Sunday, December 7, 2008

A new type of brute force attack

Until now, brute force attacks have been easy to spot. In a brute force attack (in practice usually a dictionary attack) the attacker works through a long list of candidate usernames and passwords, trying each combination against the login service until one succeeds.

Because those dictionaries are really long, the attacker wanted to get through them quickly, so he fired off many attempts per second from the one machine he had. That flood of failed logins from a single IP address was easy to spot, and most firewalls and intrusion detection tools flag or block it automatically.

But since the technology to herd large farms of zombie computers was developed, this has been changing in a subtle way. A zombie computer is an ordinary machine that carries a virus, worm, rootkit or back door which lets the attacker get in and run commands on it as if it were his own, while the machine otherwise sits dormant and its owner notices nothing.

A zombie computer farm (a botnet) is a group of such machines controlled by the same person. He can have the group send massive quantities of spam, a little from each one; he can use them to host web pages with illegal content without risking being traced; and, the classic use, he can point them all at one server, producing a denial of service through the sheer number of virtual attackers.


However, once more these evil-minded people have shown they have brains up there and know how to use them. Rather than using zombie farms for mindless flood attacks, they are now using them for a step-by-step kind of attack: the dictionary is split into many small parts, each zombie gets one part, and each works through its share with long pauses between attempts.

So, instead of a lot of quick attempts from a single IP, we now see tens, hundreds or thousands of computers, each one slowly and patiently testing a combination of username and password. No single source ever crosses the per-IP threshold that the firewall is watching for.


This is almost impossible to detect with the usual automatic means, because they count failed attempts per source IP and every zombie stays comfortably below the limit. To catch it you need to look at the pattern over a long time: either by manually reviewing the firewall logs, or by aggregating differently, counting the distinct source addresses that fail against the same username or the same service over hours or days rather than minutes. Luckily, there is also some hope on the blocking side. Most zombies seem to come from a fairly limited set of network ranges, so the people over at Begin Linux posted a method to block most zombie machines with iptables, using a list of offending ranges gathered by Spamhaus. Keep in mind that a blocklist only covers ranges that are already known to be bad, so it cuts down the noise rather than replacing detection.
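To make the difference between the two detection approaches concrete, here is an added example (not code from the original post or from Begin Linux) that runs both over constructed sshd-style auth log lines. The hostname `bastion`, the PID, the thresholds and the RFC 5737 documentation addresses are all assumptions made for the sample. The classic per-source check catches one host hammering the `admin` account, but misses twelve hosts that each try `root` once, half an hour apart; aggregating by target account across sources catches the slow campaign.

```python
"""Detect a distributed, low-and-slow password-guessing campaign in auth logs.

Added example for this post, not code from the original page. The log lines
are constructed (sshd-style syslog) and use RFC 5737 documentation addresses.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." as sshd writes them.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
YEAR = 2008  # syslog lines carry no year; assumed for the constructed sample


def parse_line(line):
    """Return (timestamp, username, source_ip) for a failed-login line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return ts.replace(year=YEAR), m["user"], m["ip"]


def noisy_sources(events, threshold=10, window=timedelta(minutes=5)):
    """Classic per-source rule: IPs with >= threshold failures inside any window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:   # slide the window forward
                lo += 1
            if hi - lo + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def distributed_targets(events, min_sources=8, window=timedelta(hours=24)):
    """Aggregate by *target account*: usernames hit from >= min_sources distinct
    IPs inside any window, no matter how slowly each individual source goes.
    Returns {username: max distinct sources seen in one window}."""
    by_user = defaultdict(list)
    for ts, user, ip in events:
        by_user[user].append((ts, ip))
    flagged = {}
    for user, hits in by_user.items():
        hits.sort()
        in_window = Counter()      # source IP -> attempts currently inside the window
        lo = best = 0
        for ts, ip in hits:
            in_window[ip] += 1
            while ts - hits[lo][0] > window:
                old_ip = hits[lo][1]
                in_window[old_ip] -= 1
                if not in_window[old_ip]:
                    del in_window[old_ip]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_sources:
            flagged[user] = best
    return flagged


def _line(ts, user, ip):
    """Build one constructed sshd log line in syslog format (day is space-padded)."""
    who = f"{user}" if user == "root" else f"invalid user {user}"
    return (f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} bastion sshd[4242]: "
            f"Failed password for {who} from {ip} port 51000 ssh2")


_base = datetime(YEAR, 12, 7, 3, 0, 0)
# Scenario A (constructed): one host hammering 'admin', 20 attempts in 2 minutes.
_loud = [_line(_base + timedelta(seconds=6 * i), "admin", "203.0.113.5") for i in range(20)]
# Scenario B (constructed): 12 zombies each trying 'root' once, 30 minutes apart.
_slow = [_line(_base + timedelta(minutes=30 * i), "root", f"198.51.100.{10 + i}") for i in range(12)]
# Background noise (constructed): a legitimate user mistyping twice.
_noise = [_line(_base + timedelta(hours=1), "alice", "192.0.2.77"),
          _line(_base + timedelta(hours=1, seconds=20), "alice", "192.0.2.77")]
SAMPLE_LOG = _loud + _slow + _noise


def analyse(lines):
    """Run both detectors over raw log lines; returns (noisy IPs, targeted users)."""
    events = [e for e in map(parse_line, lines) if e]
    return noisy_sources(events), distributed_targets(events)


if __name__ == "__main__":
    noisy, targeted = analyse(SAMPLE_LOG)
    print("per-source rule flagged:", sorted(noisy))          # only 203.0.113.5
    print("per-account rule flagged:", targeted)              # root hit from 12 sources
```

The per-source rule never sees the twelve zombies, since each one fails exactly once. The per-account rule does not care how fast any source goes; it only asks how many different sources are failing against the same name over a day, which is exactly the signal the slow campaign cannot hide. In practice you would also aggregate per service (all failures against port 22, any username) and alert on an unusual number of distinct sources, since a real campaign rotates usernames as well.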
