Distributed Brute Force Attack on FTP

Posted on March 1, 2012
Filed Under Denial of Service Attacks

We’ve been tracking and countering a quite severe Distributed Brute Force Attack targeting the FTP services on all of our servers since 17:52 yesterday (29th February 2012).

The attack takes the form of repeated login attempts against various usernames, always beginning with the name component of the domain name, such as username = “domain” where the site domain is “domain.com”. It targets individual sites on each server, but not every site on any single server, so the targeting is selective.

A wide range of countries is involved, but Brazil and Portugal feature very significantly in the list. The Distributed Brute Force attack has so far emanated from 188 different IP addresses. Each IP address makes an attempt only once every 1 to 2 minutes, which looks like a sensible rate on its own, but multiplied across the sources the math shows how severe the attack is over shorter spaces of time.

The IP addresses involved so far are as follows:

Mitigating the attack comes down to monitoring incoming FTP connections, filtering multiple connections, and highlighting failed connections. On dedicated servers where we know the only FTP users have static/fixed IP addresses, port 21 is closed and only those IP addresses are allowed through the firewall on port 21. At the attack's peak (late evening GMT on the 29th February 2012), all FTP servers were shut down for a short period whilst we collected all the IP addresses involved.
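Because each source stays at one attempt every 1 to 2 minutes, highlighting failed connections only works when failures are correlated across sources. The following Python is an added example, not code from the original post: it groups failed logins by target username and flags accounts hit from several distinct addresses inside one window. The log format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed, constructed format: <ISO time> FAIL|OK user=<name> ip=<address>
LINE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) ip=(\S+)$")

SAMPLE = """\
2012-02-29T17:52:00 FAIL user=domain ip=192.0.2.10
2012-02-29T17:52:40 FAIL user=domain ip=198.51.100.7
2012-02-29T17:53:10 FAIL user=domain ip=203.0.113.25
2012-02-29T17:53:30 FAIL user=domain ip=192.0.2.10
2012-02-29T17:54:00 FAIL user=alice ip=192.0.2.99
2012-02-29T17:54:20 OK user=alice ip=192.0.2.99
2012-02-29T17:54:30 FAIL user=domain ip=198.51.100.7
"""

def failed_logins(lines):
    """Yield (time, user, ip) for every failed-login line."""
    for line in lines:
        m = LINE.match(line.strip())
        if m and m.group(2) == "FAIL":
            yield datetime.fromisoformat(m.group(1)), m.group(3), m.group(4)

def failures_per_ip(lines):
    """Failures per source address: all that a per-IP rate limit sees."""
    return Counter(ip for _, _, ip in failed_logins(lines))

def distributed_failures(lines, window=timedelta(minutes=10), min_sources=3):
    """Map usernames failing from >= min_sources IPs in one window to those IPs."""
    by_user = defaultdict(list)
    for when, user, ip in failed_logins(lines):
        by_user[user].append((when, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Drop events older than `window` relative to the current one.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            sources = {ip for _, ip in hits[start:end + 1]}
            if len(sources) >= min_sources:
                flagged.setdefault(user, set()).update(sources)
    return {user: sorted(ips) for user, ips in flagged.items()}

if __name__ == "__main__":
    print("worst single source:", failures_per_ip(SAMPLE.splitlines()).most_common(1))
    print("distributed targets:", distributed_failures(SAMPLE.splitlines()))
```

In the sample no single address exceeds two failures, yet the account named after the domain is flagged together with the three addresses that would go on the firewall block list.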



