How to report a bot-net

Guy B. Purcell guy at extragalactic.net
Tue Jan 19 14:08:37 PST 2010


On Jan 16, 2010, at 5:37 AM, David Wolfskill wrote:

> On Thu, Jan 14, 2010 at 03:24:08PM -0800, Guy B. Purcell wrote:
>> I have an SSH portal at home that gets a remarkable amount of traffic--almost all of which is brute-force attacks either from individuals or from bot-net(s). 
> 
> As do I, though usually I wouldn't call the amount of activity all that
> remarkable -- not until the number of probes/day gets measured in the
> thousands, I suppose. :-}

It varies from a "norm" of around 350/day to almost an order of magnitude more than that, which puts me squarely into the realm of thousands per day on bad days--bad enough that I stop sshd on the portal when it happens & I'm at home trying to work over the 'net :^(

>> This host is running ipfw, and I could write a script that couples
>> that with the log to block the unwanted attention (easy for the
>> individual attacks, non-trivial for the bot-nets--at least AFAICT),
>> but that just kicks the can down the road to someone else's IP
>> address.
> 
> As Louis (and others, in other lists) have pointed out, this is
> generally a fairly effective way to commit a self-inflicted DoS attack
> on yourself.  There may be circumstances where the risk is justified;
> you would likely know those circumstances (for yourself) better than
> most.

Yep--exactly what I don't want to happen--and I'm sure to forget about this exactly when I'm heading off on an excursion to someplace unusual, from which it'd likely be critical if I wanted to ssh back home (and I have in-laws in China, which has netblocks I'd be likely to blacklist).

>> I could use the log info to attempt to notify the various
>> ISPs' of the abuse, but they would just see it as a bunch of
>> individual complaints.
> 
> Perhaps.
> 
> I actually do this (generally); the boiler-plate message I send makes it
> clear that my purpose is to provide a "heads up" that there is something
> going on on the network in question that bears investigation, and that
> the information I'm providing may be helpful in providing direction to
> that investigation.

The problem with this is that each incident is seen individually by an ISP:  no matter how politely you say it, you're still saying, "hey--I'm getting brute-force-attacked by *this* IP address that's under your control; please make it stop".  They take some action (assuming they care to; I'll give 'em the benefit of the doubt that they do), eventually taking that circuit/IP offline--but the user eventually makes enough noise (or maybe just reboots their modem) & returns online--likely with a spiffy new IP address, that eventually starts knocking on my front door again.  Round & round it goes.

Others have suggested just using an alternate port for SSH.  Definitely doable & fairly trivial, but would require me to modify my behavior (i.e. remember to use "-p xxx" with every connection to my home net), and is just hiding, not a solution (as Jesse pointed out).  Eventually, bot-nets will become large enough and enough people will have hidden their networks in this way that it becomes worth the evildoers' while and within their power to locate the new port.

>> What I think would be better would be to...treat the whole
>> bot-net as a single-source attack & have it shut down.
> 
>> But how to go about that?  The Internet is a global confederation
>> with no real central authority over such a broad attack base (I
>> have IP addresses from China, Korea, Australia, Israel, Brazil,
>> Italy, & the US--to name just the handful I happened to look up).
>> Who would you turn to?  If there's no authority with the ability
>> or responsibility to shut bot-nets down, what do you think could
>> be done to improve matters?
>> ...
> 
> I don't really attempt to address the issue in that way, as I don't know
> of a way to trace back where the "control point" is.

Exactly--there's no consortium/group/whatever that has the ability to ask the various country ISPs to investigate what IP addresses a particular address is making connections to--at least not one I know of.  That's the only way to locate the master(s)--find the set of IP addresses the collection as a whole is connecting to, and that requires global coordination of some sort.  The coordinator doesn't need access to ISP systems--just the authority to ask 'em for a list of connections (probably don't need actual packet snoop data--just connections) with the expectation of getting a truthful answer, and the trust of local law enforcement to deal with the problem when asked by the group (which should have sufficient evidence by then).

It'd be like a kind of global Internet grand jury :^)  Wouldn't be easy to establish, but would be doable, IMHO.

-Guy
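An added illustration of the distinction drawn above between blocking an individual attacker (easy) and recognising a bot-net (harder), together with the self-inflicted-DoS caveat. This is example code written for this page, not anything from the thread or from the poster's own setup: it parses constructed sshd log lines, separates one noisy source from a distributed, low-rate pass at a single username, and refuses to emit blocks for an assumed never-block prefix standing in for the owner's own travel networks.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample sshd log lines (not from the thread); addresses are
# documentation ranges, so nothing here points at a real host.
SAMPLE_LOG = """\
Jan 19 14:01:02 portal sshd[1201]: Failed password for root from 198.51.100.7 port 40110 ssh2
Jan 19 14:01:03 portal sshd[1202]: Failed password for root from 198.51.100.7 port 40111 ssh2
Jan 19 14:01:05 portal sshd[1203]: Failed password for root from 198.51.100.7 port 40112 ssh2
Jan 19 14:01:06 portal sshd[1204]: Failed password for root from 198.51.100.7 port 40113 ssh2
Jan 19 14:02:10 portal sshd[1210]: Failed password for invalid user admin from 192.0.2.11 port 5001 ssh2
Jan 19 14:07:31 portal sshd[1211]: Failed password for invalid user admin from 192.0.2.45 port 5002 ssh2
Jan 19 14:12:55 portal sshd[1212]: Failed password for invalid user admin from 192.0.2.99 port 5003 ssh2
Jan 19 14:18:02 portal sshd[1213]: Failed password for invalid user admin from 192.0.2.130 port 5004 ssh2
Jan 19 14:20:00 portal sshd[1214]: Failed password for guy from 203.0.113.5 port 6001 ssh2
Jan 19 14:20:01 portal sshd[1215]: Failed password for guy from 203.0.113.5 port 6002 ssh2
Jan 19 14:20:02 portal sshd[1216]: Failed password for guy from 203.0.113.5 port 6003 ssh2
Jan 19 14:20:03 portal sshd[1217]: Failed password for guy from 203.0.113.5 port 6004 ssh2
"""

FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")

# Prefixes that must never be blocked (the "travelling and need to ssh home"
# case); this one is an assumed placeholder for the reader's own ranges.
NEVER_BLOCK = [ip_network("203.0.113.0/24")]


def parse_failures(log_text):
    """Return (source_ip, username) for every failed-password line."""
    return [(m.group(2), m.group(1))
            for line in log_text.splitlines() if (m := FAIL_RE.search(line))]


def classify(failures, per_ip_threshold=4, min_sources=3):
    """Single-source: one IP at or over the threshold. Distributed: one username
    probed from at least min_sources IPs, each individually under the threshold."""
    per_ip = Counter(ip for ip, _ in failures)
    ips_per_user = defaultdict(set)
    for ip, user in failures:
        ips_per_user[user].add(ip)
    single = sorted(ip for ip, n in per_ip.items() if n >= per_ip_threshold)
    distributed = {
        user: sorted(ips) for user, ips in ips_per_user.items()
        if len(ips) >= min_sources and all(per_ip[ip] < per_ip_threshold for ip in ips)
    }
    return single, distributed


def safe_to_block(ips):
    """Drop anything inside NEVER_BLOCK so a firewall rule cannot lock the owner out."""
    return [ip for ip in ips if not any(ip_address(ip) in net for net in NEVER_BLOCK)]
```

The distributed bucket is the part a per-IP block list never catches: four sources, one attempt each, all aimed at the same account, which is the "bot-net as a single-source attack" view the thread is asking for.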




More information about the Baylisa mailing list