Security IT

The Slow Bruteforce Botnet(s) May Be Learning

badger.foo writes "We've seen stories about the slow bruteforcers — we've discussed it here — and based on the data, my colleague Egil Möller was the first to suggest that since we know the attempts are coordinated, it is not too far-fetched to assume that the controlling system measures the rates of success for each of the chosen targets and allocates resources accordingly. (The probes of my systems have slowed in the last month.) If Egil's assumption is right, we are seeing the bad guys adapting. And they're avoiding OpenBSD machines." For fans of raw data, here are all the log entries (3MB) that badger.foo has collected since noticing the slow bruteforce attacks.
This discussion has been archived. No new comments can be posted.
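A way to look for the coordinated pattern badger.foo describes in logs like the linked dump (an added example, not the submitter's code or data): instead of counting failures per source IP, which is exactly the threshold the slow attack is designed to stay under, it groups failures by the username being tried and flags users probed by many distinct sources that each try only once or twice. The log lines are constructed, and the window and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log excerpt (not from the submitter's 3MB dump): a few sources
# per username, plus one noisy single-source burst that per-IP blocking already catches.
SAMPLE_LOG = """\
Dec 21 23:51:02 gw sshd[1201]: Failed password for root from 203.0.113.5 port 40211 ssh2
Dec 21 23:58:40 gw sshd[1210]: Failed password for root from 198.51.100.7 port 40555 ssh2
Dec 22 00:07:13 gw sshd[1222]: Failed password for invalid user admin from 203.0.113.9 port 51002 ssh2
Dec 22 00:16:55 gw sshd[1231]: Failed password for root from 192.0.2.44 port 33091 ssh2
Dec 22 00:25:02 gw sshd[1240]: Failed password for invalid user admin from 198.51.100.20 port 46122 ssh2
Dec 22 00:34:48 gw sshd[1252]: Failed password for root from 203.0.113.77 port 39011 ssh2
Dec 22 00:35:01 gw sshd[1253]: Failed password for bob from 192.0.2.8 port 39020 ssh2
Dec 22 00:35:03 gw sshd[1254]: Failed password for bob from 192.0.2.8 port 39021 ssh2
Dec 22 00:35:05 gw sshd[1255]: Failed password for bob from 192.0.2.8 port 39022 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failures(text, year=2008):
    """Return (timestamp, user, source_ip) per failed-password line; syslog omits the year."""
    events = []
    for line in text.splitlines():
        if m := FAILED_RE.match(line):
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events

def find_slow_bruteforce(events, window=timedelta(hours=1), min_sources=4, max_per_source=2):
    """Flag usernames hit by many distinct sources that each try only a few times; a
    per-IP threshold never fires on this. Returns {user: sources in busiest window}."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            per_ip = defaultdict(int)
            for ts, ip in hits[i:]:  # attempts inside [start, start + window]
                if ts - start > window:
                    break
                per_ip[ip] += 1
            if len(per_ip) >= min_sources and max(per_ip.values()) <= max_per_source:
                flagged[user] = max(flagged.get(user, 0), len(per_ip))
    return flagged
```

On the sample, only `root` is flagged: `admin` has too few sources and `bob` is a single-source burst that a per-IP rule already handles.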

  • by corsec67 ( 627446 ) on Sunday December 21, 2008 @11:51PM (#26196699) Homepage Journal

    So then brute force attacks would be preceded by an open port check?

    Unless you use some kind of port knocking attempt, that wouldn't solve much of anything for long.

  • Re:AI (Score:3, Insightful)

    by Opportunist ( 166417 ) on Monday December 22, 2008 @12:08AM (#26196807)

    It's not the artificially intelligent botnet I'm really afraid of. It's the combination thereof with the natural stupidity necessary to actually fall for the spam that scares the hell outta me.

  • by MichaelSmith ( 789609 ) on Monday December 22, 2008 @12:12AM (#26196831) Homepage Journal
    Probably it is just avoiding secure hosts, like yours. OpenBSD hosts tend to be secure because it is selected by people who put security before other requirements.
  • Re:AI (Score:5, Insightful)

    by Al Dimond ( 792444 ) on Monday December 22, 2008 @12:34AM (#26196929) Journal

    My understanding of botnets is that all their activity is centrally coordinated: the bots sit in an IRC channel waiting for orders and do what they're ordered to do. It doesn't seem likely to me that the listeners are doing anything very sophisticated here. As it's always been with brute-force attacks, there are lots of target hosts, lots of usernames and passwords to try, and lots of bots to try them. Assuming every attempt gives you about the same odds of success it doesn't matter much what order you try them in. So some people changed the order, and changed the way they divide up work, to avoid detection.

    I won't deny that it's a clever adaptation, or claim I definitely would have thought of it in their situation. But as far as adaptivity goes, the major tactical advance came from an explicit change in behavior by the botnet masters themselves. The parts of the software that might be adaptive, slowing down attempts on hosts where they are repeatedly unsuccessful and avoiding OpenBSD boxes, were probably specifically programmed to adapt in these ways. They're no more advanced than, say, TCP flow control behavior, or P2P programs.

  • Re:Economics (Score:5, Insightful)

    by he-sk ( 103163 ) on Monday December 22, 2008 @12:36AM (#26196937)

    Are you implying that the botnet operators are in bed with their adversaries? If so, why not spell it out? And who are these fighters exactly? Anti-virus firms, sysadmins, politicians?

    What you write sounds a bit like the broken window fallacy. Specifically, if there were no botnets those who are fighting them could use their time to pursue other goals most likely creating value elsewhere. Meanwhile, there would be no damage done by botnets, resulting in a net plus.

  • by Anonymous Coward on Monday December 22, 2008 @01:12AM (#26197115)

    > "(I've been itching to test BSD cause it's so darned geeky and I am getting annoyed with all these Ubuntu "somebody help me!!" converts plugging the IRC tubes.)

    Excellent elitist attitude you have there. I just happen to be one of those "Ubuntu 'somebody help me!!' converts". I just had a great idea that you might agree with! I think any distribution that attempts to be easy to use for the end user that hasn't used Linux before should just close up shop. It should only be used by the elite such as yourself.

    I understand that many users just want quick and easy answers. But the best reward is when you can teach them to be self reliant, to be resourceful. Many of the answers they seek are already out there. As the saying goes (I think)... give a man a fish he will eat for a day. Teach him to fish he'll eat for a lifetime.

  • Re:AI (Score:4, Insightful)

    by Sentry21 ( 8183 ) on Monday December 22, 2008 @01:39AM (#26197265) Journal

    The idea that a system like SkyNet would evolve out of a system designed to get us to buy discount v1agra and c1al1s bodes poorly for our future prospects against the coming robotic onslaught. Truly our proud, erect soldiers will be no match.

  • Re:AI (Score:2, Insightful)

    by SpaceLifeForm ( 228190 ) on Monday December 22, 2008 @01:46AM (#26197289)

    Careful with the parsing.

    You *are* programmed, by a more advanced form of life,
    to not *want* to die.

    That does not mean that you are programmed to avoid death
    at the hands of a more advanced form of life.

    In fact, you are programmed to die period, regardless of
    your wishes, at the hands of the simplest lifeforms.

  • by Jah-Wren Ryel ( 80510 ) on Monday December 22, 2008 @01:47AM (#26197295)

    These people are a tremendous illness upon the world.

    Have you heard about the dramatic increase in asthma rates in the first world? It's starting to look like the increase is due to people living in an environment that is 'too clean' - as children their systems don't get a chance to develop protections against common problems.

    You should look at these attackers the same way - they contribute to an increase in overall security. Sure it is painful, but ultimately pain is the only real motivator - just look at how piss-poor vendor responses were to security problems before full disclosure became the norm and threatened their bottom line.

    You will absolutely never ever be able to make all attackers go away, any solution that relies on locking them up is doomed to failure, full stop. You can drive out the masses of dumb ones, but then that will only leave the small group of really smart ones behind. And at the same time you'll end up making the lives of the smart ones much easier since without widespread "illness" there will never be widespread inoculation either.

  • by coryking ( 104614 ) * on Monday December 22, 2008 @02:01AM (#26197371) Homepage Journal

    Wow, you just made me completely re-evaluate how I thought about dealing with botnets. I've long thought of internet security as something very, very analogous to meatspace problems like insects, virii, or bacteria. Every time we try to squish the buggers out, we just make them stronger.

    Your post made me think about how we over-use antibiotics in meatspace and how it applies to security. Things like graylisting spam, or random port assignments, are only a stop-gap until the fuckers up the ante and just portscan your ass to find SSH.

    Already I'm noticing graylisting is becoming almost useless. Everybody has started to deal with it, from registration emails to spam. A year ago, what used to take five minutes thanks to graylisting now takes 30 seconds (the bottom end of my retry limit). The people who boast about using random ports are only going to make the problem worse because soon everybody will be using random ports.

    That said, I think in the end we will be forced to have our cake and eat it too. We do need to lock any asshole we catch up and toss the key. Make no mistake, we cannot send signals that this sort of behaviour is tolerated in modern society. But at the same time, we need to not pretend that locking them up will make the illness go away. All we can do is beef up our immune systems and lock the assholes we manage to catch up for a long, long, long, long time.

  • Oh great (Score:5, Insightful)

    by coryking ( 104614 ) * on Monday December 22, 2008 @02:06AM (#26197389) Homepage Journal

    Here. I admit. I'm part of the so-called "whitehat guys" who profit from stopping the botnets. But since I have no ethics or morals, I don't really stop them, I just give them kickbacks to make it look like I'm stopping them.

    Now excuse me while I go get a back massage from the hot ladies serving me martinis on the beach in Tahiti. Me and my fellow whitehats are making millions off you poor fools. If you only knew!

    (adjust your tinfoil good sir, you are blocking the wrong signals)

  • by johanatan ( 1159309 ) on Monday December 22, 2008 @02:13AM (#26197429)
    A port knocking scheme is exactly what should be implemented to combat this. It would not be very hard at all to make it completely automated on both the server and client sides (and the knock sequence could even be loosely based on the time--say to a precision of 15 minutes).
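The time-based knock sequence johanatan describes, as an added example that is not from the comment or from any existing port-knocking tool: client and server derive the ports for each 15-minute window from a shared secret with HMAC-SHA256, and the server also accepts the neighbouring windows so a client whose clock is a few minutes off is not locked out. The port range, sequence length and HMAC construction are my assumptions.

```python
import hashlib
import hmac
import struct
import time

WINDOW_SECONDS = 15 * 60            # the 15-minute precision suggested in the comment
KNOCK_LENGTH = 4                    # ports per knock sequence (assumed)
PORT_LOW, PORT_HIGH = 10000, 60000  # range the knock ports are drawn from (assumed)


def knock_sequence(secret: bytes, epoch: float, length: int = KNOCK_LENGTH) -> list:
    """Derive the knock ports for the 15-minute window containing `epoch`.
    Client and server share `secret`; only their clocks need to roughly agree."""
    window = int(epoch) // WINDOW_SECONDS
    digest = hmac.new(secret, struct.pack(">Q", window), hashlib.sha256).digest()
    span = PORT_HIGH - PORT_LOW
    # Two digest bytes per port, reduced into the allowed range.
    return [PORT_LOW + int.from_bytes(digest[2 * i:2 * i + 2], "big") % span
            for i in range(length)]


def knock_is_valid(secret: bytes, observed: list, now: float = None,
                   skew_windows: int = 1) -> bool:
    """Server side: accept the sequence for the current window, or for a window
    up to `skew_windows` either side of it to tolerate client clock skew."""
    now = time.time() if now is None else now
    for delta in range(-skew_windows, skew_windows + 1):
        if observed == knock_sequence(secret, now + delta * WINDOW_SECONDS):
            return True
    return False
```

Sending the knocks and watching for them on the firewall side are left to whatever wires this into pf or the packet filter in use.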
  • by xous ( 1009057 ) on Monday December 22, 2008 @03:36AM (#26197779) Homepage
    This solution is practically useless as when a sufficient number of hosts use a non-standard port they will simply use port scans. As a systems administrator that has to deal with morons constantly locking themselves out of their servers due to using random ports and other silly techniques I find this to be an extremely stupid idea. -1 points for suggesting people change their ssh port to a non-standard port. There is a reason we have standards. Real solution: use Public Key Authentication or at least require strong passwords.
  • by LABarr ( 14341 ) on Monday December 22, 2008 @07:00AM (#26198533) Homepage

    On my OpenBSD webserver I noticed a recent spike in hacking attempts. After checking with my clients with regards to where their web traffic and sales come from I discovered that virtually none needed to have their webpages displayed offshore.

    I then blocked the entire Asia Pacific Network. I am talking about the entire CIDR range from the offending ISP. I also blocked select addresses in Russia, Turkey, Germany, Poland, Brazil, etc. Every few days I check the logs and add a few more blocks if need be.

    While I freely admit this move is quite drastic in nature and not possible for everyone, the illegal activity has dropped off to virtually nil. My bandwidth utilization is way down as well.

    The way I see it, I am more than willing to accept the loss of 1% legitimate traffic for 99% that isn't. If these people can't play nice, why let them play at all? I am naive enough to think that if more and more people adopted this policy, perhaps the offending governments would stand up and take notice. They seem to be able to control whether or not their citizens are able to look at pro-democracy information. If they cared about the illegal activity as well, they could do something about it. Until then, they'll remain blocked and I sleep very well at night.
