A while back, I noticed a few spambots liked to make the rounds of all the FTP servers in our area, mindlessly trying to connect as ADMINISTRATOR with a few dozen passwords. I’d just chuckle and murmur, “Good luck with that,” seeing as the FTP server at work doesn’t even HAVE an account for administrator. (Well, yeah, it’s got an administrator account, but not named “Administrator,” and with a sufficiently byzantine password that a dictionary attack isn’t going to help.)
After a while, the bot would give up and go back to rattling the doorknobs down the street. I use a homebrew FTP server I coded myself using an ActiveX control to provide FTP, SFTP and FTPS functionality, and I impishly added a “hack counter” to keep a running total of how many such attempts had been made.
About a month ago the FTP server started mysteriously falling over dead on a daily basis, so I took a peek into the logs, and found some crazy Chinese botnet was crawling all over it, trying more sophisticated attacks, some of which were running afoul of some weaknesses in my code.
That didn’t take long to fix, but a look at the logs informed me that my strategy of benign indifference wasn’t going to cut it anymore. They weren’t just trying the administrator account, they were trying all kinds of fairly reasonable-sounding usernames, too.
Well, that’s no good. That actually had a slight chance of working. And there were the devil’s own lot of them too, thousands a day trying to break in. So I decided I had to get more proactive.
I added some code to ban the IP of anyone who failed login more than ten times, with an instant ban for anyone trying to log in as WEBADMIN, ADMINISTRATOR, or ROOT.
So now I look in the logs and see things like this:
11/28/08 10:45:22 >> 22 ROOT 113.11.200.17 Disconnected
11/28/08 10:45:21 >> *** 113.11.200.17 BANNED ***
11/28/08 10:45:22 >> *** 113.11.200.17 BLOCKED ***
That “BLOCKED” is them getting bounced on their next attempt to connect. I found that merely preventing authentication from succeeding wasn’t good enough… the bots just stubbornly keep plugging away hoping to hit paydirt… because what is time to a bot?
So when they’re banned, there’s code in the CONNECT event to bounce them right away. They go to connect after their ban and all they get is a boot to the head.
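The ban policy described above, written out as an added Python example rather than the author's ActiveX-based server code: ten failed logins from one address, or any attempt as WEBADMIN, ADMINISTRATOR or ROOT, bans the address, and the CONNECT handler bounces banned addresses before they can try again. The case-insensitive username match, clearing the counter on a successful login, and the sample event feed are assumptions of mine, not details from the post.

```python
from collections import defaultdict

class BanList:
    """Per-IP failed-login counter plus the set of banned addresses."""
    def __init__(self, fail_limit=10, instant_ban=("WEBADMIN", "ADMINISTRATOR", "ROOT")):
        self.fail_limit = fail_limit
        self.instant_ban = {u.upper() for u in instant_ban}  # assumed: compare case-insensitively
        self.failures = defaultdict(int)
        self.banned = set()
        self.log = []  # lines in the style of the post's log excerpt

    def on_connect(self, ip):
        """CONNECT event: bounce banned clients before they reach authentication."""
        if ip in self.banned:
            self.log.append(f"*** {ip} BLOCKED ***")
            return False
        return True

    def on_login_failed(self, ip, username):
        """Failed login: instant ban for probe usernames, otherwise ban at the limit."""
        self.failures[ip] += 1
        if username.upper() in self.instant_ban or self.failures[ip] >= self.fail_limit:
            self.banned.add(ip)
            self.log.append(f"*** {ip} BANNED ***")
            return False
        return True

    def on_login_ok(self, ip):
        """Successful login clears the counter (assumed; the post does not say)."""
        self.failures[ip] = 0

def simulate(events):
    """Feed (kind, ip, user) events through the policy and return the BanList."""
    bl = BanList()
    for kind, ip, user in events:
        if kind == "connect":
            bl.on_connect(ip)
        elif kind == "fail":
            bl.on_login_failed(ip, user)
        elif kind == "ok":
            bl.on_login_ok(ip)
    return bl

# Constructed sample: a bot probing ROOT from the address in the post's log
# excerpt, then reconnecting; a legitimate user who fumbles a password twice.
SAMPLE_EVENTS = [
    ("connect", "113.11.200.17", None), ("fail", "113.11.200.17", "ROOT"),
    ("connect", "113.11.200.17", None),
    ("fail", "192.0.2.10", "bob"), ("fail", "192.0.2.10", "bob"), ("ok", "192.0.2.10", "bob"),
]
```

Running `simulate(SAMPLE_EVENTS).log` yields the BANNED and BLOCKED pair from the excerpt for the bot, and nothing for the legitimate user.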
Now I get maybe two or three attempts a day, and they usually get banned right away. The FTP server stays up, and I learned a valuable lesson.