Strange attack pattern?
I'm running a Slackware server, more for testing and self-education so no critical data is stored on it, although it is functional IRL. I've written my own firewall, and log monitoring script. Nothing fancy, but with a homebrew DIY feel to it.
Now obviously I see all kinds of 'attacks' coming in, and I have adjusted my firewall accordingly. I think the setup is pretty secure ATM, and I'm not worried. But still, I have trouble explaining certain kinds of attacks. It may be that the attacker is expecting another OS, so that these attacks shouldn't concern me. But still, I am curious.

Pattern: within the course of a minute or two, multiple (20~30) unique IPs send many requests to an unused port on my machine. A typical entry looks like this:

Jan 18 08:09:04 MachineName kernel: LOG PATTERN IN=eth2 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=XXX.XXX.XXX.XXX DST=YYY.YYY.YYY.YYY LEN=61 TOS=0x00 PREC=0x00 TTL=48 ID=36573 PROTO=UDP SPT=7345 DPT=16137 LEN=41

In this particular attempt (to do what?) 25 unique IPs all do many requests (what?) from DPT 16137. And that is the pattern. I have this happen to me more often, always somewhere between 20 and 30 unique IPs all requesting some high up port UDP style and never taking more than 2 minutes from start to finish so to speak. As a funny aside, all unique IPs seemingly attempt a number of times in multiples of 9. And this is regardless of how the firewall threads them.

I really fail to see what kind of attack this is. I'm used to port scans, messenger spam, brute force on FTP and SSH, php vulnerability exploits, ping sweeps and the likes. I understand those, and I know how to handle them. From a security perspective, I drop whole ranges of IPs categorically so of the above attempts only about 1/2 get through. Of this remainder all of them are dropped after a short while by the rate limiter. And the automagic blacklister does the rest.

___

I need either a reality check or some clarification. What am I dealing with here? The only thing I can imagine that this is, is someone spoofing IPs and coming in from different directions so to speak to probe my defense mechanisms? But that would require a human analyzing the outcome. I don't believe that.
I think it's something scripted, but to what end? Is someone kind enough to enlighten me on this? [edit]I talked to some people IRL that I consider more knowledgeable than myself on security and networking, and they held this resembled a DDoS attack. But... ehm... 25 IPs doing a total of ~300 attempts in two minutes is a pretty weak DDoS, isn't it? Maybe a test run? I dunno...[/edit] |
If some malicious bot sees an ftp server all bets are off. You're going to get secure ftp requests, ftp logins and plain brute force 'kill the machine' attacks. Many of the secure ftp requests will originate/terminate at high ports. I just checked my logs and the last was going for 56960.
Beyond that any public facing interface is going to see its share of the ubiquitous SQL injection attempts. This is the pay dirt of mayhem in the wild at the moment. You familiar with snort or any other intrusion detection system? Properly configured they'll cough up signatures and tell you in plain English what exactly each attempt is trying to do. |
It's just, it's the pattern of these attacks I think is weird. It's one of the reasons I keep security thresholds as low as they are now. Lower than is convenient for legitimate users prone to typos. I've been reading about the different kinds of attacks that a server may expect to endure, and I just don't see what this is. Maybe posting a screenshot will show what I mean: http://i44.tinypic.com/2j3seo3.jpg See? I can zoom in with my filter, showing all these attacks came in during a two minute interval. It's happened a couple of times before too. Always this pattern. Always multiple IPs, always a weird unused high up port. I am sure if this is scripted that more people have seen something like this. Any idea what it is trying to do? ___ PS 'HOSTILE_COUTRY DROP' means the source IP is categorically dropped by range. 'BLACKLISTED' means the source IP triggered the blacklister. As you can see, it doesn't take a whole lot ;-) |
<quote>I am sure if this is scripted that more people have seen something like this. Any idea what it is trying to do?</quote>
Yeah, gunk up your system or outright take it over. :D I'd post my IDS logs but it'd be a pain to clean out the IPs. But I get 1,000 SQL injection attacks a day and I do not run SQL either. I see attacks against flaws that don't exist on my systems or have long been patched. Doesn't matter, any public facing interface is gonna hear about it. The script kiddies at play, it's almost all automated. If you see a sudden spike then no doubt some kiddie left his ftp sniffer going overnight, it flagged you, and now you're in the pool of IPs he's unleashing his next free crackware download upon. Pain in the butt, but I manually filter out the ones that don't go away on their own. |
Ah well, at least the security system got a good test drive again. |
It is fun. You should look into the honeyd project. Most distros have it packaged and easily installable. You might also want to read "steal this book," whatever the current version. I understand that's the goobermint's security spook bible.
isc.sans.org's diary has been tracking distributed brute force attempts. I think this is what you're seeing. I'm trying to find a link (will edit this post when I find the URL). EDIT - Here it is: http://isc.sans.org/diary.html?storyid=5114 Here are other links: http://www.google.com/search?hl=en&a...i=&safe=images |
A recent poster noted an increase in distributed attacks against ssh. Using different IPs and not repeating them or increasing the time between attempts, it might fool fail2ban which is triggered on repetition.
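A small detector, added here as an illustration and not code from anyone in the thread, that parses kernel netfilter LOG lines of the form quoted in the original post and contrasts the two counting strategies the discussion turns on: a per-source threshold of the kind fail2ban or the OP's rate limiter keys on, which a distributed burst slips under when each address only sends a handful of packets, and a per-destination-port count of distinct sources inside a sliding two-minute window, which is what exposes the 20-30-IP pattern. The log lines, the RFC 5737 documentation addresses, the assumed year 2009 for the year-less syslog timestamps and the thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the netfilter kernel LOG format quoted in the thread
# ("... kernel: <prefix> IN=eth2 OUT= MAC=... SRC=... DST=... PROTO=UDP SPT=... DPT=...").
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: (?P<label>.*?) ?IN=\S* OUT=\S* "
    r"(?:MAC=\S+ )?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2009):
    """Parse one LOG line into a dict, or return None if it is not a netfilter LOG entry.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2009 here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "src": m.group("src"), "dst": m.group("dst"),
            "proto": m.group("proto"), "dpt": int(m.group("dpt")),
            "label": m.group("label").strip()}


def per_source_trips(events, threshold=10):
    """Per-source counting, the way fail2ban or a rate limiter keys on one offender:
    a source is flagged only once it alone reaches `threshold` hits."""
    counts = defaultdict(int)
    for e in events:
        counts[e["src"]] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


def distributed_bursts(events, window_seconds=120, min_sources=20):
    """Per-target counting: flag each (proto, dpt) that is hit by at least
    `min_sources` distinct sources inside any `window_seconds` sliding window,
    regardless of how few packets each individual source sends."""
    by_target = defaultdict(list)
    for e in events:
        by_target[(e["proto"], e["dpt"])].append((e["ts"], e["src"]))
    findings = []
    for (proto, dpt), hits in by_target.items():
        hits.sort()
        best, lo = 0, 0
        for hi in range(len(hits)):
            # advance the window start until the window spans at most window_seconds
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, len({src for _, src in hits[lo:hi + 1]}))
        if best >= min_sources:
            findings.append({"proto": proto, "dpt": dpt,
                             "distinct_sources": best, "hits": len(hits)})
    return findings


def _fmt(t, src, proto, spt, dpt):
    """Build a constructed LOG line in the thread's format (RFC 5737 addresses)."""
    tail = "LEN=41" if proto == "UDP" else "WINDOW=5840 RES=0x00 SYN URGP=0"
    return (f"{t.strftime('%b %d %H:%M:%S')} MachineName kernel: LOG PATTERN IN=eth2 OUT= "
            f"MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC={src} DST=203.0.113.10 "
            f"LEN=61 TOS=0x00 PREC=0x00 TTL=48 ID=36573 PROTO={proto} SPT={spt} DPT={dpt} {tail}")


def make_sample_log():
    """Constructed sample: 25 sources, 9 UDP packets each to port 16137 inside two
    minutes (the pattern from the original post), plus one source probing TCP/22
    twelve times spread over an hour (the classic single-offender case)."""
    lines = []
    base = datetime(2009, 1, 18, 8, 9, 4)
    for i in range(25):
        for k in range(9):
            t = base + timedelta(seconds=(i * 9 + k) * 120 // 225)
            lines.append(_fmt(t, f"192.0.2.{i + 1}", "UDP", 7000 + i, 16137))
    for k in range(12):
        lines.append(_fmt(base + timedelta(minutes=5 * k), "198.51.100.7", "TCP", 40000 + k, 22))
    return lines


if __name__ == "__main__":
    events = [e for e in map(parse_line, make_sample_log()) if e]
    print("per-source threshold flags:", per_source_trips(events))
    print("distributed bursts:", distributed_bursts(events))
```

Run against the constructed sample, the per-source threshold flags only the lone TCP/22 prober (12 hits), while all 25 UDP sources stay under it at 9 hits apiece; the per-target window, by contrast, reports UDP/16137 with 25 distinct sources and 225 packets and says nothing about port 22, where only one source appears. Keying a second counter on the destination port rather than the source is the cheap way to make a log monitor notice a burst that no single address is responsible for.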
Just comparing one of the ssh_attackers lists with my own logs gave plenty of hits. Indeed, they are flying below the radar. There seems to be mucho interest in port 22 and 443, while I use neither; I got a bit tired of an average of 400 attacks/day on ssh a long time ago. I moved the port up, and the login logs are quiet now Clarice...
Still they keep coming in. I can honestly say each and every attempt at port 22 is either hostile or my own self forgetting to set the -p flag. Signal on that port is just logged and dropped. Since my last log reset about a month ago it gives 118 unique IPs doing a grand total of 229 attempts on port 22. And of those unique IPs about 12 correspond with the ssh_attackers list found in one of the above links. That may be relatively few, but considering there's nothing listening on this port, it's just the background noise of the internet. I'll have a look, see if they are still interested in my list of IPs. Although the attacks that I posted about above didn't target port 22 or 443, the pattern seems similar enough. Maybe it's something else trying a similar method. Port 16137, for all I know it's a network port of some app that is in use. ___ It's not a problem to me, what will be a problem is when one of these kids learns to read and finds an explanation of the -p flag deep down in the nmap man page. Hmmmmm, I always assumed nmap triggers the rate limiter, but yesterday I found there are tools that scan without triggering the rate limiter. That, too, is a problem, eventually.... but I believe snort will detect them (untested). Ah well, on the one hand I'm not using single metric security. Should be safe for now. On the other hand, I am glad I brought it up. Thanks for your insights! |
Hey /dev/me, (great handle by the way =) ) Like I said once any machine is exposed to the wilds all manner of inappropriate mayhem ensues. It doesn't matter port 22 isn't in use, the script kiddies will hit it simply because the IP is there and has (any) services available. (open ports)
99% of them don't know what man nmap is, they just download, point and click. There are of course pro black hats, responsible for a vast amount of garbage, and they are hitting you too, though for the most part all this stuff is automated. It really takes a sick pup to lay hands on a system. They'd have to have good reason, such as trade secrets or potential personal information. Other than that what the bots are after is an unpatched system to add to the numbers. Not much you can do about it. I remember a few years ago some kid on the local trunk was flooding the segment with ARP packets, millions of them over about a week. The ISP finally caught the perp and shut him down. But in that interim there was a DoS going on, of which the kiddie himself was entirely unaware. Most of those sad sacks have no clue what they are doing. I, for one, find it comforting that no one is trying to crack my systems hands-on. The automated stuff can get you, but it's usually easily fixed and preventable from there on out. Good luck and have fun. Of the two, I'd definitely suggest studying snort before getting involved in honey pots. (though the latter is infinitely more fun, and can actually be a security measure. read up on security + honey pot) |
I run smoothwall firewalls everywhere. I must have deployed a hundred of them by now. One time I came across a nifty thing to do to people freeloading on your wifi; restrict them so no matter what they try they get redirected to a single site. They can't get off that site to save their lives.
The site the tutorial used was "kittenwar!." What a hoot! http://kittenwar.com/ The discussion: http://community.smoothwall.org/foru...ilit=kittenwar |
Here's another (internal to these forums) link as to what I was stating earlier:
http://www.linuxquestions.org/questi...ed+brute+force |
I read through those links, thanks unixfool. I see nobody suggesting moving ssh off the standard port. I always do, and never see so much as a peep of unwanted traffic trying to access ssh.
I set perimeters to drop 22 without logging, but other measures show I'm not being hit on 22 at all, forget about 'flooded.' I'd expect these attacks automatically sniff 22 first, and only poke the IPs that responded. Ergo with probably 99% of this crap being automated, 99% of it never comes to my attention. Wish I could say the same for ftp. =( |