Mon, 22 Dec 2008

The Slow Bruteforce Botnet(s) May Be Learning

I noticed mass amounts of failed ssh logins on my server in November, too. It was apparent that a botnet was hitting on me, but I never put two and two together until I looked over the logs and noted the alphabetical nature of the attempts coming from different hosts. That indicated coordinated attacks - all of which have so far failed, I might add, although the bandwidth and disk time wasted in defeating them was considerable.

badger.foo writes "We've seen stories about the slow bruteforcers — we've discussed it here — and based on the data, my colleague Egil Möller was the first to suggest that since we know the attempts are coordinated, it is not too far-fetched to assume that the controlling system measures the rates of success for each of the chosen targets and allocates resources accordingly. (The probes of my systems have slowed in the last month.) If Egil's assumption is right, we are seeing the bad guys adapting. And they're avoiding OpenBSD machines." For fans of raw data, here are all the log entries (3MB) that badger.foo has collected since noticing the slow bruteforce attacks.

(link) [Slashdot]

/Technology | 0 writebacks | permanent link

---

:: Categories ::

 agriculture
asatru
copywrongs
humor
musings
politics
technology
index
haxton.org

---

:: Search ::

---

:: Blogroll ::

A Mindful Life
The Accidental Smallholder
Austro-Athenian Empire
Cauldron Born
Center for a Stateless Society
Dances with Ewes
Dispatches
egregores
Hardscrabble Creek
Honk & Helen
In Siberia
Laudator Temporis Acti
Lorrie's Livejournal
Masson's Blog
MyAppleMenu
NoNAIS
Notes on Religion
Numenous Thoughts
OrangeGuru
Overlawyered
Prophet or Madman
rogueclassicism
Sugar Mountain Farm
Thud Factor
Universe of Discourse
Wildhunt Blog
within the crainium

---

:: Archives ::

←May→

Sun	Mon	Tue	Wed	Thu	Fri	Sat
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31

---

:: Site ::

Contact Me   

MacRaven
Dave Haxton's Weblog
Musings, Reflections, Rants and Comments from a Hoosier Heathen husband, father, grandfather, farmer and software engineer. There's really only one of me ...

---

lunar phases

Unless otherwise noted, all original
work on this site is licensed under a

comment...

Notes: If you put a <mailto:> link in the URL field your address will not be mangled: this could be a bad idea as your email address could be easily harvested by bots designed for SPAM. The comments field should now format correctly for line feeds and carriage returns: when you hit the 'Enter' or 'Return' keys in your comment it should break to a new line. The text should wrap cleanly. Please let me know if it doesn't. No HTML tags will pass through - entering links seems to be the main cause of comment SPAM. Also, please be sure that Javascript is enabled in your browser before attempting to post a writeback. Sorry for any inconvenience, but this really helps cut down on the amount of comment SPAM I have to deal with.
Name:
URL:	(optional)
Title:	(optional)
Comments:
Save my Name and URL/Email for next time