On Thursday 04 December 2008, Steve wrote:
> Simon wrote:
> > Since it is very unlikely that the attacker is targeting you
> > specifically, changing the port number (and removing root access) will
> > very likely stop the attack forever. Though, if the attacker did
> > target you, then you will need some more security tools (intrusion
> > detection, etc...).
>
> I recognise that this doesn't seem to be a targeted attack - but it is
> still frustrating to find that someone has evaded my IP blocking
> strategy... even though they pose only a slightly elevated risk by
> having done so. (Of course, I don't permit root login - that would be
> madness... and, as far as I'm aware, no-one has guessed even a valid
> user name... they're all obscure!)
>
> The thing that strikes me is that, in evading my blocking strategy, they
> clearly identified a bot-net of compromised hosts. With this in mind,
> ideally, I'd like to:
>
> 1. Automatically detect and block all future attacks on all ports from
> all hosts which are involved in this coordinated attack. These hosts
> can't be trusted not to be malicious.
> 2. Somehow inform the administrator of the hosts attacking me (in a
> respectful way) since, I presume, they are unaware that their host is
> involved in the attack.
> 3. Ideally, share this kind of information so that myself and others are
> better protected from bot-net attacks in future.
>
> It's the sort of thing I imagine has already been done - and there's no
> point in re-inventing the wheel.

I recall something similar whereby the attacked machines would automatically
launch an attack on the botnet/spammer to effect a DoS. Then the spammers
complained and the guys who had written the software were forced by the
police to recall it... sometimes I wonder. Anyway, I'm a bit thin on
details - this was all the rage about 4-5 years ago as a legit way to defend
yourself against spam.

What I think is required is a script which will identify the compromised
machine and promptly reformat its MSWindows OS - problem solved. Of course,
how you keep tabs on this tool not being misused is another thing.
-- 
Regards,
Mick
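Steve's first wish in the quoted message (detect and block, on all ports, every host taking part in one coordinated attack) is exactly where per-source blocking falls down: if each bot makes only one or two attempts, no single IP ever crosses a fail2ban-style threshold. The script below is an added example and is not code from this thread or from any of its participants. It correlates sshd failures by the username attacked rather than by source address, so a campaign of many hosts hammering the same invalid user inside a short window shows up as one group, and it emits iptables commands (as strings, for review before anything is applied) that drop all traffic from every member. The log lines, the hostname `gw`, the addresses and the thresholds are all constructed for the example; the only format assumption is OpenSSH's standard "Failed password for ..." syslog line.

```python
"""Detect a distributed SSH brute force that evades per-IP blocking.

Added example: groups sshd failures by target username and treats every
source that hits the same username inside a sliding window as part of one
campaign, then emits iptables DROP rules covering all ports for each source.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address

# Standard OpenSSH auth.log line (syslog timestamp, no year).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for invalid user|Failed password for) (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: five different sources try the same invalid user
# "admin" within about a minute, each making a single attempt.
SAMPLE_LOG = """\
Dec  4 09:12:01 gw sshd[4021]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Dec  4 09:12:07 gw sshd[4025]: Failed password for invalid user admin from 203.0.113.77 port 44120 ssh2
Dec  4 09:12:15 gw sshd[4031]: Failed password for invalid user admin from 198.51.100.5 port 60001 ssh2
Dec  4 09:12:20 gw sshd[4033]: Failed password for invalid user oracle from 198.51.100.5 port 60002 ssh2
Dec  4 09:12:41 gw sshd[4040]: Failed password for invalid user admin from 192.0.2.200 port 39012 ssh2
Dec  4 09:13:02 gw sshd[4044]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2
Dec  4 10:30:00 gw sshd[4102]: Failed password for steve from 192.0.2.55 port 50100 ssh2
Dec  4 11:45:12 gw sshd[4150]: Failed password for invalid user test from 203.0.113.3 port 42000 ssh2
"""


def parse(log_text, year=2008):
    """Return a list of (timestamp, username, source_ip) for each failed login.

    Syslog omits the year, so the caller supplies it (assumption: one year)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore accepted logins, disconnects and other noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def per_ip_offenders(events, max_failures=3):
    """The classic per-source rule: block an IP once it fails max_failures times.

    Against a distributed attack where each bot tries once or twice this never
    fires, which is the evasion described in the thread."""
    counts = defaultdict(int)
    for _, _, ip in events:
        counts[ip] += 1
    return sorted(ip for ip, n in counts.items() if n >= max_failures)


def coordinated_sources(events, min_sources=4, window_seconds=300):
    """Return {username: set_of_ips} for every username attacked by at least
    min_sources distinct IPs inside any window_seconds-wide sliding window."""
    by_user = defaultdict(list)
    for ts, user, ip in sorted(events):  # sort so each per-user list is time ordered
        by_user[user].append((ts, ip))

    campaigns = {}
    for user, hits in by_user.items():
        lo = 0
        for hi in range(len(hits)):
            # advance the window start until hits[lo..hi] fits in the window
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window_seconds:
                lo += 1
            ips = {ip for _, ip in hits[lo:hi + 1]}
            if len(ips) >= min_sources:
                campaigns.setdefault(user, set()).update(ips)
    return campaigns


def block_rules(campaigns):
    """Build iptables commands dropping *all* traffic (every port) from each
    campaign member. Returned as strings so they can be reviewed, logged and
    shared before being run with root privileges."""
    members = {ip for ips in campaigns.values() for ip in ips}
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip in sorted(members, key=ip_address)]


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-IP rule would block:", per_ip_offenders(evs) or "nothing")
    found = coordinated_sources(evs)
    for user, ips in found.items():
        print(f"user {user!r} targeted by {len(ips)} sources")
    for rule in block_rules(found):
        print(rule)
```

On the sample input the per-IP rule blocks nothing, while the username correlation groups all five sources behind the `admin` attempts and produces five DROP rules. The thresholds (`min_sources`, `window_seconds`) are the part to tune against real logs: too low and a handful of unrelated scanners trying `admin` on the same day get lumped together. Steve's second and third points (contacting the owners and sharing the list) start from the same set of addresses, but need an abuse contact lookup that this offline example deliberately does not attempt.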