Re: Tar pitting automated attacks
Jonathan Chen wrote:
> On Tue, Sep 07, 2004 at 09:42:16AM -0400, Mike Galvez wrote:
> > Is there a method to make this more expensive to the attacker, such as tar-pitting?
>
> Put in a ipfw block on the netblock/country. At the very least it will make it pretty slow for the initial TCP handshake.
>
> Cheers.

I don't know how this particular scanner works, but if I were to write a scanner which is supposed to scan as many hosts as possible as quickly as possible, I would simply start sending out SYNs as fast as I can or my master told me, without tracking to which hosts I sent one (just do a count upwards or something like that). Then I would simply collect those hosts that do respond with an ACK and put only them in the queue for further processing. Whether your host sends a NAK or nothing is the same to me. So I don't think a block will cause any significant harm to these attacks.

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: Tar pitting automated attacks
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hauber
Sent: Wednesday, September 08, 2004 9:35 AM
To: [EMAIL PROTECTED]
Subject: Re: Tar pitting automated attacks

> I realize this is probably a dumb question (I quietly drop everything incoming unless it's keep-state, and I only allow ssh internally)...
>
> If you're needing to ssh to your machine from a limited range of IPs, then why not tell your PF to drop incoming unless it's within that range?

Yes, that is how it is usually done. But the OP's goal was to tie up the attacker's resources so the attacker cannot go and bang on other people.

Blocking access to the ssh port to most of the Internet actually helps the attacker, because the attacker will attempt to open a connection, and 5 minutes later when the connection open has still not completed, the attacker will mark off that IP and continue onto attacking the next person.

So it comes down to what do you want - if you want to clean your logs and not be attacked, then use port filtering, otherwise if you want to waste attackers' resources, make sure your ssh port is available, and use good passwords so an attack won't succeed.

Tarpitting is equivalent to port filtering from the attacker's point of view - they know how to detect a tar pit and will move on and not get stuck in it.

Ted
Re: Tar pitting automated attacks
On Thursday 09 September 2004 11:00 am, Ted Mittelstaedt proclaimed:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hauber
> Sent: Wednesday, September 08, 2004 9:35 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Tar pitting automated attacks
>
> > I realize this is probably a dumb question (I quietly drop everything incoming unless it's keep-state, and I only allow ssh internally)...
> >
> > If you're needing to ssh to your machine from a limited range of IPs, then why not tell your PF to drop incoming unless it's within that range?
>
> Yes, that is how it is usually done. But the OP's goal was to tie up the attacker's resources so the attacker cannot go and bang on other people.
>
> Blocking access to the ssh port to most of the Internet actually helps the attacker, because the attacker will attempt to open a connection, and 5 minutes later when the connection open has still not completed, the attacker will mark off that IP and continue onto attacking the next person.
>
> So it comes down to what do you want - if you want to clean your logs and not be attacked, then use port filtering, otherwise if you want to waste attackers' resources, make sure your ssh port is available, and use good passwords so an attack won't succeed.
>
> Tarpitting is equivalent to port filtering from the attacker's point of view - they know how to detect a tar pit and will move on and not get stuck in it.
>
> Ted

That makes sense... I haven't gotten so much into security that I would want to invite a potential cracker. I would just assume they go and bug someone else (who knows, maybe it will result in more BSD admins. :) )

How difficult would it be to have a dummy system setup on the LAN where incoming SSH could be transparently routed to?

In fact (and even the idea gives me the creeps), how difficult would it be to change root to something else, and then create a dummy root account?

I mean, if one is attempting to get a cracker to waste his time, then why not wet his whistle and let him think he's actually getting somewhere?

I don't know anything about this kind of thing (I'm just not devious enough, I guess). How should I go about googling this to learn more? Is there a term for it?

Thx,
Mike
Re: Tar pitting automated attacks
On Sep 9, 2004, at 11:44 AM, Mike Hauber wrote:

> That makes sense... I haven't gotten so much into security that I would want to invite a potential cracker. I would just assume they go and bug someone else (who knows, maybe it will result in more BSD admins. :) )
>
> How difficult would it be to have a dummy system setup on the LAN where incoming SSH could be transparently routed to?

Depending on your router, very easy. Redirect a port on the router to point to an inside computer running the service you want redirected. I used to do it all the time with my home Linksys system...redirected mail to one of the computers inside and web requests to a second computer. From the outside world, they both looked like my NATed address facing the Internet.

> In fact (and even the idea gives me the creeps), how difficult would it be to change root to something else, and then create a dummy root account?

Not hard at all...anyone with the UID of 0 on a UNIX system is root. Change the UID and you have a new root...reassign the UID of root and it will no longer have superuser privileges. However, this may break some programs or some functionality, and if the hacker had intelligence above a cucumber they would be reaching for UID 0, not necessarily just root by name. Wouldn't take them long to realize something was wrong if they got root and weren't able to do some things or see files that are supposed to be readable by UID 0...

> I mean, if one is attempting to get a cracker to waste his time, then why not wet his whistle and let him think he's actually getting somewhere?
>
> I don't know anything about this kind of thing (I'm just not devious enough, I guess). How should I go about googling this to learn more? Is there a term for it?

Honeypot and Honeynet. :-)

What may work better is a system that is in a DMZ, virtualized within something like VMWare (is Virtual PC ever used for something like this?). Honeypots are often run in environments like that for analysis and monitoring.

But if you're truly paranoid, this computer would be on its own segment on the other side of its own firewall...i.e., you have your internet connection to your router, then to the network containing your honeypot machine and image, and then another router/firewall protecting your actual network, and never the twain shall meet (plus monitoring software on your internal *NIX systems...like snort...to check for leaks). At least, that's how I would do it if I had limited resources but really wanted to try to lure them in.

Letting ANY experimental, unpatched network image run as a honeypot inside your actual network where regular email and net traffic flow is a bad idea, and if the image is cracked, it is still possible for it to start flooding your Internet connection and may result in some overzealous admins blacklisting you or blocking off access from your IP, unless you get a second IP to the internet and use that entirely as your honeynet.

-Bart
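Bart's point that UID 0, not the name "root", is what confers superuser rights can be turned into a routine check. The following is an added example, not code from anyone on this thread: a Python audit of /etc/passwd text that lists every UID-0 account, flags any not on an allow list, and notices a "root" entry that no longer has UID 0 (the renamed-root idea above). The allow list (root plus toor, FreeBSD's stock pair) and the sample passwd contents are assumptions.

```python
def audit_passwd(passwd_text, allowed_uid0=("root", "toor")):
    """Check /etc/passwd text for accounts that hold superuser rights.

    Returns (uid0_accounts, warnings). An account is root by virtue of
    UID 0 whatever its name, so the check keys on the numeric field.
    FreeBSD ships 'toor' as a second UID-0 account, hence the default
    allow list (assumed here). A renamed root shows up as an unexpected
    UID-0 name plus a 'root' entry without UID 0.
    """
    uid0 = []
    warnings = []
    for lineno, line in enumerate(passwd_text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # /etc/passwd has 7 fields; master.passwd has 10
            warnings.append(f"line {lineno}: expected 7 fields, got {len(fields)}")
            continue
        name, uid_field = fields[0], fields[2]
        if not uid_field.isdigit():
            warnings.append(f"line {lineno}: non-numeric UID for {name!r}")
            continue
        if int(uid_field) == 0:
            uid0.append(name)
            if name not in allowed_uid0:
                warnings.append(f"line {lineno}: unexpected UID-0 account {name!r}")
        elif name == "root":
            warnings.append(f"line {lineno}: account 'root' has UID {uid_field}, not 0")
    return uid0, warnings


# Constructed sample: a stock-looking FreeBSD passwd plus one planted UID-0 account.
SAMPLE_PASSWD = """\
# constructed sample, not a real system's file
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
backup:*:0:0:Backup:/var/backups:/bin/sh
mike:*:1001:1001:Mike:/home/mike:/bin/sh
"""

if __name__ == "__main__":
    accounts, problems = audit_passwd(SAMPLE_PASSWD)
    print("UID 0 accounts:", ", ".join(accounts))
    for problem in problems:
        print("WARNING:", problem)
```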
RE: Tar pitting automated attacks
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hauber
Sent: Thursday, September 09, 2004 8:44 AM
To: [EMAIL PROTECTED]
Subject: Re: Tar pitting automated attacks

> How difficult would it be to have a dummy system setup on the LAN where incoming SSH could be transparently routed to?
>
> In fact (and even the idea gives me the creeps), how difficult would it be to change root to something else, and then create a dummy root account?
>
> I mean, if one is attempting to get a cracker to waste his time, then why not wet his whistle and let him think he's actually getting somewhere?
>
> I don't know anything about this kind of thing (I'm just not devious enough, I guess). How should I go about googling this to learn more? Is there a term for it?

Search the term "honeypot servers".

Ted
RE: Tar pitting automated attacks
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Galvez
Sent: Tuesday, September 07, 2004 6:42 AM
To: [EMAIL PROTECTED]
Subject: Tar pitting automated attacks

> Is there a method to make this more expensive to the attacker, such as tar-pitting?

No. These days attackers use distributed networks of cracked PCs to launch attacks. The vast bulk of these attacks is automated. The cracker merely feeds in a job and pushes it to his network to work away at. Most of the time the cracker spends is in adding new machines that have vulnerabilities into his distributed network of cracked PCs.

If you successfully erect a network block, the cracker's software will just go to the next IP in the sequence to attack. You're actually doing more damage to the cracker's distributed network by your SSH server patiently saying no, no, no, no, no, no, etc. for 20-50 thousand times, because that ties the cracked PC up for a lot longer just working away at your system.

I presume of course that you aren't using guessable passwords and you have everything patched to current levels.

If you want to do damage to the attacker, you need to make a good effort at reporting the source IP numbers to the netblock managers the IP is part of. Granted, 3/4 of the time the netblock managers won't do anything about it. But whenever they do, it usually takes that cracked PC out of the distributed network. That is what costs the cracker because then the cracker has to expend work replacing it with another cracked PC. But, it is a lot like trying to pick up spilled spaghetti with tweezers. There's so many cracked PCs out there that as soon as you get one taken down, there's plenty more where that came from.

Now, if you REALLY want to damage the attacker, you throw the works at the IP numbers that are scanning you, and find the back door that the cracker is using on those hosts, then go in and hard-code the homepage on their web browser to something like http://www.fuckyou.com, making sure to use one of those cracker programs that makes it impossible for them to change it back. That is usually sufficient to get the owner of the cracked PC off their lazy ass to get their machine cleaned up.

Ted
Re: Tar pitting automated attacks
Ahh - Exactly the scenario here, except the names were different (but similar) and the source IP was: 64.124.210.23

Thanks.

On Wed, 8 Sep 2004, Jonathan Chen wrote:
> On Tue, Sep 07, 2004 at 09:42:16AM -0400, Mike Galvez wrote:
> > I am seeing a lot of automated attacks lately against sshd such as:
> > [...]
> > Sep 6 12:16:39 www sshd[29901]: Failed password for illegal user server from 159.134.244.189 port 4044 ssh2
> > Sep 6 12:16:41 www sshd[29902]: Failed password for illegal user adam from 159.134.244.189 port 4072 ssh2
> > ... etc
> >
> > Is there a method to make this more expensive to the attacker, such as tar-pitting?
>
> Put in a ipfw block on the netblock/country. At the very least it will make it pretty slow for the initial TCP handshake.

- John Mills [EMAIL PROTECTED]
Re: Tar pitting automated attacks
John Mills wrote:
> Ahh - Exactly the scenario here, except the names were different (but similar) and the source IP was: 64.124.210.23
>
> Thanks.
>
> On Wed, 8 Sep 2004, Jonathan Chen wrote:
> > On Tue, Sep 07, 2004 at 09:42:16AM -0400, Mike Galvez wrote:
> > > I am seeing a lot of automated attacks lately against sshd such as:
> > > [...]
> > > Sep 6 12:16:39 www sshd[29901]: Failed password for illegal user server from 159.134.244.189 port 4044 ssh2
> > > Sep 6 12:16:41 www sshd[29902]: Failed password for illegal user adam from 159.134.244.189 port 4072 ssh2
> > > ... etc
> > >
> > > Is there a method to make this more expensive to the attacker, such as tar-pitting?
> >
> > Put in a ipfw block on the netblock/country. At the very least it will make it pretty slow for the initial TCP handshake.
>
> - John Mills [EMAIL PROTECTED]

I really wish people would stop top posting.

--
Best regards,
Chris

Flynn is dead
Tron is dead
long live the MCP.
Re: Tar pitting automated attacks
On Wed, Sep 08, 2004 at 01:19:15AM -0700, Ted Mittelstaedt wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Galvez
> Sent: Tuesday, September 07, 2004 6:42 AM
> To: [EMAIL PROTECTED]
> Subject: Tar pitting automated attacks
>
> > Is there a method to make this more expensive to the attacker, such as tar-pitting?
>
> No. These days attackers use distributed networks of cracked PCs to launch attacks. The vast bulk of these attacks is automated. The cracker merely feeds in a job and pushes it to his network to work away at. Most of the time the cracker spends is in adding new machines that have vulnerabilities into his distributed network of cracked PCs.
>
> If you successfully erect a network block, the cracker's software will just go to the next IP in the sequence to attack. You're actually doing more damage to the cracker's distributed network by your SSH server patiently saying no, no, no, no, no, no, etc. for 20-50 thousand times, because that ties the cracked PC up for a lot longer just working away at your system.

This is why I was curious about tar-pitting. The attacker is banging away at common user accounts every 3 to 5 seconds, sometimes more than a thousand times. A tar pit or something like it could slow the attack to maybe four attempts in an hour as opposed to a thousand. I am still looking for my passive-aggressive solution.

> I presume of course that you aren't using guessable passwords and you have everything patched to current levels.
>
> If you want to do damage to the attacker, you need to make a good effort at reporting the source IP numbers to the netblock managers the IP is part of. Granted, 3/4 of the time the netblock managers won't do anything about it.

Reporting these to ISPs is like shouting at the ocean. They are most likely overwhelmed, indifferent or both.

> But whenever they do, it usually takes that cracked PC out of the distributed network. That is what costs the cracker because then the cracker has to expend work replacing it with another cracked PC. But, it is a lot like trying to pick up spilled spaghetti with tweezers. There's so many cracked PCs out there that as soon as you get one taken down, there's plenty more where that came from.
>
> Now, if you REALLY want to damage the attacker, you throw the works at the IP numbers that are scanning you, and find the back door that the cracker is using on those hosts, then go in and hard-code the homepage on their web browser to something like http://www.fuckyou.com, making sure to use one of those cracker programs that makes it impossible for them to change it back. That is usually sufficient to get the owner of the cracked PC off their lazy ass to get their machine cleaned up.
>
> Ted

--
Michael Galvez
Information Technology Specialist
University of Virginia
USENIX Member
RE: Tar pitting automated attacks
If you have no need for remote users to ssh into your system then remove the ssh enable statement from rc.conf. If you do need ssh then change its default port to something else and have all authorized remote ssh users add the new port number to the remote ssh login command. This will stop all your bad ssh login attempts.

Then you can have your ipfilter firewall log all the ssh attempts to the ssh default port number and then run the log through this abuse reporting application.

http://freebsd.a1poweruser.com:6088/99.20-abuse_rpts_download.htm

This application has been made into a FreeBSD port but it has not been officially accepted yet. This is my passive-aggressive solution to putting a stop to port scanning.
RE: Tar pitting automated attacks
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Galvez
Sent: Wednesday, September 08, 2004 7:55 AM
To: Ted Mittelstaedt

> > If you successfully erect a network block, the cracker's software will just go to the next IP in the sequence to attack. You're actually doing more damage to the cracker's distributed network by your SSH server patiently saying no, no, no, no, no, no, etc. for 20-50 thousand times, because that ties the cracked PC up for a lot longer just working away at your system.
>
> This is why I was curious about tar-pitting. The attacker is banging away at common user accounts every 3 to 5 seconds, sometimes more than a thousand times. A tar pit or something like it could slow the attack to maybe four attempts in an hour as opposed to a thousand.

No it won't, because the attackers know they are unloved, and they use scanning software that will abandon the attempt after a settable timeout. Try running Nessus sometime against a tarpitted IP. Tarpits were fine against extremely unsophisticated software but the war has moved on.

Ted
Re: Tar pitting automated attacks
On Wednesday 08 September 2004 10:54 am, Mike Galvez proclaimed:
> On Wed, Sep 08, 2004 at 01:19:15AM -0700, Ted Mittelstaedt wrote:
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Galvez
> > Sent: Tuesday, September 07, 2004 6:42 AM
> > To: [EMAIL PROTECTED]
> > Subject: Tar pitting automated attacks
> >
> > > Is there a method to make this more expensive to the attacker, such as tar-pitting?
> >
> > No. These days attackers use distributed networks of cracked PCs to launch attacks. The vast bulk of these attacks is automated. The cracker merely feeds in a job and pushes it to his network to work away at. Most of the time the cracker spends is in adding new machines that have vulnerabilities into his distributed network of cracked PCs.
> >
> > If you successfully erect a network block, the cracker's software will just go to the next IP in the sequence to attack. You're actually doing more damage to the cracker's distributed network by your SSH server patiently saying no, no, no, no, no, no, etc. for 20-50 thousand times, because that ties the cracked PC up for a lot longer just working away at your system.
>
> This is why I was curious about tar-pitting. The attacker is banging away at common user accounts every 3 to 5 seconds, sometimes more than a thousand times. A tar pit or something like it could slow the attack to maybe four attempts in an hour as opposed to a thousand. I am still looking for my passive-aggressive solution.
>
> > I presume of course that you aren't using guessable passwords and you have everything patched to current levels.
> >
> > If you want to do damage to the attacker, you need to make a good effort at reporting the source IP numbers to the netblock managers the IP is part of. Granted, 3/4 of the time the netblock managers won't do anything about it.
>
> Reporting these to ISPs is like shouting at the ocean. They are most likely overwhelmed, indifferent or both.
>
> > But whenever they do, it usually takes that cracked PC out of the distributed network. That is what costs the cracker because then the cracker has to expend work replacing it with another cracked PC. But, it is a lot like trying to pick up spilled spaghetti with tweezers. There's so many cracked PCs out there that as soon as you get one taken down, there's plenty more where that came from.
> >
> > Now, if you REALLY want to damage the attacker, you throw the works at the IP numbers that are scanning you, and find the back door that the cracker is using on those hosts, then go in and hard-code the homepage on their web browser to something like http://www.fuckyou.com, making sure to use one of those cracker programs that makes it impossible for them to change it back. That is usually sufficient to get the owner of the cracked PC off their lazy ass to get their machine cleaned up.
> >
> > Ted

I realize this is probably a dumb question (I quietly drop everything incoming unless it's keep-state, and I only allow ssh internally)...

If you're needing to ssh to your machine from a limited range of IPs, then why not tell your PF to drop incoming unless it's within that range? I know it puts a limit on your options for connecting, but on the other hand it also makes an attack not worth the time and resources. (That is the way I'm understanding it, but I'm still learning)

On the other hand, I would imagine that it wouldn't be too difficult to write some code that would detect repeated, failed attempts and then quietly drop incoming for a predetermined amount of time (could be reset by dialing in, too). I wouldn't have a clue as to how to do it, but it _seems_ logical. :)

Just curious,
Mike
Re: Tar pitting automated attacks
On Tue, Sep 07, 2004 at 09:42:16AM -0400, Mike Galvez wrote:
> I am seeing a lot of automated attacks lately against sshd such as:
> [...]
> Sep 6 12:16:39 www sshd[29901]: Failed password for illegal user server from 159.134.244.189 port 4044 ssh2
> Sep 6 12:16:41 www sshd[29902]: Failed password for illegal user adam from 159.134.244.189 port 4072 ssh2
> Sep 6 12:16:42 www sshd[29903]: Failed password for illegal user alan from 159.134.244.189 port 4104 ssh2
> Sep 6 12:16:43 www sshd[29904]: Failed password for illegal user frank from 159.134.244.189 port 4131 ssh2
> Sep 6 12:16:44 www sshd[29905]: Failed password for illegal user george from 159.134.244.189 port 4152 ssh2
> Sep 6 12:16:45 www sshd[29906]: Failed password for illegal user henry from 159.134.244.189 port 4175 ssh2
> -- snip --
>
> Some of these go on until they turn the logs over.
>
> Is there a method to make this more expensive to the attacker, such as tar-pitting?

Put in a ipfw block on the netblock/country. At the very least it will make it pretty slow for the initial TCP handshake.

Cheers.
--
Jonathan Chen [EMAIL PROTECTED]
--
Vini, vidi, velcro...
I came, I saw, I stuck around
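Mike Hauber's idea earlier in the thread of code that detects repeated failed attempts and drops the source for a while, applied to the sshd lines Mike Galvez quoted above, as an added example (not code from anyone on this thread): a Python script that parses "Failed password" lines, flags any source with a threshold number of failures inside a sliding time window, and returns the pfctl table commands that would block it. It assumes the log year (syslog stamps carry none), a PF table named `bruteforce` referenced by a block rule in pf.conf, and a constructed log sample; the commands are returned and printed, not executed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the sshd syslog lines quoted in the thread. "illegal user" is the
# wording of the 2004-era OpenSSH in the thread; later builds say "invalid
# user", so both are accepted. Lines without either are plain-user failures.
FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\S+ sshd\[\d+\]: Failed password for (?:illegal user |invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_failed_logins(lines, year=2004):
    """Yield (timestamp, user, source_ip) per failed-password line; other
    sshd lines (accepted logins, disconnects) are skipped. `year` is an
    assumption because syslog timestamps omit it."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if not m:
            continue
        stamp = datetime.strptime(
            f"{year} {m['mon']} {int(m['day']):02d} {m['time']}",
            "%Y %b %d %H:%M:%S")
        yield stamp, m["user"], m["ip"]


def find_bruteforcers(lines, threshold=5, window_seconds=60, year=2004):
    """Return {ip: (total_failures, first_seen, last_seen)} for every source
    with at least `threshold` failures inside any `window_seconds` span.
    The sliding window keeps a few typos from a real user off the list."""
    per_ip = defaultdict(list)
    for stamp, _user, ip in parse_failed_logins(lines, year):
        per_ip[ip].append(stamp)
    hits = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, stamp in enumerate(stamps):
            while (stamp - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(stamps), stamps[0], stamps[-1])
                break
    return hits


def pf_block_commands(hits, table="bruteforce"):
    """Commands to add each offender to a PF table (the table name is an
    assumption; pf.conf must carry a block rule for it). Returned, not run."""
    return [f"pfctl -t {table} -T add {ip}" for ip in sorted(hits)]


# Constructed sample: the six lines quoted in the thread, two failures from a
# second address that stay under the threshold, and one unrelated sshd line.
SAMPLE_LOG = """\
Sep  6 12:16:39 www sshd[29901]: Failed password for illegal user server from 159.134.244.189 port 4044 ssh2
Sep  6 12:16:41 www sshd[29902]: Failed password for illegal user adam from 159.134.244.189 port 4072 ssh2
Sep  6 12:16:42 www sshd[29903]: Failed password for illegal user alan from 159.134.244.189 port 4104 ssh2
Sep  6 12:16:43 www sshd[29904]: Failed password for illegal user frank from 159.134.244.189 port 4131 ssh2
Sep  6 12:16:44 www sshd[29905]: Failed password for illegal user george from 159.134.244.189 port 4152 ssh2
Sep  6 12:16:45 www sshd[29906]: Failed password for illegal user henry from 159.134.244.189 port 4175 ssh2
Sep  6 12:20:01 www sshd[29950]: Failed password for mike from 192.0.2.10 port 5001 ssh2
Sep  6 12:20:09 www sshd[29951]: Failed password for mike from 192.0.2.10 port 5002 ssh2
Sep  6 12:20:30 www sshd[29952]: Accepted publickey for mike from 192.0.2.10 port 5003 ssh2
"""

if __name__ == "__main__":
    found = find_bruteforcers(SAMPLE_LOG.splitlines())
    for ip, (count, first, last) in found.items():
        print(f"{ip}: {count} failures between {first:%H:%M:%S} and {last:%H:%M:%S}")
    for cmd in pf_block_commands(found):
        print(cmd)
```

Feeding the script the live auth log on a timer, and expiring table entries after the chosen interval, gives the "drop for a predetermined amount of time" behaviour Mike described; the quoted attacker (159.134.244.189) trips the rule within its first five seconds of activity.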