Slow bruteforce attacks with Botnets

Monday, December 22, 2008

Botnets are used for spam, pharming, spreading malware and even DDoS. One further use of botnets that is not yet widely exploited is brute-forcing logins. Just as large organisations such as the NSA and FBI use big pools of networked computers to break encryption, cyber criminals have slowly started to use botnets to launch brute-force attacks. The attempts come from multiple machines spread over a period of time: a machine in Chicago tries one user/password combination, and a few minutes later a machine in London tries another. This slow brute force helps evade detection by IDSs and any threshold you may have configured on your SIM tools.

Currently, brute-force logins are a problem for Linux systems running an SSH server, especially when it is directly exposed on the network. The best thing admins can do is move SSH to a port other than 22, because mass attacks of this kind rely on defaults and 22 is the default SSH port. Relying on tools like DenySSH, or any tool that blocks an IP address after n failed attempts in a period of time, is not going to work, because the attacks are distributed across many locations and IPs. Instead, tune your detection around the attacked IP, port and username, and reduce the thresholds: if you are using a 600 second window, make it 150 or 120 seconds.

When discussing recent ongoing attacks I have always said that if you master the art of pattern detection you can stop or block most attacks at their origin. That is where you need to study the network traffic and logs, build a pattern and respond immediately.
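To make the pivot described above concrete, here is an added example (not code from the original post) that parses OpenSSH "Failed password" lines and compares the classic per-source rule with a per-target rule keyed on the attacked username. The log lines, host name and IP addresses are constructed for the demonstration; the window sizes and source counts are assumed tuning values, not figures from the post. It also shows the caveat that shrinking the window too aggressively lets a slow, spread-out attack through.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in OpenSSH syslog format (not taken from the post).
# Each source IP tries at most twice, so a per-source "5 failures in 600 s"
# rule never trips, yet the attempts all target "root" within a few minutes.
SAMPLE_LOG = """\
Dec 22 10:00:05 bastion sshd[2101]: Failed password for root from 203.0.113.5 port 51234 ssh2
Dec 22 10:02:41 bastion sshd[2107]: Failed password for root from 198.51.100.7 port 40210 ssh2
Dec 22 10:03:10 bastion sshd[2111]: Accepted publickey for deploy from 192.0.2.10 port 60000 ssh2
Dec 22 10:05:17 bastion sshd[2119]: Failed password for root from 192.0.2.44 port 33001 ssh2
Dec 22 10:07:52 bastion sshd[2123]: Failed password for invalid user admin from 203.0.113.9 port 52000 ssh2
Dec 22 10:08:30 bastion sshd[2130]: Failed password for root from 203.0.113.5 port 51240 ssh2
Dec 22 10:09:03 bastion sshd[2134]: Failed password for root from 198.51.100.22 port 41000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failed_logins(text, year=2008):
    """Return a time-sorted list of (timestamp, username, source_ip) for each
    sshd 'Failed password' line. syslog timestamps carry no year, so the
    caller supplies one (assumed 2008 here to match the post's date)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    events.sort()
    return events


def per_source_alerts(events, threshold=5, window_s=600):
    """Classic blocker-style rule: flag a source IP with >= threshold failures
    inside a sliding window of window_s seconds. Included to show what a
    distributed, low-rate attack evades."""
    alerts = set()
    recent = defaultdict(deque)  # source ip -> timestamps in the window
    for ts, _user, ip in events:
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold:
            alerts.add(ip)
    return alerts


def per_target_alerts(events, window_s=600, min_sources=3):
    """Pivot the threshold onto the attacked account: flag a username whose
    failures arrive from >= min_sources distinct IPs inside window_s seconds.
    Returns {username: sorted list of source IPs seen in the window}."""
    alerts = {}
    recent = defaultdict(deque)  # username -> (timestamp, source ip) in the window
    for ts, user, ip in events:
        q = recent[user]
        q.append((ts, ip))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        sources = {src for _t, src in q}
        if len(sources) >= min_sources:
            alerts[user] = sorted(sources)
    return alerts


if __name__ == "__main__":
    evs = parse_failed_logins(SAMPLE_LOG)
    print("per-source (5 in 600 s):", per_source_alerts(evs) or "no alert")
    print("per-target (3 sources in 600 s):", per_target_alerts(evs))
    # With a 150 s window the same attempts, spaced ~2.5 min apart, go unnoticed.
    print("per-target (3 sources in 150 s):", per_target_alerts(evs, window_s=150) or "no alert")
```

In a real deployment the per-target state would be fed from the live log stream rather than a string, and the alert would carry the list of source IPs so the responder can block them as a group; the point is that the count is kept per attacked username (or per attacked port/host), not per attacker address.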

