Brute-force attacks might be worth reporting

The latest trend in online attacks seems to be the brute-force type: countless zombie machines, compromised without their owners' knowledge, making repeated username/password guesses against various SSH daemons. One of our machines has been experiencing attacks of this type since November 19th, at an intensity of one attempt per minute. Originally each attacker would try a series of plausible username/password combinations until its IP was blocked. Now, a little smarter, each IP tries a single combination and moves on, which avoids being detected and blocked quickly.
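The one-guess-per-IP pattern described above is exactly what a per-source ban threshold never sees, since no single address crosses it. As an added illustration (not code from the original post), the following Python parses constructed sshd log lines and flags a time window in which many distinct sources each fail exactly once; the sample lines, the window and source thresholds, and the function names are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample auth.log lines in syslog sshd format; not real log data.
SAMPLE_LOG = """\
Nov 19 10:00:05 host sshd[2101]: Failed password for invalid user admin from 192.0.2.10 port 4011 ssh2
Nov 19 10:01:12 host sshd[2105]: Failed password for root from 198.51.100.7 port 5102 ssh2
Nov 19 10:02:20 host sshd[2109]: Failed password for invalid user luke from 203.0.113.44 port 6120 ssh2
Nov 19 10:03:31 host sshd[2114]: Failed password for invalid user john from 192.0.2.77 port 7001 ssh2
Nov 19 10:04:40 host sshd[2118]: Failed password for root from 198.51.100.90 port 4420 ssh2
Nov 19 10:05:02 host sshd[2121]: Accepted publickey for alice from 192.0.2.200 port 9000 ssh2
Nov 19 10:05:50 host sshd[2125]: Failed password for invalid user test from 203.0.113.9 port 3311 ssh2
"""

FAILED_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(text, year=2000):
    """Return (timestamp, username, source_ip) for every failed-password line."""
    rows = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            rows.append((ts, m.group(2), m.group(3)))
    return rows

def per_ip_counts(failures):
    """The view a per-IP banning tool has: attempts keyed by source address."""
    return Counter(ip for _, _, ip in failures)

def distributed_bruteforce(failures, window=timedelta(minutes=10), min_sources=5):
    """Sliding-window check for the one-guess-per-IP pattern.

    Returns (window_start, window_end, distinct_sources) for the first window
    in which at least min_sources different IPs each failed exactly once, else
    None. No single IP ever reaches a per-IP retry limit, so the aggregate
    failure rate across sources is the only signal."""
    failures = sorted(failures)
    start = 0
    for end in range(len(failures)):
        while failures[end][0] - failures[start][0] > window:
            start += 1
        ips = per_ip_counts(failures[start:end + 1])
        if len(ips) >= min_sources and max(ips.values()) == 1:
            return failures[start][0], failures[end][0], len(ips)
    return None
```

Run over a real auth log, the per-IP counter stays at one for every address while the window check fires, which is the gap the post's attackers are exploiting.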

Of course, there is nothing wrong with running a defence mechanism. I run Fail2Ban and DenyHosts to slow down, deter, and even stop attacks; however, defensive scripts or firewalls are not the answer to keeping your machine safe. One common way to reduce the chance of a break-in is to disable any service that is not needed (like ftp) or is insecure (for example, telnet). Another is to restrict who can connect to the server--perhaps trusting only a few IPs. Keeping an eye out for the relevant security bulletins that announce patches or updates can save a lot of hassle down the road. Arguably, the most important thing has always been a hard-to-guess password: anyone who disables telnet but sets their SSH password to '123' defeats the point of encrypting anything.

The concept of a good password was obviously missed by many, if the plethora of infected machines poking at my network door is any indication. Sometimes it's funny to watch: the machines try all sorts of administrator name combinations, switch to a Disciple list (Luke, John, etc.), then try names from all over the world, with Japanese and Spanish names among the favourites. With each wave of attacks I've received, the number of conspiring machines grows: this system obviously works well.

On the assumption that the machines carrying out these attacks belong to well-meaning but unaware owners, I set out to see what kind of response I would receive from the various ISPs when reporting the incident. I wondered whether this could be stopped, or people simply made more aware. Because of the number of IPs, I selected just those from North America (Canada, United States), one from Taiwan, several from Korea and the rest from Europe. The attacks are coming, of course, from all over the world, but the wealthier nations seem to have a broader level of infection.

My e-mail to each ISP was a simple forward of Fail2Ban's report, which included all the logs relevant to that particular IP. I sent this to each abuse department with a brief request to please review the attached logs.

In North America I contacted Verizon, BellSouth, Rogers and AT&T. All answered with automated replies, and several days after the report the machines still appear in my logs, unaffected.

In Europe I contacted the respective abuse departments, notably Telecom Italia (Italy's leading provider), whose reports remained unanswered--not even an automated reply--while its machines continue, without any hesitation, to knock on my door. Only the ISPs from Spain replied, asked for more information and tackled the issue. France had nothing to say but did what it had to do. Ireland's only attacking machine stopped shortly after I sent out my e-mail, but nobody replied. England's never replied either, but some of the affected machines have disappeared from my logs. Only one German ISP replied (in German), leaving me to guess that they will maybe do something about it.

In Taiwan, I contacted the abuse department of Hinet.net. Aside from repeated SSH attacks, several of their IPs are constantly attempting to relay mail through our mail server--it's been nearly two years of repeated attempts. E-mails sent to their abuse mailbox eventually bounced back because the recipient doesn't exist. Inquiring with their support people produces an automated reply stating they're grateful for the report and they'll be right on it. Nothing has changed, proving this to be the unfortunate standard-issue behaviour of some ISP owners within the Asia-Pacific IP ranges.

I also contacted the owner of one machine that belonged to a university professor involved in... computer security. The professor in question never replied to my e-mail either, but his machine dropped from my logs immediately afterwards. Perhaps it was too embarrassing to have a BA warn a PhD.

There are also a surprising number of what appear to be abandoned machines, with no contact info or with contact info that has expired. Who runs these machines? Who pays for their connection? Contacting them proved completely pointless, and blocking their static IP was the only course of action one could take. Many Eastern Bloc countries, especially Poland, seem to be plagued with exploited boxes apparently managed by no-one.

Regardless of how this turned out, I was surprised that any action was taken at all, considering I expected none. I understand that taking down one machine when there are a thousand more is like trying to douse California's fires with a bottle of water, but some degree of satisfaction still remains.

It's strange that ISPs or backbones don't monitor these machines and drop them from the ether. I know it's a lot of work, but these same machines that engage in SSH attacks could easily be used to send out spam or host any type of malware that a gullible user may fall prey to. While poking at my SSH isn't a crime, paying attention to which machines are being used by the spamming and malware community could seriously put a dent in their operations and, ultimately, their profits.

The attacks are now dying down, with only about ten to twenty attempts per hour as opposed to the previous fifty to sixty. I did not contact enough ISPs to be the cause of this. Perhaps others have reported these attacks and action was taken by the IPs' owners. Or, more likely, the attackers are going back into a state of hibernation, eager to set up their newly captured machines and waiting for bans to expire before the next round.

