Re: Preventing distributed password cracking attack

From: Bill Unruh (unruh@string.physics.ubc.ca)
Date: 04/10/03

    From: unruh@string.physics.ubc.ca (Bill Unruh)
    Date: 10 Apr 2003 01:34:01 GMT
    
    

    ga972@yahoo.com (Brennan Cheung) writes:

    ]Hello,

    ]I am running a web server that is frequently under attack by password
    ]crackers. I am trying to gain a better understanding of how they are
    ]attacking my site as well as how to prevent them from doing so.

    ]I am running Apache on a Linux box and am using the normal .htpasswd
    ]authorization to validate users.

    ]Every now and then (usually 2-3 times a week from what I can tell) I
    ]am hit by a massive password hacking attempt where they attempt at
    ]least 30 logins per second.

    ]I can understand using a password cracking program that can attempt
    ]multiple logins and I have countermeasures that block an IP after a
    ]certain number of bad attempts within a certain time period. The
    ]problem is that, just recently, I had an attack come from 605 (yes,
    ]six hundred five) different IP addresses in a 1 minute window.

    ]Are these machines actually hijacked machines or are they proxy

    Yes, probably, although since you have given no info we do not know for
    sure.

    ]servers? Is there any way of finding out who is responsible for these

    Probably not, since that attacker has taken over a bunch of machines,
    and he probably did that from other cracked systems. In theory it would
    be possible to track him down. In practice, no.

    ]attacks? What are they using to carry out such an attack and is there
    ]a way to secure my site against it?

    Grin and bear it? Find out why it is you they are targeting (do you have
    enemies?)

    ]Any help would be greatly appreciated. These attacks are slowing down
    ]my site quite significantly.
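
The thread describes a per-IP block that a 605-source attack slips past. The following is an added example, not code from either poster: a detector that aggregates Apache 401 responses per minute across all sources and flags minutes where the total is high while individual sources stay under the per-IP limit. The thresholds, the `/members/` path, the usernames and all log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache common log format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) \S+')

def failed_auth_windows(lines):
    """Group 401 responses into one-minute buckets: {minute: {ip: count}}."""
    windows = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group(3) != "401":
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        windows[ts.replace(second=0)][m.group(1)] += 1
    return windows

def find_distributed(lines, per_ip_limit=5, min_sources=20, min_failures=50):
    """Return minutes where aggregate failures are high but many sources
    each stay below the per-IP blocking limit (assumed thresholds)."""
    alerts = []
    for minute, per_ip in sorted(failed_auth_windows(lines).items()):
        total = sum(per_ip.values())
        below = [ip for ip, n in per_ip.items() if n < per_ip_limit]
        if total >= min_failures and len(below) >= min_sources:
            alerts.append({"minute": minute.strftime("%Y-%m-%d %H:%M"), "failures": total,
                           "sources": len(per_ip), "unblocked_sources": len(below)})
    return alerts

def constructed_sample():
    """Constructed log: 605 sources x 3 failures in one minute, plus one noisy single IP."""
    nets = ["192.0.2", "198.51.100", "203.0.113"]  # documentation address ranges
    fmt = ('{ip} - {user} [10/Apr/2003:{hm}:{s:02d} +0000] '
           '"GET /members/ HTTP/1.0" {st} 512')
    lines = []
    for i in range(605):
        ip = f"{nets[i // 202]}.{i % 202 + 1}"
        lines += [fmt.format(ip=ip, user="admin", hm="01:10", s=(i + k) % 60, st=401) for k in range(3)]
    lines += [fmt.format(ip="192.0.2.250", user="bob", hm="01:20", s=k, st=401) for k in range(40)]
    lines.append(fmt.format(ip="192.0.2.251", user="alice", hm="01:10", s=5, st=200))
    return lines

if __name__ == "__main__":
    print(find_distributed(constructed_sample()))
```

The single address that fails 40 times at 01:20 is not reported here because a per-IP block already handles it; only the minute with many low-rate sources is flagged.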

