
Nov 14

A lot is written about the dangers of the Internet. Exaggerations, rumours, beliefs and opinions are often voiced on the basis of second-hand knowledge. Here is a first-hand account of recent events that caught my attention.

I am operating a hosted virtual server that is permanently and directly connected to the Internet, 24×7. This system is fully exposed to everything the net throws at it; protection lies entirely in my own hands. I felt that our virtual life might be getting worse when I recently experienced the *first* and only system failure in seven years. The server's operating system kernel stopped responding after what turned out to be a prolonged network attack. One of the security layers, Novell's AppArmor (the mandatory access control software that confines the server's network-facing services), could no longer cope with the large number of policy violations generated by the attack from a botnet.

A botnet is a collection of computers whose software flaws have been exploited to install hidden, malicious programs, which are then remotely controlled for the purpose of anonymously attacking other computers. The term "zombie" has been coined to highlight the fact that the systems in a botnet operate without the awareness of their rightful owners.

Network attacks are as old as the Internet itself. What is changing is the scale: what were once occasional probes executed from single individual computers have turned into massive, automated sweeps executed from competing botnets, involving hundreds of attacking systems. These systems continuously and methodically "pound" everything they can find. Botnets are resilient and hard to eradicate because they continuously try to infect more systems.

A typical botnet attack is to probe a vast number of username and password combinations against servers that provide remote access, trying to force its way in. In my case, secure shell (SSH) is used to manage the virtual server, and an SSH service is easily detectable by scanning the server for open 'ports'. A dictionary of well-known username and password combinations is then distributed to the botnet members for execution. Below is a log excerpt that shows how such a methodical testing of SSH usernames starts alphabetically at 'a'.

User not known to the underlying authentication module for illegal user a from 85-10-204-194.clients.your-server.de : 1 Time(s)
User not known to the underlying authentication module for illegal user aaa from xs.5460.net : 1 Time(s)
User not known to the underlying authentication module for illegal user aaron from xs.5460.net : 1 Time(s)
User not known to the underlying authentication module for illegal user ab from 211.147.221.42 : 1 Time(s)
User not known to the underlying authentication module for illegal user abakus from 85-10-204-194.clients.your-server.de : 1 Time(s)

Note the variation in the “from” host names, indicating where these probes originate. The botnet’s control program spreads the attacks over as many systems as possible; typically I see only one probe per “zombie”. This indicates the botnet consists of hundreds of systems, and a lot of their host names suggest that they are owned by home users who are connected via their ISP.
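The two observations above, usernames arriving in dictionary order and each source contributing only one or two attempts, are what distinguish a distributed botnet sweep from a single noisy host. The following is an added example (not the author's code and not part of the original post) that parses logwatch-style lines in the format quoted above and applies exactly that check. The sample lines are constructed from the excerpt; the regular expression assumes the "illegal user X from Y : N Time(s)" shape shown and nothing more.

```python
import re
from collections import Counter

# Constructed sample input in the logwatch format quoted in the post
# (hostnames and IPs copied from the excerpt; this is not the full log).
SAMPLE_LOG = """\
User not known to the underlying authentication module for illegal user a from 85-10-204-194.clients.your-server.de : 1 Time(s)
User not known to the underlying authentication module for illegal user aaa from xs.5460.net : 1 Time(s)
User not known to the underlying authentication module for illegal user aaron from xs.5460.net : 1 Time(s)
User not known to the underlying authentication module for illegal user ab from 211.147.221.42 : 1 Time(s)
User not known to the underlying authentication module for illegal user abakus from 85-10-204-194.clients.your-server.de : 1 Time(s)
User not known to the underlying authentication module for illegal user zabbix from 58.63.241.209 : 1 Time(s)
"""

# Assumed line shape: "... illegal user <name> from <host-or-ip> : <n> Time(s)"
LINE_RE = re.compile(
    r"illegal user (?P<user>\S+) from (?P<source>\S+) : (?P<count>\d+) Time\(s\)"
)


def parse_probes(text):
    """Return [(username, source, attempts), ...] for every line that matches."""
    probes = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            probes.append((m.group("user"), m.group("source"), int(m.group("count"))))
    return probes


def attempts_per_source(probes):
    """Total attempts seen from each originating host or address."""
    counts = Counter()
    for _, source, attempts in probes:
        counts[source] += attempts
    return counts


def is_alphabetical_sweep(probes, min_probes=3):
    """True if the probed usernames arrive in sorted (dictionary) order."""
    users = [user for user, _, _ in probes]
    return len(users) >= min_probes and users == sorted(users)


def is_distributed_sweep(probes, max_per_source=2):
    """Flag a botnet-style dictionary sweep: usernames in dictionary order,
    spread over several sources, none of which sends more than a handful
    of attempts. A single host hammering one account does not match."""
    if not is_alphabetical_sweep(probes):
        return False
    counts = attempts_per_source(probes)
    return len(counts) > 1 and max(counts.values()) <= max_per_source


if __name__ == "__main__":
    probes = parse_probes(SAMPLE_LOG)
    print("distinct sources:", len(attempts_per_source(probes)))
    print("distributed dictionary sweep:", is_distributed_sweep(probes))
```

The per-source ceiling is the practical point: a rate limiter keyed on a single address (the usual fail2ban style) never triggers when every zombie sends one attempt, so the sweep has to be recognised from the ordering of the usernames across sources, not from any one source's volume.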

How often, How much?

Figure: ssh dictionary attack. A botnet is continuously working through its dictionary, probing for a working username and password.

In the picture above, I visualized the botnet SSH login probes in Nagios to learn more about probe rates, their frequency and the periods of execution. So far I have seen login probe rates between 20 and 70 probes per hour, sometimes sustained for a week, totaling around 10,000 access attempts until the dictionary finally reaches 'z'.

User not known to the underlying authentication module for illegal user vscan from gsv114.internetdsl.tpnet.pl : 1 Time(s)
User not known to the underlying authentication module for illegal user yvette from gergovie.advantages.fr : 1 Time(s)
User not known to the underlying authentication module for illegal user zabbix from 58.63.241.209 : 1 Time(s)
User not known to the underlying authentication module for illegal user zhang from 69.162.119.162 : 1 Time(s)

Sometimes I have a few quiet days before the next onslaught comes in; other times I suspect multiple botnets are hitting at once, when I see a new list starting at 'a' while another list is still executing, probing the same non-existent accounts all over again.

Summary

What is annoying is the anonymous execution, the automation and the sheer number of attacks we are exposed to today. Receiving an unwelcome visit from a botnet is a regular occurrence, much like search engines crawling a site. While most of it is just plain dumb probing, the increased frequency and sheer volume of these attacks promise success simply by exploiting the fact that the Internet has become a mainstream commodity used by millions. For most of us, the technology has become so complex that it is hard to operate safely.

Online probing for vulnerabilities and holes has indeed become a day-to-day affair, the new normality rather than the exception. It is something we need to live with and prepare for, very much like bad weather in real life.

While 99.99% of these attacks fail, a single unnoticed mistake on the server, coupled with bad luck in timing, can lead to nasty results very quickly. Even minor mistakes that are not critical by themselves can easily compound into a 'hole'. If it is successfully exploited, we are likely to become part of a botnet, another "zombie" in an army of drones. That is, unless we are a "special" target of value to be exploited even further, as many corporate IT systems are.
