Monday, May 12, 2008

botnet foo

so there's an interesting thread on the incidents mailing list talking about bruteforce ssh attacks...

yea yea, old news...

but what's interesting isn't the brute ssh stuff, but the level of sophistication and coordination in the botnet itself. i'd only recently heard of denyhosts, which maintains a blacklist of known-hostile IP addresses that attack ssh servers. if a new IP fails logins to an ssh server, it gets added to the list...

it seems that this botnet is actively trying to get around this defense mechanism by coordinating attacks so that different login attempts come from different IP addresses. so you'll see an attempt pattern like this:

x.x.x.x: user=alice
y.y.y.y: user=bob
z.z.z.z: user=charlie

the really nifty bit is that state is apparently maintained as the botnet iterates through the dictionary of users... one admin reported that if you blacklist ssh from all but a few /8's, the attacks will cease for a while, but eventually one will come from the whitelisted IP address block, and it will try the next alphabetical username...
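as an added illustration (not from the mailing list thread or from denyhosts itself), here's a small python detector showing why per-IP counting misses this botnet and what a defender can correlate instead: it parses constructed sshd "Failed password" lines and flags a run of failures where the usernames advance in sorted order while every attempt comes from a different source IP. the log lines, thresholds and window are assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not real traffic): one failure per IP,
# usernames walking the dictionary alphabetically, then an unrelated attempt.
SAMPLE_LOG = """\
May 12 10:00:01 host sshd[101]: Failed password for invalid user alice from 10.0.0.1 port 4001 ssh2
May 12 10:00:04 host sshd[102]: Failed password for invalid user bob from 10.0.0.2 port 4002 ssh2
May 12 10:00:07 host sshd[103]: Failed password for invalid user charlie from 10.0.0.3 port 4003 ssh2
May 12 10:00:10 host sshd[104]: Failed password for invalid user dave from 10.0.0.4 port 4004 ssh2
May 12 10:00:13 host sshd[105]: Failed password for invalid user erin from 10.0.0.5 port 4005 ssh2
May 12 10:03:00 host sshd[106]: Failed password for invalid user root from 10.0.0.9 port 4009 ssh2
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def parse_failures(text, year=2008):
    """Return (timestamp, username, source_ip) for each failed-login line (syslog has no year)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def per_ip_threshold(events, limit=3):
    """denyhosts-style view: IPs with >= limit failures. One failure per IP means nothing fires."""
    counts = defaultdict(int)
    for _, _, ip in events:
        counts[ip] += 1
    return {ip for ip, n in counts.items() if n >= limit}

def distributed_dictionary_walk(events, window_s=60, min_ips=4):
    """Flag runs where usernames strictly ascend, each attempt uses a new IP, and gaps stay within window_s."""
    events = sorted(events)
    alerts, i = [], 0
    while i < len(events):
        seen, j = {events[i][2]}, i
        while j + 1 < len(events):
            ts, user, ip = events[j + 1]
            prev_ts, prev_user, _ = events[j]
            if not (user > prev_user and ip not in seen
                    and (ts - prev_ts).total_seconds() <= window_s):
                break
            seen.add(ip)
            j += 1
        if len(seen) >= min_ips:
            alerts.append((events[i][1], events[j][1], len(seen)))  # first user, last user, distinct IPs
        i = j + 1
    return alerts
```

on the sample, per_ip_threshold returns nothing while distributed_dictionary_walk reports the alice..erin run across five IPs; the root attempt falls outside the window and is not counted.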

i really need to get a gig as an engineer at an ISP so i can spend some time writing code to identify and disrupt botnets... more needs to be done in that area... but yet again, there is this whole debate about the ethics of dismantling botnets... i haven't thought about it enough yet, but there are clearly important points on both sides of the issue. but let's cut through all of that high-brow legalese and ethical stuff (i'd rather go listen to Jennifer Granick talk about this stuff at bh/dc this year instead of flaming over it anyway;) and cut right to something more grounded...

comcast is talking about bandwidth caps and charges for overuse... so, tell me, what is going to happen when your grandma's bot-infested box is spewing spam and she gets a big old bill from comcast...?
