[CentOS] Re: Email dictionary attacks and firewall

Wed Aug 16 19:14:22 UTC 2006
Chris Mauritz <chrism at imntv.com>

John Hinton wrote:
> Scott Silva wrote:
>> rado spake the following on 8/16/2006 3:49 AM:
>>  
>>> On Wed, 2006-08-16 at 05:49 -0400, John Hinton wrote:
>>>    
>>>> I keep seeing 'Joe Average compromised computer on broadband' being 
>>>> used to do email dictionary attacks on our systems. Seems I always 
>>>> have several domains going through these. One in particular has 
>>>> been in the 'a-' list for weeks with about 20,000 attempts per day 
>>>> from various systems. Yeah, I do have a system which blocks email 
>>>> from these systems for a period of time after 3 bad email address 
>>>> attempts.... throttling...
>>>>
>>>> Anyway, this brought to mind.... Joe Average! Joe Average buys a 
>>>> broadband connection, has someone hook up his computer.. talks to 
>>>> tech support about everything and eventually, an AV subscription 
>>>> dies or something and Joe just doesn't care or doesn't know how to 
>>>> deal with that. Meanwhile Joe's computer gets a virus allowing some 
>>>> baddy to start sending email. Joe notices his computer is getting a 
>>>> little slow.. but it's not bad enough to worry about.
>>>>
>>>> So, this made me start wondering about how to do something that 
>>>> makes Joe's computer so slow that he finally gives up and calls in 
>>>> tech support to fix the damned thing.
>>>>
>>>> I wonder if there is a way that a firewall rule could be written, 
>>>> that would let a trickle of the connection from Joe through, so that 
>>>> his dictionary attack gets backed up with a huge number of 
>>>> connections which are trickling through at such a slow rate, with 
>>>> maybe just enough delay built in to make it keep trying.... 
>>>> Basically making Joe's compromised computer useless.. and maybe 
>>>> he'd at least turn it off if it didn't lock up all by itself....
>>>>
>>>> It is so very sad that some providers don't monitor their own 
>>>> people. I see where comcast has now slid down to number 8 after 
>>>> holding the number one spot as the biggest spammer network for a 
>>>> very long time. Good for them! It seems the undisputed king of this 
>>>> world now is verizonbusiness.com.... bad bad very bad....
>>>>
>>>> Sorry.. yeah.. a bit off topic......
>>>>
>>>> John Hinton
>>>>       
>> Better would be a rule to forward their connection to a honeypot / 
>> tarpit box
>> that would do what you want ... tie up their connection for a while.
>>   
> Yeah... but even Johnny apparently gets hacked. ;)
>
> The fear of retribution or a war is always an important consideration. 
> It seems that no matter how big you are, someone can always overload 
> your bandwidth. Maybe not if you're google. But even then, a mass 
> attack from multiple networks, something I have experienced.. over 
> 1000 machines hitting an intensive php script once per second... and a 
> crawl develops, either due to bandwidth or serverload.
>
> Oh, well... I like to get my log reports to see who's doing what.. 
> it's just that these dictionary scripts throw so much garbage in 
> among the good information.. and I'm getting about 30 megs of logwatch 
> reports per day... Not complaining about logwatch, as I know how to 
> turn it down and things off.. They just mess up my reports, just like 
> spam messes up an inbox.

Yep, the stark reality is that some of these blackhat botnets are pretty 
extensive.  And if you rub them the wrong way they can take down even 
distributed and otherwise fault tolerant networks.  I wish there was 
more attention paid to getting those clowns under control instead of 
suing teenagers for sharing music and movie files....sigh.

Cheers,
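A worked version of the "block a source after 3 bad email address attempts" throttling John describes above, added here as an illustration; it is not code from this thread or from CentOS. It assumes Postfix-style smtpd reject lines (the sample log below is constructed, using RFC 5737 documentation addresses), a 10-minute window, a one-hour block, and a log year of 2006 since syslog lines carry no year. The iptables commands are only rendered as strings, not executed, and they match SMTP only so the rule does not cut off the rest of the host's traffic. The second source in the sample log shows why the window matters: a real correspondent who mistypes an address three times over 45 minutes is never blocked.

```python
"""Throttle sources that probe for non-existent mailboxes (example, not list code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 3                     # bad recipient attempts before a block (as in the post)
WINDOW = timedelta(minutes=10)    # assumed: attempts must fall within this span
BLOCK_FOR = timedelta(hours=1)    # assumed: how long a block lasts
LOG_YEAR = 2006                   # assumed: syslog timestamps carry no year

# Postfix "User unknown" rejection, e.g.
#   ... postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1
#   <x@example.org>: Recipient address rejected: User unknown in local recipient table; ...
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix/smtpd\[\d+\]: "
    r"NOQUEUE: reject: RCPT from \S+\[(?P<ip>[\d.]+)\]: 550 .*?"
    r"Recipient address rejected: User unknown"
)

# Constructed sample log lines (RFC 5737 test addresses), not taken from a real system.
SAMPLE_LOG = """\
Aug 16 10:00:01 mx postfix/smtpd[2011]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <aaron@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid> to=<aaron@example.org> proto=ESMTP helo=<pc>
Aug 16 10:00:02 mx postfix/smtpd[2011]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <abby@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid> to=<abby@example.org> proto=ESMTP helo=<pc>
Aug 16 10:00:03 mx postfix/smtpd[2011]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <adam@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid> to=<adam@example.org> proto=ESMTP helo=<pc>
Aug 16 10:00:04 mx postfix/smtpd[2011]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 5.1.1 <alan@example.org>: Recipient address rejected: User unknown in local recipient table; from=<x@spam.invalid> to=<alan@example.org> proto=ESMTP helo=<pc>
Aug 16 10:05:00 mx postfix/smtpd[2012]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <typo@example.org>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<typo@example.org> proto=ESMTP helo=<mail.example.net>
Aug 16 10:30:00 mx postfix/smtpd[2013]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <typo2@example.org>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<typo2@example.org> proto=ESMTP helo=<mail.example.net>
Aug 16 10:45:00 mx postfix/smtpd[2014]: NOQUEUE: reject: RCPT from mail.example.net[198.51.100.7]: 550 5.1.1 <typo3@example.org>: Recipient address rejected: User unknown in local recipient table; from=<bob@example.net> to=<typo3@example.org> proto=ESMTP helo=<mail.example.net>
Aug 16 10:46:00 mx postfix/smtpd[2015]: 5A1B2C3D4E: client=mail.example.net[198.51.100.7]
"""


def parse_rejects(log_text):
    """Yield (timestamp, source_ip) for every unknown-recipient rejection in the log."""
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
            yield ts, m.group("ip")


def find_offenders(log_text):
    """Return {ip: block_expiry} for sources with THRESHOLD rejects inside one WINDOW."""
    recent = defaultdict(list)   # ip -> timestamps of rejects still inside the window
    blocked = {}
    for ts, ip in parse_rejects(log_text):
        hits = [t for t in recent[ip] if ts - t <= WINDOW]   # drop attempts that aged out
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= THRESHOLD and ip not in blocked:
            blocked[ip] = ts + BLOCK_FOR   # block starts at the attempt that crossed the line
    return blocked


def block_rules(blocked):
    """Render one iptables command per offender; SMTP only, so nothing else is cut off."""
    return [
        f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP  # until {expiry:%H:%M}"
        for ip, expiry in sorted(blocked.items())
    ]


if __name__ == "__main__":
    for rule in block_rules(find_offenders(SAMPLE_LOG)):
        print(rule)
```

The rules are printed rather than applied so the script can be run against a log file for review first; a cron job that applies them and removes expired entries is the obvious next step. A tarpit target, where the kernel has one, slots into the same rule in place of DROP and gives the "trickle" behaviour the thread asks about.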