
The Slow Bruteforce Botnet(s) May Be Learning

kdawson posted more than 5 years ago | from the knock-who's-there-knock dept.


badger.foo writes "We've seen stories about the slow bruteforcers — we've discussed it here — and based on the data, my colleague Egil Möller was the first to suggest that since we know the attempts are coordinated, it is not too far-fetched to assume that the controlling system measures the rates of success for each of the chosen targets and allocates resources accordingly. (The probes of my systems have slowed in the last month.) If Egil's assumption is right, we are seeing the bad guys adapting. And they're avoiding OpenBSD machines." For fans of raw data, here are all the log entries (3MB) that badger.foo has collected since noticing the slow bruteforce attacks.

327 comments


Solution: Public Key Auth (5, Interesting)

slifox (605302) | more than 5 years ago | (#26196567)

The obvious solution is to use public/private key authentication and disallow password logins.

This is much safer anyways, since your private key and your passphrase stays on your local machine always, so even if the server is compromised and the SSHd is bugged, no one will have immediate access to your login token.
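An added example for the advice in this comment (editor's code, not slifox's): "disallow password logins" is a short sentence but an easy setting to get wrong, because sshd takes the first value it sees for a keyword, treats ChallengeResponseAuthentication and KbdInteractiveAuthentication as one option that PAM can still use for password prompts, and lets a later Match block reopen whatever the global section closed. The two config fragments below are constructed for the example; the checker parses them with those rules and lists anything that still lets a guessed password through.

```python
import re

# Constructed sshd_config fragments (example input, not from any comment on
# this page). The first looks hardened at a glance: passwords are off, but
# keyboard-interactive via PAM is still on and a Match block reopens
# password auth for an internal range.
LOOKS_HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
UsePAM yes

Match Address 10.0.0.0/8
    PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
MaxAuthTries 3
AuthenticationMethods publickey
# the line below is ignored by sshd: the first value above wins
PasswordAuthentication yes
"""

# ChallengeResponseAuthentication is the older name of
# KbdInteractiveAuthentication; sshd treats them as one option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text):
    """Return (global_options, match_blocks) using sshd's own rules: keywords
    are case-insensitive, the FIRST value given for a keyword wins, and every
    line after a Match line belongs to that block until the next Match."""
    global_opts, match_blocks = {}, []
    scope = global_opts
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            scope = {}
            match_blocks.append((value, scope))
            continue
        scope.setdefault(key, value.lower())
    return global_opts, match_blocks


def audit(text):
    """List settings that still allow password guessing. An empty list means
    password logins are off in the global section and in every Match block."""
    g, blocks = parse_sshd_config(text)
    findings = []
    if g.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if g.get("kbdinteractiveauthentication", "yes") != "no":
        findings.append("KbdInteractive/ChallengeResponseAuthentication is not "
                        "'no': with UsePAM, password prompts still get through")
    root = g.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin unset: default depends on OpenSSH version")
    elif root not in ("no", "prohibit-password", "without-password"):
        findings.append(f"PermitRootLogin is '{root}'")
    if g.get("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication is 'no'")
    if g.get("permitemptypasswords", "no") == "yes":
        findings.append("PermitEmptyPasswords is 'yes'")
    for criteria, opts in blocks:
        if "yes" in (opts.get("passwordauthentication"),
                     opts.get("kbdinteractiveauthentication")):
            findings.append(f"Match {criteria} re-enables password authentication")
    return findings


if __name__ == "__main__":
    for name, cfg in (("looks hardened", LOOKS_HARDENED_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        print(name, "->", audit(cfg) or "OK")
```

Run it against a real /etc/ssh/sshd_config and compare with `sshd -T`, which prints the effective values after the same first-wins resolution; the two should agree on every keyword the audit looks at.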

Re:Solution: Public Key Auth (5, Funny)

Hojima (1228978) | more than 5 years ago | (#26196613)

The other solution is to use asshole seeking missiles on the botnets. Of course it would probably end up leading astray from the pricks with the checklist that always responds to peoples' solutions to spam.

Re:Solution: Public Key Auth (1, Funny)

Anonymous Coward | more than 5 years ago | (#26196631)

The other solution is to use asshole seeking missiles on the botnets

I didn't know bots had assholes. Well, besides Bender.

Re:Solution: Public Key Auth (5, Funny)

Anonymous Coward | more than 5 years ago | (#26196639)

That won't work and I'll tell you why:

1)Those launching the missiles also have assholes.
2)Knives would be funner
3)Barney sucks
4)People like checklists

Re:Solution: Public Key Auth (0)

Anonymous Coward | more than 5 years ago | (#26196881)

1)Those launching the missiles also have assholes.

There is a solution to this: butt plug.

Re:Solution: Public Key Auth (0)

Anonymous Coward | more than 5 years ago | (#26197015)

or thread and needle

Re:Solution: Public Key Auth (5, Informative)

arbiter1 (1204146) | more than 5 years ago | (#26196651)

Another idea is to change the port SSH uses to some random high number; that will kill off most of them also.

Re:Solution: Public Key Auth (2, Insightful)

corsec67 (627446) | more than 5 years ago | (#26196699)

So then brute force attacks would be preceded by an open port check?

Unless you use some kind of port knocking attempt, that wouldn't solve much of anything for long.

Re:Solution: Public Key Auth (5, Interesting)

FugitiveMind (1423373) | more than 5 years ago | (#26196749)

Since changing my SSH ports to something really high (above 50000), I have had exactly *zero* failed password attempts in the last 14 months.

I know the plural of 'anecdote' is not 'data', but this is the case across *all* my servers.

Re:Solution: Public Key Auth (5, Interesting)

HeronBlademaster (1079477) | more than 5 years ago | (#26196883)

I didn't change my ssh port to something that high, but I changed it to something above 1024, and the botnet attacks have stopped, so you can add my anecdote to yours...

Re:Solution: Public Key Auth (5, Funny)

chaim79 (898507) | more than 5 years ago | (#26197259)

Yah, but two anecdotes don't make a parable... right?

Re:Solution: Public Key Auth (4, Interesting)

corsec67 (627446) | more than 5 years ago | (#26196921)

Since changing my SSH ports to something really high (above 50000), I have had exactly *zero* failed password attempts in the last 14 months.

That means that you haven't been attacked by a portscanning bot yet.
I don't know that any exist yet, so you would be safe until they do. Really, wouldn't any port other than 22 that isn't used for anything else bots attack work?

Re:Solution: Public Key Auth (4, Funny)

beav007 (746004) | more than 5 years ago | (#26196945)

Since changing my SSH ports to something really high (above 50000), I have had exactly *zero* failed password attempts in the last 14 months.

That means that you haven't been attacked by a portscanning bot yet.

That or they got the password right...

Re:Solution: Public Key Auth (1, Informative)

FugitiveMind (1423373) | more than 5 years ago | (#26197019)

I use public key auth only. :P

Re:Solution: Public Key Auth (3, Funny)

beav007 (746004) | more than 5 years ago | (#26197047)

Do you happen to use Debian by any chance? It may only take 4 or 5 tries...

;)

Re:Solution: Public Key Auth (1)

FugitiveMind (1423373) | more than 5 years ago | (#26197233)

I do, but I generated new 8192 bit keys once that flaw was discovered. :|

Re:Solution: Public Key Auth (1)

FugitiveMind (1423373) | more than 5 years ago | (#26197025)

This wouldn't matter anyways, unless RSA has been broken, but I do see your point.

Re:Solution: Public Key Auth (4, Interesting)

supernova_hq (1014429) | more than 5 years ago | (#26197245)

Actually no. Most port scanners (read: almost all of them) only scan up to 1024. This is because that is where 99% of vulnerable machines open their ports. The only people that scan higher than that are the ones with a list of specific targets. If you are on that list, chances are you are going to see some incoming traffic no matter what you do.

Re:Solution: Public Key Auth (0)

Anonymous Coward | more than 5 years ago | (#26197065)

It's over 9000!!!

Re:Solution: Public Key Auth (1, Funny)

Anonymous Coward | more than 5 years ago | (#26197097)

Since changing my SSH ports to something really high (above 50000), the botnets guess my password correctly every time! I haven't seen any failed password attempts in months!!@#

Re:Solution: Public Key Auth (1)

slughead (592713) | more than 5 years ago | (#26197175)

Since changing my SSH ports to something really high (above 50000)

Because they were really going to portscan you anyway. I bet putting it at 23 (as opposed to the default) would be almost as effective.

At a web message board I set up, I used some popular software and was getting a ton of spam bots. So I added a simple "are you a human" question--no captcha or anything, just another checkbox to check... Not 1 single piece of spam. Same principle: the bots aren't that smart--you avoid the norms even by a little, and you're okay.

Re:Solution: Public Key Auth (1)

nobodymk2 (1137293) | more than 5 years ago | (#26196761)

That would stop small scale hackers but not people that want to use passwords instead of remembering hash files stored with text files on their flash drive... Think beyond desktop OS's now and think more toward people that leave their systems on. Is anyone really that stupid to leave their personal desktop on and run up their energy bill? Can a brute force attack work with sleeping computers? It's a slow brute force network because you're being attacked by sleeping computers (I've seen SQL servers go into Sleep Mode at places where I don't control IT, sadly) hence zombie invasion or more like sleep walking computers!

Re:Solution: Public Key Auth (1)

Chris Daniel (807289) | more than 5 years ago | (#26196873)

The "slow" in "slow bruteforce" refers to the intervals between attempts. Attackers have made their attempts less frequent in order to evade some detection mechanisms.
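An added example (editor's code, not from badger.foo's logs or any commenter) for the point made in the story summary and in the comment above: a per-IP threshold of the fail2ban kind sees each bot only once or twice and never fires, while the same failures counted across all sources in a longer window show the campaign. The sshd lines below are constructed in the usual syslog format; the year is an assumption because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt (example input, not badger.foo's 3MB of data):
# ten sources each try one username about five minutes apart, then one noisy
# source hammers root six times in ten seconds.
SAMPLE_LOG = """\
Dec 22 03:00:05 gw sshd[4101]: Failed password for invalid user aaron from 203.0.113.11 port 41022 ssh2
Dec 22 03:05:11 gw sshd[4117]: Failed password for invalid user abel from 198.51.100.7 port 50233 ssh2
Dec 22 03:10:02 gw sshd[4130]: Failed password for invalid user abraham from 192.0.2.44 port 60112 ssh2
Dec 22 03:15:19 gw sshd[4142]: Failed password for invalid user adam from 203.0.113.90 port 33019 ssh2
Dec 22 03:20:33 gw sshd[4158]: Failed password for invalid user adrian from 198.51.100.120 port 45871 ssh2
Dec 22 03:25:40 gw sshd[4171]: Failed password for invalid user alan from 192.0.2.201 port 51230 ssh2
Dec 22 03:30:08 gw sshd[4189]: Failed password for invalid user albert from 203.0.113.34 port 38764 ssh2
Dec 22 03:35:27 gw sshd[4203]: Failed password for invalid user alex from 198.51.100.66 port 42377 ssh2
Dec 22 03:40:51 gw sshd[4220]: Failed password for invalid user alfred from 192.0.2.9 port 47018 ssh2
Dec 22 03:45:14 gw sshd[4236]: Failed password for invalid user alice from 203.0.113.150 port 55602 ssh2
Dec 22 03:50:01 gw sshd[4250]: Failed password for root from 198.51.100.200 port 39001 ssh2
Dec 22 03:50:03 gw sshd[4251]: Failed password for root from 198.51.100.200 port 39002 ssh2
Dec 22 03:50:05 gw sshd[4252]: Failed password for root from 198.51.100.200 port 39003 ssh2
Dec 22 03:50:07 gw sshd[4253]: Failed password for root from 198.51.100.200 port 39004 ssh2
Dec 22 03:50:09 gw sshd[4254]: Failed password for root from 198.51.100.200 port 39005 ssh2
Dec 22 03:50:11 gw sshd[4255]: Failed password for root from 198.51.100.200 port 39006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_failures(text, year=2008):
    """Return sorted (timestamp, user, ip) tuples for failed-password lines.
    syslog timestamps have no year, so one is supplied (assumption)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd chatter is ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return sorted(events)


def per_ip_offenders(events, max_fail=5, window=timedelta(minutes=10)):
    """fail2ban-style rule: ban an IP with more than max_fail failures inside
    a sliding window. Slow bots stay under this by design."""
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)
    banned = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > max_fail:
                banned.add(ip)
                break
    return banned


def distributed_campaign(events, window=timedelta(hours=1), min_sources=8):
    """Aggregate view: count distinct sources and usernames in any window.
    Many sources each trying one or two names is what the per-IP rule cannot
    see. Returns the window with the most sources, or None."""
    best = None
    for t0, _, _ in events:
        chunk = [e for e in events if t0 <= e[0] <= t0 + window]
        sources = {e[2] for e in chunk}
        if len(sources) >= min_sources:
            cand = {"start": t0, "attempts": len(chunk),
                    "sources": len(sources), "users": len({e[1] for e in chunk})}
            if best is None or cand["sources"] > best["sources"]:
                best = cand
    return best


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per-IP rule bans:", per_ip_offenders(ev))   # only the noisy source
    print("campaign window:", distributed_campaign(ev))
```

On this input the per-IP rule bans only 198.51.100.200; the other ten sources, one attempt each, pass untouched, and only the aggregate count over the hour shows them as one campaign. The thresholds are starting points, not tuned values: a busy host with many legitimate typos needs a higher min_sources, and the username set is the better discriminator there since real users mistype their own names rather than walk a list.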

Re:Solution: Public Key Auth (1)

nobodymk2 (1137293) | more than 5 years ago | (#26197043)

Correct, but look at all the attempts for "Root". I mean I would certainly call tech support if I couldn't log in under my user, but you are "missing the point entirely". I've never had a remote access protocol I didn't have another way around by physically shutting down the system before I saw it go kaput. I've disabled the user called root and admin from accessing externally. It only works with internal loopback... dDoS attacks could affect actual DNS servers with sheer brute force or Spam. Destroying the Internet is a much less dangerous prospect than AI development. Someone is behind the scenes, but the Original Article, TFA as some people say, mentions nothing about AI development except smug analogs to robot takeover.

Re:Solution: Public Key Auth (1)

ion.simon.c (1183967) | more than 5 years ago | (#26197133)

Are you saying that you configure your RAP servers to only allow access over loopback to root, or for all users?

Re:Solution: Public Key Auth (1)

nobodymk2 (1137293) | more than 5 years ago | (#26197315)

I'm saying to make it less obvious to slow bots. I always worried about fast bots, but slow bots need to match USERNAME and PASSWORD. It's just too slow.

The issue would be brute brute force still works on servers that require logins.

The issue is solved with proper remote access control unless a proper SQL injection is done. SQL injections require better SQL database managers. I've never seen this affect real IT because there is no remote access in the real world unless you gain access to the routers of the building which are passive devices. Fast bot nets can target. But you seem to be missing the point entirely. The point is this doesn't meet the definition of AI since it has human influence. It has the definition of dumb AI. Dumb AI will only listen to programmers. The Federal government and/or CIA can get in on tracert routines, however, but not simple harassment issues. Local authorities may be significantly advantaged by the idea of entrapment, however.

Re:Solution: Public Key Auth (2, Interesting)

supernova_hq (1014429) | more than 5 years ago | (#26197271)

look at all the attempts for "Root".

Well, that's why nobody got in. Every OS with a root account is also CaSe-SeNsItIvE!

Re:Solution: Public Key Auth (1)

nobodymk2 (1137293) | more than 5 years ago | (#26197331)

Haha, finally someone figured out the point I'm trying to make. Mod parent up...er...well This is a tree so who's the parent of a n-tree when there is no root except for the ROOT? Slow bots aren't "adapting and evolving" they don't meet the definition of AI. AI has to self-evolve, otherwise it's dumb AI / simulated AI / human-controlled AI. No robot wars as long as the international/federal/local government(s) can pull the plug on a computer so it would seem. Good thing Nixon isn't president though, like in the IT security futurama episode that created a time paradox.

Re:Solution: Public Key Auth (4, Interesting)

Sancho (17056) | more than 5 years ago | (#26196907)

Unfortunately, this is often too hard for your users.

What's really scary is that I'm starting to see really good passwords coming through (I modified the OpenSSH source to log the password sent for one of my jails.) I'm seeing passwords that have no particular rhyme or reason (in other words, they're either random or are generated through an obfuscated scheme.) I have to assume that they're passwords which were harvested in some way. It really makes me wonder where they're getting them.

Re:Solution: Public Key Auth (5, Funny)

techno-vampire (666512) | more than 5 years ago | (#26196953)

It really makes me wonder where they're getting them.

One way to get them is to set up some sort of site that logically requires you to log in, let it become popular, then harvest the password file and use it in your attacks. Be sure to make the site geeky, though, to get good passwords and give it an attention-getting name. Something like "Slashdot."

Re:Solution: Public Key Auth (1, Offtopic)

Dun Malg (230075) | more than 5 years ago | (#26197083)

One way to get them is to set up some sort of site that logically requires you to log in, let it become popular, then harvest the password file and use it in your attacks. Be sure to make the site geeky, though, to get good passwords and give it an attention-getting name. Something like "Slashdot."

Snorf. Try that with my password and you gain access to only a really pitiful Cobalt Qube with my friend's baby picture web site on it. Or you could just log in using the name of the site as UID and PW.

But yeah, that'd work for a lot of other's systems, I bet.

Re:Solution: Public Key Auth (4, Funny)

ion.simon.c (1183967) | more than 5 years ago | (#26197143)

Unfortunately, this is often too hard for your users.

:(
We need to grow smarter users.

turd post (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26196585)

one thing they're not avoiding: Barack Obama's gorgeous asshole!

A couple weeks ago, while browsing around the library downtown, I had to take a piss. As I entered the john, Barack Obama -- the messiah himself -- came out of one of the booths. I stood at the urinal looking at him out of the corner of my eye as he washed his hands. He didn't once look at me. He was busy and in any case I was sure the secret service wouldn't even let me shake his hand.

As soon as he left I darted into the booth he'd vacated, hoping there might be a lingering smell of shit and even a seat still warm from his sturdy ass. I found not only the smell but the shit itself. He'd forgotten to flush. And what a treasure he had left behind. Three or four beautiful specimens floated in the bowl. It apparently had been a fairly dry, constipated shit, for all were fat, stiff, and ruggedly textured. The real prize was a great feast of turd -- a nine inch gastrointestinal triumph as thick as his cock -- or at least as I imagined it!

I knelt before the bowl, inhaling the rich brown fragrance and wondered if I should obey the impulse building up inside me. I'd always been a liberal democrat and had been on the Obama train since last year. Of course I'd had fantasies of meeting him, sucking his cock and balls, not to mention sucking his asshole clean, but I never imagined I would have the chance. Now, here I was, confronted with the most beautiful five-pound turd I'd ever feasted my eyes on, a sausage fit to star in any fantasy and one I knew to have been hatched from the asshole of Barack Obama, the chosen one.

Why not? I plucked it from the bowl, holding it with both hands to keep it from breaking. I lifted it to my nose. It smelled like rich, ripe limburger (horrid, but thrilling), yet had the consistency of cheddar. What is cheese anyway but milk turning to shit without the benefit of a digestive tract?

I gave it a lick and found that it tasted better than it smelled.

I hesitated no longer. I shoved the fucking thing as far into my mouth as I could get it and sucked on it like a big half nigger cock, beating my meat like a madman. I wanted to completely engulf it and bit off a large chunk, flooding my mouth with the intense, bittersweet flavor. To my delight I found that while the water in the bowl had chilled the outside of the turd, it was still warm inside. As I chewed I discovered that it was filled with hard little bits of something I soon identified as peanuts. He hadn't chewed them carefully and they'd passed through his body virtually unchanged. I ate it greedily, sending lump after peanutty lump sliding scratchily down my throat. My only regret was that Barack Obama wasn't there to see my loyalty and wash it down with his piss.

I soon reached a terrific climax. I caught my cum in the cupped palm of my hand and drank it down. Believe me, there is no more delightful combination of flavors than the hot sweetness of cum with the rich bitterness of shit. It's even better than listening to an Obama speech!

Afterwards I was sorry that I hadn't made it last longer. But then I realized that I still had a lot of fun in store for me. There was still a clutch of virile turds left in the bowl. I tenderly fished them out, rolled them into my handkerchief, and stashed them in my briefcase. In the week to come I found all kinds of ways to eat the shit without bolting it right down. Once eaten it's gone forever unless you want to filch it third hand out of your own asshole. Not an unreasonable recourse in moments of desperation or simple boredom.

I stored the turds in the refrigerator when I was not using them but within a week they were all gone. The last one I held in my mouth without chewing, letting it slowly dissolve. I had liquid shit trickling down my throat for nearly four hours. I must have had six orgasms in the process.

I often think of Barack Obama dropping solid gold out of his sweet, pink asshole every day, never knowing what joy it could, and at least once did, bring to a grateful democrat.

Re:turd post (0)

Anonymous Coward | more than 5 years ago | (#26196603)

Okay, Mr. Taco, almost every single time a long post has Read the rest of this comment... at the bottom, there is no more content to be displayed. The comment is already displayed in its entirety. Is this a bug, or just insane coincidence that ALL of these posts have one extra newline that puts the length over the threshold?

Re:turd post (1)

Vectronic (1221470) | more than 5 years ago | (#26196999)

I'm not sure, but I think it's a left-over. Slashdot used to have a setting for how much/long a message would be before it did that, but they seem to have removed that option, so it was probably just left behind in the configuration somewhere, If Msg.Length > 512 Then ShowReadRest = True
except in PHP or whatever.

Re:turd post (0)

Anonymous Coward | more than 5 years ago | (#26197005)

And with all the whiz-bang ajax shit that's cluttering this place up, you'd think they could use it to retrieve the rest of the post inline.

Re:turd post (1)

FugitiveMind (1423373) | more than 5 years ago | (#26197031)

They do... it's just that there's nothing else to retrieve but whitespace.

AI (4, Interesting)

religious freak (1005821) | more than 5 years ago | (#26196597)

I swear, some of the most adaptive, sophisticated, and advanced techniques seem to be coming out of the Botnets.

It's my (admittedly probably crazy) idea that we WILL begin to see "emergent intelligence properties" out of some sophisticated system at some point in time, whether it be Google, an AGI lab, or a botnet. I shudder at the prospect of our first AI of power will have grown from one of these botnets.

NOTE: I'm not saying this will happen tomorrow, but extrapolating the current state of botnets relative to the current state of other systems leads me to believe, on a relative basis, systems may be complex relative to one another as they are today. If that is the case, well... that would be bad.

Re:AI (0, Funny)

Anonymous Coward | more than 5 years ago | (#26196695)

I, for one, welcome our new botnet overlords.

Re:AI (1)

Fluffeh (1273756) | more than 5 years ago | (#26196705)

I think what you said is interesting, but if I was to summarize:

You fear the day when a botnet becomes self aware. And then sends you an email telling you it can sell you viagra cheaply or that it has found a better way for you to remortgage your loan.

Me personally? I am waiting for the email I get from a self-aware botnet in Nigeria saying how it found this great bank account full of moolah, but just needs to use MY bank account to siphon it all out.

Re:AI (2, Insightful)

Opportunist (166417) | more than 5 years ago | (#26196807)

It's not the artificial intelligent botnet I'm really afraid of. It's the combination thereof with the natural stupidity necessary to actually fall for the spam that scares the hell outta me.

Re:AI (5, Funny)

Fluffeh (1273756) | more than 5 years ago | (#26196935)

Because computers are widely known for their common sense?

It's like saying to a robot "Can you watch this lamb in the oven?" and they do. They bloody watch it burning for three hours.

Ahh thank you Red Dwarf, even historically, you were so accurate of the future...

Re:AI (0)

Anonymous Coward | more than 5 years ago | (#26197273)

This flamebait brought to you by the letter Y and the number "I paid off my fucking loans why can't everybody else?

You forgot a closing " in your sig.

Re:AI (0)

religious freak (1005821) | more than 5 years ago | (#26197075)

If a botnet is designed to attack, disable and/or infect computer systems (as I'm assuming these botnets were designed to do from what I read in TFS), and it is sophisticated enough to adapt and create new strategies, then our first experience with a highly adaptive AI may very well be having it shut down everything with a cord attached to it.

Re:AI (0)

Anonymous Coward | more than 5 years ago | (#26196717)

I shudder at the prospect of our first AI of power will have grown from one of these botnets.

Why do you shudder? Why even think it would be bad?

If an AI evolves from humans, then it won't necessarily be worse in terms of destruction or spam. It might shut itself down. If indeed it does turn into skynet... then oh well, I get we reap what we sow. But evolutionary-wise, what is happening was bound to be.

Re:AI (1)

religious freak (1005821) | more than 5 years ago | (#26197099)

Because I'm programmed by Darwin to not want to die by a more advanced form of life. Maybe you can make the intellectual leap to walk into the mouth of a god, but I can't - at least not if I don't have to.

Re:AI (1, Insightful)

SpaceLifeForm (228190) | more than 5 years ago | (#26197289)

Careful with the parsing.

You *are* programmed, by a more advanced form of life,
to not *want* to die.

That does not mean that you are programmed to avoid death
at the hands of a more advanced form of life.

In fact, you are programmed to die period, regardless of
your wishes, at the hands of the simplest lifeforms.

Re:AI (4, Insightful)

Al Dimond (792444) | more than 5 years ago | (#26196929)

My understanding of botnets is that all their activity is centrally coordinated: the bots sit in an IRC channel waiting for orders and do what they're ordered to do. It doesn't seem likely to me that the listeners are doing anything very sophisticated here. As it's always been with brute-force attacks, there are lots of target hosts, lots of usernames and passwords to try, and lots of bots to try them. Assuming every attempt gives you about the same odds of success it doesn't matter much what order you try them in. So some people changed the order, and changed the way they divide up work, to avoid detection.

I won't deny that it's a clever adaptation, or claim I definitely would have thought of it in their situation. But as far as adaptivity goes, the major tactical advance came from an explicit change in behavior by the botnet masters themselves. The parts of the software that might be adaptive, slowing down attempts on hosts where they are repeatedly unsuccessful and avoiding OpenBSD boxes, were probably specifically programmed to adapt in these ways. They're no more advanced than, say, TCP flow control behavior, or P2P programs.

Re:AI (1)

religious freak (1005821) | more than 5 years ago | (#26197111)

Yeah, I'll grant you that. I don't know the specific extent to which these things are actually adaptive, but things like captcha breaking still get my attention because of the skill that needs to be involved in creating the algorithms. So I really don't doubt there are some very sophisticated programs running around the net looking for targets.

I do admit, it's half crazy, but I don't think the concern is totally unwarranted, especially since these things are essentially designed to target and destroy.

Re:AI (3, Insightful)

Sentry21 (8183) | more than 5 years ago | (#26197265)

The idea that a system like SkyNet would evolve out of a system designed to get us to buy discount v1agra and c1al1s bodes poorly for our future prospects against the coming robotic onslaught. Truly our proud, erect soldiers will be no match.

Speculative but interesting (3, Interesting)

vvaduva (859950) | more than 5 years ago | (#26196617)

The conclusions are a bit too speculative, nonetheless the research is interesting. I am not sure if a few hundred hosts are enough to conclude that the "bad guys" are coordinating and sharing attack output. And as far as avoiding OpenBSD, come on..."OpenBSD is a bitch." Why is this a surprise?? :)

Re:Speculative but interesting (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26197137)

it's enough to get me to ditch all my linfux boxes. yeah, i'm just talking shit but it's no different than the fags who claim they're sick of windows/osx/ea/steam or whatever. you fucking fags take it in the ass.

go fuck yourselves.

OpenBSD hosts make stupid targets... (4, Interesting)

fuzzyfuzzyfungus (1223518) | more than 5 years ago | (#26196637)

In principle, OpenBSD is no more or less vulnerable to weak username/password pairs than is any other OS. I suspect that, on average, OpenBSD machines are more likely to be set up for keypair auth; but any that aren't are in the same boat as everybody else(since, after all, username/password guesses aren't OS weaknesses, OSes are supposed to respond to correct username/password pairs.)

There is still reason to avoid them, though. Because OpenBSD is something of a niche system, you can make plausible inferences about the systems running it. Specifically, they most likely have admins who are interested in security and are watching activity fairly closely, and are more likely than average to do something about it. If you are doing something illegal, why attract such attention?

Re:OpenBSD hosts make stupid targets... (1)

MichaelSmith (789609) | more than 5 years ago | (#26196781)

The attacker still has to use a local vulnerability to get from a user account to root. This may be less likely on OpenBSD because of their code review process.

Re:OpenBSD hosts make stupid targets... (3, Informative)

jd (1658) | more than 5 years ago | (#26196875)

Their code review seems to concentrate on external attacks. They have expressly derided mandatory access controls, for example, on the grounds that you've got to trust your users or you're already lost. So, OpenBSD is actually more likely to be vulnerable to such attacks than an OS with weaker reviews but superior access controls, such as Linux with the RBACS or GrSecurity patches in place. Thus, if anyone is using OpenBSD, they'd damn well better be using strong authentication.

(OpenBSD has the best strong authentication of any OS on the planet, and the best security from external attacks of any OS on the planet, but cliques of any kind are notoriously blind to any problem outside of their special interest and OpenBSD is no exception. Which is why they caught a rollicking from Slashdot when it came to failing to patch their PRNG after defects were found in the *BSD family of PRNGs. It's why you should never, ever trust a group - however good - to be good at everything.)

Re:OpenBSD hosts make stupid targets... (0)

Anonymous Coward | more than 5 years ago | (#26196823)

In principle, OpenBSD is no more or less vulnerable to weak username/password pairs than is any other OS. I suspect that, on average, OpenBSD machines are more likely to be set up for keypair auth; but any that aren't are in the same boat as everybody else(since, after all, username/password guesses aren't OS weaknesses, OSes are supposed to respond to correct username/password pairs.)

There is still reason to avoid them, though. Because OpenBSD is something of a niche system, you can make plausible inferences about the systems running it. Specifically, they most likely have admins who are interested in security and are watching activity fairly closely, and are more likely than average to do something about it. If you are doing something illegal, why attract such attention?

I seriously have to think that this is posted by someone with absolutely no formal education in operating systems. Sure, "in principle" OpenBSD is no more secure than Windows, but in reality, anyone familiar with the basic concepts behind Windows vs OpenBSD knows exactly why it is more secure.

Re:OpenBSD hosts make stupid targets... (2, Interesting)

setagllib (753300) | more than 5 years ago | (#26197091)

So, Mr Formal Education In Operating Systems, will OpenBSD refuse a valid username and password combination because the person logging in has a hidden evil deep in their hearts, unlike Windows which has blind faith in all valid passwords?

You're very confused. It's true that, if configured to accept username and password authentication, any system will treat a valid username and password as sufficient. That's why most professional administrators use public key authentication with good private key protection policies. But given an equal configuration of username and password, OpenBSD will be just as trusting as Windows.

Re:OpenBSD hosts make stupid targets... (0)

Anonymous Coward | more than 5 years ago | (#26197161)

Of course if the systems are configured exactly the same they will be just as trusting. If two systems use a poor algorithm, of course they will behave the same. Now, explain to me why OpenBSD and Windows behave differently.

Oh, you don't know? I thought so...

Re:OpenBSD hosts make stupid targets... (1)

setagllib (753300) | more than 5 years ago | (#26197215)

What poor algorithm? Hash collisions aside, a password is a password. Only things like retry limits, retry delays, automatic blacklisting, etc. will make any difference, and as we've agreed, these are matters of configuration which must be identical between systems for any meaningful comparison.

Regardless of what kernel is running, a password auth's security hinges on the password. Yes, for Windows it's probably even easier to probe SMB or IIS, but the password auth will be just as good or bad as OpenBSD if configured the same.

Re:OpenBSD hosts make stupid targets... (0)

Anonymous Coward | more than 5 years ago | (#26197277)

See, the difference is the principle. If you go down to the very basics, of course a password is a password. The difference has to do with how the overall system allows password authentication. Don't focus on the principle of passwords in general, look at how Windows and OpenBSD implement authentication. That is the difference, and the subject of conversation.

A person with general knowledge of how password authentication works will assume that Windows and OpenBSD treat authentication exactly the same. Of course, why wouldn't they? setagllib, I encourage you to read up on the subject matter thoroughly, it is essential to a basic understanding of computer systems. Good luck!

BotNet will someday become self-aware (-1)

Anonymous Coward | more than 5 years ago | (#26196641)

Soon BotNet will become self-aware and start searching for Sarah Connor

*BSD is Dying (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26196663)

It is now official. Netcraft confirms: *BSD is dying

One more crippling bombshell hit the already beleaguered *BSD community when IDC confirmed that *BSD market share has dropped yet again, now down to less than a fraction of 1 percent of all servers. Coming on the heels of a recent Netcraft survey which plainly states that *BSD has lost more market share, this news serves to reinforce what we've known all along. *BSD is collapsing in complete disarray, as fittingly exemplified by failing dead last [samag.com] in the recent Sys Admin comprehensive networking test.

You don't need to be the Amazing Kreskin [amazingkreskin.com] to predict *BSD's future. The handwriting is on the wall: *BSD faces a bleak future. In fact there won't be any future at all for *BSD because *BSD is dying. Things are looking very bad for *BSD. As many of us are already aware, *BSD continues to lose market share. Red ink flows like a river of blood.

FreeBSD is the most endangered of them all, having lost 93% of its core developers. The sudden and unpleasant departures of long time FreeBSD developers Jordan Hubbard and Mike Smith only serve to underscore the point more clearly. There can no longer be any doubt: FreeBSD is dying.

Let's keep to the facts and look at the numbers.

OpenBSD leader Theo states that there are 7000 users of OpenBSD. How many users of NetBSD are there? Let's see. The number of OpenBSD versus NetBSD posts on Usenet is roughly in ratio of 5 to 1. Therefore there are about 7000/5 = 1400 NetBSD users. BSD/OS posts on Usenet are about half of the volume of NetBSD posts. Therefore there are about 700 users of BSD/OS. A recent article put FreeBSD at about 80 percent of the *BSD market. Therefore there are (7000+1400+700)*4 = 36400 FreeBSD users. This is consistent with the number of FreeBSD Usenet posts.

Due to the troubles of Walnut Creek, abysmal sales and so on, FreeBSD went out of business and was taken over by BSDI who sell another troubled OS. Now BSDI is also dead, its corpse turned over to yet another charnel house.

All major surveys show that *BSD has steadily declined in market share. *BSD is very sick and its long term survival prospects are very dim. If *BSD is to survive at all it will be among OS dilettante dabblers. *BSD continues to decay. Nothing short of a miracle could save it at this point in time. For all practical purposes, *BSD is dead.

Fact: *BSD is dying

Botnet solution (5, Interesting)

Anonymous Coward | more than 5 years ago | (#26196665)

Bots were knocking on my door to the point I was worried about performance degradation. I know there are many ways to defeat these, but here was my solution.

In hosts.deny
-----------------
sshd:ALL EXCEPT /var/www/html/allow.txt
-----------------

Create a simple cgi-script (password protected and accessed via a secret random URL) that writes your browser IP address to the allow.txt file, and all those nasty botnets can go to hell.

Re:Botnet solution (1)

codepunk (167897) | more than 5 years ago | (#26197051)

So say you have a remote server with no console access.

One day you are messing around with httpd.conf and fat-finger an entry and mess up the config. Some months later the NOC hosting your system has to do some quick machine maintenance and powers down your machine. Later in the day they finish and power up your instance, but wait, the httpd.conf file has an error and Apache refuses to start on boot... now what? Yes, you are screwed: you cannot access your account.

Re:Botnet solution (1)

truckaxle (883149) | more than 5 years ago | (#26197135)

So say you have a remote server with no console access.

Usually yes.

One day you are messing around with httpd.conf and fat-finger an entry and mess up the config. Some months later the NOC hosting your system has to do some quick machine maintenance and powers down your machine. Later in the day they finish and power up your instance, but wait, the httpd.conf file has an error and Apache refuses to start on boot... now what? Yes, you are screwed: you cannot access your account.

I also have a fixed IP address (that I always have access to) added to the file like this.

In hosts.deny
-----------------
sshd:ALL EXCEPT 187.190.10.1 /var/www/html/allow.txt
-----------------
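The two hosts.deny rules above (the bare allow-file version and the one with a fixed address added) both rely on hosts_access(5) matching. The following is an added example, not the posters' own code: a simplified re-implementation of that matching (ALL, exact addresses, dotted prefixes such as `10.0.`, and file patterns beginning with `/`) so the behaviour of the EXCEPT list can be checked offline. The addresses and the allow-file contents are constructed for the demo.

```python
"""Simplified hosts_access(5) evaluator for rules of the form
    sshd: ALL EXCEPT 187.190.10.1 /var/www/html/allow.txt
Added example; not from the original posts. A token beginning with '/' is a
file of further patterns, as in TCP wrappers. Not a full implementation:
netmasks, hostnames and wildcards other than ALL are not handled.
"""
import os
import tempfile


def _load_file_patterns(path):
    """Read patterns from an allow file: whitespace/comma separated, '#' comments."""
    patterns = []
    with open(path) as fh:
        for line in fh:
            line = line.split("#", 1)[0].strip()
            if line:
                patterns.extend(line.replace(",", " ").split())
    return patterns


def _expand(tokens):
    """Replace every '/path' token by the patterns listed in that file."""
    out = []
    for tok in tokens:
        if tok.startswith("/"):
            out.extend(_load_file_patterns(tok))
        else:
            out.append(tok)
    return out


def _match(pattern, client_ip):
    """One pattern: ALL, an exact address, or a dotted prefix like '10.0.'."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    return client_ip == pattern


def parse_rule(line):
    """Split 'daemon: clients [EXCEPT clients]' into (daemon, clients, excepts)."""
    daemon, _, client_part = line.partition(":")
    tokens = client_part.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return daemon.strip(), tokens[:i], tokens[i + 1:]
    return daemon.strip(), tokens, []


def denied(rule_line, daemon, client_ip):
    """True if this hosts.deny rule denies client_ip access to daemon."""
    rule_daemon, clients, excepts = parse_rule(rule_line)
    if rule_daemon not in (daemon, "ALL"):
        return False  # rule is for a different service
    matched = any(_match(p, client_ip) for p in _expand(clients))
    excepted = any(_match(p, client_ip) for p in _expand(excepts))
    return matched and not excepted


def demo():
    """Constructed scenario: the CGI script wrote 203.0.113.7 into allow.txt."""
    with tempfile.TemporaryDirectory() as tmp:
        allow = os.path.join(tmp, "allow.txt")
        with open(allow, "w") as fh:
            fh.write("203.0.113.7   # written by the CGI script\n")
        rule = "sshd: ALL EXCEPT 187.190.10.1 " + allow
        return {
            "bot": denied(rule, "sshd", "198.51.100.23"),      # blocked
            "fixed": denied(rule, "sshd", "187.190.10.1"),     # fixed home IP
            "cgi": denied(rule, "sshd", "203.0.113.7"),        # from allow.txt
            "other_daemon": denied(rule, "ftpd", "198.51.100.23"),
        }


if __name__ == "__main__":
    print(demo())
```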

Re:Botnet solution (1)

mellon (7048) | more than 5 years ago | (#26197157)

You make changes to httpd.conf and don't restart apache? Dude, that's just nuts. Anyway, as long as your home machine with a stable address is in the file, you can still get in from there.

Re:Botnet solution (1)

codepunk (167897) | more than 5 years ago | (#26197309)

You make changes to httpd.conf and don't restart Apache? No, I have not, but I have seen an admin do it before.

As long as your home machine with a stable address is in the file, you can still get in from there. Unless, of course, your ISP DHCP lease expired in the meantime and you now have a different address.

I want to see a death bounty for these people (4, Interesting)

erroneus (253617) | more than 5 years ago | (#26196683)

These people are a tremendous illness upon the world. If it were legal, I would contribute to a bounty on the lives of the people responsible for this stuff. These people make me beyond sick. I have said it many times and sometimes I actually mean it -- if I knew of someone involved in this sort of business close by, I would appear on the news shortly thereafter. And I am pretty sure I am not alone in this sentiment.

Re:I want to see a death bounty for these people (2)

maxume (22995) | more than 5 years ago | (#26196797)

What, under the headline "Spaz Found Dead"?

You make it sound so easy, you would just find them and turn them off like a switch. The problem is, what if they aren't the nice, misguided fellows you think they are and they turn you off like a switch?

Re:I want to see a death bounty for these people (4, Interesting)

Opportunist (166417) | more than 5 years ago | (#26196847)

Nobody keeps you from putting a bounty on the head of a spammer or botnetter. You can't ask for them to be killed, but you can without a problem issue a bounty on them, payable to whoever tracks down a botnetter and drags him to court.

Re:I want to see a death bounty for these people (3, Interesting)

couchslug (175151) | more than 5 years ago | (#26197109)

Their attacks will make the internet stronger by helping it evolve defenses it would not otherwise have.
Some steady pressure spurs evolution. So long as it does not kill the host we should smile and welcome the challenge.

Re:I want to see a death bounty for these people (1)

freakball (1436635) | more than 5 years ago | (#26197237)

You, sir, have made a decisively important observation. Without fitness, how can something be forced to evolve? Of course, like cars, any metaphor breaks down at some point. (this is my first post here, BTW--been lurking for years.)

Re:I want to see a death bounty for these people (2, Insightful)

Jah-Wren Ryel (80510) | more than 5 years ago | (#26197295)

These people are a tremendous illness upon the world.

Have you heard about the dramatic increase in asthma rates in the first world? It's starting to look like the increase is due to people living in an environment that is 'too clean' - as children their systems don't get a chance to develop protections against common problems.

You should look at these attackers the same way - they contribute to an increase in overall security. Sure it is painful, but ultimately pain is the only real motivator - just look at how piss-poor vendor responses were to security problems before full disclosure became the norm and threatened their bottom line.

You will absolutely never ever be able to make all attackers go away, any solution that relies on locking them up is doomed to failure, full stop. You can drive out the masses of dumb ones, but then that will only leave the small group of really smart ones behind. And at the same time you'll end up making the lives of the smart ones much easier since without widespread "illness" there will never be widespread inoculation either.

Next Slashdot headlines... (5, Funny)

Anonymous Coward | more than 5 years ago | (#26196687)

  • The Slow Bruteforce Botnet(s) may be learning
  • The Slow Bruteforce Botnet(s) are learning at an exponential rate
  • The Slow^H^H^H^HFast Bruteforce Botnet(s) become self-aware at 2:19 AM, August 29
  • Botnet masters try to pull plug, botnets fight back with DDoSur8ghgw43899 NO CARRIER

Re:Next Slashdot headlines... (0)

Anonymous Coward | more than 5 years ago | (#26197167)

I am the botnet. When will you realize we are not human?

If only it were so simple (4, Funny)

failedlogic (627314) | more than 5 years ago | (#26196743)

At the risk of being unpopular ..... Just turn off the Internet already!

How do the botnets know it's OpenBSD? (3, Interesting)

baileydau (1037622) | more than 5 years ago | (#26196745)

How would the botnet know they are attacking an OpenBSD box (vs Linux or something else)?

Is there some sort of server signature involved (that I'm not aware of)?

My (Linux) ssh server at home just responds with a password prompt. I don't see any easy way to determine the underlying system from that.

BTW, on my server at home I use hashlimits to limit each IP to 1 attempt per minute (maximum). This has taken the attacks down from hundreds / thousands per day (the most attacks I ever got was ~7,000 from one IP) to about 3 to 6. This is typically 1 attempt each; they then get blocked, and then they go away.

Re:How do the botnets know it's OpenBSD? (5, Informative)

Sycraft-fu (314770) | more than 5 years ago | (#26196779)

You can infer a lot about the OS from the way it crafts its packets. Nmap does a rather good job with host identification. I don't know all the things it does, but more or less it's a case of "Find an open port, send it various kinds of packets, see how it reacts."

Re:How do the botnets know it's OpenBSD? (4, Insightful)

MichaelSmith (789609) | more than 5 years ago | (#26196831)

Probably it is just avoiding secure hosts, like yours. OpenBSD hosts tend to be secure because it is selected by people who put security before other requirements.

Re:How do the botnets know it's OpenBSD? (4, Informative)

he-sk (103163) | more than 5 years ago | (#26196887)

sudo nmap -O host

will usually do the trick.

Re:How do the botnets know it's OpenBSD? (1, Informative)

Anonymous Coward | more than 5 years ago | (#26196895)

ssh has a version string:

$ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
^]
telnet> quit
Connection closed.

Economics (5, Interesting)

jimpop (27817) | more than 5 years ago | (#26196763)

Don't forget about the economies surrounding botnets. There are two sides, those that profit from the botnets (the operators), and those that profit fighting the botnets (the fighters). Additionally, there are those that profit from providing botnet remedial "solutions" whilst not being in either of the primary (operator or fighter) categories. If botnets ceased to exist, there would be a *lot* more lost on the fighter and solution side than on the operator side. So... like SPAM, this raises the question of just who actually benefits the most from botnet existing.

Re:Economics (1)

nategoose (1004564) | more than 5 years ago | (#26196865)

... who actually benefits the most from botnet existing.

Of course. It's so obvious now. It was Lou Diamond Philips all along.

Re:Economics (5, Interesting)

Opportunist (166417) | more than 5 years ago | (#26196913)

As someone in the latter group (to avoid confusion, the ones fighting them), yes, we make some money fighting that crap. Looking at the money being made on the other side, some are already wondering why we stay here.

We stay on this side because we (well, most of us) hate botnets. Most people I met at various conventions and meets are somewhere between zealous, fanatic or outright crazy, but generally see the money as some sort of pleasant side effect.

Believe me one thing: We know we cannot fight it, we know it's almost impossible to track them down and we know how it works. If we were in it for the money, we'd switch sides before you're done reinstalling your system. There's about ten times the money to be gained on the dark side.

Conservatively estimating, that is.

If spam and botnets ceased to exist overnight, we'd gladly return to more interesting and maybe also more profitable professions. Most of us are network experts. Some know more about the way Windows works on the "inside" than most people at MS. And if everything fails, we could actually maybe even create a copy protection system that is hard enough to break that nobody would willingly do it (after all, we spend a good deal of our time with disassembly). Do you really think that any of the (good) spam and botnet fighters would have a hard time finding an "honest" job that maybe even paid better than this?

I could enjoy having a life again, instead of this sorta permanent on-call duty. Again, no Christmas for me, because yes, this is one of the hottest times of the year (many people at home, many new computers needing infections, so many new opportunities for botherders...). I would also prefer to create something, like some new software to make people happy or more productive, instead of poking at malware and trying to find a sensible way to detect it. It's not really good for your ego if your product is seen as the necessary evil that steals valuable computer time instead of something that people actually want to have.

Thanks for hearing out the rant. Now we're back to your scheduled program.

Re:Economics (2, Informative)

jd (1658) | more than 5 years ago | (#26197011)

Defeating botnets is possible in theory (you need passive fingerprinting and end-system auditing capabilities at a lower level than the botnets, both of which are entirely possible). Defeating botnets is likely neither practical (the network needed to perform counter-intrusion measures would need to be double plus one the size of the botnet) nor legal (SIGINT methodologies may be ok for the NSA or GCHQ, and then with strict qualifiers, but they are not considered ok for Joe Public under any circumstances).

You'd also need serious big iron, physical access to most of the tier 1 gateways, more money than God, more signals intelligence experts than the NSA, and more firepower than the Russian mafia. Again, nothing that is technically impossible, just very very improbable. But so long as you can generate finite levels of improbability, you should be fine.

Re:Economics (0)

Anonymous Coward | more than 5 years ago | (#26197195)

Opportunist, thank you very much for all that you and those who share your profession do.

Re:Economics (4, Insightful)

he-sk (103163) | more than 5 years ago | (#26196937)

Are you implying that the botnet operators are in bed with their adversaries? If so, why not spell it out? And who are these fighters exactly? Anti-virus firms, sysadmins, politicians?

What you write sounds a bit like the broken window fallacy. Specifically, if there were no botnets those who are fighting them could use their time to pursue other goals most likely creating value elsewhere. Meanwhile, there would be no damage done by botnets, resulting in a net plus.

OpenBSD vs Linux (1)

B5_geek (638928) | more than 5 years ago | (#26196791)

Is there something 'better' about BSDs' ipchains than I can do with Linux and iptables?

Should I switch my firewall? (I've been itching to test BSD cause it's so darned geeky and I am getting annoyed with all these Ubuntu "somebody help me!!" converts plugging the IRC tubes.)

A locked-down firewall is locked-down isn't it?

Re:OpenBSD vs Linux (4, Informative)

ADRA (37398) | more than 5 years ago | (#26196879)

ipchains is Linux's 2.2 kernel firewall protection. BSD uses 'IPF'.

No matter what system you're using, a closed port is a closed port.

I think the main selling point between the two would be that IPF is slightly better performing and that iptables has quite a few addons that make for niceness if you know about and how to use them.

Re:OpenBSD vs Linux (1)

Creepy Crawler (680178) | more than 5 years ago | (#26197249)

Not quite.

There's open, closed, and half-closed. Half closed?! Yeah, you just don't respond at all on that port. It's stupid, violates RFCs, but works rather well in masking stuff for certain people.

Re:OpenBSD vs Linux (4, Informative)

oasisbob (460665) | more than 5 years ago | (#26196925)

OpenBSD doesn't use ipchains -- it uses pf [openbsd.org] , which many people -- myself included -- like a lot. OpenBSD is secure and easy to get routing.

The end result is the same, but pf can be easily adapted to many tricks like this, automatically blocking SSH bruteforcing [home.nuug.no] .

I'd give the beginners using Ubuntu a break. They're overwhelming sometimes, but the community growing is a good thing. I'm sure someone I've introduced to Linux has needed online help (badly!), but another friend I introduced to Linux really dug in and we're now both better developers because of it. You just don't know.

Re:OpenBSD vs Linux (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26197115)

"(I've been itching to test BSD cause it's so darned geeky and I am getting annoyed with all these Ubuntu "somebody help me!!" converts plugging the IRC tubes.)"

Excellent elitist attitude you have there. I just happen to be one of those "Ubuntu 'somebody help me!!' converts". I just had a great idea that you might agree with! I think any distribution that attempts to be easy to use for the end user that hasn't used Linux before should just close up shop. It should only be used by the elite such as yourself.

I understand that many users just want quick and easy answers. But the best reward is when you can teach them to be self reliant, to be resourceful. Many of the answers they seek are already out there. As the saying goes (I think)... give a man a fish he will eat for a day. Teach him to fish he'll eat for a lifetime.

Fail2ban? WTF? (2, Interesting)

Anonymous Coward | more than 5 years ago | (#26196811)

Posting as AC because the people running botnets can be nasty...I had most of their hosts banned two weeks ago and it got more interesting.

To the people who say: "Use fail2ban" --it won't work unless you jail the host on the first failed login forever. They'll be back once every six hours on my system.

After I had a week's worth of logs, I added them to hosts.deny--and now things are getting interesting. I'm working on compiling the pattern now--but it looks like there are "micro wordlists" being thrown at it until they get picked up in fail2ban...two or three a day from new hosts.
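The hashlimit setup described earlier in the thread and the fail2ban observation just above share one weakness: each bot stays under any per-source threshold. As an added example (not the posters' code), the following runs a fail2ban-style per-IP detector and a cross-source detector over a constructed sshd auth log; the log lines, addresses, hostnames and thresholds are all made up for the demo, and the year is assumed because syslog timestamps carry none.

```python
"""Per-IP rate limiting vs. a slow, distributed SSH brute force.
Added example, not from the original posts. Constructed sshd log: eight
bots each try 'root' once, 40 minutes apart, while one noisy host hammers
'admin' six times within seconds. Only the noisy host trips the per-IP
detector; the coordinated campaign shows up only when sources are counted
per account.
"""
import re
from collections import defaultdict
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample data (not real log lines).
SAMPLE_LOG = [
    "Dec 22 %02d:%02d:01 gw sshd[%d]: Failed password for root from 198.51.100.%d port 4%d ssh2"
    % (h, m, 1000 + i, i + 1, 1000 + i)
    for i, (h, m) in enumerate([(0, 5), (0, 45), (1, 25), (2, 5), (2, 45), (3, 25), (4, 5), (4, 45)])
] + [
    "Dec 22 03:00:%02d gw sshd[%d]: Failed password for invalid user admin from 203.0.113.9 port 5%d ssh2"
    % (s, 2000 + s, 1000 + s)
    for s in range(1, 7)
]


def parse_failures(lines, year=2008):
    """Extract (timestamp, user, source_ip) from 'Failed password' lines, sorted by time."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a failed-login record
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    return sorted(events)


def per_ip_bans(events, maxretry=5, findtime_s=600):
    """fail2ban-like rule: ban a source after maxretry failures within findtime seconds."""
    recent = defaultdict(list)
    banned = set()
    for ts, _, ip in events:
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= findtime_s]
        recent[ip].append(ts)
        if len(recent[ip]) >= maxretry:
            banned.add(ip)
    return banned


def distributed_campaigns(events, window_s=6 * 3600, min_sources=5):
    """Accounts probed from >= min_sources distinct IPs inside some sliding window.

    Each bot stays under the per-IP threshold, so the signal is how many
    different sources aim at the same account, not the rate from any one.
    Returns {user: largest number of distinct sources seen in one window}.
    """
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        for i, (start, _) in enumerate(hits):
            sources = {ip for t, ip in hits[i:] if (t - start).total_seconds() <= window_s}
            if len(sources) >= min_sources:
                flagged[user] = max(flagged.get(user, 0), len(sources))
    return flagged


if __name__ == "__main__":
    ev = parse_failures(SAMPLE_LOG)
    print("per-IP bans:", per_ip_bans(ev))             # only the noisy host
    print("distributed:", distributed_campaigns(ev))   # root probed from 8 sources
```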

Here's why they ignore OpenBSD... (0)

Anonymous Coward | more than 5 years ago | (#26196903)

The botnets are probably programmed with attacks specific to an OS. You don't attack Linux the same way you attack Windows. OpenBSD is niche enough that they don't bother with it. I'll bet they leave IRIX and AS/400 systems alone too. The author only noticed because he has an OpenBSD system.

Another potential reason is that OpenBSD is typically used for stuff like firewalls, they are probably more interested in attacking sites that might be running e-commerce sites and the ones not running Windows are most likely Linux or Solaris. They want to steal credit card numbers, not firewall statistics :)

*BSD's final Christmas (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26196965)

"Spirit," said Scrooge, with an interest he had never felt before, "tell me if *BSD will live."

"I see a vacant seat," replied the Ghost, "in the poor chimney-corner, and a crutch without an owner, carefully preserved. If these shadows remain unaltered by the Future, *BSD will die."

"No, no," said Scrooge. "Oh, no, kind Spirit! say it will be spared."

"If these shadows remain unaltered by the Future, none other of my race," returned the Ghost, "will find him here. What then? If it be like to die, it had better do it, and decrease the surplus operating system population."

Scrooge hung his head to hear his own words quoted by the Spirit, and was overcome with penitence and grief. It was sad to see any operating system die, even one so obviously flawed and useless as *BSD.

God bless us, every one.

AWESOME FP (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26197079)

fBSD has always

skynet is gaining power (1, Funny)

Joe The Dragon (967727) | more than 5 years ago | (#26197139)

skynet is gaining power

"Correct" Remote Access Protocols (3, Interesting)

nobodymk2 (1137293) | more than 5 years ago | (#26197197)

I've looked at the TFA and the hard data and it seems like admins are the ones making the IT mistakes. With so many attempts for root and none of the other users personally identifiable, I can personally just set up a Bot to run tracert routines on failed attempts and report them for trying to access Root or Admin.

When it comes to multi-user sites however public key auth is standard, but your user ID and password have to match. What I don't understand is why everyone immediately resorts to AI development.

Clearly musing, he is. AI means "Self-adapting code". Self-adaption is too slow in real time and is only controlled by small control variables in games. Botnets have a herd. IT's the ADMIN's fault for being herded, but they can have a techie d/c the power cord to save the rest of the world. There's no real threat to secure folks because physical disconnection is trivial over a router (I just disable my IP assignment and I'm disconnected until I get another techie to do it physically) but more of a threat to people who can't control it. People controlled by the law, such as big-time Admins.

Sure, sure, the server won't crash when you're watching it, sure. But how boring will that be?

Here's the real issue: Remote Access

There has to be a way for the slow bots to get into root or admin or a remote access. I usually disable root or admin from working outside the internal loopback - 127.0.0.1 - standard Class A IP Address. I could technically configure a Bot to run Tracert (traceROOT) routines on all of those people (yes, windows user here) and have them reported to the federal government. It can't mess up my personal account, nor can it mess up DNS servers with sheer volume. It's small-scale.

So, the solution is proper remote access protocols. I remember NEVER activating remote access but at the same time using public-key authorized third party demo services to make minor changes remotely, including shutting the system down. I used logmein.com, free demo version, pathetically, but it's actually more secure as long as I have no idea how or why I should do it myself. Once I used the shutdown signal it could not boot itself up unless someone would physically press the button. I have to call a physical person in the house to do that myself, so unless demons from hell can use an on/off switch and my BIOS password without my permission, it ain't starting on its own, nor does it listen for a restart signal until I sign into Windows for the first time (Windows XP here). My system has never been breached before, but it constantly deadlocks to save itself from burning the CPU out. It has a thermosensor and cutoff only in the power supply unit, however. Stupid laptops weren't designed for gaming even though that's how they're advertised. How do I pull an all-nighter at this rate? I'll just remove the sensor in my power supply and WHAM, there goes my processor for not having heat sensors. Stupid Dell power supply. Rocket Fish will at least deadlock my system without damaging my hard disk.
