How to report a bot-net

Louis Kowolowski louisk at cryptomonkeys.org
Thu Jan 14 16:13:18 PST 2010


On Jan 14, 2010, at 3:24 PM, Guy B. Purcell wrote:

> Hi All,
> 
> Been too long since we had real posts here & this is an interesting problem, so I'm hoping for some good discussion, if not resolution.
> 
> I have an SSH portal at home that gets a remarkable amount of traffic--almost all of which is brute-force attacks either from individuals or from bot-net(s).  Here's an example individual (I'm showing logged timestamp, source IP address, and username attempted):
> 
<snip>
> This host is running ipfw, and I could write a script that couples that with the log to block the unwanted attention (easy for the individual attacks, non-trivial for the bot-nets--at least AFAICT), but that just kicks the can down the road to someone else's IP address.  I could use the log info to attempt to notify the various ISPs of the abuse, but they would just see it as a bunch of individual complaints.  What I think would be better would be to use blocking & notification tactics (as automated as possible; I believe David kicked off a small discussion thread here about that) for the individual attackers, but to be able to treat the whole bot-net as a single-source attack & have it shut down.
> 
> But how to go about that?  The Internet is a global confederation with no real central authority over such a broad attack base (I have IP addresses from China, Korea, Australia, Israel, Brazil, Italy, & the US--to name just the handful I happened to look up).  Who would you turn to?  If there's no authority with the ability or responsibility to shut bot-nets down, what do you think could be done to improve matters?
> 
I get these all the time.  I mostly don't pay attention to it.  I have SSH configured so that passwords don't provide access, only ssh public keys work.  If I had more time, I would probably write a script that would add hosts to a block table (ipfw), and once a large number of IPs in a netblock were there, I would add the netblock.  Of course, the thing to weigh here is whether you're blocking IPs that will later turn around and be legit traffic.  For your home system, this probably isn't an issue, although if you travel and need (remote) access to this system, you may find yourself blocked by your own cleverness.
--
Louis Kowolowski                                louisk at cryptomonkeys.org
Cryptomonkeys:                      http://www.cryptomonkeys.org/~louisk

Making life more interesting for people since 1977
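The script Louis sketches above (count failed logins per IP, block the IP once it passes a threshold, block the whole netblock once enough of its hosts are blocked), written out as an added example that is not from the original thread or from either poster. The sshd log lines are constructed sample data; the allow list, the thresholds, the /24 aggregation size, and the ipfw table number are assumptions. The allow list is what keeps the "blocked by your own cleverness" problem from biting: the admin's own remote network never makes it into the block table. The script only prints the `ipfw table N add` commands rather than running them, so it can be reviewed before anything is applied.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines in OpenSSH "Failed password" format (not real traffic).
# 203.0.113.x is three hosts from one /24 hammering the portal; 198.51.100.7 is a lone
# attacker; 192.0.2.50 is the admin mistyping a passphrase from a hotel, then succeeding.
SAMPLE_LOG = """\
Jan 14 15:01:02 portal sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 40122 ssh2
Jan 14 15:01:05 portal sshd[1203]: Failed password for invalid user test from 203.0.113.10 port 40130 ssh2
Jan 14 15:01:09 portal sshd[1205]: Failed password for root from 203.0.113.10 port 40141 ssh2
Jan 14 15:02:11 portal sshd[1210]: Failed password for invalid user oracle from 203.0.113.11 port 51000 ssh2
Jan 14 15:02:15 portal sshd[1212]: Failed password for invalid user oracle from 203.0.113.11 port 51004 ssh2
Jan 14 15:02:19 portal sshd[1214]: Failed password for invalid user oracle from 203.0.113.11 port 51009 ssh2
Jan 14 15:03:40 portal sshd[1220]: Failed password for root from 203.0.113.12 port 33001 ssh2
Jan 14 15:03:44 portal sshd[1222]: Failed password for root from 203.0.113.12 port 33005 ssh2
Jan 14 15:03:48 portal sshd[1224]: Failed password for root from 203.0.113.12 port 33009 ssh2
Jan 14 15:05:00 portal sshd[1230]: Failed password for invalid user guest from 198.51.100.7 port 22222 ssh2
Jan 14 15:05:03 portal sshd[1232]: Failed password for invalid user guest from 198.51.100.7 port 22230 ssh2
Jan 14 15:05:06 portal sshd[1234]: Failed password for invalid user guest from 198.51.100.7 port 22238 ssh2
Jan 14 15:06:30 portal sshd[1240]: Failed password for louis from 192.0.2.50 port 60000 ssh2
Jan 14 15:06:35 portal sshd[1242]: Failed password for louis from 192.0.2.50 port 60004 ssh2
Jan 14 15:06:40 portal sshd[1244]: Failed password for louis from 192.0.2.50 port 60008 ssh2
Jan 14 15:07:00 portal sshd[1250]: Accepted publickey for louis from 192.0.2.50 port 60012 ssh2
"""

# Matches the failed-password line; group 1 is the username tried, group 2 the source IPv4.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def count_failures(log_text):
    """Return {source_ip: number of failed password attempts} from sshd log text."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(2)] += 1
    return counts


def plan_blocks(counts, allow_list, per_ip_threshold=3, per_net_threshold=3, prefix_len=24):
    """Decide what to block.

    An IP is blocked once it reaches per_ip_threshold failures, unless it falls inside
    a network on allow_list (assumed: the admin's own remote networks). When at least
    per_net_threshold blocked IPs share one /prefix_len, the whole netblock is blocked
    instead of the individual hosts. Returns (single_ips, netblocks), both sorted.
    """
    allowed = [ipaddress.ip_network(a) for a in allow_list]
    blocked_ips = set()
    for ip_str, n in counts.items():
        ip = ipaddress.ip_address(ip_str)
        if n < per_ip_threshold:
            continue
        if any(ip in net for net in allowed):
            continue  # never lock out our own travelling admin
        blocked_ips.add(ip)

    # Group blocked hosts by their enclosing /prefix_len and promote crowded ones.
    by_net = defaultdict(set)
    for ip in blocked_ips:
        by_net[ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)].add(ip)
    blocked_nets = {net for net, ips in by_net.items() if len(ips) >= per_net_threshold}

    single = sorted(ip for ip in blocked_ips if not any(ip in net for net in blocked_nets))
    return single, sorted(blocked_nets)


def ipfw_commands(single_ips, nets, table=1):
    """Render the block plan as ipfw table commands (table number is an assumption)."""
    cmds = [f"ipfw table {table} add {net.with_prefixlen}" for net in nets]
    cmds += [f"ipfw table {table} add {ip}" for ip in single_ips]
    return cmds


if __name__ == "__main__":
    failures = count_failures(SAMPLE_LOG)
    single, nets = plan_blocks(failures, allow_list=["192.0.2.0/24"])
    for cmd in ipfw_commands(single, nets):
        print(cmd)
```

Run against the sample, this prints one netblock entry for 203.0.113.0/24 and one host entry for 198.51.100.7; 192.0.2.50 stays off the list only because of the allow list, which is exactly the trade-off Louis describes. The firewall rule that consults the table (for example, a deny rule matching `table(1)` on port 22) is left to the reader's existing ipfw ruleset.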

