| 1 |
On Thursday 04 December 2008, Steve wrote: |
| 2 |
> Simon wrote: |
| 3 |
> > Since it is very unlikely that the attacker is targeting you |
| 4 |
> > specifically, changing the port number (and removing root access) will |
| 5 |
> > very likely stop the attack forever. Though, if the attacker did |
| 6 |
> > target you, then you will need some more security tools (intrusion |
| 7 |
> > detection, etc...). |
| 8 |
> |
| 9 |
> I recognise that this doesn't seem to be a targeted attack - but it is |
| 10 |
> still frustrating to find that someone has evaded my IP blocking |
| 11 |
> strategy... even though they pose only a slightly elevated risk by |
| 12 |
> having done so. (Of course, I don't permit root login - that would be |
| 13 |
> madness... and, as far as I'm aware, no-one has guessed even a valid |
| 14 |
> user name... they're all obscure!) |
| 15 |
> |
| 16 |
> The thing that strikes me is that, in evading my blocking strategy, they |
| 17 |
> clearly identified a bot-net of compromised hosts. With this in mind, |
| 18 |
> ideally, I'd like to: |
| 19 |
> |
| 20 |
> 1. Automatically detect and block all future attacks on all ports from |
| 21 |
> all hosts which are involved in this coordinated attack. These hosts |
| 22 |
> can't be trusted not to be malicious. |
| 23 |
> 2. Somehow inform the administrator of the hosts attacking me (in a |
| 24 |
> respectful way) since, I presume, they are unaware that their host is |
| 25 |
> involved in the attack. |
| 26 |
> 3. Ideally, share this kind of information so that myself and others are |
| 27 |
> better protected from bot-net attacks in future. |
| 28 |
> |
| 29 |
> It's the sort of thing I imagine has already been done - and there's no |
| 30 |
> point in re-inventing the wheel. |
| 31 |
|
| 32 |
I recall something similar whereby the attacked machines would automatically |
| 33 |
launch an attack on the botnet/spammer to effect a DoS. Then the spammers |
| 34 |
complained and the guys who had written the software were forced by the |
| 35 |
police to recall it . . . sometimes I wonder. Anyway, I'm a bit thin on |
| 36 |
details - this was all the rage about 4-5 years ago as a legit way to defend |
| 37 |
yourself against spam. |
| 38 |
|
| 39 |
What I think is required is a script which will identify the compromised |
| 40 |
machine and promptly reformat its MSWindows OS - problem solved. Of course |
| 41 |
how you keep tabs on this tool not being misused is another thing. |
| 42 |
-- |
| 43 |
Regards, |
| 44 |
Mick |
Archives