12

I am running a small (Windows-based) server. When I check the logs, I see a steady flow of (unsuccessful) password-guessing hacking attempts. Should I try to report those attempts to the owners of the source IP addresses, or are these attempts nowadays considered completely normal and nobody would bother doing anything about them, anyway?

Mormegil

6 Answers

15

While the answer can depend greatly on the agency you are attempting to inform, I believe that in general you should. In fact, since monitoring and responding to the abuse mailbox for our organization is one of my primary job duties, I can positively say, 'Yes Please!'. I had this same conversation with members of other security organizations and the answers seemed to largely consist of:

  • If the whois information on the IP shows a business or university, then report
  • If the whois information on the IP shows an ISP, then don't bother

I, of course, won't tell you to follow those rules, but I would recommend erring on the side of reporting. It usually doesn't take much effort, and can really help out the guys on the other end. Their reasoning was that ISPs aren't often in positions to take meaningful actions, so they will file the information away. I can say that we will aggressively pursue the matter. We do not appreciate hacked machines on our network, as they have a tendency to spread.

The real trick is to formalize your response and reporting procedure so that it can be consistent between reports, as well as between staff. We want, at minimum, the following:

  1. IP address of the attacking system
  2. Time stamp (including time zone) of the event
  3. The IP addresses of the systems on your end

If you can also include a sample of the log messages that tipped you off, that can also be useful.

Normally, when we see this kind of behaviour, we also institute firewall blocks of the most appropriate scope at the most appropriate location. The definitions of appropriate are going to depend significantly on what is happening, what kind of business you're in, and what your infrastructure looks like. It may range from blocking the single attacking IP at the host, all the way up to not routing that ASN at the border.

Scott Pack
  • Thanks - good to know. Are there any simple-to-deploy tools to help automate such reports? Identifying the sorts of abuse that are useful to report, finding who to report to, including the useful information, dealing with reports that get bounced, etc? – nealmcb Jan 29 '11 at 20:49
  • @Nealmcb - there are fun expensive IDS systems that can sum up all of this. I've seen Cisco MARS do it. I dunno if there are cheap/free options that make this easy, but if your set of logs is small, you can probably write up a logscraper to present you with an easy-to-use report. – mfinni Feb 03 '11 at 16:59
2

We get hundreds of hacking attempts on our web servers every day. Perhaps that is because we have had a web presence with about 40 sites for over 20 years. The hacking is bad enough for us to have written a 404 filter that searches for vulnerability patterns that generate 404's. When a vulnerability pattern is detected, we blackhole the IP for 3 days. We can see that hackers use lists of vulnerabilities and sequentially try them one at a time. We generate a daily report of the hack attempts, usually about 400 per day, and look up the netblock of the ISP originating the hack attempt. If the attempt is obvious and egregious, we add the netblock to a DB table with their abuse reporting address.

There are both responsible and irresponsible ISPs. In our experience, the following really want to receive your abuse reports in an email message:

- Microsoft (Azure)
- Sendgrid
- Comcast
- Amazon (AWS)

The following do not want to receive your abuse reports, but they respond back:

- Charter (insists that it is not from their IP)

The following ignore your abuse reports:

- Digitalocean (netblock had to be firewalled permanently)
- ovh.net, ovh.ca, ovh.us (netblock had to be firewalled permanently)

The following countries host ISPs, and they ignore your abuse reports:

- Russia
- China
- Indonesia
- Netherlands
- India
- Pakistan
- Bulgaria
- Vietnam

There are, of course, many others, but these are the most egregious.

2

This is a password-guessing attack known as a brute force attack. The best defense is to make sure that users' passwords are strong. Another solution is to lock out an IP address with multiple failed logins. Brute force attacks are difficult to stop.

alvosu
2

As lynxman said, all you really can do is contact their ISP's abuse department and inform them. I would block that IP both in the firewall and on the server. Second, I would also set up attempt-based lockout in Group Policy (if you have AD). As long as your passwords are strong I wouldn't worry about it; I have servers that I run to learn and I get login attempts all day long.

Jacob
  • Contacting their ISPs is what I meant (nothing important happened, the attack was not successful, therefore contacting the ISP is all I might want to do) – should I do it, or is it a waste of time? – Mormegil Jan 29 '11 at 19:15
  • @mormegil It depends. I usually do, but if it's in Russia or a country in the old Soviet bloc I don't bother. They can null route to you, which will get traffic from him to you to stop. – Jacob Jan 29 '11 at 19:25
1

Unfortunately it's completely normal; most of these attempts are generated through other servers that have been hacked as well.

The best you can do, if you see these attacks coming persistently from a unique IP address and you suspect that the server got hacked, is to email the abuse/sysadmins at that server so they can fix the situation; it's quite easy to lose track of a server when you're overloaded and maintaining hundreds of them.

In any other case firewalling, filtering or ignoring is mostly a good practice.

lynxman
1

Your problem here is that the vast number of these are likely to be coming from compromised machines, in various countries, that are probably home users' PCs and are probably on dynamic addressing schemes.

Which means that the owners of the machines don't know they are forwarding attacks and don't care; they may be in countries where the law really doesn't care; and the ISPs probably don't care and in any case won't want to trawl logs to see who was using that IP address.

Best plan is a combination of lynxman's, Jacob's and Pack's - generally block them, but set up a script to see if there are common culprits and specifically send your comms to the Abuse departments of those ISPs.

Better use of your time that way.

Rory Alsop
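The report fields listed in Scott Pack's answer and the "script to see if there are common culprits" suggested in the answer above, as an added example that is not part of either answer. It assumes failed-logon events have been exported to CSV; the column names, the threshold and the sample rows (documentation-range addresses) are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: failed-logon events exported to CSV. Column names are
# assumptions for this example; addresses come from documentation ranges.
SAMPLE_LOG = """\
timestamp,source_ip,target_ip,account
2011-01-29T18:02:11+01:00,203.0.113.7,192.0.2.10,administrator
2011-01-29T18:02:13+01:00,203.0.113.7,192.0.2.10,admin
2011-01-29T18:02:15+01:00,203.0.113.7,192.0.2.11,root
2011-01-29T18:40:00+01:00,198.51.100.23,192.0.2.10,guest
2011-01-29T19:05:42+01:00,203.0.113.7,192.0.2.10,test
"""

def summarize(log_text, min_attempts=3):
    """Group failed logons by source IP; keep sources at or above the threshold."""
    by_source = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        # fromisoformat keeps the UTC offset, so the time zone reaches the report
        row["when"] = datetime.fromisoformat(row["timestamp"])
        by_source[row["source_ip"]].append(row)
    reports = []
    for src, rows in by_source.items():
        if len(rows) < min_attempts:
            continue  # one-off noise: block it, but not worth a report
        rows.sort(key=lambda r: r["when"])
        reports.append({
            "source_ip": src,
            "attempts": len(rows),
            "first_seen": rows[0]["when"].isoformat(),
            "last_seen": rows[-1]["when"].isoformat(),
            "targets": sorted({r["target_ip"] for r in rows}),
            "sample": [f'{r["timestamp"]} {src} -> {r["target_ip"]} account={r["account"]}'
                       for r in rows[:3]],
        })
    return sorted(reports, key=lambda r: r["attempts"], reverse=True)

def format_report(rep):
    """Render one abuse report: attacking IP, zoned timestamps, our IPs, log sample."""
    lines = [
        f'Attacking IP:  {rep["source_ip"]}',
        f'Time window:   {rep["first_seen"]} to {rep["last_seen"]} ({rep["attempts"]} failed logons)',
        f'Our systems:   {", ".join(rep["targets"])}',
        "Sample log lines:",
        *("  " + s for s in rep["sample"]),
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    for rep in summarize(SAMPLE_LOG):
        print(format_report(rep), end="\n\n")
```

The abuse contact for each reported source still has to be looked up from the whois record of its netblock.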