Dictonary attacks

9 views
Skip to first unread message

ComKal Networks

unread,
Dec 12, 2011, 2:40:06 PM12/12/11
to 2600-Aus, aussi...@taz.net.au
I've notice an ever increasing number of dictonary attacks lately,
with the main change being they continue even though the IP(s)
have been blacklisted, and they are from static IP address's.

Dictonary attacks against things like POP servers normally stop
reasonably quickly once the attacking IP(s) is blacklisted.

Currently I have an attack from Turkey, over 3 IP address's I use
at home, and its just exceed 1 million attempts over the past 6 hours.
The IP was blacklisted on attempt number 8 (simultaneous POP
login attempts exceeded by 7/or hit on a auto BL login username)

Past experience tells me it will probably go for another 6-12 hours.
Most of them are normally from China/Romania, or Russia, years
ago I would have though they were compromised PC's but these
days it doesn't take much to notice those who are trying nolonger
seem to even attempt to go via a compromised PC/Proxy.

Are others also seeing this trend ?
If so any repeating IP attack ranges pop up or are they randoms ?

I've been running a mail server since about 1993, so I figure I've
got a good handle on trends :)

Cheers
Ian Manners
ComKal Networks Australia

Adding this email address to any database without prior permission
gives the owner permission to add YOUR sending IP and domain
to an international database of spammers.

Permission is only given to reply to this email, not to add this email
or other address details to ANY database.

Luc Richards

unread,
Dec 12, 2011, 5:35:14 PM12/12/11
to 2600-au...@googlegroups.com
I see a different shift in paradigm here. In the past it was normal for us to see zombies banging their head against our front door with numbers ramping up in the few weeks approaching Xmas; connections have dropped from over 99% to somewhere around 66%.

To help ease your DSL line, you might consider using ipt_recent and simply dropping packets that exceed a connection rate threshold. Just ensure that the threshold is 1 higher than that set on your mail servers so that it has a chance to tell the sender "450 - Slow down, residential area"

--
------------------------------------------------------------
You received this message because you are subscribed to the "2600 Australia" group.
To post, send email to: 2600-au...@googlegroups.com To subscribe, send email to: 2600-austral...@googlegroups.com
For 2600 monthly meetings, visit http://www.2600.org.au For more options, visit this group at http://groups.google.com/group/2600-australia
To unsubscribe, send email to: 2600-australi...@googlegroups.com
Disclaimer: Comments to this mailing list are owned by the poster
------------------------------------------------------------

Cee Gee

unread,
Dec 12, 2011, 11:40:25 PM12/12/11
to 2600-au...@googlegroups.com
If they've been trying for a while, maybe they are on a mission?
Create a honeypot and make the password easier - see what they get up
to or what they want?

Bomber

unread,
Dec 13, 2011, 3:11:53 AM12/13/11
to 2600-au...@googlegroups.com
Fail2ban
IPTABLES
Snort
Kippo

Standard tools i use to do away with the Dictionary/Bruteforce attempts
and also see what type of attacks are tried against my network. All
really simple and easy to setup.

I have no idea about trends but i use the free version of Splunk to
graft the first (3 attempts, after which they are dropped) to get an
idea on Location Source.

ad...@reviews.wox.org

unread,
Jan 26, 2012, 11:57:25 PM1/26/12
to 2600-au...@googlegroups.com
Cee Gee I can probably answer that for you, i've often asked the same question myself.  I have a honeypot server that has mail logs going back 13 years.. one day ill pull all the ips and just black list the lot if i can be bothered.  Trouble is in there is a handful of legitimate ones :(

Likely this by far is not a complete list, I don't even pretend to know everything, but here's what i found -

From my experience once they get in, they try to either:
1: use your email address to compromise a hosting or similar account "forgot your password?" or early stages of identity or domain theft
2: send piles of apparently pointless spam - ads for products or services lacking any actual method to actually use/buy/access the service they spam (its either blind publicity (eg i never heard of Cialis until i got 5000 spams on it) or Steganography  (what exactly are they saying to whom?)
3: Robbing you blind- send piles of phishing spam (please log onto your WoW/Banking/Facebook account using our convenient fake server)
4: commercial sabotage - mail bomb, send so much crap to various people that it rendered email address useless sales@ is a popular attack address (mines virtually unusable now,  15000 spams a week and strong spam filters and i still loose legitimate email - lucky i no longer use it) and then they get the added icing on the cake that your mail server very quickly finds its way into orbs or similar type black listed email servers.
So now your business can now no longer communicate by email with half your clients or suppliers, and whoever poor sods your server was being used to spam probably cant get any mail either cause its lost in the noise, or their mailbox is now full.
5: create hundreds of fake blog accounts on various sites like facebook, oasis, myspace, and various little guys - then fill it full of search engine tainting / SEO posts - i've traced some back to what appear to be large legitimate looking SEO consulting firms which is the really disgusting part.
6: insider trading - send millions of legitimate looking "trading tips" on stock they presumably bought up most of cheap, then sell it when price goes up.  Evil part here is - its a scam, but the end result is the price DOES go up for a while.  But in the end the stock is even more price trashed than they started.
7: Distribute email virus's/worms  (this is actually the least common oddly enough - probably because this line of attack exposes the original infection vector as someone has to manually compromise a starting server)

Bottom line, IMO electronic terrorism basically.   No good comes from it.

Worrying thing is its very widespread and seems curiously organised.  Its like they WANT people to stop using the internet. 


Reply all
Reply to author
Forward
0 new messages