How to report a bot-net
Guy B. Purcell
guy at extragalactic.net
Thu Jan 14 15:24:08 PST 2010
Hi All,
Been too long since we had real posts here & this is an interesting problem, so I'm hoping for some good discussion, if not resolution.
I have an SSH portal at home that gets a remarkable amount of traffic--almost all of which is brute-force attacks either from individuals or from bot-net(s). Here's an example individual (I'm showing logged timestamp, source IP address, and username attempted):
Jan 7 12:30:01 89.140.94.122 ke
Jan 7 12:30:03 89.140.94.122 ke
Jan 7 12:30:05 89.140.94.122 ke
Jan 7 12:30:07 89.140.94.122 ke
Jan 7 12:30:10 89.140.94.122 ke
Jan 7 12:30:12 89.140.94.122 ke
Jan 7 12:30:14 89.140.94.122 ke
Jan 7 12:30:16 89.140.94.122 kg
Jan 7 12:30:18 89.140.94.122 kg
Jan 7 12:30:20 89.140.94.122 kg
Jan 7 12:30:23 89.140.94.122 kg
Jan 7 12:30:25 89.140.94.122 kg
Jan 7 12:30:27 89.140.94.122 kg
Jan 7 12:30:29 89.140.94.122 kg
Jan 7 12:30:31 89.140.94.122 kg
Jan 7 12:30:33 89.140.94.122 kg
Jan 7 12:30:36 89.140.94.122 kg
Jan 7 12:30:38 89.140.94.122 kg
Jan 7 12:30:40 89.140.94.122 kg
Jan 7 12:30:42 89.140.94.122 kh
Jan 7 12:30:45 89.140.94.122 kh
Jan 7 12:30:47 89.140.94.122 kh
Jan 7 12:30:50 89.140.94.122 kh
Jan 7 12:30:53 89.140.94.122 kh
Jan 7 12:30:55 89.140.94.122 kh
Here's an example bot-net:
Jan 7 13:43:01 211.115.234.143 petang
Jan 7 13:48:29 84.246.69.21 peter
Jan 7 13:53:33 90.182.211.25 petkuo
Jan 7 13:58:45 211.115.234.143 peyjiumc
Jan 7 14:04:06 217.8.61.146 pgsql
Jan 7 14:09:32 88.49.16.234 phantom
Jan 7 14:14:42 124.31.204.53 phchang
Jan 7 14:19:57 62.219.4.105 phire
Jan 7 14:25:39 84.201.180.130 phoebe
Jan 7 14:30:31 220.162.241.11 photo
Jan 7 14:41:10 121.52.215.180 phws
Jan 7 14:46:26 90.182.211.25 phy
Jan 7 14:51:39 125.5.157.51 phyllis
Jan 7 14:56:55 80.153.59.28 picture
Jan 7 15:02:04 212.243.41.9 pig
Jan 7 15:07:29 148.233.140.193 pigeon
Jan 7 15:12:39 220.162.241.11 pigg
This host is running ipfw, and I could write a script that couples that with the log to block the unwanted attention (easy for the individual attacks, non-trivial for the bot-nets--at least AFAICT), but that just kicks the can down the road to someone else's IP address. I could use the log info to attempt to notify the various ISPs' of the abuse, but they would just see it as a bunch of individual complaints. What I think would be better would be to use blocking & notification tactics (as automated as possible; I believe David kicked off a small discussion thread here about that) for the individual attackers, but to be able to treat the whole bot-net as a single-source attack & have it shut down.
But how to go about that? The Internet is a global confederation with no real central authority over such a broad attack base (I have IP addresses from China, Korea, Australia, Isreal, Brazil, Italy, & the US--to name just the handful I happened to look up). Who would you turn to? If there's no authority with the ability or responsibility to shut bot-nets down, what do you think could be done to improve matters?
-Guy
More information about the Baylisa
mailing list