script (password protected and accessed via secret random url) that writes your browser IP address to the allow.txt file and all those nasty botnets and go to hell.

Next Slashdot headlines...

• The Slow Bruteforce Botnet(s) may be learning
• The Slow Bruteforce Botnet(s) are learning at an exponential rate
• The Slow^H^H^H^HFast Bruteforce Botnet(s) become self-aware at 2:19 AM, August 29
• Botnet masters try to pull plug, botnets fight back with DDoSur8ghgw43899 NO CARRIER

Economics

[jimpop]

Don't forget about the economies surrounding botnets. There are two sides, those that profit from the botnets (the operators), and those that profit fighting the botnets (the fighters). Additionally, there are those that profit from providing botnet remedial "solutions" whilst not being in either of the primary (operator or fighter) categories. If botnets ceased to exist, there would be a *lot* more lost on the fighter and solution side than on the operator side. So... like SPAM, this raises the question of just who actually benefits the most from botnet existing.

Re:Economics

[Opportunist]

As someone being in the latter group (to avoid confusion, the ones fighting them), yes, we make some money fighting that crap. Looking at the money being made on the other side, some are already wondering why we stay here.

We stay on this side because we (well, most of us) hate botnets. Most people I met at various conventions and meets are somewhere between zealous, fanatic or outright crazy, but generally see the money as some sort of pleasant side effect.

Believe me one thing: We know we cannot fight it, we know it's almost impossible to track them down and we know how it works. If we were in it for the money, we'd switch sides before you're done reinstalling your system. There's about ten times the money to be gained on the dark side.

Conservatively estimating, that is.

If spam and botnets ceased to exist overnight, we'd gladly return to more interesting and maybe also more profitable professions. Most of us are network experts. Some know more about the way Windows works on the "inside" than most people at MS. And if everything fails, we could actually maybe even create a copy protection system that is hard enough to break that nobody would willingly do it (after all, we spend a good deal of our time with disassembly). Do you really think that any of the (good) spam and botnet fighters would have a hard time finding a "honest" job that maybe even paid better than this?

I could enjoy having a life again, instead of this sorta permanent on-call duty. Again, no christmas for me, because yes, this is one of the hottest times of the year (many people at home, many new computers needing infections, so many new opportunities for botherders...). I would also prefer to create something, like some new software to make people happy or more productive, instead of poking at malware and trying to find a sensible way to detect it. It's not really good for your ego if your product is seen as the necessary evil that steals valuable computer time instead of something that people actually want to have.

Thanks for hearing out the rant. Now we're back to your scheduled program.

Re:Economics

[Opportunist]

I'd recommend not connecting it to any network and not installing any software if he wants the machine to be secure.

Snideness aside, yes, you can get Windows to a sensible, workable security level. Not 100%, but nothing is 100% secure. Even Raid6 systems have been seen blowing up, and even the tightest security has its cracks.

IT security is by definition the minimum of the system's capabilities and the administrator's capabilities. Not an average thereof, but the minimum of both. You can have the most secure system in the world and some stupid admin can f..k up its security beyond repair (provided it's somehow connected to the outside world). Likewise, you can be the absolute guru of computer security, you cannot secure an inherently insecure system.

Therefore just saying "use $OS and you're safe" is a dangerous misconception. No system is inherently secure, it also depends on its administrator.

You have to understand that most threats are tailored for the Windows platform, simply because it offers the largest target being the most widely used. Since all Windows machines are also mostly alike when it comes to their software makeup since critical networking programs like webbrowser or email client are part of the package, you have a fair lot of standard targets. You can be certain that a Windows installation has IE installed. Why? Because it's certainly installed in the installation routine and cannot be completely removed. Linux is much more modular and you cannot simply assume a certain browser, a certain mail client or even a certain editor being installed. This offers a much smaller target.

But still a Windows machine can be secured to sensible levels. First, put a router in front of it so no direct connection can be made to the machine from the internet. This pretty much eliminates most RPC based attacks (you might remember the worm craze of a few years ago. They're still there. There are still infected machines blasting into the internet and few providers filter that crap). Never connect a Windows machine directly to the internet. I made an experiment recently, the lifetime of a clean Windows XP SP1 machine directly connected to the net is less than one minute. Yes, I'm aware that SP1 is a bit dated, but most people got SP1 on their install CD and they usually don't know how to create one that contains the latest patches. Often, reinstalling the system only builds a new home for their problems.

So, make sure you install all critical patches before you connect the machine to the net. The Service Packs can now be downloaded and stored locally, I do highly recommend doing that. USB sticks are cheap and a quite useful tool for storing them.

Next, get an alternative browser. IE is the most attacked browser today. And with the growing market share of Firefox it became a target, too. Opera looks ok so far, at least most iframe drive by attacks don't care about it yet. This may change, though. For now, Opera would be it. Not because it's better or safer, but simply because it has a low enough market share to be off the radar of attackers.

An alternative mail client is the next thing you need. It should not be able to process HTML mails (because most mail clients that do use the engine of the IE, do the math). It has to show extensions of attachments, and it should, if possible, disable direct execution of executable files from attachments. Funny enough, the older the mail client the better, since most of the times this means fewer features that can get into the way of security. Just make sure there are no known bugs. Again, the less mainstream the client is, the better.

If you really, really have to use instant messaging, again, don't use the normal IM clients. Same reason, they're main targets for attackers. Use alternative clients, preferable with a low market share. As a beneficial side effect, they often also enable you to bundle more than one service.

An antivirus toolkit. Yes, I know, many people here don't think too highly of them, and yes, they cannot

Re:How do the botnets know it's OpenBSD?

[Sycraft-fu]

You can infer a lot about the OS from the way it crafts it's packets. Nmap does a rather good job with host identification. I don't know all the things it does, but more or less it's a case of "Find an open port, send is various kinds of packets, see how it reacts."

Re:AI

[Fluffeh]

Because computers are widely known for their common sense?

It's like saying to a robot "Can you watch this lamb in the oven?" and they do. They bloody watch it burning for three hours.

Ahh thank you Red Dwarf, even historically, you were so accurate of the future...

This is not a game changing tactic.

[dweller_below]

I do computer and network security for a university.

This distributed SSH password guessing is not a new tactic. We have seen and tracked this tactic off and on for over a year.

If this tactic was a game changer, we would have seen it ramp up before now. It would occur all the time. But it doesn't. It only seems to occur during holidays.

At it's heart, this tactic is not any more effective than non-distributed password guessing. Either way, the attacker has to enumerate the same number of guesses before finding a hit. If a machine is vulnerable, it will be successfully attacked by either approach to password guessing. If it is not vulnerable, neither approach will work.

Modern hacking is a economic activity. It must balance risk and reward. This attack doesn't offer any more reward than conventional password guessing. It's main feature is to try to change the risk side of the equation.

Conventional SSH password guessing is noisy. One machine will portscan for TCP/22. Then it rapidly guesses passwords against everything that responds. That one machine is usually lost to the attacker. Automated defense systems block it. Also, defenders report it to the owning ISP. The only way this works for the attacker is if he can harvest more that he loses.

The distributed guessing attack is also noisy, but in a different way. Currently, we see the attacker start by sacrificing 1 computer to do a TCP/22 portscan. At this point, he has already risked as much as a conventional password guessing attack. Then he feeds the results to a bunch of bots. Each bot then takes turns guessing passwords. Each bot guesses 1 password at a time. However, each bot guesses against multiple SSH servers at the same time.

This attack is inherently more risky that conventional password guessing. The attacker exposes many of his computers. If we can detect and respond, this attack is not as cost effective as conventional password guessing.

It is easy for my university to detect and respond to these attacks. We detect it in three different ways.
1) Each attacker has a distinctive network behavior pattern. We can automate detection by looking at aggregate Cisco netflow data.
2) It is trivial to pick off this attack using a SSH honeypot.
3) We use a network visualization tool to watch aggregate SSH activity. This password guessing is obvious on our visualization tool.

Once we have detected the attackers, we respond to them in the normal way. We block them. We inform our peer institutions and the authorities. We inform the owning ISP.

The main difference in this situation is that detection and response is easy if you have access to aggregate traffic or multiple SSH servers. It is difficult if you only manage 1 SSH server.

I don't expect this form of attack to last much longer. I am sure that everybody else is adapting. Once the defenders adapt, this tactic is too expensive to be used.

Miles

Re:This is not a game changing tactic.

[dweller_below]

We like our visualizers. Our router guy has created 2. They are both GPL. We use them every day. I suppose you could consider them late Beta.

The IPVisualizer:
https://it.wiki.usu.edu/IPVisualizer
gives us a real-time overview of our entire IP address space. It is particularly good for revealing reconnaissance attacks.

The Organic IP Visualizer:
https://it.wiki.usu.edu/OIP
provides a focused view of the activity of a subset of our network.

Miles