Forgot your password?
typodupeerror
Security IT

The Slow Bruteforce Botnet(s) May Be Learning 327

Posted by kdawson
from the knock-who's-there-knock dept.
badger.foo writes "We've seen stories about the slow bruteforcers — we've discussed it here — and based on the data, my colleague Egil Möller was the first to suggest that since we know the attempts are coordinated, it is not too far-fetched to assume that the controlling system measures the rates of success for each of the chosen targets and allocates resources accordingly. (The probes of my systems have slowed in the last month.) If Egil's assumption is right, we are seeing the bad guys adapting. And they're avoiding OpenBSD machines." For fans of raw data, here are all the log entries (3MB) that badger.foo has collected since noticing the slow bruteforce attacks.
This discussion has been archived. No new comments can be posted.

The Slow Bruteforce Botnet(s) May Be Learning

Comments Filter:
  • by slifox (605302) * on Sunday December 21, 2008 @11:32PM (#26196567)

    The obvious solution is to use public/private key authentication and disallow password logins.

    This is much safer anyways, since your private key and your passphrase stays on your local machine always, so even if the server is compromised and the SSHd is bugged, no one will have immediate access to your login token.

    • by Hojima (1228978) on Sunday December 21, 2008 @11:38PM (#26196613)

      The other solution is to use asshole seeking missiles on the botnets. Of course it would probably end up leading astray from the pricks with the checklist that always responds to peoples' solutions to spam.

      • by Anonymous Coward on Sunday December 21, 2008 @11:42PM (#26196639)

        That wont work and Ill tell you why:

        1)Those launching the missiles also have assholes.
        2)Knives would be funner
        3)Barney sucks
        4)People like checklists

      • by cstdenis (1118589) on Monday December 22, 2008 @03:58PM (#26204385)

        Your post advocates a

        ( ) technical ( ) legislative ( ) market-based (X) vigilante

        approach to fighting botnets. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

        ( ) No one will be able to find the guy or collect the money
        (X) It is defenseless against brute force attacks
        ( ) Microsoft will not put up with it
        (X) The police will not put up with it
        ( ) Requires too much cooperation from botnetters
        ( ) Requires immediate total cooperation from everybody at once
        (X) Anyone could anonymously destroy anyone else

        Specifically, your plan fails to account for

        (X) Laws expressly prohibiting it
        ( ) Lack of centrally controlling authority
        ( ) Open relays in foreign countries
        ( ) Asshats
        (X) Jurisdictional problems
        ( ) Unpopularity of weird new taxes
        ( ) Public reluctance to accept weird new forms of money
        ( ) Willingness of users to install OS patches received by email
        ( ) Armies of worm riddled broadband-connected Windows boxes
        ( ) Eternal arms race involved in all filtering approaches
        ( ) Joe jobs and/or identity theft
        (X) Technically illiterate politicians
        ( ) Extreme stupidity on the part of people who do business with spammers
        ( ) Dishonesty on the part of spammers themselves
        ( ) Bandwidth costs that are unaffected by client filtering

        and the following philosophical objections may also apply:

        (X) Ideas similar to yours are easy to come up with, yet none have ever
        been shown practical
        ( ) Any scheme based on opt-out is unacceptable
        ( ) Blacklists suck
        ( ) Whitelists suck
        ( ) We should be able to talk about Viagra without being censored
        ( ) Countermeasures should not involve wire fraud or credit card fraud
        ( ) Countermeasures should not involve sabotage of public networks
        ( ) Countermeasures must work if phased in gradually
        ( ) Sending email should be free
        ( ) Why should we have to trust you and your servers?
        ( ) Incompatiblity with open source or open source licenses
        (X) Feel-good measures do nothing to solve the problem
        ( ) Temporary/one-time email addresses are cumbersome
        ( ) I don't want the government reading my email
        (X) Killing them that way is not slow and painful enough

        Furthermore, this is what I think about you:

        ( ) Sorry dude, but I don't think it would work.
        (X) This is a stupid idea, and you're a stupid person for suggesting it.
        ( ) Nice try, assh0le! I'm going to find out where you live and burn your
        house down!

    • by arbiter1 (1204146) on Sunday December 21, 2008 @11:44PM (#26196651)

      Another idea, is change the port SSH uses to some a random high number, that will kill off most of them also.

      • Re: (Score:3, Insightful)

        by corsec67 (627446)

        So then brute force attacks would be preceded by an open port check?

        Unless you use some kind of port knocking attempt, that wouldn't solve much of anything for long.

        • by FugitiveMind (1423373) on Sunday December 21, 2008 @11:58PM (#26196749)

          Since changing my SSH ports to something really high (above 50000), I have had exactly *zero* failed password attempts in the last 14 months.

          I know the plural of 'anecdote' is not 'data', but this is the case across *all* my servers.

          • by HeronBlademaster (1079477) <heron@xnapid.com> on Monday December 22, 2008 @12:23AM (#26196883) Homepage

            I didn't change my ssh port to something that high, but I changed it to something above 1024, and the botnet attacks have stopped, so you can add my anecdote to yours...

            • by chaim79 (898507) on Monday December 22, 2008 @01:39AM (#26197259) Homepage
              Yah but two anecdote's don't make a parable... right?
          • by corsec67 (627446) on Monday December 22, 2008 @12:33AM (#26196921) Homepage Journal

            Since changing my SSH ports to something really high (above 50000), I have had exactly *zero* failed password attempts in the last 14 months.

            That means that you haven't been attacked by a portscanning bot yet.
            I don't know that any exist yet, so you would be safe until they do. Really, wouldn't any port other than 22 that isn't used for anything else bots attack work?

          • by slughead (592713)

            Since changing my SSH ports to something really high (above 50000)

            Because they were really going to portscan you anyway. I bet putting at 23 (as opposed to the default) would be almost as effective.

            At a web message board I setup, I used some popular software and was getting a ton of spam bots. So I added a simple "are you a human" question--no captcha or anything, just another checkbox to check... Not 1 single piece of spam. Same principle: the bots aren't that smart--you avoid the norms even by a little, a

            • Well, a counter story...

              I run a website for a small company. It does around $50k in ecommerce sales a year, so not a huge volume site by any means. I had a custom written contact form so that the staff directory page didn't have employee emails listed in the HTML. About a year ago, a couple employees reported getting weird emails, that had jibberish subject lines and bodies. A day or so after that, the hosting provider (pair.com -- highly recommend) blocked access to that page, and alerted me that it had be

            • Re: (Score:3, Interesting)

              by J.Y.Kelly (828209)

              At a web message board I setup, I used some popular software and was getting a ton of spam bots. So I added a simple "are you a human" question--no captcha or anything, just another checkbox to check... Not 1 single piece of spam. Same principle: the bots aren't that smart--you avoid the norms even by a little, and you're okay.

              I've had the opposite experience. I run a website for a small choir and we have a contact form on there. This is something I wrote myself, not some popular package, and it's very

          • by houghi (78078) on Monday December 22, 2008 @05:17AM (#26198163)

            I use BlockHosts [aczoom.com] and even though I still get hit, the amount of tries is 4-5 and the IP address will be blocked for 12 hours.
            Very seldom I see them hit me a second time.
            The advantage is that it is live and although initially looks in the log files it does not depend on them.

            Entry currently in my hosts.allow, which is after some IP addresses I specifically always allow.

            #---- BlockHosts Additions
            ALL: 216.146.46.29 : deny
            ALL: 65.111.164.53 : deny
            ALL: 77.48.41.174 : deny

            #bh: ip: 122.166.17.253 : 1 : 2008-12-22 09:48:44 CET
            #bh: ip: 216.146.46.29 : 5 : 2008-12-22 09:43:41 CET
            #bh: ip: 65.111.164.53 : 4 : 2008-12-22 02:02:53 CET
            #bh: ip: 77.48.41.174 : 5 : 2008-12-22 02:02:49 CET

            #bh: logfile: /var/log/messages
            #bh: offset: 5717251
            #bh: first line:Dec 20 19:15:07 pasta syslog-ng[2148]: new configuration initialized

            #---- BlockHosts Additions
            sshd : ALL: spawn /usr/bin/blockhosts.py & : allow

        • Re: (Score:2, Insightful)

          by johanatan (1159309)
          A port knocking scheme is exactly what should be implemented to combat this. It would not be very hard at all to make it completely automated on both the server and client sides (and the knock sequence could even be loosely based on the time--say to a precision of 15 minutes).
      • by Anonymous Coward on Monday December 22, 2008 @03:58AM (#26197857)

        You can still use the standard port, just install a simple defense system in iptables.

        iptables -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --update --seconds 99 -j DROP
        iptables -A INPUT -p tcp --dport ssh -m state --state NEW -m recent --set

        Now any particular IP address can only open a tcp connection to your ssh server once every 99 seconds, or longer if they keep trying during the blackout period^^

        Maybe put some whitelist rules before that. Change it to 900 (fifteen minutes) if you don't log into your server that often from other addresses.

    • by Sancho (17056) * on Monday December 22, 2008 @12:30AM (#26196907) Homepage

      Unfortunately, this is often too hard for your users.

      What's really scary is that I'm starting to see really good passwords coming through (I modified the OpenSSH source to log the password sent for one of my jails.) I'm seeing passwords that have no particular rhyme or reason (in other words, they're either random or are generated through an obfuscated scheme.) I have to assume that they're passwords which were harvested in some way. It really makes me wonder where they're getting them.

      • by techno-vampire (666512) on Monday December 22, 2008 @12:38AM (#26196953) Homepage
        It really makes me wonder where they're getting them.

        One way to get them is to set up some sort of site that logically requires you to log in, let it become popular, then harvest the password file and use it in your attacks. Be sure to make the site geeky, though, to get good passwords and give it an attention-getting name. Something like "Slashdot."

        • Re: (Score:2, Offtopic)

          by Dun Malg (230075)

          One way to get them is to set up some sort of site that logically requires you to log in, let it become popular, then harvest the password file and use it in your attacks. Be sure to make the site geeky, though, to get good passwords and give it an attention-getting name. Something like "Slashdot."

          Snorf. Try that with my password and you gain access to only a really pitiful Cobalt Qube with my friend's baby picture web site on it. Or you could just log in using the name of the site as UID and PW.

          But yeah, that'd work for a lot of other's systems, I bet.

      • by ion.simon.c (1183967) on Monday December 22, 2008 @01:18AM (#26197143)

        Unfortunately, this is often too hard for your users.

        :(
        We need to grow smarter users.

    • Re: (Score:3, Interesting)

      by UPi (137083)

      I have noticed brute force attempts for years now. I have a simple script that adds hosts with a number of failed attempts to /etc/hosts.deny automatically. If a host logs in successfully, all its past "mistakes" are forgiven.

      This has helped cut down on the invalid login attempts by >90%. This is by no means a perfect defense, since each botnet slave has three "shots" at guessing my passwords, but it still helps mitigate the problem.

      To use my script, you need to add this to your sshd_config:

  • AI (Score:5, Interesting)

    by religious freak (1005821) on Sunday December 21, 2008 @11:37PM (#26196597)
    I swear, some of the most adaptive, sophisticated, and advanced techniques seem to be coming out of the Botnets.

    It's my (admittedly probably crazy) idea that we WILL begin to see "emergent intelligence properties" out of some sophisticated system at some point in time, whether it be Google, an AGI lab, or a botnet. I shudder at the prospect of our first AI of power will have grown from one of these botnets.

    NOTE: I'm not saying this will happen tomorrow, but extrapolating the current state of botnets relative to the current state of other systems leads me to believe, on a relative basis, systems may be complex relative to one another as they are today. If that is the case, well... that would be bad.
    • by Fluffeh (1273756)
      I think what you said is interesting, but if I was to summarize:

      You fear the day when a botnet becomes self aware. And then sends you an email telling you it can sell you viagra cheaply or that it has found a better way for you to remortgage your loan.

      Me personally? I am waiting for the email I get some a self aware botnet in Nigeria saying how it found this great bank account full of moolah, but just needs to use MY bank account to siphon it all out.
      • Re: (Score:3, Insightful)

        by Opportunist (166417)

        It's not the artificial intelligent botnet I'm really afraid of. It's the combination thereof with the natural stupidity necessary to actually fall for the spam that scares the hell outta me.

    • Re:AI (Score:5, Insightful)

      by Al Dimond (792444) on Monday December 22, 2008 @12:34AM (#26196929) Journal

      My understanding of botnets is that all their activity is centrally coordinated: the bots sit in an IRC channel waiting for orders and do what they're ordered to do. It doesn't seem likely to me that the listeners are doing anything very sophisticated here. As it's always been with brute-force attacks, There are lots of target hosts, lots of usernames and passwords to try, and lots of bots to try them. Assuming every attempt gives you about the same odds of success it doesn't matter much what order you try them in. So some people changed the order, and changed the way they divide up work, to avoid detection.

      I won't deny that it's a clever adaption, or claim I definitely would have thought of it in their situation. But as far as adaptivity goes, the major tactical advance came from an explicit change in behavior by the botnet masters themselves. The parts of the software that might be adaptive, slowing down attempts on hosts where they are repeatedly unsuccessful and avoiding OpenBSD boxes, were probably specifically programmed to adapt in these ways. They're no more advanced than, say, TCP flow control behavior, or P2P programs.

      • Yeah, I'll grant you that. I don't know the specific extent to which these things are actually adaptive, but things like captcha breaking still get my attention because of the skill that needs to be involved in creating the algorithms. So I really don't doubt there are some very sophisticated programs running around the net looking for targets.

        I do admit, it's half crazy, but I don't think the concern is totally unwarranted, especially since these things are essentially designed to target and destroy.
      • Re:AI (Score:4, Interesting)

        by Richard W.M. Jones (591125) <rich AT annexia DOT org> on Monday December 22, 2008 @05:48AM (#26198265) Homepage

        My understanding of botnets is that all their activity is centrally coordinated: the bots sit in an IRC channel waiting for orders and do what they're ordered to do.

        For comment spam it's more sophisticated than that: I monitor all attempts at adding comment spam to several sites I run. One site is interesting because it requires several distinct requests in order to post a message (and you have to visit each of those pages in turn in order to be successful at posting). The bots can perform these steps -- I watched as the controller in the Ukraine first worked it out manually -- but they do it from random IP addresses in turn. However, the cookie that I send in the first request is faithfully sent back by the other IP addresses.

        These are not human attacks using something like Tor - far too quick for that.

        So the bots communicate that cookie back to their "master" between each request, and that happens in sub-second times.

        Rich.

    • Re:AI (Score:4, Insightful)

      by Sentry21 (8183) on Monday December 22, 2008 @01:39AM (#26197265) Journal

      The idea that a system like SkyNet would evolve out of a system designed to get us to buy discount v1agra and c1al1s bodes poorly for our future prospects against the coming robotic onslaught. Truly our proud, erect soldiers will be no match.

  • by vvaduva (859950) on Sunday December 21, 2008 @11:39PM (#26196617)

    The conclusions are a bit too speculative, nonetheless the research is interesting. I am not sure if a few hundred hosts are enough to conclude that the "bad guys" are coordinating and sharing attack output. And as far as avoiding OpenBSD, come on..."OpenBSD is a bitch." Why is this a surprise?? :)

  • by fuzzyfuzzyfungus (1223518) on Sunday December 21, 2008 @11:42PM (#26196637) Journal
    In principle, OpenBSD is no more or less vulnerable to weak username/password pairs than is any other OS. I suspect that, on average, OpenBSD machines are more likely to be set up for keypair auth; but any that aren't are in the same boat as everybody else(since, after all, username/password guesses aren't OS weaknesses, OSes are supposed to respond to correct username/password pairs.)

    There is still reason to avoid them, though. Because OpenBSD is something of a niche system, you can make plausible inferences about the systems running it. Specifically, they most likely have admins who are interested in security and are watching activity fairly closely, and are more likely than average to do something about it. If you are doing something illegal, why attract such attention?
    • The attacker still has to use a local vulnerability to get from a user account to root. This may be less likely on OpenBSD because of their code review process.
      • by jd (1658) <.imipak. .at. .yahoo.com.> on Monday December 22, 2008 @12:21AM (#26196875) Homepage Journal

        Their code review seems to concentrate on external attacks. They have expressly derided mandatory access controls, for example, on the grounds that you've got to trust your users or you're already lost. So, OpenBSD is actually more likely to be vulnerable to such attacks than an OS with weaker reviews but superior access controls, such as Linux with the RBACS or GrSecurity patches in place. Thus, if anyone is using OpenBSD, they'd damn well better be using strong authentication.

        (OpenBSD has the best strong authentication of any OS on the planet, and the best security from external attacks of any OS on the planet, but cliques of any kind are notoriously blind to any problem outside of their special interest and OpenBSD is no exception. Which is why they caught a rollicking from Slashdot when it came to failing to patch their PRNG after defects were found in the *BSD family of PRNGs. It's why you should never, ever trust a group - however good - to be good at everything.)

  • Botnet solution (Score:5, Interesting)

    by Anonymous Coward on Sunday December 21, 2008 @11:47PM (#26196665)

    Bots were knocking on my door to the point I was worry about performance degradation. I know there are many ways to defeat these but here was my solution.

    In hosts.deny
    -----------------
    sshd:ALL EXCEPT /var/www/html/allow.txt
    -----------------

    Create a simple cgi-script (password protected and accessed via secret random url) that writes your browser IP address to the allow.txt file and all those nasty botnets and go to hell.

    • by codepunk (167897)

      So say you have a remote server no console access.

      One day you are messing around with httpd.conf and fat finger a entry and mess up the config. Some months laterthe NOC hosting your system has to do some quick machine maintenance and powers down your machine. Later in the day they finish and power up your instance, but wait the httpd.conf file has a error and apache refuses to start on boot......now what, yes you are screwed you
      cannot access your account.

      • by truckaxle (883149)

        So say you have a remote server no console access.

        Usually yes.

        One day you are messing around with httpd.conf and fat finger a entry and mess up the config. Some months laterthe NOC hosting your system has to do some quick machine maintenance and powers down your machine. Later in the day they finish and power up your instance, but wait the httpd.conf file has a error and apache refuses to start on boot......now what, yes you are screwed you
        cannot access your account.

        I also have a fixed ip address (that I always have access to) added to the file like this.

        In hosts.deny
        -----------------
        sshd:ALL EXCEPT 187.190.10.1 /var/www/html/allow.txt
        -----------------

      • by mellon (7048)

        You make changes to httpd.conf and don't restart apache? Dude, that's just nuts. Anyway, as long as your home machine with a stable address is in the file, you can still get in from there.

        • by codepunk (167897)

          You make changes to httpd.conf and don't restart apache? No I have not but I have seen an admin do it before.

          as long as your home machine with a stable address is in the file, you can still get in from there. Unless of course your isp dhcp lease expired in the mean time and you now have a different address.

  • by erroneus (253617) on Sunday December 21, 2008 @11:49PM (#26196683) Homepage

    These people are a tremendous illness upon the world. If it were legal, I would contribute to a bounty on the lives of the people responsible for this stuff. These people make me beyond sick. I have said it many times and sometimes I actually mean it -- if I knew of someone involved in this sort of business close by, I would appear on the news shortly thereafter. And I am pretty sure I am not alone in this sentiment.

    • by maxume (22995)

      What, under the headline "Spaz Found Dead"?

      You make it sound so easy, you would just find them and turn them off like a switch. The problem is, what if they aren't the nice, misguided fellows you think they are and they turn you off like a switch?

    • by Opportunist (166417) on Monday December 22, 2008 @12:15AM (#26196847)

      Nobody keeps you from putting a bounty on the head of a spammer and botnetter. You can't ask for them being killed, but you can without a problem issue a bounty on them, payable to whoever tracks down a botnetter and drags him to court.

    • by couchslug (175151) on Monday December 22, 2008 @01:12AM (#26197109)

      Their attacks will make the internet stronger by helping it evolve defenses it would not otherwise have.
      Some steady pressure spurs evolution. So long as it does not kill the host we should smile and welcome the challenge.

    • Re: (Score:3, Insightful)

      by Jah-Wren Ryel (80510)

      These people are a tremendous illness upon the world.

      Have you heard about the dramatic increase in asthma rates in the first world? Its starting to look like the increase is due to people living in an environment that is 'too clean' - as children their systems don't get a chance to develop protections against common problems.

      You should look at these attackers the same way - they contribute to an increase in overall security. Sure it is painful, but ultimately pain is the only real motivator - just look at how piss-poor vendor responses were to security prob

      • by coryking (104614) * on Monday December 22, 2008 @02:01AM (#26197371) Homepage Journal

        Wow, you just made me completly re-evalute how I thought about dealing with botnets. I've long thought of internet security as something very, very analogous to meatspace problems like insects, virii, or bacteria. Every time we try to squish the buggers out, we just make them stronger.

        Your post made me think about how we over-use antibiotics in meatspace and how it applies to security. Things like graylisting spam, or random port assignments will are only stop-gap until the fuckers up the ante and just portscan your ass to find SSH.

        Already I'm noticing graylisting is becoming almost useless. Everybody has started to deal with it, from registration emails to spam. A year ago, what used to take five minutes thanks to graylisting now takes 30 seconds (the bottom end of my retry limit). The people who boast about using random ports are only going to make the problem worse because soon everybody will be using random ports.

        That said, I think in the end we will be forced to have our cake and eat it too. We do need to lock any asshole we catch up and toss the key. Make no mistake, we cannot send signals that this sort of behavour is tolerated in modern society. But at the same time, we need to not pretend that locking them up will make the illness go away. All we can do is beef up our immune systems and lock the assholes we manage catch up for a long, long, long, long time.

  • by Anonymous Coward on Sunday December 21, 2008 @11:49PM (#26196687)
    • The Slow Bruteforce Botnet(s) may be learning
    • The Slow Bruteforce Botnet(s) are learning at an exponential rate
    • The Slow^H^H^H^HFast Bruteforce Botnet(s) become self-aware at 2:19 AM, August 29
    • Botnet masters try to pull plug, botnets fight back with DDoSur8ghgw43899 NO CARRIER
  • by failedlogic (627314) on Sunday December 21, 2008 @11:57PM (#26196743)

    At the risk of being unpopular ..... Just turn off the Internet already!

  • by baileydau (1037622) on Sunday December 21, 2008 @11:58PM (#26196745)

    How would the botnet know they are attacking an OpenBSD box (vs Linux or something else)?

    Is there some sort of server signature involved (that I'm not aware of)

    My (Linux) ssh server at home just responds with a password prompt. I don't see any easy way to determine the underlying system from that.

    BTW. On my server at home I use Hashlimits to limit each IP to 1 attempt per minute (maximum). This has taken the attacks down from hundreds / thousands per day ( The most attacks I ever got was ~7,000 from one IP) to about 3 to 6. This is typically, 1 attempt each, they then get blocked, and then they go away.

  • Economics (Score:5, Interesting)

    by jimpop (27817) * on Monday December 22, 2008 @12:00AM (#26196763) Homepage Journal

    Don't forget about the economies surrounding botnets. There are two sides, those that profit from the botnets (the operators), and those that profit fighting the botnets (the fighters). Additionally, there are those that profit from providing botnet remedial "solutions" whilst not being in either of the primary (operator or fighter) categories. If botnets ceased to exist, there would be a *lot* more lost on the fighter and solution side than on the operator side. So... like SPAM, this raises the question of just who actually benefits the most from botnet existing.

    • ... who actually benefits the most from botnet existing.

      Of course. It's so obvious now. It was Lou Diamond Philips all along.

    • Re:Economics (Score:5, Interesting)

      by Opportunist (166417) on Monday December 22, 2008 @12:32AM (#26196913)

      As someone being in the latter group (to avoid confusion, the ones fighting them), yes, we make some money fighting that crap. Looking at the money being made on the other side, some are already wondering why we stay here.

      We stay on this side because we (well, most of us) hate botnets. Most people I met at various conventions and meets are somewhere between zealous, fanatic or outright crazy, but generally see the money as some sort of pleasant side effect.

      Believe me one thing: We know we cannot fight it, we know it's almost impossible to track them down and we know how it works. If we were in it for the money, we'd switch sides before you're done reinstalling your system. There's about ten times the money to be gained on the dark side.

      Conservatively estimating, that is.

      If spam and botnets ceased to exist overnight, we'd gladly return to more interesting and maybe also more profitable professions. Most of us are network experts. Some know more about the way Windows works on the "inside" than most people at MS. And if everything fails, we could actually maybe even create a copy protection system that is hard enough to break that nobody would willingly do it (after all, we spend a good deal of our time with disassembly). Do you really think that any of the (good) spam and botnet fighters would have a hard time finding a "honest" job that maybe even paid better than this?

      I could enjoy having a life again, instead of this sorta permanent on-call duty. Again, no christmas for me, because yes, this is one of the hottest times of the year (many people at home, many new computers needing infections, so many new opportunities for botherders...). I would also prefer to create something, like some new software to make people happy or more productive, instead of poking at malware and trying to find a sensible way to detect it. It's not really good for your ego if your product is seen as the necessary evil that steals valuable computer time instead of something that people actually want to have.

      Thanks for hearing out the rant. Now we're back to your scheduled program.

      • Re: (Score:3, Informative)

        by jd (1658)

        Defeating botnets is possible in theory (you need passive fingerprinting and end-system auditing capabilities at a lower level than the botnets, both of which are entirely possible). Defeating botnets is likely neither practical (the network needed to perform counter-intrusion measures would need to be double plus one the size of the botnet) nor legal (SIGINT methodologies may be ok for the NSA or GCHQ, and then with strict qualifiers, but they are not considered ok for Joe Public under any circumstances).

        Y

      • I was wondering, considering your background: if a very close friend or associate of yours got a new computer, what would you tell him/her to do to secure that box, knowing what's out there?

        If it were a Windows box, could it be secured, or would you just advise, wipe and install xxx OS. Period.

        Would appreciate any info.

        • Re:Economics (Score:5, Informative)

          by Opportunist (166417) on Monday December 22, 2008 @03:34AM (#26197767)

          I'd recommend not connecting it to any network and not installing any software if he wants the machine to be secure.

          Snideness aside, yes, you can get Windows to a sensible, workable security level. Not 100%, but nothing is 100% secure. Even Raid6 systems have been seen blowing up, and even the tightest security has its cracks.

          IT security is by definition the minimum of the system's capabilities and the administrator's capabilities. Not an average thereof, but the minimum of both. You can have the most secure system in the world and some stupid admin can f..k up its security beyond repair (provided it's somehow connected to the outside world). Likewise, you can be the absolute guru of computer security, you cannot secure an inherently insecure system.

          Therefore just saying "use $OS and you're safe" is a dangerous misconception. No system is inherently secure, it also depends on its administrator.

          You have to understand that most threats are tailored for the Windows platform, simply because it offers the largest target being the most widely used. Since all Windows machines are also mostly alike when it comes to their software makeup since critical networking programs like webbrowser or email client are part of the package, you have a fair lot of standard targets. You can be certain that a Windows installation has IE installed. Why? Because it's certainly installed in the installation routine and cannot be completely removed. Linux is much more modular and you cannot simply assume a certain browser, a certain mail client or even a certain editor being installed. This offers a much smaller target.

          But still a Windows machine can be secured to sensible levels. First, put a router in front of it so no direct connection can be made to the machine from the internet. This pretty much eliminates most RPC based attacks (you might remember the worm craze of a few years ago. They're still there. There are still infected machines blasting into the internet and few providers filter that crap). Never connect a Windows machine directly to the internet. I made an experiment recently, the lifetime of a clean Windows XP SP1 machine directly connected to the net is less than one minute. Yes, I'm aware that SP1 is a bit dated, but most people got SP1 on their install CD and they usually don't know how to create one that contains the latest patches. Often, reinstalling the system only builds a new home for their problems.

          So, make sure you install all critical patches before you connect the machine to the net. The Service Packs can now be downloaded and stored locally, I do highly recommend doing that. USB sticks are cheap and a quite useful tool for storing them.

          Next, get an alternative browser. IE is the most attacked browser today. And with the growing market share of Firefox it became a target, too. Opera looks ok so far, at least most iframe drive by attacks don't care about it yet. This may change, though. For now, Opera would be it. Not because it's better or safer, but simply because it has a low enough market share to be off the radar of attackers.

          An alternative mail client is the next thing you need. It should not be able to process HTML mails (because most mail clients that do use the engine of the IE, do the math). It has to show extensions of attachments, and it should, if possible, disable direct execution of executable files from attachments. Funny enough, the older the mail client the better, since most of the times this means fewer features that can get into the way of security. Just make sure there are no known bugs. Again, the less mainstream the client is, the better.

          If you really, really have to use instant messaging, again, don't use the normal IM clients. Same reason, they're main targets for attackers. Use alternative clients, preferable with a low market share. As a beneficial side effect, they often also enable you to bundle more than one service.

          An antivirus toolkit. Yes, I know, many people here don't think too highly of them, and yes, they cannot

    • Re:Economics (Score:5, Insightful)

      by he-sk (103163) on Monday December 22, 2008 @12:36AM (#26196937)

      Are you implying that the botnets operators are in bed with their adversaries? If so, why not spell it out? And who are these fighters exactly? Anti-virus firms, sysadmins, politicians?

      What you write sounds a bit like the broken window fallacy. Specifically, if there were no botnets those who are fighting them could use their time to pursue other goals most likely creating value elsewhere. Meanwhile, there would be no damage done by botnets, resulting in a net plus.

    • Oh great (Score:5, Insightful)

      by coryking (104614) * on Monday December 22, 2008 @02:06AM (#26197389) Homepage Journal

      Here. I admit. I'm part of the so-called "whitehat guys" who profit from stoping the botnets. But since I have no ethics or morals, I dont really stop them, I just give them kickbacks to make it look like I'm stopping them.

      Now excuse me while I go get a back massage on from the hot ladies serving me martinis on the beach in Tahiti. Me and my fellow whitehats are making millions off you poor fools. If you only knew!

      (adjust your tinfoil good sir, you are blocking the wrong signals)

  • Is there something 'better' about BSDs' ipchains then I can do with Linux and iptables?

    Should I switch my firewall? (I've been itching to test BSD cause it's so darned geeky and I am getting annoyed with all these Ubuntu "somebody help me!!" converts plugging the IRC tubes.)

    A locked-down firewall is locked-down isn't it?

    • Re:OpenBSD vs Linux (Score:5, Informative)

      by ADRA (37398) on Monday December 22, 2008 @12:22AM (#26196879)

      ipchains is Linux's 2.2 kernel firewall protection. BSD uses 'IPF'.

      No matter what system you're using, a closed port is a closed port.

      I think the main selling point between the two would be that IPF is slightly better performing and that iptables has quite a few addons that make for niceness if you know about and how to use them.

      • by dokebi (624663)

        Except that for some reason, dhcpd gets to the packets before the linux kernel does. In fact, you cannot use ipchains to filter dhcp packets to and from dhcpd. If you don't believe me, Google "block dhcp ipchains".
        So, it's more like: a closed port is closed under certain OSes.

        • by dokebi (624663)

          Oh, and to follow up on my own point, iptables still can't block dhcpd from talking to it's clients.

      • Re: (Score:3, Informative)

        by 1s44c (552956)

        ipchains is Linux's 2.2 kernel firewall protection. BSD uses 'IPF'.

        OpenBSD uses PF not IPF.
        FreeBSD uses PF or IPF.
        Linux uses iptables. It's not been ipchains since a few major kernel versions back.

        Pf rules. It's far clearer, more sensible, and more configurable than iptables.

    • Re:OpenBSD vs Linux (Score:5, Informative)

      by oasisbob (460665) on Monday December 22, 2008 @12:34AM (#26196925)

      OpenBSD doesn't use ipchains -- it uses pf [openbsd.org], which many people -- myself included -- like a lot. OpenBSD is secure and easy to get routing.

      The end result is the same, but pf can be easily adapted to many tricks like this, automatically blocking SSH bruteforcing [home.nuug.no].

      I'd give the beginners using Ubuntu a break. They're overwhelming sometimes, but the community growing is a good thing. I'm sure someone I've introduced to Linux has needed online help (badly!), but another friend I introduced to Linux really dug in and we're now both better developers because of it. You just don't know.

  • Fail2ban? WTF? (Score:2, Interesting)

    by Anonymous Coward

    Posting as AC because the people running botnets can be nasty...I had most of their hosts banned two weeks ago and it got more interesting.

    To the people who say: "Use fail2ban" --it won't work unless you jail the host on the first failed login forever. They'll be back once every six hours on my system.

    After I had a week worth of logs, I added them to hosts.deny--and now things are getting interesting. I'm working on compiling the pattern now--but it looks like there's "micro wordlists" being thrown at it

  • skynet is gaining power

  • by nobodymk2 (1137293) <nobodymk2@gma[ ]com ['il.' in gap]> on Monday December 22, 2008 @01:26AM (#26197197) Homepage

    I've looked at the TFA and the hard data and it seems like admins are the ones making the IT mistakes. With so many attempts for root and none of the other users personally identifiable, I can personally just set up a Bot to run tracert routines on failed attempts and report them for trying to access Root or Admin.

    When it comes to multi-user sites however public key auth is standard, but your user ID and password have to match. What I don't understand is why everyone immediately resorts to AI development.

    Clearly musing, he is. AI means "Self-adapting code". Self-adaption is too slow in real time and is only controlled by small control variables in games. Botnets have a heard. IT's the ADMIN's fault for being hearded, but they can have a techie d/c the power cord to save the rest of the world. Theres no real threat to secure folks because physical disconnection is trivial over a router (I just disable my IP assignment and I'm disconnected until I get another techie to do it physically) but more of a threat to people who can't control it. People controlled by the law, such as big-time Admins.

    Sure, sure, the server won't crash when you're watching it, sure. But how boring will that be?

    Here's the real issue: Remote Access

    There has to be a way for the slow bots to get into root or admin or a remote access. I usually disable root or admin from working outside the internal loopback - 127.0.0.1 - standard Class A IP Address. I could technically configure a Bot to run Tracert (traceROOT) routines on all of those people (yes, windows user here) and have them reported to the federal government. It can't mess up my personal account, nor can it mess up DNS servers with sheer volume. It's small-scale.

    so, the solution is proper remote access protocols. I remember NEVER activating remote access but at the same time using public-key authorized third party demo services to make minor changes remotely, including shutting the system down. I used logmein.com, free demo version, pathetically, but it's actually more secure as long as I have no idea how why I should do it myself. Once I used the shutdown signal it could not boot itself up unless someone would physically press the button. I have to call a physical person in the house to do that myself, so unless demons from hell can use an on/offswitch and my BIOS password without my permission, it ain't starting on it's own nor does it listen for a restart signal until I sign into windows for the first time (Windows XP here). My system has never been breached before, but it constantly deadlocks to save itself from burning the CPU out. It has a thermosensor and cutoff only in the power supply unit, however. Stupid laptops weren't designed for gaming even though thats how its advertised. How do I pull an all nighter at this rate? I'll just remove the sensor in my power supply and WHAM there goes my processor for not having heat sensors. Stupid dell power supply. Rocket fish will at least deadlock my system without damaging my hard disk.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Tracert (traceROOT)

      Excellent...

  • by dweller_below (136040) on Monday December 22, 2008 @02:41AM (#26197573)

    I do computer and network security for a university.

    This distributed SSH password guessing is not a new tactic. We have seen and tracked this tactic off and on for over a year.

    If this tactic was a game changer, we would have seen it ramp up before now. It would occur all the time. But it doesn't. It only seems to occur during holidays.

    At it's heart, this tactic is not any more effective than non-distributed password guessing. Either way, the attacker has to enumerate the same number of guesses before finding a hit. If a machine is vulnerable, it will be successfully attacked by either approach to password guessing. If it is not vulnerable, neither approach will work.

    Modern hacking is a economic activity. It must balance risk and reward. This attack doesn't offer any more reward than conventional password guessing. It's main feature is to try to change the risk side of the equation.

    Conventional SSH password guessing is noisy. One machine will portscan for TCP/22. Then it rapidly guesses passwords against everything that responds. That one machine is usually lost to the attacker. Automated defense systems block it. Also, defenders report it to the owning ISP. The only way this works for the attacker is if he can harvest more that he loses.

    The distributed guessing attack is also noisy, but in a different way. Currently, we see the attacker start by sacrificing 1 computer to do a TCP/22 portscan. At this point, he has already risked as much as a conventional password guessing attack. Then he feeds the results to a bunch of bots. Each bot then takes turns guessing passwords. Each bot guesses 1 password at a time. However, each bot guesses against multiple SSH servers at the same time.

    This attack is inherently more risky that conventional password guessing. The attacker exposes many of his computers. If we can detect and respond, this attack is not as cost effective as conventional password guessing.

    It is easy for my university to detect and respond to these attacks. We detect it in three different ways.
    1) Each attacker has a distinctive network behavior pattern. We can automate detection by looking at aggregate Cisco netflow data.
    2) It is trivial to pick off this attack using a SSH honeypot.
    3) We use a network visualization tool to watch aggregate SSH activity. This password guessing is obvious on our visualization tool.

    Once we have detected the attackers, we respond to them in the normal way. We block them. We inform our peer institutions and the authorities. We inform the owning ISP.

    The main difference in this situation is that detection and response is easy if you have access to aggregate traffic or multiple SSH servers. It is difficult if you only manage 1 SSH server.

    I don't expect this form of attack to last much longer. I am sure that everybody else is adapting. Once the defenders adapt, this tactic is too expensive to be used.

    Miles

  • by LABarr (14341) on Monday December 22, 2008 @07:00AM (#26198533) Homepage

    On my OpenBSD webserver I noticed a recent spike in hacking attempts. After checking with my clients with regards to where their web traffic and sales come from I discovered that virtually none needed to have their webpages displayed offshore.

    I then blocked the entire Asia Pacific Network. I am talking about the entire CIDR range from the offending ISP. I also blocked select addresses in Russia, Turkey, Germany, Poland, Brazil, etc. Every few days I check the logs and add a few more blocks if need be.

    While I freely admit this move is quite drastic in nature and not possible for everyone, the illegal activity has dropped off to virtually nil. My Bandwidth utilization is way down as well.

    The way I see it, I am more than willing to accept the loss of 1% legitimate traffic for 99% that isn't. If these people can't play nice, why let them play at all? I am naive enough to think that if more and more people adopted this policy, perhaps the offending governments would stand up and take notice. They seem to be able to control whether or not their citizens are able to look at pro-democracy information. If they cared about the illegal activity as well, they could do something about it. Until then, they'll remained blocked and I sleep very well at night.

  • by JetScootr (319545) on Monday December 22, 2008 @08:06AM (#26198803) Journal
    Would a bayesian filter work on this? The filter would match bad userids against the set of valid ones; bad userids that do not resemble any valid id by more than X% will score a demerit against the host that submitted the bad ID. Enough bad ids will probably identify an attacking bot, which can then be blocked. This is a slow defense, but the attack itself is slow and will probably statistically require far more attempts than a bayesian filter requires to identify the attacker.
    Since the attacker doesn't know the set of valid userids on the target system, it's hard to see how this could be countered. Spam authors know how normal email looks, but still can't defeat bayesian spam filters.

He keeps differentiating, flying off on a tangent.

Working...