LinuxQuestions.org - Linux - Security - Strange attack pattern? (https://www.linuxquestions.org/questions/linux-security-4/strange-attack-pattern-698105/)

/dev/me 01-18-2009 07:37 AM

Strange attack pattern?
 
I'm running a Slackware server, more for testing and self-education so no critical data is stored on it, although it is functional IRL. I've written my own firewall, and log monitoring script. Nothing fancy, but with a homebrew DIY feel to it.

Now obviously I see all kinds of 'attacks' coming in, and I have adjusted my firewall accordingly. I think the setup is pretty secure ATM, and I'm not worried.

But still, I have trouble explaining certain kinds of attacks. It may be that the attacker is expecting another OS, so that these attacks shouldn't concern me. But still, I am curious.


Pattern:
Within the course of a minute or two, multiple (20~30) unique IP's send many requests to an unused port on my machine. A typical entry looks like this:
Jan 18 08:09:04 MachineName kernel: LOG PATTERN IN=eth2 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=XXX.XXX.XXX.XXX DST=YYY.YYY.YYY.YYY LEN=61 TOS=0x00 PREC=0x00 TTL=48 ID=36573 PROTO=UDP SPT=7345 DPT=16137 LEN=41

In this particular attempt (to do what?) 25 unique IP's all do many requests (what?) to DPT 16137. And that is the pattern. I have this happen to me more often, always somewhere between 20 and 30 unique IP's all requesting some high up port UDP style and never taking more than 2 minutes from start to finish so to speak.
As a funny aside, all unique IP's seemingly attempt a number of times in multiples of 9. And this is regardless of how the firewall threads them.




I really fail to see what kind of attack this is. I'm used to port scans, messenger spam, brute force on FTP and SSH, php vulnerability exploits, ping sweeps and the likes. I understand those, and I know how to handle them.

From a security perspective, I drop whole ranges of IP's categorically so of the above attempts only about 1/2 get through. Of this remainder all of them are dropped after a short while by the rate limiter. And the automagic blacklister does the rest.



___

I need either a reality check or some clarification? What am I dealing with here? The only thing I can imagine that this is, is someone spoofing IP's and coming in from different directions so to speak to probe my defense mechanisms? But that would require a human analyzing the outcome. I don't believe that. I think it's something scripted, but to what end?

Is someone kind enough to enlighten me on this?



[edit]I talked to some people IRL that I consider more knowledgeable than myself on security and networking, and they held this resembled a DDoS attack. But... ehm... 25 IP's doing a total of ~300 attempts in two minutes is a pretty weak DDoS, is it? Maybe a test run? I dunno...[/edit]

catworld 01-18-2009 09:25 AM

If some malicious bot sees an ftp server all bets are off. You're going to get secure ftp requests, ftp logins and plain brute force 'kill the machine' attacks. Many of the secure ftp requests will originate/terminate at high ports. I just checked my logs and the last was going for 56960.

Beyond that any public facing interface is going to see its share of the ubiquitous SQL injection attempts. This is the pay dirt of mayhem in the wild at the moment.

You familiar with snort or any other intrusion detection system? Properly configured they'll cough up signatures and tell you in plain English what exactly each attempt is trying to do.

/dev/me 01-18-2009 10:47 AM

Quote:

Originally Posted by catworld
If some malicious bot sees an ftp server all bets are off. You're going to get secure ftp requests, ftp logins and plain brute force 'kill the machine' attacks. Many of the secure ftp requests will originate/terminate at high ports. I just checked my logs and the last was going for 56960.

Yeah, I get those. And although I can't see everything in my logs, still they follow a certain pattern. The system is setup to recognize them and drop them. Most of them are really not worth looking into, except for debugging or solving the occasional false negative.

Quote:

Originally Posted by catworld
Beyond that any public facing interface is going to see its share of the ubiquitous SQL injection attempts. This is the pay dirt of mayhem in the wild at the moment.

Hmmm, I'm not running SQL. But then, I don't run MSN either and I get messenger spam on that port. Probably is just random. It's only the logic of my setup that logs them before it drops them that allows me to even see they are happening. Still, they follow a recognizable attack pattern. Same with the FTP brute force attacks.

Quote:

Originally Posted by catworld
You familiar with snort or any other intrusion detection system? Properly configured they'll cough up signatures and tell you in plain English what exactly each attempt is trying to do.

That is a better idea, yeah. I hadn't thought I needed snort or something similar, but I'll install it anyway. See what that comes up with.



It's just, it's the pattern of these attacks I think is weird. It's one of the reasons I keep security thresholds as low as they are now. Lower than is convenient for legitimate users prone to typos. I've been reading about the different kinds of attacks that a server may expect to endure, and I just don't see what this is. Maybe posting a screenshot will show what I mean:
http://i44.tinypic.com/2j3seo3.jpg
See? I can zoom in with my filter, showing all these attacks came in during a two minute interval. It's happened a couple of times before too. Always this pattern. Always multiple IP's, always a weird unused high up port.

I am sure if this is scripted that more people have seen something like this. Any idea what it is trying to do?

___
PS 'HOSTILE_COUTRY DROP' means the source IP is categorically dropped by range. 'BLACKLISTED' means the source IP triggered the blacklister. As you can see, it doesn't take a whole lot ;-)

catworld 01-18-2009 11:06 AM

Quote:

Originally Posted by /dev/me
I am sure if this is scripted that more people have seen something like this. Any idea what it is trying to do?

Yeah, gunk up your system or outright take it over. :D

I'd post my IDS logs but it'd be a pain to clean out the IPs. But I get 1,000 SQL injection attacks a day and I do not run SQL either. I see attacks against flaws that don't exist on my systems or have long been patched. Doesn't matter, any public facing interface is gonna hear about it. The script kiddies at play, it's almost all automated.

If you see a sudden spike then no doubt some kiddie left his ftp sniffer going overnight, it flagged you, and now you're in the pool of IPs he's unleashing his next free crackware download upon. Pain in the butt, but I manually filter out the ones that don't go away on their own.

/dev/me 01-18-2009 11:56 AM

Quote:

Originally Posted by catworld
Yeah, gunk up your system or outright take it over.:D

I, for one, welcome our mysterious crackware wielding overlords...



Ah well, at least the security system got a good test drive again.

catworld 01-18-2009 12:05 PM

It is fun. You should look into the honeyd project. Most distros have it packaged and easily installable. You might also want to read "steal this book," whatever the current version. I understand that's the goobermint's security spook bible.

/dev/me 01-18-2009 01:04 PM

Quote:

Originally Posted by catworld
It is fun. You should look into the honeyd project.

Hey, thanx! That seems like a good waste of a rainy evening (beats watching television in any case)

unixfool 01-18-2009 07:29 PM

Quote:

Originally Posted by /dev/me (Post 3412770)
I'm running a Slackware server, more for testing and self-education so no critical data is stored on it, although it is functional IRL. I've written my own firewall, and log monitoring script. Nothing fancy, but with a homebrew DIY feel to it.

Now obviously I see all kinds of 'attacks' coming in, and I have adjusted my firewall accordingly. I think the setup is pretty secure ATM, and I'm not worried.

But still, I have trouble explaining certain kinds of attacks. It may be that the attacker is expecting another OS, so that these attacks shouldn't concern me. But still, I am curious.

<snip>


___

I need either a reality check or some clarification? What am I dealing with here? The only thing I can imagine that this is, is someone spoofing IP's and coming in from different directions so to speak to probe my defense mechanisms? But that would require a human analyzing the outcome. I don't believe that. I think it's something scripted, but to what end?

Is someone kind enough to enlighten me on this?



[edit]I talked to some people IRL that I consider more knowledgeable than myself on security and networking, and they held this resembled a DDoS attack. But... ehm... 25 IP's doing a total of ~300 attempts in two minutes is a pretty weak DDoS, is it? Maybe a test run? I dunno...[/edit]

Hey,

isc.sans.org's diary has been tracking distributed brute force attempts. I think this is what you're seeing.

I'm trying to find a link (will edit this post when I find the URL).

EDIT -

Here it is: http://isc.sans.org/diary.html?storyid=5114

Here are other links: http://www.google.com/search?hl=en&a...i=&safe=images

jschiwal 01-18-2009 08:29 PM

A recent poster noted an increase in distributed attacks against ssh. Using different IP's and not repeating them or increasing the time between attempts, it might fool fail2ban which is triggered on repetition.
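Both the original post's log excerpt (20 to 30 source IPs hitting one unused UDP port within two minutes) and jschiwal's remark that spreading attempts across many IPs defeats a per-source counter like fail2ban point at the same detection gap: a per-IP threshold never fires when each source only sends a handful of packets. The script below is an added example, not code from this thread or from any of the posters' own tools. It parses netfilter LOG lines in the format quoted above, then groups events by destination port instead of by source IP and looks for the two-minute window with the most distinct sources. The log lines it runs on are constructed (TEST-NET addresses, 25 sources sending 9 UDP packets each to port 16137, plus a few port-22 probes from one host as background noise), and the 2009 year, the host name and the thresholds are assumptions.

```python
"""Spot a distributed probe of one port in iptables/netfilter LOG output (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Syslog prefix written by the kernel LOG target; the key=value fields follow it.
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line, year=2009):
    """Parse one LOG line into a dict; return None if it is not a LOG line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year, so the caller supplies one (assumed 2009 here)
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=year)
    kv = dict(KV_RE.findall(m.group(2)))
    if "SRC" not in kv or "PROTO" not in kv:
        return None
    return {"ts": ts, "src": kv["SRC"], "proto": kv["PROTO"],
            "dpt": kv.get("DPT", "-")}  # ICMP lines have no DPT


def find_distributed_probes(events, window_s=120, min_sources=20):
    """Per (proto, dport): find the window_s-second window with the most distinct
    source IPs and report it when that count reaches min_sources. The per-source
    maximum is reported too, to show what a per-IP threshold would have seen."""
    by_port = defaultdict(list)
    for ev in events:
        by_port[(ev["proto"], ev["dpt"])].append(ev)
    alerts = []
    for (proto, dpt), evs in by_port.items():
        evs.sort(key=lambda e: e["ts"])
        best, lo = None, 0
        for hi, ev in enumerate(evs):
            # advance the window start until the window spans at most window_s seconds
            while (ev["ts"] - evs[lo]["ts"]).total_seconds() > window_s:
                lo += 1
            per_src = Counter(e["src"] for e in evs[lo:hi + 1])
            if best is None or len(per_src) > best[0]:
                best = (len(per_src), max(per_src.values()), evs[lo]["ts"], ev["ts"])
        if best and best[0] >= min_sources:
            alerts.append({"proto": proto, "dpt": dpt, "unique_sources": best[0],
                           "max_per_source": best[1], "first": best[2], "last": best[3]})
    return alerts


# Constructed line template mirroring the LOG format quoted in the thread.
LINE_FMT = ("{ts} MachineName kernel: LOG PATTERN IN=eth2 OUT= "
            "MAC=00:00:00:00:00:00:00:00:00:00:00:00:00:00 SRC={src} DST=198.51.100.10 "
            "LEN=61 TOS=0x00 PREC=0x00 TTL=48 ID={id} PROTO={proto} SPT={spt} DPT={dpt} LEN=41")


def build_sample_log():
    """Constructed sample: 25 sources x 9 UDP packets to port 16137 inside 100 s,
    plus three TCP probes of port 22 from one source as background noise."""
    base = datetime(2009, 1, 18, 8, 9, 4)
    lines, n = [], 0
    for i in range(25):
        src = f"203.0.113.{i + 1}"  # TEST-NET-3, constructed addresses
        for _ in range(9):
            ts = base + timedelta(seconds=(n * 100) // 225)
            lines.append(LINE_FMT.format(ts=ts.strftime("%b %d %H:%M:%S"), src=src,
                                         id=n, proto="UDP", spt=7000 + i, dpt=16137))
            n += 1
    for secs in (10, 40, 70):
        ts = base + timedelta(seconds=secs)
        lines.append(LINE_FMT.format(ts=ts.strftime("%b %d %H:%M:%S"), src="192.0.2.7",
                                     id=n, proto="TCP", spt=4444, dpt=22))
        n += 1
    return lines


def analyze(lines, **kw):
    """Parse raw log lines and return the distributed-probe alerts."""
    events = [e for e in map(parse_line, lines) if e]
    return find_distributed_probes(events, **kw)


if __name__ == "__main__":
    for a in analyze(build_sample_log()):
        print(f"{a['proto']}/{a['dpt']}: {a['unique_sources']} sources, at most "
              f"{a['max_per_source']} packets each, {a['first']:%H:%M:%S}-{a['last']:%H:%M:%S}")
```

On the constructed sample this reports UDP/16137 with 25 sources and at most 9 packets per source, while the three port-22 probes from a single host stay below the source threshold. A per-IP counter set to trigger at, say, 10 attempts would have ignored every one of those 25 sources, which is the point jschiwal makes; keying the count on the destination port instead makes the whole burst visible. Against real logs, `analyze(open("/var/log/messages").read().splitlines())` is the natural call, with `year` passed to `parse_line` for logs that cross a year boundary.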

/dev/me 01-19-2009 06:54 AM

Just comparing one of the ssh_attackers lists with my own logs gave plenty of hits. Indeed, they are flying below the radar. There seems to be mucho interest in port 22 and 443, while I use neither; I got a bit tired of an average of 400 attacks/day on ssh a long time ago. I moved the port up, and the login logs are quiet now Clarice...


Still they keep coming in. I can honestly say each and every attempt at port 22 is either hostile or my own self forgetting to set the -p flag. Signal on that port is just logged and dropped.

Since my last log reset about a month ago it gives 118 unique IP's doing a grand total of 229 attempts on port 22. And of those unique IP's about 12 correspond with the ssh_attackers list found in one of the above links. That may be relatively few, but considering there's nothing listening on this port, it's just the background noise of the internet. I'll have a look, see if they are still interested in my list of IP's.

Although the attacks that I posted about above didn't target port 22 or 443, the pattern seems similar enough. Maybe it's something else trying a similar method. Port 16137, for all I know it's a network port of some app that is in use.




___


It's not a problem to me, what will be a problem is when one of these kids learns to read and finds an explanation of the -p flag deep down in the nmap man page. Hmmmmm, I always assumed nmap triggers the rate limiter, but yesterday I found there are tools that scan without triggering the rate limiter. That, too, is a problem, eventually.... but I believe snort will detect them (untested).


Ah well, on the one hand I'm not using single metric security. Should be safe for now. On the other hand, I am glad I brought it up. Thanks for your insights!

catworld 01-19-2009 08:16 AM

Hey /dev/me, (great handle by the way =) ) Like I said once any machine is exposed to the wilds all manner of inappropriate mayhem ensues. It doesn't matter port 22 isn't in use, the script kiddies will hit it simply because the IP is there and has (any) services available. (open ports)

99% of them don't know what man nmap is, they just download, point and click. There are of course pro black hats, responsible for a vast amount of garbage, and they are hitting you too, though for the most part all this stuff is automated.

It really takes a sick pup to lay hands on a system. They'd have to have good reason, such as trade secrets or potential personal information. Other than that what the bots are after is an unpatched system to add to the numbers.

Not much you can do about it. I remember a few years ago some kid on the local trunk was flooding the segment with ARP packets, millions of them over about a week. The ISP finally caught the perp and shut him down.

But in that interim there was a DoS going on, of which the kiddie himself was entirely unaware. Most of those sad sacks have no clue what they are doing. I, for one, find it comforting that no one is trying to crack my systems hands-on. The automated stuff can get you, but it's usually easily fixed and preventable from there on out.

Good luck and have fun. Of the two, I'd definitely suggest studying snort before getting involved in honey pots. (though the latter is infinitely more fun, and can actually be a security measure. read up on security + honey pot)

/dev/me 01-19-2009 09:11 AM

Quote:

Originally Posted by catworld
great handle by the way =)

Thanks! Although in retrospect it should have been /dev/me@, as it is obviously a symlink :D

Quote:

Originally Posted by catworld
There are of course pro black hats, responsible for a vast amount of garbage, and they are hitting you too, though for the most part all this stuff is automated.

Yeah, but from the other side... I had my WiFi security off because I was testing a buggy beta driver on a netbook. I found my neighbors started stealing my internet (using an OSX no less, and they apparently have two)... and I felt it was infinitely more fun to set up an 'upside down ternet' than to re-enable WiFi security. Yeah, that was fun for a couple of weeks, until I found a wardriver LIVE on the system a while ago. I was too much yellow chicken to walk outside and beat the crap out of him, just ran some scans and disabled wireless on the router. A minute later, I heard an engine start and a car drove off. Black Hats...


Quote:

Originally Posted by catworld
Good luck and have fun. Of the two, I'd definitely suggest studying snort before getting involved in honey pots. (though the latter is infinitely more fun, and can actually be a security measure. read up on security + honey pot)

Yeah I'll do that. It's just, I've written my own firewall, logmonitor, blacklister and whitelister and they work together pretty well. I'm first looking into how I can introduce snort into this mix without breaking anything before I do anything else.

catworld 01-19-2009 09:39 AM

I run smoothwall firewalls everywhere. I must have deployed a hundred of them by now. One time I came across a nifty thing to do to people freeloading on your wifi; restrict them so no matter what they try they get redirected to a single site. They can't get off that site to save their lives.

The site the tutorial used was "kittenwar!." What a hoot!

http://kittenwar.com/

The discussion:

http://community.smoothwall.org/foru...ilit=kittenwar

unixfool 01-22-2009 11:16 AM

Here's another (internal to these forums) link as to what I was stating earlier:

http://www.linuxquestions.org/questi...ed+brute+force

catworld 01-22-2009 12:15 PM

I read through those links, thanks unixfool. I see nobody suggesting moving ssh off the standard port. I always do, and never see so much as a peep of unwanted traffic trying to access ssh.

I set perimeters to drop 22 without logging, but other measures show I'm not being hit on 22 at all, forget about 'flooded.' I'd expect these attacks automatically sniff 22 first, and only poke the IPs that responded.

Ergo with probably 99% of this crap being automated, 99% of it never comes to my attention.

Wish I could say the same for ftp. =(


All times are GMT -5.