Slashdot Mirror


More Than 40% of Global Log-in Attempts Are Malicious (infosecurity-magazine.com)

More than 40% of global log-in attempts are malicious thanks to bot-driven credential stuffing attacks, according to the latest report from Akamai. From a report: The cloud delivery provider's latest State of the Internet/Security report for Q4 2017 comprised analysis from over 7.3 trillion bot requests per month. It claimed that such requests account for over 30% of all web traffic across its platform per day, excluding video streaming. However, malicious activity has seen a sharp increase, as cyber-criminals look to switch botnets from DDoS attacks to using stolen credentials to try to access online accounts. Of the 17 billion login requests Akamai tracked in November and December, over two-fifths (43%) were used for credential abuse. The figure rose to a staggering 82% for the hospitality industry.

61 comments

  1. I'm sorry by Anonymous Coward · · Score: 3, Funny

    I keep losing my post-it notes.

    1. Re:I'm sorry by Anonymous Coward · · Score: 0

      There are plenty of progs like lastpass that have been around for YEARS that can help you out.

    2. Re:I'm sorry by Anonymous Coward · · Score: 0

      Any idea where I can get an APK of that? Your link sure doesn't have it, and I refuse to use the android app store.
       
      Also, these figures don't paint the full picture. One brute force attack can account for multiple lifetime logins for a single application. We should be measuring by frequency of attack, per application - or find another metric that tells a more wholesome story.

    3. Re:I'm sorry by mark-t · · Score: 1

      There's nothing wrong with using post-it notes or a journal to remember passwords that appears entirely human readable, but one should write down all passwords using a code that they invent themselves. There are practically unlimited variations on the kinds of codes that can be employed, and so while a code may be extremely easy to remember, it can still be virtually impossible for anyone to actually guess simply because of the size of the space of possible code combinations (don't believe me? try and enumerate them). In practice, it is not significantly different than brute-forcing a password from scratch. It is probably cheaper and easier to use the $5 wrench method of password discovery.

      This mechanism of hiding passwords in plain sight is, IME, 100% foolproof.

    4. Re:I'm sorry by DontBeAMoran · · Score: 2

      Post-it notes cannot be hacked via the internet.

      --
      #DeleteFacebook
    5. Re:I'm sorry by Anonymous Coward · · Score: 0

      ...not yet

  2. Misleading by Anonymous Coward · · Score: 1

    These figures don't paint the full picture. One brute force attack can account for multiple lifetime logins for a single application. We should be measuring by frequency of attack, per application - or find another metric that tells a more wholesome story.

    1. Re:Misleading by HexaByte · · Score: 1

      This is why I love the Cloud so much! Let's put everything in the Cloud, and nothing in safe private networks behind good firewalls.

      --
      HexaByte - he's a square and a half!
  3. 99% on my vm by imidan · · Score: 4, Informative

    I have a VM with a hosting service where I run Ubuntu to host some things like svn and other small services. According to the ssh logs, where bots are trying to log in constantly, and the apache logs, where bots are constantly trying to access admin pages for services I don't run, I'd say that more than 99% of login attempts are malicious on that host. That's without advertising the IP or hostname anywhere; the bots just found it over time. I do run fail2ban, so they eventually get blocked, but there's an endless supply of them.

    1. Re:99% on my vm by Anonymous Coward · · Score: 1

      Just set it so a failed login blocks additional logins from that IP for 30 seconds.

    2. Re:99% on my vm by Anonymous Coward · · Score: 0

      I have almost exactly the same going. A VM, nothing published, I use it for my own personal use. I do the same with fail2ban and it's just endless, there is no stopping or even slowing them down.

      But when looking at it this way, the only legit login to my personal VM is me, so 99.999999% of all login attempts are malicious to me. I can see where globally more than 40% are malicious for most other servers.

    3. Re:99% on my vm by OrangeTide · · Score: 1

      I got sick of the spam in my ssh and http logs and also installed fail2ban. It doesn't totally make the problem go away, but it did cut way down on my log file growth rate. I also found increasing the duration of the ban and lowering the number of failed attempts helps, and using a white list for known system admins.

      The servers that I have on Comcast IP block get hit harder than the ones I have on Hurricane Electric (co-location business), so it seems likely that these bots/zombies are scanning some ranges of IPs more frequently.

      The login attempts I see on my systems aren't even close to what is needed to get in. So in a way I'm saving these

      PS - I used to TARPIT or DROP them, but now I REJECT. TARPIT is too mean, and DROP tends to attract more probing or at least more retry attempts.

      --
      “Common sense is not so common.” — Voltaire
    4. Re:99% on my vm by rickb928 · · Score: 1

      Same problem. My mail server sees over 99% of logins as malicious, and fail2ban is very busy. Some of the credentials move from IP to IP within milliseconds, not simultaneous attacks, but sequential from one host to another. My web server logs 8 WordPress login attempts per hour from a specific country, changing every few days. They are fairly clever with the credential tries, but I use a surprising admin login name which I thought would be discreetly obvious, and so far not. General web server attacks are easily 99% of hits.

      There was once a statistic kept by some security outfit measuring how long an unprotected Linux host could survive on the Internet without being compromised, and I last remember it being 9 seconds. I suspect today that number is dependent more on the host's performance in running the exploits than it is how long it takes to whack on the IP address. Somewhere something is attacking your IP, right now, whether you know it or not, either directly or being handled at the gateway/router/firewall point. All the time. Every day.

      They ought to be called out and dealt with, but true IP bans would render some countries without service.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    5. Re:99% on my vm by Anonymous Coward · · Score: 0

      ...99.999999% of all login attempts are malicious...

      100,000,000 attempts? Were you getting brute forced?

    6. Re:99% on my vm by eth1 · · Score: 1

      Well, any personal use device is going to have a small number of legitimate logins, so of course it will be utterly swamped by malicious ones in comparison. I see the same thing, but I don't allow passwords for SSH (must have RSA key), and my firewall limits things down to the few places I normally log in from. Everything else is tunneled over SSH.

    7. Re:99% on my vm by Anonymous Coward · · Score: 0

      Fail2ban's great, but it doesn't help when a botnet decides to try your server from thousands of hosts (slowly, so as not to cause a load increase). If you know no one's ever going to log in from overseas, you're best off blocking all of the region IPs permanently. You'll still get occasional infected hosts in your country connecting unless you whitelist only your own machines.

    8. Re:99% on my vm by Frederic54 · · Score: 1

      Same thing at home on my Tomato router... even if I change the SSH port to some random number, quickly there are dozens of tries per day, from bots; strangely enough, almost all the IP addresses come from the USA.

      --
      "Science will win because it works." - Stephen Hawking
    9. Re:99% on my vm by imidan · · Score: 1

      I used to have a fail2ban config that would block IPs based on their requesting certain things over http... phpmyadmin, wordpress, a few other things. I had a hard drive failure and lost that stuff, and I haven't yet bothered to rebuild. Since I don't run any of those items, there doesn't seem to be a great risk in ignoring the requests, although it does pollute the logs.

    10. Re:99% on my vm by imidan · · Score: 1

      I should probably change to key authentication for ssh, because although I travel a fair amount, I'm typically using my own laptop to connect. I've resisted whitelisting because of travel. I guess another option would be to get a VPN service and then whitelist my home IPs and the VPN, and just always use the VPN while traveling.

    11. Re:99% on my vm by edtice1559 · · Score: 1

      The rate of malicious logins is likely a constant, so the ratio is entirely affected by the rate of real logins. Popular services with a lot of real logins have lower ratios. But every IP is probably seeing a constant stream.

    12. Re: 99% on my vm by jabuzz · · Score: 1

      I run login nodes for an HPC system at work and it is just like my personal servers frankly. Fail2ban cuts it down a lot, but I now rate limit the number of new SSH connections from an IP address at the firewall.

    13. Re:99% on my vm by Anonymous Coward · · Score: 0

      I had this friend long ago, who would complain to me about all the stuff wrong with her computer. Pop ups, toolbar things, you name it. She was infected by pretty much everything possible. Then one time something just took out the computer to where it wouldn't boot anymore. She had me over there to do a reinstall of Windows XP so she could get back to action. Well this person also didn't use a router, instead plugging her computer directly into the ISP modem. Long story short, I could install XP on it, without network connected, but the PC had a strange hw issue. The network card worked on fresh install, but USB didn't work at all without getting an update from windows update. A USB driver that I couldn't find a download of either. The PC would be hijacked within seconds of getting an IP from the modem. I had to bring her entire pc to my house to do the install there, behind the 'safety' of a router.

    14. Re: 99% on my vm by Anonymous Coward · · Score: 0

      Change ports if you can! That will bring it to zero. I talk by experience.

  4. Well, duh... by bradley13 · · Score: 4, Informative

    Create a new AWS account, and create a new AWS instance. Allow normal login (not just SSH), and don't do any sort of IP restriction. Watch your logs. Your instance will be noticed very quickly, and will be flooded by bots attempting to brute-force a login. FWIW, the bots are all from Eastern Europe and Asia, or at least they were the last time I tried this (a few years ago). It's pretty crazy.

    I don't know about other cloud services, but I wonder about AWS policies. You can set a warning when your monthly spend exceeds a threshold, but you cannot actually set a hard spending limit. This means that, if someone manages to hack into one of your servers (or, better, into your account), they can use as many resources as they want, until you notice and stop them. If you don't notice, they can run up massive bills, which AWS will want you to pay. Seems like a good racket, no wonder those bots are lurking...

    --
    Enjoy life! This is not a dress rehearsal.
    1. Re:Well, duh... by Anonymous Coward · · Score: 0

      Allow normal login...

      Yeah, and use as password root, admin or 123456. Don't even consider using certificates!

      Test it yourself: leave a $100 bill at the busy street bus stop on Saturday night. It's crazy, it disappears within minutes!

    2. Re:Well, duh... by Anonymous Coward · · Score: 0

      AWS usually forgives such instances though, at least the first couple of times.

    3. Re:Well, duh... by rickb928 · · Score: 1

      Pretty much Eastern Europe, Poland has been hitting me lately, but I'm sure these are compromised or rented hosts. Asian hosts are so bad I've got permabans on most of the .cn allocations, since I have virtually no legitimate China demand. EU hosts are random. US hosts are surprisingly infrequent, and the rest of the world seems to not even try much, 2% maybe.

      I once permabanned .ru, .by, .cz, .ee, .ht, .mk, .pl, .rs, .si, .sk, and .ua. I turn these off occasionally to see what is actively obnoxious and update if needed.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  5. That high? by Obfuscant · · Score: 4, Interesting

    I should send these guys my log files. I'm sitting here watching a site in China trying to ssh connect to just one of mine every few minutes, even though it has always gotten a connection refused response. I have other sites where the logs are almost nothing but failed login attempts from the same site, with an hourly DHCP lease renewal thrown in just to break the monotony.

    I'd say more like 99% of attempts are malicious.

    1. Re:That high? by rickb928 · · Score: 1

      Yup. I wrote a script to spot those slow attackers trying to stay under the threshold and hit me every 30 seconds or so. Some did it for months, 24x7. Sort of like the old war dialers, trying not to trigger a response.

      These are annoying, but also predictably using dictionary and alphabetic attacks. I'm not worried, of these attackers, 1% ever guess a nonobvious login name, much less password, and I've toyed with fiddling with scripts and trying to encourage attacks on nonexistent credentials just to keep them off track, but trying to outguess these guys is risky.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
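
The "slow attacker" script rickb928 describes above, and the fail2ban threshold tuning OrangeTide and the botnet reply mention, come down to one detection question: which sources rack up many failures over a long period while never exceeding a jail's maxretry within its findtime. The block below is an added example, not rickb928's script or fail2ban code; it parses constructed OpenSSH auth.log lines (timestamps get an assumed year, since syslog omits it) and flags low-and-slow sources alongside the bursts a default jail already catches.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (OpenSSH/syslog format); no real hosts.
# 203.0.113.5 tries once every ~3 minutes, 198.51.100.7 bursts, and 192.0.2.9
# is a legitimate user who mistypes once and then logs in with a key.
SAMPLE_LOG = """\
Mar 21 02:00:05 vm sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 21 02:03:10 vm sshd[2110]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar 21 02:06:12 vm sshd[2118]: Failed password for invalid user test from 203.0.113.5 port 40141 ssh2
Mar 21 02:09:30 vm sshd[2125]: Failed password for invalid user oracle from 203.0.113.5 port 40150 ssh2
Mar 21 02:12:44 vm sshd[2131]: Failed password for root from 203.0.113.5 port 40166 ssh2
Mar 21 02:15:50 vm sshd[2140]: Failed password for invalid user pi from 203.0.113.5 port 40170 ssh2
Mar 21 02:00:07 vm sshd[2102]: Failed password for root from 198.51.100.7 port 51000 ssh2
Mar 21 02:00:08 vm sshd[2103]: Failed password for root from 198.51.100.7 port 51001 ssh2
Mar 21 02:00:09 vm sshd[2104]: Failed password for root from 198.51.100.7 port 51002 ssh2
Mar 21 02:00:10 vm sshd[2105]: Failed password for root from 198.51.100.7 port 51003 ssh2
Mar 21 02:00:11 vm sshd[2106]: Failed password for root from 198.51.100.7 port 51004 ssh2
Mar 21 08:30:00 vm sshd[3001]: Failed password for alice from 192.0.2.9 port 60000 ssh2
Mar 21 08:30:20 vm sshd[3002]: Accepted publickey for alice from 192.0.2.9 port 60000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2018):
    """Return (timestamp, ip, user) per failed-password line.

    Syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def peak_in_window(times, window_s):
    """Largest number of events inside any span of window_s seconds.

    This is the findtime/maxretry view a fail2ban jail has: a source whose
    peak stays below maxretry is never banned by that jail.
    """
    times = sorted(times)
    peak, j = 0, 0
    for i in range(len(times)):
        while j < len(times) and (times[j] - times[i]).total_seconds() <= window_s:
            j += 1
        peak = max(peak, j - i)
    return peak


def classify_sources(events, maxretry=5, findtime=600, slow_threshold=6):
    """Per source IP: total failures, peak inside findtime, whether a
    maxretry/findtime jail would ban it, and whether it is low-and-slow
    (many failures overall, never enough at once to trip the jail)."""
    per_ip = defaultdict(list)
    for ts, ip, _user in events:
        per_ip[ip].append(ts)
    report = {}
    for ip, times in per_ip.items():
        peak = peak_in_window(times, findtime)
        report[ip] = {
            "total": len(times),
            "peak": peak,
            "banned_by_jail": peak >= maxretry,
            "slow_attacker": len(times) >= slow_threshold and peak < maxretry,
        }
    return report


if __name__ == "__main__":
    for ip, info in classify_sources(parse_failures(SAMPLE_LOG)).items():
        print(ip, info)
```

Feeding a real auth.log through parse_failures over a day or more, and lowering maxretry or raising findtime until the slow sources' peak crosses the threshold, shows directly what the threshold tuning in the comments buys you.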
    2. Re:That high? by Anonymous Coward · · Score: 0

      As a first line of filtering I outright block China, Russia and a smattering of others using a process similar to this:

      https://neverendingsecurity.wordpress.com/2015/04/13/iptables-blacklist-script/

      I then have fail2ban layered on top.

      My iptables log is full of connections that are dropped, with fail2ban catching most of the rest...

      My other logs are kinda sorta mostly clean at night... Mostly...

  6. Seems unlikely by Presence+Eternal · · Score: 1

    I don't know how the number could possibly be that low. A bot can iterate through many accounts per second. Oh, sure, timeouts, but any competent bot must surely try to log into many different places while waiting for timers to count down on the ones it has already tried.

    1. Re:Seems unlikely by Aighearach · · Score: 1

      In that situation it is actually very, very hard to hold as many idle connections as you could create. Even if you build a custom Linux kernel to handle that many, it won't be reliable. Intermediate routers will also turn out to have per-host cache tables, and they'll start silently dropping your connections if you have that many.

      In reality I can just look at my logs and see the pattern; each IP only does a few tries per minute, and usually appears to be part of a cluster of IPs that schedule attempts together.

      Excess attempts get the IP firewalled rather quickly using a wide variety of automated tools. Rather few of the attackers actually get IP-banned this way, though. Check that log, too! Instead, they try to stay just under the limits. In the past that was different. ~2000 it was more normal to see a big blast from a single IP until it got banned, and then a rotation to a new IP. Black hats take better care of their zombies these days.

    2. Re:Seems unlikely by Anonymous Coward · · Score: 0

      Roughly 40% of my attempts to enter your anus with my donger fail. I don't know if it's because I have a massive member, or it's because you have a tight virgin poophole. I'm guessing it's the first. Your ass is as loose as a clown's pocket.

  7. Grow up you obsessed loon... apk by Anonymous Coward · · Score: 0

    See subject & I see you're still butthurt I cornered you for your bs lie you can't backup https://it.slashdot.org/comments.pl?sid=11776765&cid=56174209/ & now you're attempting to impersonate me too you obsessed lunatic!

    * I loved how you had to EVADE backing up your bullshit that "2 billion people depend on your 'work'" bullshit & your "work" is trolling (no, they do NOT depend on your trolling as it's not an actual useful program like mine that even /.ers use & like)!

    HOWEVER, I must admit - I truly DO depend on YOU - how? I depend on YOU to always make ME look GOOD & yourself like the lying bullshitter you proved you are, lol!

    APK

    P.S.=> GROW UP... apk

  8. Believable... by rnturn · · Score: 2

    I see all sort of attempts to login through my firewall---even attempts via telnet, of all things.

    --
    CUR ALLOC 20195.....5804M
    1. Re:Believable... by Anonymous Coward · · Score: 0

      What tools can you use to tell? My firewall/router doesn't list attempts. :(

  9. Distinct Or Not by Anonymous Coward · · Score: 1

    Typically a user will make 1-3 login attempts per log in (>1 only if they have trouble typing), whereas malicious login attempts would be much greater when trying to brute force / use password lists. So is this 40% distinct IP attempts? If not, I would expect a much higher percentage.

  10. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  11. Use nonstandard ports, tada! by i_ate_god · · Score: 1

    I turned on all email notifications for fail2ban and I was receiving some 3 to 4000 emails a day.

    Then I moved my imap, smtp, and ssh servers over to non-standard ports, and I receive maybe an email a week from fail2ban.

    --
    I'm god, but it's a bit of a drag really...
    1. Re:Use nonstandard ports, tada! by Anonymous Coward · · Score: 0

      Don't those ports require being listed in your mx records, though? I guess this might filter out most of the noise.

    2. Re: Use nonstandard ports, tada! by jabuzz · · Score: 1

      I moved SSH to a non-standard port; it made no fricking difference.

    3. Re:Use nonstandard ports, tada! by Anonymous Coward · · Score: 0

      Moving your smtp to a different port? That is roughly as good as turning it off altogether.

  12. I have two issues with this ... by Anonymous Coward · · Score: 1

    Of the 17 billion login requests Akamai tracked in November and December, over two-fifths (43%) were used for credential abuse.

    And who the fuck gave Akamai permission to track this? The users sure as hell didn't -- which is why the Akamai stuff is on my blocklists in my browsers.

    And 40%? That sounds like an incredibly low number, since by now the only reasonable conclusion is the interwebs are populated with millions of assholes all trying to break into things.

    The hackers you can't really stop, but the entire business model of analytics companies should be made illegal by having real functioning privacy laws which say "no, we don't give a fuck about your business model, tracking people isn't something we're going to accept".

    You might get that someplace sane, but the US will never do that -- passing laws which curtail the assholes who run corporations would be an unforgivable sin in the oligarchy.

  13. The Internet is like the environment by Big+Bipper · · Score: 1

    We walk around all day in an environment filled with various organisms and diseases that are all trying to feed on us. That's why we have skin (think firewall), and an immune system, as well as other defenses. All computing systems should be built such that they could survive and do their jobs safely while directly connected to the Internet. Even though we put them behind firewalls, we should understand that it's a jungle out there. Build them to trust only themselves, and then have a backup defense.

    --
    You live and learn, or you don't learn much.
    1. Re:The Internet is like the environment by Dutch+Gun · · Score: 2

      Obligatory XKCD. I think Steve Gibson called this "Internet background radiation," which always seemed like a fairly good way to describe the constant noise of scanners and probes that anyone can see attacking *every* system on the net, non-stop.

      --
      Irony: Agile development has too much inertia to be abandoned now.
  14. APK is an obsessed loon by Anonymous Coward · · Score: 0

    Is there anyone on /. that APK doesn't start a war with? What a fucking tool.

    The guy has a lot of energy, I wish he'd spend it on something constructive instead of being crazy.

    ZIP

    1. Re:APK is an obsessed loon by Anonymous Coward · · Score: 0

      You always start trouble with him. It's evident in the link he posted. He does a constructive program. His attackers are webmasters losing google ad money I suspect.

    2. Re:APK is an obsessed loon by Anonymous Coward · · Score: 0

      so far the only person he's not tried to start a war with is himself.

    3. Re:APK is an obsessed loon by Anonymous Coward · · Score: 0

      Apk doesn't start wars with you unidentifiable anonymous trolls. You do. He finishes them and you too https://it.slashdot.org/comments.pl?sid=11776765&cid=56174209/

  15. got it wrong by arsenix · · Score: 1

    I think this headline should have been:

    "Only 40% of Global Log-in Attempts Are Malicious"

    --
    (this is offended to the end of comments you post, 120 chars)
  16. Restrict SSH by IP by bradley13 · · Score: 2

    If you want some peace (and peace of mind), restrict SSH logins by IP range. Even if your address is dynamic, your ISP only has a certain range of addresses. Find out what that range is, and set your server to only accept login attempts from those addresses. With AWS, this is part of the security setting outside the VM. Your hosting service may differ, of course...

    --
    Enjoy life! This is not a dress rehearsal.
  17. APK is an AC obsessed loon by Anonymous Coward · · Score: 0

    Is there any time on /. that APK doesn't post as Anonymous Coward to feign support for himself? What a fucking loser.

    That guy has such a bad personality that no one wants to defend him, I wish he'd take that excess energy and work on improving his personality.

    ZIP

    1. Re:APK is an AC obsessed loon by Anonymous Coward · · Score: 0

      Hypocrite you post anonymous coward and you bitch about it? You start trouble with him here impersonating him also and it's obvious you started with him in the link he posted also where he caught you lying.

  18. Also in the real world non-standard ports work by raymorris · · Score: 2

    Restricting by IP range is a great idea - as long as you'll still have a way in when your ISP suddenly gives you a completely different range.

    Also, in theory, attackers could try all ports, so it doesn't matter which port you use. In the real world, most attackers use the standard ports, so choosing a random port below 1024 greatly reduces the number of attacks. That doesn't work against theoretical attackers, but it works against most real ones.

    1. Re:Also in the real world non-standard ports work by ilsaloving · · Score: 1

      Is port knocking still a thing?

  19. I have data for about 20% of porn sites by raymorris · · Score: 1

    Once upon a time close to 50% of adult sites which had logins used my login system I designed. These days it's probably down to 20% or so, but still a lot of sites. What exactly would you like to know?

    Bottom line is this - sites are attacked all day every day.

  20. It is. Kinda a hassle by raymorris · · Score: 1

    People still use it. It's effective, despite the fact that theory says attackers *could* try combinations of ports. Personally, I don't use it. Non-standard ports get most of the benefit - reduced attack attempts, and either way it still needs to be secure after an attacker connects to the port.