Distributed Brute Force Attack on FTP

Posted on March 1, 2012
Filed Under Denial of Service Attacks

We have been tracking and countering a severe distributed brute-force attack targeting the FTP services on all of our servers since 17:52 yesterday (29th February 2012).

The attack takes the form of repeated login attempts against a series of usernames, always starting with the name component of the target site's domain: for a site at domain.com, the first username tried is "domain". It is aimed at individual sites on our servers rather than at every site on any one server, so in that sense the targeting is specific.

A wide range of countries is involved, but Brazil and Portugal feature very prominently in the list. So far the attack has come from 188 different IP addresses. Each address tries at a seemingly innocuous rate of once every 1 to 2 minutes, which is low enough to slip under a per-IP failed-login threshold, but multiplied across 188 sources that is roughly 90 to 190 attempts per minute against the fleet as a whole.

The list of IP addresses so far involved is as follows:

146.251.84.59
148.234.57.82
177.114.132.102
177.119.109.57
177.17.164.21
177.21.237.230
177.36.202.204
177.41.86.43
177.54.104.142
177.64.64.202
177.66.134.188
177.71.36.2
177.78.221.130
177.82.237.70
177.9.254.42
177.97.34.218
178.175.82.22
186.201.122.146
186.210.179.135
186.210.202.140
186.210.77.29
186.212.127.242
186.214.185.133
186.214.66.17
186.215.134.226
186.218.133.249
187.104.62.65
187.104.63.145
187.107.216.97
187.112.19.217
187.113.196.192
187.114.123.41
187.115.31.20
187.115.41.61
187.12.61.254
187.120.120.211
187.127.45.194
187.13.122.208
187.14.45.132
187.15.71.65
187.16.226.4
187.24.141.134
187.3.28.127
187.35.157.76
187.35.93.244
187.38.114.233
187.40.77.112
187.49.167.2
187.51.66.98
187.52.190.26
187.55.208.102
187.55.253.118
187.57.57.148
187.60.252.50
187.60.70.253
187.68.0.183
187.72.160.150
187.77.146.5
187.78.178.39
187.83.38.11
187.91.45.163
188.81.150.182
188.82.1.112
189.107.48.39
189.110.189.69
189.114.251.60
189.114.78.36
189.12.164.42
189.12.170.76
189.12.188.67
189.120.161.142
189.120.83.36
189.13.234.90
189.14.145.4
189.15.232.221
189.24.97.210
189.25.226.63
189.26.102.21
189.27.188.170
189.27.222.33
189.30.186.88
189.31.152.74
189.35.18.234
189.35.210.189
189.47.249.3
189.47.32.91
189.58.229.240
189.59.47.97
189.63.217.73
189.69.168.88
189.69.92.140
189.72.136.52
189.75.48.103
189.8.93.91
2.80.181.115
2.80.2.35
2.80.66.2
2.81.84.1
200.109.34.65
200.120.33.147
200.133.202.165
200.146.84.161
200.158.29.186
200.161.99.69
200.164.100.131
200.164.100.7
200.171.23.187
200.171.9.153
200.180.215.112
200.181.255.202
200.193.47.247
200.206.46.82
200.208.73.20
200.216.152.34
200.225.169.112
200.228.198.129
200.253.146.50
200.255.18.242
201.16.237.81
201.19.204.100
201.22.128.231
201.27.82.125
201.30.19.18
201.34.167.70
201.55.136.226
201.57.30.51
201.58.96.148
201.65.47.18
201.66.40.61
201.67.186.66
201.76.86.151
201.78.197.234
201.8.90.176
201.80.136.196
201.80.247.38
201.82.170.245
201.87.240.58
201.88.6.142
201.89.72.25
201.90.182.242
201.90.55.66
201.95.162.186
201.95.205.20
212.199.11.177
217.129.219.171
217.129.220.186
218.58.250.205
46.50.78.22
46.50.9.245
61.178.92.50
63.143.42.68
70.122.195.253
77.199.186.125
78.141.160.74
78.160.74.63
78.179.58.57
78.189.110.125
80.226.24.3
81.223.99.211
81.84.196.84
82.155.159.34
84.103.106.252
84.90.100.141
84.91.64.64
85.100.124.148
85.102.20.190
85.105.124.21
85.105.124.218
85.241.105.63
85.241.133.59
85.72.80.104
85.74.216.67
87.14.251.118
87.196.155.208
88.148.122.10
88.176.240.203
88.210.121.41
89.153.125.14
89.181.253.41
93.102.0.54
93.102.164.198
93.102.4.65
94.132.158.178
94.132.255.117
95.69.105.150
95.69.107.45
95.92.94.223

Mitigating the attack comes down to monitoring incoming FTP connections, filtering sources that open multiple connections, and highlighting failed logins. On dedicated servers where we know there are only specific FTP users, each with a static IP address, port 21 is closed by default and only those addresses are allowed through the firewall on port 21. At its peak (late evening GMT on 29th February 2012) all FTP servers were shut down for a short period while we collected the IP addresses involved.
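The triage described above, as an added example that is not part of the original post or our tooling. It assumes a constructed failed-login log format (the regex LINE_RE, which you would adapt to your FTP daemon's own message), and uses documentation IP ranges in the constructed sample. It does two things the per-IP view cannot: it keys detection on the username-begins-with-domain pattern rather than on attempt rate, and it aggregates hits across all servers so the fleet-wide rate is visible even though each source is quiet. The block and allowlist helpers emit the iptables rules for the two mitigations discussed (drop the offenders, or on dedicated servers allow only known static addresses on port 21).

```python
"""Triage of a distributed FTP brute-force attack (added example, not the post's tooling).

Assumes a constructed log line format; adapt LINE_RE to your FTP daemon's
failed-login message. Sample data uses documentation IP ranges only.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Assumed, constructed format:
# "<date> <time> <server> ftpd: FAIL LOGIN user=<u> target=<site> from=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<server>\S+) ftpd: "
    r"FAIL LOGIN user=(?P<user>\S+) target=(?P<site>\S+) from=(?P<ip>[\d.]+)$"
)

# Constructed sample spanning four minutes across two servers.
SAMPLE_LOG = """\
2012-02-29 17:52:00 web1 ftpd: FAIL LOGIN user=example target=example.com from=203.0.113.10
2012-02-29 17:52:20 web2 ftpd: FAIL LOGIN user=acme target=www.acme.co.uk from=203.0.113.11
2012-02-29 17:52:45 web1 ftpd: FAIL LOGIN user=bob target=example.com from=198.51.100.5
2012-02-29 17:53:10 web1 ftpd: OK LOGIN user=bob from=198.51.100.5
2012-02-29 17:53:30 web1 ftpd: FAIL LOGIN user=example1 target=example.com from=203.0.113.10
2012-02-29 17:53:50 web2 ftpd: FAIL LOGIN user=acme target=www.acme.co.uk from=203.0.113.12
2012-02-29 17:55:00 web1 ftpd: FAIL LOGIN user=exampleadmin target=example.com from=203.0.113.11
2012-02-29 17:56:00 web2 ftpd: FAIL LOGIN user=acme123 target=www.acme.co.uk from=203.0.113.10
""".splitlines()


def name_component(site):
    """'www.acme.co.uk' -> 'acme': the label the attacker seeds its usernames with."""
    labels = site.lower().split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return labels[0] if labels else ""


def matches_domain_pattern(user, site):
    """True when the tried username begins with the site's name component."""
    base = name_component(site)
    return bool(base) and user.lower().startswith(base)


def parse_failed_logins(lines):
    """Return one dict per failed-login line; anything else is ignored."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(e)
    return events


def triage(events):
    """Aggregate pattern-matching failures fleet-wide, not per server or per IP.

    Per-IP rate limiting misses this attack because each source tries only
    once every minute or two; the signal is the shared username pattern and
    the combined rate across all sources.
    """
    hits = [e for e in events if matches_domain_pattern(e["user"], e["site"])]
    per_ip = Counter(e["ip"] for e in hits)
    servers = defaultdict(set)
    for e in hits:
        servers[e["ip"]].add(e["server"])
    span = 0.0
    if hits:
        span = (max(e["ts"] for e in hits) - min(e["ts"] for e in hits)).total_seconds()
    minutes = max(span / 60.0, 1.0)  # never divide by less than one minute
    return {
        "sources": per_ip,
        "servers_per_source": {ip: sorted(s) for ip, s in servers.items()},
        "fleet_rate_per_min": len(hits) / minutes,
        "per_source_rate_per_min": {ip: n / minutes for ip, n in per_ip.items()},
    }


def block_rules(report, min_hits=2, port=21):
    """iptables DROP rules for sources with at least min_hits pattern failures."""
    ips = sorted(ip for ip, n in report["sources"].items() if n >= min_hits)
    return [f"iptables -A INPUT -p tcp --dport {port} -s {ip} -j DROP" for ip in ips]


def allowlist_rules(static_ips, port=21):
    """Dedicated-server variant: allow the known static FTP clients, drop everyone else."""
    rules = [f"iptables -A INPUT -p tcp --dport {port} -s {ip} -j ACCEPT" for ip in static_ips]
    rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    report = triage(parse_failed_logins(SAMPLE_LOG))
    print(f"fleet-wide pattern failures: {report['fleet_rate_per_min']:.2f}/min")
    for ip, n in report["sources"].most_common():
        print(f"{ip}: {n} attempts across {report['servers_per_source'][ip]}")
    print("\n".join(block_rules(report)))
    print("\n".join(allowlist_rules(["192.0.2.7"])))
```

In the constructed sample no single source exceeds three attempts in four minutes, which is what makes the fleet-wide aggregation and the username pattern the useful signals; the legitimate failed login for "bob" is left alone because it does not follow the pattern.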

DoS-Deflate blocks numbers, not IP addresses

Posted on August 5, 2008
Filed Under Denial of Service Attacks, Server Security, Web Hosting

We have seen a large number of problems with the implementation of the highly acclaimed (D)DoS-Deflate script, which on occasion parses the netstat output incorrectly and subsequently blocks a bare number instead of the IP address that exceeded the connection limit on the server it is installed on. See http://deflate.medialayer.com/ for the script and installation instructions.

This is purely down to the netstat command that DoS-Deflate uses: it does not account for some elements of the strings returned, in particular the ‘::ffff:’ prefix that appears in front of IPv4 peers connecting to a dual-stack listener (in our case Apache on port 80). Because ‘cut -d: -f1’ takes everything before the first colon, an address such as ‘::ffff:1.2.3.4:80’ yields an empty string; ‘uniq -c’ then emits a count with a blank address, and when the script later splits that line into count and address the count is the only field present, so it is the count that ends up being blocked.

To overcome this error, rewrite the netstat command in the ddos.sh file (in the /usr/local/ddos directory if you installed in the default fashion). Line 117 reads…

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST

this should be rewritten to read as follows…

netstat -ntu | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr > $BAD_IP_LIST

NOTE: this command must be written on a single line. Check each character after pasting it, as copying from a web page can substitute different characters (curly quotes for straight ones, for example).

We use the sed command to replace the ‘::ffff:’ with nothing (an empty string), thus removing it, and the added ‘grep ':'’ drops the two netstat header lines, which contain no colon. One caveat: the corrected line still cuts at the first colon, so a native IPv6 peer (whose address itself contains colons) is truncated to its first group; if you have IPv6 clients, strip only the trailing ‘:port’ instead.

A slight improvement to a widely used and highly acclaimed script :-)
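The behaviour described in this post, reproduced on a constructed stand-in for ‘netstat -ntu’ output, as an added example that is not DoS-Deflate's own code. It runs the original line 117, the corrected line from this post, and a further variant (an addition of ours, not from the script) that strips only the trailing port so native IPv6 peers survive too. The consume_list function mirrors how ddos.sh reads the list (first field count, second field address) so you can see why the blank address turns into a blocked number; the sample uses documentation address ranges only.

```shell
#!/bin/sh
# Added example (not DoS-Deflate's own code): reproduce the parsing bug on a
# constructed netstat sample, then show the post's fix and an IPv6-safe variant.

# Constructed stand-in for `netstat -ntu`: one IPv4 FTP peer, three connections
# from one IPv4 client to a dual-stack port-80 listener (hence the ::ffff:
# prefix) and one native IPv6 peer. Documentation address ranges only.
sample_netstat() {
cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:21           198.51.100.7:51234      ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:40001 ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:40002 ESTABLISHED
tcp6       0      0 ::ffff:192.0.2.10:80    ::ffff:203.0.113.5:40003 ESTABLISHED
tcp6       0      0 2001:db8::10:80         2001:db8:1::7:55000     ESTABLISHED
EOF
}

# Line 117 as shipped: `cut -d: -f1` on "::ffff:203.0.113.5:40001" yields an
# empty address, so the busiest "address" in the list is blank.
original_pipeline() {
  sample_netstat | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr
}

# The post's fix: drop header lines, strip the ::ffff: prefix, then cut the port.
fixed_pipeline() {
  sample_netstat | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr
}

# Added variant: strip only the trailing ":port", so native IPv6 addresses
# (which contain colons themselves) are kept intact instead of truncated.
ipv6_safe_pipeline() {
  sample_netstat | grep ':' | awk '{print $5}' | sed 's/^::ffff://; s/:[0-9]*$//' | sort | uniq -c | sort -nr
}

# Mirror of how ddos.sh consumes the list: field 1 is the count, field 2 the
# address. With a blank address, `cut` finds no delimiter and returns the whole
# line, so the count itself becomes the "address" that gets blocked.
consume_list() {
  while read -r line; do
    CURR_LINE_CONN=$(echo $line | cut -d" " -f1)
    CURR_LINE_IP=$(echo $line | cut -d" " -f2)
    echo "$CURR_LINE_CONN $CURR_LINE_IP"
  done
}

# Address ddos.sh would block first for a given pipeline.
top_offender() {
  "$1" | consume_list | head -n 1 | cut -d" " -f2
}

echo "original : would block '$(top_offender original_pipeline)'"
echo "fixed    : would block '$(top_offender fixed_pipeline)'"
echo "ipv6-safe: would block '$(top_offender ipv6_safe_pipeline)'"
echo "native IPv6 peer as seen by the post's fix (truncated to first group):"
fixed_pipeline | grep ' 2001$'
echo "native IPv6 peer as seen by the ipv6-safe variant:"
ipv6_safe_pipeline | grep -F ' 2001:db8:1::7'
```

Running it shows the original line would block ‘3’ (the connection count), while both corrected pipelines block 203.0.113.5; only the ipv6-safe variant keeps the IPv6 peer as 2001:db8:1::7 rather than reducing it to ‘2001’.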
