Recent Russian Botnet attacks

[forrie]

My server is currently undergoing a slam of connections that, I believe, are connected to Russian botnets. Since last night, I'm logging well over 4,000 attempts to submit to what appear to be random usernames.

What I've observed is there are several IPs that connect to port 25, but seem to do nothing - it's as if they are putting out feelers to see if your system is connectible. Then, the drone/zombie bots connect and try dictionary-style attacks.

I noticed if I spend enough time filtering out the "feeler" connections, the botnet traffic slows down.

In any case, that's just my estimation of what's going on. I wonder if anyone else is seeing this and what measures you're taking to handle it other than packet filters (which is a very tedious effort).

Most of the IPs I end up blocking, which I classify as "feelers", are in or around Russian IP space (or that general region), but does appear there are several compromised hosts.

A random sampling of these bots appears to show the common ports 3389, 1025, 5000 open. 3389 seems to be a different bot.

I just find it strange that they would be targeting my puny system, which really only serves personal email. In some ways, it's hilarious. But since my system is on a larger *.edu network, they probably think it's significant (ha).

Currently, I'm using packet filters to block /24's - since I don't really care, and I know where I get email from that matters. That isn't something you'd want to do necessarily on a commercial system. Right now, I'm relying on trafshow and quick fingers to target out and block the IPs I need to. It's akin to playing a video game.

I'd appreciate some feedback and perhaps some tips about how to handle this elegantly.

Thanks!

[GraemeL]

I'd appreciate some feedback and perhaps some tips about how to handle this elegantly.

I would probably just turn down the volume on the firewall logging to a more useful level and ignore them. If you're not running services on ports, then receiving a log entry when something tries to send a SYN is just noise that you don't need. If you're using iptables, you can get a summary showing you hits on individual rules without having each hit clog up the log file. Then you scan the individual logs for services that you are running and only add firewall rules to block IPs trying things that might actually result in a compromise.

I pretty much only log two things for iptables; Cyveillance IPs, because I get a warm and fuzzy feeling when they bounce off the firewall, and SSH connections. My SSH port is protected by a port knocking setup to prevent brute forcing access, but as an extra precaution, anything that attempts to hit the blocked port three or more times in a 24 hour period gets all traffic blocked for seven days. Of course, this relies on my not being stupid enough to realize that I forgot to give the secret knock and lock myself out when I'm trying to get remote access.

Summary: Turn down the noise and focus on attacks against services that you are running.

[forrie]

I forgot to add that the attacks are coming to port 25, a service I am running on that machine.

The "damage" is minimal, really, just huge logfiles of bots trying to submit mail to unknown addresses. So I really don't need to do anything about it - though I enjoy blocking them and watching the connections fail.

[GraemeL]

I forgot to add that the attacks are coming to port 25, a service I am running on that machine.

The "damage" is minimal, really, just huge logfiles of bots trying to submit mail to unknown addresses. So I really don't need to do anything about it - though I enjoy blocking them and watching the connections fail.

Oh, in that case, it's probably Yambo Financials. They've been hitting me too. Around 99.5% of their attempts are being rejected with 5xx responses. So far, all that have gotten through have been to a single spam trap and get automagically quick reported.

[seafire]

See: http://countries.nerd.dk

Seafire