[NBLUG/talk] Multiple IP address / brute force attack

gandalf at sonic.net gandalf at sonic.net
Tue Apr 29 13:18:28 PDT 2008


I'm sad to admit I had a breach on a server at sonic this weekend. Yeah, I know. I wouldn't even post here, but something interesting came to light because of it. The script kiddies were only in for a few seconds, but they did their damage. Things are back up for the most part now and the fortress is a little stronger.

Anyway, what was particularly interesting is that the attack started on port 110, POP3. The attack was a slow one. They were probing every minute or so on our main IP address, but this server has 28 or so ports (humm, shouldn't it have 31?). So where one probe per minute isn't very noticeable, the server was instead getting probed 28 times per minute as they were obviously probing a range of IPs. Because 110 was not specifically bound to the main IP, this caused legitimate POP3 traffic to fail.

What this means to me is that if you have a range of IPs on your server and actually configure them to work, it's a little like hanging out a big net with bells on it. I've now got limits set in the firewall on 110 and SSH, but those rates are even more effective as they don't care what IP the connection is coming on.

Comments, laughter, ideas?

"There probably isn't any meaning in life. Perhaps you can find something interesting to do while you are alive." - Orochimaru (Naruto)
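The pattern described in the post (one slow probe per address, but many per minute against the host as a whole) as detection logic run over a constructed connection log. This is an added example, not part of the original post; the log format, the 203.0.113.7 / 192.0.2.10 / 198.51.100.x addresses and the thresholds are all made up for illustration.

```python
import re
from collections import Counter

# Constructed sample log (not real data): 203.0.113.7 opens one POP3 connection
# per destination address per minute, walking the host's 28-address range, while
# 192.0.2.10 is a legitimate client checking mail on the main IP 198.51.100.1.
SAMPLE_LOG = "\n".join(
    [f"2008-04-26 02:00:{s:02d} src=203.0.113.7 dst=198.51.100.{i} dport=110"
     for s, i in zip(range(0, 56, 2), range(1, 29))]
    + [f"2008-04-26 02:00:{s:02d} src=192.0.2.10 dst=198.51.100.1 dport=110"
       for s in (7, 22, 41)]
)

# Hypothetical log line format: "YYYY-MM-DD HH:MM:SS src=A dst=B dport=N".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

def parse_line(line):
    """Return (minute_bucket, src, dst, dport), or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m["ts"], m["src"], m["dst"], int(m["dport"])

def count_per_minute(log_text, port=110):
    """Two views of the same traffic: per (src, dst) pair, and per src alone.
    The per-pair view is what a per-address rate limit sees; the per-src view
    is what a host-wide limit sees."""
    per_pair, per_src = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != port:
            continue
        minute, src, dst, _ = rec
        per_pair[(minute, src, dst)] += 1
        per_src[(minute, src)] += 1
    return per_pair, per_src

def flag_sources(log_text, port=110, threshold=10):
    """Sources exceeding `threshold` connections per minute to this host,
    counted across every destination address the host answers on."""
    _, per_src = count_per_minute(log_text, port)
    return {src for (_, src), n in per_src.items() if n > threshold}
```

With the sample log the attacker never exceeds one connection per minute to any single address, so a per-address limit stays silent, while the per-source count reaches 28 and the legitimate client's 3.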
