Interestingly, someone has just tried to DoS (perform a Denial of Service attack on) this server. As far as I know, this was the first time my Internet presence has come under a real attack. Everything before this has been normal background noise.
The attack itself was pretty lame. Just a single host (so this wasn't a distributed DoS) in France pushing out 100 Mbit/s worth of tiny UDP packets, and it lasted for less than 20 minutes. You can see the packet rate from the attached graph.
Here's what our netflow analyzer had to say about the attack:
Date                 Proto  Src IP Addr:Port        Dst IP Addr:Port      Packets  Bytes  Flows
2009-10-07 11:16:11  UDP    18.104.22.168:0      -> 22.214.171.124:0      7.0 M    9.3 G  176
In other words, 126.96.36.199 (ns38798.ovh.net) sent me 7 million UDP packets.
And what about the effects of the attack? The websites were a bit sluggish, as the link was saturated, but other than that I didn't notice anything else worth mentioning.
I had my "old" HTC Touch HD out for sale at a Finnish auction site called huuto.net recently. It's now sold and shipped to the new owner, but I did receive a couple of interesting offers on it. These guys have apparently been roaming around on other online auction sites as well, so this is by no means a unique story, but I thought I'd share it publicly anyway.
The story begins on July 26th when I put the phone on auction...
Yesterday (April 23rd), just after 18:00 Finnish time, I noticed a few reports on IRC channels regarding a large increase in the amount of spam. I then checked the statistics of our customer spam filter (I work for an ISP, remember?), and sure enough, a flood of spam was coming in. In a matter of minutes, the amount of spam had increased by a factor of 4, with spikes going twice as high. To give you an idea of the figures, the number of emails blocked on average was about 2.5 times as much as it was just before McColo was blocked from the internet. Five hours later the flood came to a sudden halt. It stopped just as abruptly as it had begun.
We didn't look that closely at the content of these messages, but apparently most of them were faked Western Union recruitment emails. They were aimed at Europe, so that might explain why SpamCop didn't see any increase in spam volume. I haven't found as detailed realtime statistics from other sources, so I can't really say how widespread this incident was outside Finland. Also, I haven't seen any reports of it on the NANOG mailing list, so quite likely it's been a usual day on the other side of the Atlantic.
The day before yesterday, Marshal8e6 released a report on their botnet analysis, including some numbers on spambot capabilities. So just a day after a botnet research lab reports on their spambot findings, we see a sudden shitstorm hitting our filters. Coincidence? I don't think so.
It's nothing new that there are several botnets scouring the Internet for poorly protected SSH servers. Their members are mostly compromised hosts, such as home computers hijacked with trojans and worms. Some "real" servers end up in these botnets as well: sometimes hired for the purpose, sometimes cracked by the same backdoors as the home computers, or simply compromised via the services they run, usually vulnerable dynamic websites.
These botnets scan vast IP address ranges trying to find hosts which are running SSH server software on the default port (TCP 22). When they find one, they start trying to log in using brute force. Usually the method of choice is to log in as root and use a dictionary for guessing the password. Sometimes they try to log in as other users, such as test or staff, or use someone's first name as the login.
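The pattern described above (one source hammering root and a handful of guessed user names in quick succession) is easy to spot in sshd's own log. The following is an added example, not code from the original post: it parses standard syslog-format "Failed password" lines and flags any source address that produces a burst of failures inside a short window, reporting which user names it tried. The log lines are constructed samples using documentation address ranges; the threshold and window are assumptions, not values the post gives.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not from the original post). The first
# six lines imitate a dictionary attack: root plus a few guessed user names,
# all from one address within a few seconds. The rest is normal noise.
SAMPLE_AUTH_LOG = """\
Oct  7 11:16:01 web sshd[4021]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct  7 11:16:02 web sshd[4023]: Failed password for root from 203.0.113.7 port 51023 ssh2
Oct  7 11:16:02 web sshd[4025]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
Oct  7 11:16:03 web sshd[4027]: Failed password for invalid user staff from 203.0.113.7 port 51025 ssh2
Oct  7 11:16:03 web sshd[4029]: Failed password for invalid user mikko from 203.0.113.7 port 51026 ssh2
Oct  7 11:16:04 web sshd[4031]: Failed password for root from 203.0.113.7 port 51027 ssh2
Oct  7 11:20:40 web sshd[4101]: Failed password for alice from 198.51.100.12 port 40001 ssh2
Oct  7 11:20:48 web sshd[4103]: Accepted publickey for alice from 198.51.100.12 port 40002 ssh2
Oct  7 11:30:00 web sshd[4200]: Failed password for root from 192.0.2.55 port 22001 ssh2
"""

# OpenSSH writes "invalid user" before names that do not exist on the host;
# the optional group swallows it so both forms yield the attempted user name.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text):
    """Yield (timestamp, username, source_ip) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # Syslog timestamps carry no year; strptime defaults to 1900,
            # which is fine for measuring gaps within one log file.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def find_bruteforcers(log_text, threshold=5, window_seconds=300):
    """Return {ip: summary} for sources with >= threshold failures inside one window.

    threshold and window_seconds are assumed tuning values, not from the post.
    """
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        # Sliding window: advance `start` until the span fits in the window,
        # then check whether enough failures remain inside it.
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events})
                flagged[ip] = {
                    "failures": len(events),
                    "usernames": users,
                    "targets_root": "root" in users,
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['usernames'])}")
```

The single failure from 192.0.2.55 is deliberately left unflagged: one wrong root password is indistinguishable from a typo, and the point of the window is to separate a dictionary run from that background noise. The output is what you would feed into a blocklist or a tool like fail2ban; key-only authentication and disabling root password login remove the attack surface regardless of how many guesses arrive.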
There sure are a lot of nice open source web-gadgets and programs out there, but keeping up with the updates can be a pain in the ass. Especially when the updates include important security fixes. At the moment I'm actively using six different PHP-based programs on this server and only one of them hasn't been updated during the last three months. None of the updates even included cool new features (ok, there were some, but nothing drastic), but were mostly fixing some vulnerabilities in the code.
What I would like to see in these programs is a way to automatically receive notifications of updates and to perform these minor upgrades via some kind of a wizard. SourceForge and the lot do provide email notifications of these new versions, but not all coders use them. Therefore I still need to visit several sites regularly to keep up to date. Why can't I just schedule a daily cron job, or something, which then notifies me of the changes? I know I could hack that together myself with some shell scripting, but still I'd like to see the developers of the programs themselves provide this service. After all, all I can do is to monitor the websites, which certainly can and will change over time, which again requires updates to the scripts on my end.
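The cron job wished for above can be approximated without scraping web pages by reading the projects' release feeds, where they have one. The following is an added example, not the author's script or any project's own tooling: it keeps a table of installed applications and versions, extracts the newest version number mentioned in each project's Atom release feed, and reports which installations are behind. Application names, versions and feeds are constructed placeholders; the demo runs offline on the embedded feeds, while fetch_feed is the hook a real cron job would use.

```python
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Installed applications and versions. Constructed placeholders, not the
# programs actually running on the author's server.
INSTALLED = {
    "exampleblog": "2.8.4",
    "examplegallery": "1.5.10",
    "examplewiki": "0.9.1",
}

# Constructed Atom feeds standing in for per-project release feeds. The
# feed layout is assumed; real feeds differ in detail, which is why the
# version is pulled from the entry title with a regex rather than a fixed field.
SAMPLE_FEEDS = {
    "exampleblog": """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>exampleblog releases</title>
  <entry><title>exampleblog 2.8.5 released (security fix)</title></entry>
  <entry><title>exampleblog 2.8.4 released</title></entry>
</feed>""",
    "examplegallery": """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>examplegallery releases</title>
  <entry><title>examplegallery 1.5.10</title></entry>
  <entry><title>examplegallery 1.5.9</title></entry>
</feed>""",
    "examplewiki": """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>examplewiki releases</title>
  <entry><title>Version 0.10.0 is out</title></entry>
  <entry><title>Version 0.9.1 is out</title></entry>
</feed>""",
}

ATOM_NS = {"a": "http://www.w3.org/2005/Atom"}
VERSION_RE = re.compile(r"\b(\d+(?:\.\d+)+)\b")


def version_key(version):
    """Compare versions numerically: '1.5.10' is newer than '1.5.9', '0.10.0' than '0.9.1'.

    A plain string comparison gets both of these wrong.
    """
    return tuple(int(part) for part in version.split("."))


def latest_version_from_feed(feed_xml):
    """Return the highest dotted version number found in any entry title, or None."""
    root = ET.fromstring(feed_xml)
    versions = []
    for title in root.findall("a:entry/a:title", ATOM_NS):
        m = VERSION_RE.search(title.text or "")
        if m:
            versions.append(m.group(1))
    return max(versions, key=version_key) if versions else None


def outdated_apps(installed, feeds):
    """Return {app: (installed_version, latest_version)} where the feed shows something newer."""
    stale = {}
    for app, current in installed.items():
        latest = latest_version_from_feed(feeds[app])
        if latest and version_key(latest) > version_key(current):
            stale[app] = (current, latest)
    return stale


def fetch_feed(url, timeout=10):
    """Fetch a feed over HTTP. Used by the cron job; the offline demo uses SAMPLE_FEEDS."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    stale = outdated_apps(INSTALLED, SAMPLE_FEEDS)
    for app, (current, latest) in sorted(stale.items()):
        print(f"{app}: installed {current}, latest {latest}")
    # Non-zero exit makes cron's MAILTO (or a trailing "|| mail") deliver the notice.
    sys.exit(1 if stale else 0)
```

Run from cron once a day with the feed URLs in place of SAMPLE_FEEDS; because the script exits non-zero only when something is behind, cron's own mail on failure serves as the notification. The feed-based approach still breaks when a project renames its release titles, so it only narrows, rather than removes, the maintenance the post complains about.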