Distributed Brute Force Attack on FTP

Posted on March 1, 2012
Filed Under Denial of Service Attacks | Leave a Comment

We’ve been tracking and countering a quite severe Distributed Brute Force Attack targeting the FTP services on all of our servers since 17:52 yesterday (29th February 2012).

The attack takes the form of multiple attempts to access various usernames but always beginning with the name component of the domain name (yes it is targeting individual sites on servers but not all of the sites on any single server, in a sense it has specific targeting), such as username = “domain” where the site domain is “domain.com”.

There has been a wide range of countries involved but Brazil and Portugal feature very significantly in the list. The Distributed Brute Force attack has so far emanated from 188 different IP addresses. The attacks hit at a seemingly sensible rate of once every 1 to 2 minutes from each IP address, but the math will indicate the severity over shorter spaces of time.

The list of IP addresses so far involved are as follows:

Mitigating the attack is down to monitoring incoming FTP connections and filtering multiple connections together with highlighting failed connections. On dedicated servers where we know there are only specific FTP users which have static/fixed IP addresses, port 21 is closed and those IP addresses only are allowed through the firewall on port 21. At its peak (late evening GMT) on the 29th February 2012 all FTP servers were shut down for a short period whilst we collected all IP addresses involved.

DoS-Deflate blocks numbers not IP addresses

Posted on August 5, 2008
Filed Under Denial of Service Attacks, Server Security, Web Hosting | Leave a Comment

We’ve seen a large number of problems with the impementation of the highly acclaimed (D)DoS-Deflate script which on occasions reads the netstat command incorrectly and subsequently blocks a single number instead of the IP address which exceeds the number of connections into the server on which it is installed. Please see http://deflate.medialayer.com/ to obtain the script and installation instructions.

This is purely down to the netstat command that DOS-Deflate uses, it does not account for some elements of the strings returned, particularly when the string ‘::ffff:’ that is added to http (port 80) connections.

To overcome this error a rewrite of the netstat command in the ddos.sh file (located in /usr/local/ddos directory if you installed in the default fashion). Line 117 reads…

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr > $BAD_IP_LIST

this should be rewritten to read as follows…

netstat -ntu | grep ':' | awk '{print $5}' | sed 's/::ffff://' | cut -f1 -d ':' | sort | uniq -c | sort -nr > $BAD_IP_LIST

NOTE: this command should be written on a single line, you should also check each character as selecting and copying can sometimes lead to different characters being pasted!

We use the sed command to replace the ‘::ffff:’ with nothing (an empty string), thus removing it.

A slight improvement to a widely used and highly acclaimed script :-)




website promotion