forrie Posted October 23, 2007

My server is currently undergoing a slam of connections that, I believe, are connected to Russian botnets. Since last night, I'm logging well over 4,000 attempts to submit to what appear to be random usernames.

What I've observed is that there are several IPs that connect to port 25 but seem to do nothing; it's as if they are putting out feelers to see if your system is connectible. Then the drone/zombie bots connect and try dictionary-style attacks. I noticed that if I spend enough time filtering out the "feeler" connections, the botnet traffic slows down. In any case, that's just my estimation of what's going on.

I wonder if anyone else is seeing this and what measures you're taking to handle it other than packet filters (which is a very tedious effort).

Most of the IPs I end up blocking, which I classify as "feelers", are in or around Russian IP space (or that general region), but it does appear there are several compromised hosts. A random sampling of these bots appears to show the common ports 3389, 1025, 5000 open. 3389 seems to be a different bot.

I just find it strange that they would be targeting my puny system, which really only serves personal email. In some ways, it's hilarious. But since my system is on a larger *.edu network, they probably think it's significant (ha).

Currently, I'm using packet filters to block /24s, since I don't really care, and I know where I get email from that matters. That isn't something you'd want to do necessarily on a commercial system.

Right now, I'm relying on trafshow and quick fingers to target out and block the IPs I need to. It's akin to playing a video game.

I'd appreciate some feedback and perhaps some tips about how to handle this elegantly.

Thanks!
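The post describes two patterns in the mail log: "feeler" hosts that connect to port 25 and disconnect without doing anything, and hosts that then hammer SMTP AUTH with a dictionary of usernames, all currently blocked by hand with trafshow and per-/24 packet filters. The following is an added example, not code from the original post or the poster's setup, showing how the same triage can be done from the MTA log instead of by watching traffic. It assumes Postfix-style smtpd log lines (the "connect from", "SASL ... authentication failed" and "client=" messages); the log excerpt, the IP addresses, the thresholds and the table name `smtp_abusers` are all constructed for the example. It emits pf and iptables commands as strings rather than running them, and it lets you keep an allowlist of networks you know good mail comes from, which is the check that makes the /24 blocking less dangerous on a server that cannot afford to lose legitimate senders.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed Postfix-style smtpd log excerpt, made up for this example (not
# taken from the poster's server). Addresses come from the RFC 5737 test ranges.
SAMPLE_LOG = """\
Oct 23 03:14:01 mail postfix/smtpd[4101]: connect from unknown[192.0.2.10]
Oct 23 03:14:03 mail postfix/smtpd[4101]: disconnect from unknown[192.0.2.10]
Oct 23 03:14:20 mail postfix/smtpd[4102]: connect from unknown[192.0.2.10]
Oct 23 03:14:21 mail postfix/smtpd[4102]: disconnect from unknown[192.0.2.10]
Oct 23 03:15:00 mail postfix/smtpd[4103]: connect from unknown[198.51.100.7]
Oct 23 03:15:01 mail postfix/smtpd[4103]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Oct 23 03:15:02 mail postfix/smtpd[4103]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Oct 23 03:15:03 mail postfix/smtpd[4103]: warning: unknown[198.51.100.7]: SASL LOGIN authentication failed: authentication failure
Oct 23 03:15:04 mail postfix/smtpd[4103]: disconnect from unknown[198.51.100.7]
Oct 23 03:15:30 mail postfix/smtpd[4105]: connect from unknown[198.51.100.9]
Oct 23 03:15:31 mail postfix/smtpd[4105]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Oct 23 03:15:32 mail postfix/smtpd[4105]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Oct 23 03:15:33 mail postfix/smtpd[4105]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Oct 23 03:15:34 mail postfix/smtpd[4105]: warning: unknown[198.51.100.9]: SASL PLAIN authentication failed: authentication failure
Oct 23 03:15:35 mail postfix/smtpd[4105]: disconnect from unknown[198.51.100.9]
Oct 23 03:16:00 mail postfix/smtpd[4106]: connect from mx.example.org[203.0.113.5]
Oct 23 03:16:01 mail postfix/smtpd[4106]: 7F3A1C2B9D: client=mx.example.org[203.0.113.5]
Oct 23 03:16:02 mail postfix/smtpd[4106]: disconnect from mx.example.org[203.0.113.5]
"""

# Matches the bracketed client address; the smtpd[pid] bracket has no dots, so it is skipped.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(log_text):
    """Count per-IP connections, SASL auth failures and accepted mail sessions."""
    stats = defaultdict(lambda: {"connects": 0, "auth_fail": 0, "mail": 0})
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if not m:
            continue
        ip = m.group(1)
        if "SASL" in line and "authentication failed" in line:
            stats[ip]["auth_fail"] += 1
        elif "disconnect from" in line:
            continue  # ordered before "connect from", which is a substring of it
        elif "connect from" in line:
            stats[ip]["connects"] += 1
        elif "client=" in line:
            stats[ip]["mail"] += 1  # a queue ID was assigned: real mail traffic
    return stats


def classify(stats, fail_threshold=3, feeler_threshold=2):
    """Split IPs into dictionary attackers and 'feelers' (connect, do nothing, leave).

    Thresholds are arbitrary example values; tune them to your own log volume.
    """
    attackers, feelers = set(), set()
    for ip, s in stats.items():
        if s["auth_fail"] >= fail_threshold:
            attackers.add(ip)
        elif s["connects"] >= feeler_threshold and s["auth_fail"] == 0 and s["mail"] == 0:
            feelers.add(ip)
    return attackers, feelers


def block_networks(ips, prefix=24, allow=()):
    """Collapse offending IPs into /prefix networks, skipping any that overlap the allowlist."""
    allowed = [ip_network(a) for a in allow]
    nets = set()
    for ip in ips:
        net = ip_network(f"{ip}/{prefix}", strict=False)
        if any(net.overlaps(a) for a in allowed):
            continue  # never block a range you know good mail comes from
        nets.add(net)
    return [str(n) for n in sorted(nets)]


def firewall_commands(nets, table="smtp_abusers"):
    """Render pf and iptables commands for review; nothing here executes them."""
    pf = [f"pfctl -t {table} -T add {n}" for n in nets]
    ipt = [f"iptables -I INPUT -s {n} -p tcp --dport 25 -j DROP" for n in nets]
    return pf, ipt


if __name__ == "__main__":
    attackers, feelers = classify(parse(SAMPLE_LOG))
    nets = block_networks(attackers | feelers, allow=["203.0.113.0/24"])
    for cmd in firewall_commands(nets)[0]:
        print(cmd)
```

Run it against a live log with `tail -F /var/log/maillog` piped into `parse` in a loop, or simply on a cron schedule, and feed the rendered commands to the firewall once you have eyeballed them. Feelers are tracked separately from attackers on purpose: the post observes that filtering them slows the follow-up traffic, but a host that merely connects and leaves may also be a legitimate MTA probing reachability, so give them a higher threshold or a shorter block lifetime than the hosts that actually failed authentication.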