Brute force attack

Collapse
X
 
  • Time
  • Show
Clear All
new posts
  • cgiGeek
    Confirmed User
    • Jan 2002
    • 203

    #1

    Brute force attack

    some one is brute forcing my member area with multipe country ips and very fast, cannot block it on account of the amount of ips he is using, about 10 diferent ones per second,
    cant script anything either on account of ip quantity

    any ideas would be appreciate it

    Thanks
    Need help dealing with a hacked website? Contact me via icq 163583431 :D
    Premium Bandwidth Managed Servers, 12 Years in business xxxHOSTit.com
    I work for xxxhostit.com
  • pr0
    rockin tha trailerpark
    • May 2001
    • 23088

    #2
    Get used to it...take all known precautions & just ride out the storm.

    People will tell you pennywise this...proxy gaurd that...but nothing works if someone knows what they are doing.
    __________
    Loadedca$h - get sum! - Revengebucks - mmm rebills! - webair (gotz sErVrz)

    Comment

    • Backov
      Confirmed User
      • Mar 2001
      • 1600

      #3
      Originally posted by pr0
      Get used to it...take all known precautions & just ride out the storm.

      People will tell you pennywise this...proxy gaurd that...but nothing works if someone knows what they are doing.
      Sorry mate, you're just plain wrong.

      To the poster - go get proxypass http://www.proxypass.com/ - it will fix your problem, like it did ours.

      When the script denies any attempts to brute force from an open proxy, then they've got no tools. The others like Pennywise and IProtect and such are useless against an open proxy based brute force attack.

      Cheers,
      Backov
      <embed src="http://banners.spotbrokers.com/button.swf" FlashVars="clickURL=http://banners.spotbrokers.com" quality=high pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash" width="120" height="60"></embed>

      Comment

      • notjoe
        Confirmed User
        • May 2002
        • 5599

        #4
        Originally posted by cgiGeek
        some one is brute forcing my member area with multipe country ips and very fast, cannot block it on account of the amount of ips he is using, about 10 diferent ones per second,
        cant script anything either on account of ip quantity

        any ideas would be appreciate it

        Thanks

        Write a script to deactivate the username/password trying to be cracked and have it re-enabled once the attack is done... shouldnt be too hard to implement.

        Joe

        Comment

        • pr0
          rockin tha trailerpark
          • May 2001
          • 23088

          #5
          Yea im just plain wrong

          We got kevin mitnick from BikiniVoyeur over here.....

          I clearly stated "nothing works if someone knows what they are doing". I.E. using non standard port proxies etc. much like the new 3rd generation hitbots.

          What does your script scan 3128, 80, 8080, 8000, 8001, 1080, 21, 22, 25 etc.

          Any surfers firewall would be lighting up like an x-mas tree.

          But its cool, if what you got is working for you then great, just don't tell me im plain wrong.
          Last edited by pr0; 09-22-2002, 05:30 PM.
          __________
          Loadedca$h - get sum! - Revengebucks - mmm rebills! - webair (gotz sErVrz)

          Comment

          • Jamie
            Confirmed User
            • Apr 2001
            • 2517

            #6
            Pennywise ?
            CelebPay: Promote Celebrity Reviews
            i/c/q - :1851935

            Comment

            • WiredGuy
              Pounding Googlebot
              • Aug 2002
              • 34512

              #7
              Well, your users are real people that probably click on the members link to enter your site right? And this script is stupid and will keep hitting the same login page over and over? So why not just do a simple renaming of the login section?

              So if your members site is http://www.site.com/members/, just rename your directory something like /member/ and the old directory deleted. This won't prevent the brute force aspect but it won't bog down your server as much from failed login attempts, it will just 401 error the script.

              Not a great solution I admit but its a quick solution until you can reduce brute force attacks.

              WG
              I play with Google.

              Comment

              • SleazyDream
                I'm here for SPORT
                • Jul 2001
                • 41470

                #8
                Originally posted by cgiGeek
                some one is brute forcing my member area with multipe country ips and very fast, cannot block it on account of the amount of ips he is using, about 10 diferent ones per second,
                cant script anything either on account of ip quantity

                any ideas would be appreciate it

                Thanks
                send him the password to get in. Obviously he wants to see the members area. don't be soo cheap - show him the good porn.
                This dog, is dog, a dog, good dog, way dog, to dog, keep dog, an dog, idiot dog, busy dog, for dog, 20 dog, seconds dog!

                Now read without the word dog.

                Comment

                • Backov
                  Confirmed User
                  • Mar 2001
                  • 1600

                  #9
                  Originally posted by pr0
                  Yea im just plain wrong

                  We got kevin mitnick from BikiniVoyeur over here.....

                  I clearly stated "nothing works if someone knows what they are doing". I.E. using non standard port proxies etc. much like the new 3rd generation hitbots.

                  What does your script scan 3128, 80, 8080, 8000, 8001, 1080, 21, 22, 25 etc.

                  Any surfers firewall would be lighting up like an x-mas tree.

                  But its cool, if what you got is working for you then great, just don't tell me im plain wrong.
                  You're just plain wrong bud. There it is. Again. I've been a programmer for about 16 years - have you been alive that long?

                  Anyway, it's not my script. We just use it. It not only scans for tags that the attacker is using an open proxy, there's a HUGE centralized db of open proxies that's constantly updated. It's about as serious as you can get.


                  Cheers,
                  Backov
                  Last edited by Backov; 09-22-2002, 09:28 PM.
                  <embed src="http://banners.spotbrokers.com/button.swf" FlashVars="clickURL=http://banners.spotbrokers.com" quality=high pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash" type="application/x-shockwave-flash" width="120" height="60"></embed>

                  Comment

                  • PxG
                    Confirmed User
                    • Feb 2002
                    • 105

                    #10
                    Dear CGI Geek,
                    If you got Qs, please hit me up on ICQ and we can chat!
                    #153529369

                    BTW. Backov is not the owner of the pxp , but he is a client
                    of ours, here's another testimonial from another one of our clients
                    "The load times where averaging 5.0 and got as high as 16.0 the same day you installed this I stopped our daily backups as well so I think between the two this server should be smooth. It's doing .3 - .5 all day wow I'm happy this server was crashing daily. On top of the servers already high loads customers where yakking about pennywize which causes even higher loads. So your solution is a miracle in the working. I think everything is fine, I probably going to roll this out on two more boxes next week.

                    Thank you,

                    Charles Yarbrough
                    www.dwhs.net
                    www.adult-website-hosting.com
                    1-866-660-HOST"

                    Also check out TopCash's testimonial at http://www.proxypass.com/modules.php...rder=0&thold=0

                    Sorry not trying to spam, but people should be aware that there's an alternative to Pennywize and Iprotect.


                    Best regards,



                    PxG
                    Kill Password Hackers Now!
                    Kill Hit-Botters Now!
                    _____________________________

                    Comment

                    • exitmoney
                      Confirmed User
                      • Apr 2002
                      • 143

                      #11
                      change your member area files or something like that so the robot hammers a file that does not exist

                      Comment

                      • mike503
                        Confirmed User
                        • May 2002
                        • 2243

                        #12
                        if you're a true CGI geek, you should be able to figure something out on your own. ya know.
                        php/mysql guru. hosting, coding, all that jazz.

                        Comment

                        • salsbury
                          Confirmed User
                          • Feb 2002
                          • 1070

                          #13
                          tips from a guy who knows how to do this:

                          1) avoid any programs/scripts that attempt to "throttle" the crackers in real time. that is a sure path to doom. your server's connections will be so tied up with this throttling that nobody else will be able to get in.

                          2) don't use ipf - your CPU will be so busy checking each and every incoming packet that it will slow down the site for everyone else.

                          3) if you don't know how to do it, don't worry about it. just catch the guys who make it in. or assign good passwords.

                          Comment

                          • Rory
                            Confirmed User
                            • Jul 2002
                            • 616

                            #14
                            Just wanted to mention that I just talked to a guy from proxypass.com cause I had a few questions and he got right back to me and answered all the questions I had quickly and he seemed to know what he was talking about. He seemed very proffessional and knowledgeable, I will be using proxypass when I get launched, if it does what it says should be nice addition.

                            Rory

                            Promote a site that actually retains members!

                            Comment

                            • PxG
                              Confirmed User
                              • Feb 2002
                              • 105

                              #15
                              Originally posted by salsbury
                              tips from a guy who knows how to do this:

                              1) avoid any programs/scripts that attempt to "throttle" the crackers in real time. that is a sure path to doom. your server's connections will be so tied up with this throttling that nobody else will be able to get in.

                              2) don't use ipf - your CPU will be so busy checking each and every incoming packet that it will slow down the site for everyone else.

                              3) if you don't know how to do it, don't worry about it. just catch the guys who make it in. or assign good passwords.
                              I just wanted to respond to both Salsbury and pr0. Both have interesting points that I'd like to address.

                              Salsbury: your point about network connections is valid. However, we use UDP protocol which extremely low level and doesn't rely on a three-part handshake. Basically, we average response times of 0.01 - 0.05 seconds to our clients. And, since its UDP there is never any network backup or bottleneck. Also, we do deposit a local db of proxies we've caught on the client system, for fast reference.

                              pr0: your concern about non-standard port proxies has one problem with it: there are very few non-standard port proxies around. I found a list of proxies on your web site, it was a list of 2065. Our DB currently has between 50,000 - 100,000 open, abusable proxies that we refresh and remove old ones from on a daily basis. Now, I am not sure if all of your proxies are non-standard port or not, but let's assume they are.

                              You have a list of 2000, more or less. Let's do some math:

                              1) Our software will also block attempts from the same IP after X attempts (usually 5 or so). As a result, even if we don't detect your 2000 proxies then you will get about 10,000 attempts to crack a password. In the cracking world, this is not a lot.

                              2) Let's say you optimize your cracking effort and therefore use only 1 username (you've lowered the number of variables you need to guess at to 1 now). Our software also does username blocks after X attempts on a particular username (regardless of IP). So this optimization is now null.

                              So the bottom line is that since there are very few non-standard port proxies available to a cracker, attempting to crack a site protected with ProxyPass has very little chance for success. 10,000 attempts is VERY LOW, as most cracking requires 100,000s or millions of attempts before a username/pass is obtained. And that's if you concentrate on a single username!
                              And the most important thing is that your server doesn't handle and return a ton of authentication attempts, lowering the user load average greatly.

                              The cracker would be much better off to assemble a list of say, 10,000 proxies and attack another site that is not protected with proxypass.

                              I hope this helps,
                              Kill Password Hackers Now!
                              Kill Hit-Botters Now!
                              _____________________________

                              Comment

                              • cgiGeek
                                Confirmed User
                                • Jan 2002
                                • 203

                                #16
                                attack does not repeat ip per user,
                                so no conventional method will work,
                                I have stop proactivly 100 IPs attacks before,
                                this is very diferent.
                                Now proxi based software is based on 2 assumtions:
                                1. Attack signature
                                Does not have one
                                2. It knows all open proxies
                                Numeric imposibility
                                Also it has to authenticarte ip on query, but next query to log it
                                would be a killer counting on God giving you a way to tell which IP is bad and which one is not.

                                I think is more on replacing apache authentication
                                with something booby trapped with timeouts,
                                and non standard http headers so damn bot goes crazy,
                                of course at a great resources cost.
                                Need help dealing with a hacked website? Contact me via icq 163583431 :D
                                Premium Bandwidth Managed Servers, 12 Years in business xxxHOSTit.com
                                I work for xxxhostit.com

                                Comment

                                • PxG
                                  Confirmed User
                                  • Feb 2002
                                  • 105

                                  #17
                                  Originally posted by cgiGeek
                                  attack does not repeat ip per user,
                                  so no conventional method will work,
                                  I have stop proactivly 100 IPs attacks before,
                                  this is very diferent.
                                  Now proxi based software is based on 2 assumtions:
                                  1. Attack signature
                                  Does not have one
                                  2. It knows all open proxies
                                  Numeric imposibility
                                  Also it has to authenticarte ip on query, but next query to log it
                                  would be a killer counting on God giving you a way to tell which IP is bad and which one is not.

                                  I think is more on replacing apache authentication
                                  with something booby trapped with timeouts,
                                  and non standard http headers so damn bot goes crazy,
                                  of course at a great resources cost.
                                  cgiGeek,

                                  We do not simply rely on our DB of open proxies. We actively search for open proxies during an attack, so that you receive denial of proxies in REAL-TIME, even though they are not in our DB yet. Of course, we analyze millions of hits per day between the proxypass and proxyguard products, so we have a very sizable database of open proxies.

                                  We built this program because there is no commercial program out there right now to stop brute force attacks through proxies and because we felt there is room in the market for something that does. Our clients have all seen dramatically improved results, as you can tell by their testimonials and unprompted comments on this and other boards.

                                  Of course, nothing is perfect and the Apache auth scheme sucks.
                                  That's the core of the problem, you are right. But until Ibill, CCbill, and Epoch change their requirements (right now they require apache auth) there is very little alternative. Our program has built in "booby traps" too. I won't get into specifics, but under "heavy attacks" a mode is triggered in which responses are not given to proxy-ip requests. This frustrates bots and spins them into timeout/wait states... it's a little way of saying BACK OFF. This could potentially crash a botters server, etc.

                                  And even if you used php/mysql, the potential is still there for brute forcing via proxies... it just won't take such a dangerous toll on your server (PHP is faster and has less overhead than apache auth schemes). But the physical attacks will still persist and passwords will be stolen.

                                  Best Regards,
                                  Kill Password Hackers Now!
                                  Kill Hit-Botters Now!
                                  _____________________________

                                  Comment

                                  Working...