02-03-2002, 11:38 PM
Phil21
Confirmed User
 
Join Date: May 2001
Location: ICQ: 25285313
Posts: 993
Naw, we have our own software we made in-house that automagically kills shared accounts, that's not an issue.

I just never saw a bigass attempt like this at brute-forcing usernames/passwords before. Pennywize or anything wouldn't have helped out, since the bandwidth usage was insane just from the error codes. Yeah, false positives would probably piss the guys off when they get back from their movie after letting the thing run, but my bandwidth is still spiked to hell during the meantime.

Going to write some stuff that will watch log files intermittently and detect this stuff in the future, and automagically have it firewalled off.

Keep in mind we're a host. We need stuff that performs quickly on loaded servers. Having something piping logfiles places is not going to work; even locally examining each and every hit would be more CPU work than I want to put on our machines. We already have intelligent solutions for the password trading stuff, I just need to spend some time to integrate the anti-brute-force attack code into our insane billing/stats system.

Our anti password trading stuff works a lot differently than most. We don't examine every logfile we generate. We essentially have a daemon that sits on each server which looks at log file growth every 5 minutes or whatnot; if it's so many percent out of a median value from the last 48 hours (or whatever) it then invokes the parser, which looks for a traded account. If it finds it, it kills the account and e-mails the site owner what it did. We then credit the amount of bandwidth usage used to the site owner (which is usually negligible, since we nail it so fast, usually under 50MB), as we guarantee no extra bandwidth charges on traded accounts. This way it takes very, very little CPU compared to anything else, and protects just as well. Perhaps later we'll add code to re-direct traded accounts elsewhere, etc. But for now it works very well for our needs.

Being able to write stuff in-house is good. ;)

Also, the above list does not appear to be open proxies. Probably just a bunch of machines some kiddie got a backdoor/trojan in. In any case I found it interesting, since I've never experienced a brute force attack like that before, and figured I'd share. In a couple days the system that kills that type of attack will be automated. ;)

-Phil
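The growth-triggered approach described in the post above, as an added example that is not Phil21's code and not the in-house system he describes: a cheap check compares the bytes a log grew in the latest interval against the median of past intervals, and only when growth is far outside that baseline is the expensive per-line parser run. The parser then flags two things at once, since both produce the same symptom (a sudden log spike): usernames seen from many distinct client addresses (a traded account), and client addresses generating many 401 responses (a brute-force run). The log lines, the Apache combined-log layout, the thresholds (200% over median, 5 addresses per user, 20 failures per address) and the interval history are all constructed here for illustration.

```python
"""
Growth-triggered log analysis (illustrative, constructed data).

1. growth_is_anomalous(): cheap check run every interval on the log size delta.
2. parse_logs(): run only when step 1 fires; scans the recent lines for
   traded accounts (one username, many client IPs) and brute force
   (one client IP, many 401s).
"""
import re
import statistics
from collections import defaultdict

# Apache "combined" format: ip ident user [time] "request" status bytes ...
# %u holds the username supplied for the request even when it was rejected
# with 401, which is what lets us count attempted logins per IP.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "[^"]*" (?P<status>\d{3}) '
)


def growth_is_anomalous(history, current, pct=200.0):
    """history: bytes the log grew in each past interval (e.g. 48h of 5-min
    samples); current: bytes grown in the latest interval.  True when the
    latest growth exceeds the median of history by more than pct percent."""
    if len(history) < 3:
        return False            # no usable baseline yet
    median = statistics.median(history)
    if median <= 0:
        return current > 0      # a normally idle log suddenly growing at all
    return (current - median) / median * 100.0 > pct


def parse_logs(lines, max_ips_per_user=5, max_failures_per_ip=20):
    """Return (traded_users, brute_force_ips) found in the given log lines."""
    ips_per_user = defaultdict(set)
    failures_per_ip = defaultdict(int)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # unparseable line; skip rather than crash
        ip, user, status = m.group('ip'), m.group('user'), m.group('status')
        if status == '401':
            failures_per_ip[ip] += 1
        elif user != '-':
            ips_per_user[user].add(ip)
    traded = sorted(u for u, ips in ips_per_user.items()
                    if len(ips) >= max_ips_per_user)
    brute = sorted(ip for ip, n in failures_per_ip.items()
                   if n >= max_failures_per_ip)
    return traded, brute


def analyze_interval(history, current, recent_lines):
    """One daemon tick: returns None when growth is normal (parser not run),
    otherwise a dict of accounts to kill and IPs to firewall off."""
    if not growth_is_anomalous(history, current):
        return None
    traded, brute = parse_logs(recent_lines)
    return {"kill_accounts": traded, "block_ips": brute}


def make_sample_log():
    """Constructed sample log (not real traffic): one brute-forcing IP that
    tries 30 usernames, one account shared across 6 addresses, one normal user."""
    lines = []
    for i in range(30):
        lines.append(f'10.0.0.5 - user{i} [03/Feb/2002:23:00:{i:02d} -0600] '
                     f'"GET /members/ HTTP/1.0" 401 401')
    for i in range(6):
        lines.append(f'192.168.{i}.10 - bob [03/Feb/2002:23:05:00 -0600] '
                     f'"GET /members/index.html HTTP/1.0" 200 5120')
    lines.append('172.16.4.2 - alice [03/Feb/2002:23:06:00 -0600] '
                 '"GET /members/index.html HTTP/1.0" 200 5120')
    lines.append('172.16.4.2 - alice [03/Feb/2002:23:06:01 -0600] '
                 '"GET /members/pic1.jpg HTTP/1.0" 200 40960')
    return lines


def make_sample_history():
    """Constructed 48h of 5-minute growth samples (576 values, ~9-11 KB each)."""
    return [9000 + (i * 37) % 2000 for i in range(576)]


if __name__ == "__main__":
    history = make_sample_history()
    # Quiet interval: parser is never invoked.
    print(analyze_interval(history, 11000, make_sample_log()))
    # Spike: parser runs and names the account and the attacking IP.
    print(analyze_interval(history, 65000, make_sample_log()))
```

The per-interval cost is one stat() of the log file and a median over a few hundred integers; the O(lines) parser only runs on the spike, which is the point of the design. Acting on the result (killing the account, adding a firewall rule, mailing the site owner) is left to the caller, since that is where the billing and hosting integration would sit.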