Re: Blocking attacks from spoofed IP addresses
- From: Grant <g_r_a_n_t_@xxxxxxxxxxxxxxxxx>
- Date: Sat, 03 Oct 2009 08:22:19 +1000
On Fri, 02 Oct 2009 15:01:11 -0500, ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) wrote:
On Fri, 02 Oct 2009, in the Usenet newsgroup comp.os.linux.networking, in
article <a1jac5119p0tr7ar15ci6548eusq1hoh7s@xxxxxxx>, Grant wrote:
ibuprofin@xxxxxxxxxxxxxxxxxxxxxx (Moe Trin) wrote:
Two thoughts - what are you "offering" to the world, and what are
you trying to defend against.
Anonymous ftp + http. Defending against too much traffic :)
Sounds as if you have thought the problem through - that's good.
Banned blocks mostly from annoying web crawlers that don't honour
the web 'robots.txt' file -- like the recently new Chinese crawler.
I hesitate to ask, but what IP[s]? Some time ago, I looked at the
logs of someone else's system, and noted a lot of consistent hits
from a handful of IP ranges registered in China. DNS lookups were
useless, as most addresses there don't have PTR records, but the
'whois' queries provide some hints. There is a whois server for
.cn, but it's not going to provide useful data. The 1630 IPv4
blocks registered in China are scattered over 39 /8s from 58.14.0.0
to 222.249.255.255.
From my block drop list:....
# some idiot playing with the ftp server
91.195.136.0/25
# idiot pinger
85.178.0.0/16
# dunno, something is calling home to 38.97.225.166:6667
38.97.225.128/25
# some wankers playing with web server
58.224.0.0/12
80.93.208.0/20
83.149.64.0/18
85.17.0.0/16
87.106.0.0/16
91.206.182.0/23 # 91.206.183.148
207.234.209.0/24 # 207.234.209.146
# Baiduspider
61.135.168.0/24
123.125.0.0/16
220.181.0.0/16
# Asian probes
61.156.0.0/16 # China
121.121.0.0/16 # Malaysia
123.0.232.0/13 # Taiwan
123.112.0.0/13 # China
123.128.0.0/13 # China
220.181.0.0/16 # China
After a while I'll comment out blocks to see if they're still active:
# site rippers
#65.213.208.128/27 # CYVEILLANCE
#63.148.99.224/27 # CYVEILLANCE
#65.222.185.72/29 # CYVEILLANCE
#66.148.64.0/18 # HopOne Internet Corp
#67.19.114.224/29 # site ripper
#208.66.192.0/22 # McColo
#128.194.0.0/16 # Texas A&M University, bad bot 128.194.135.81
#207.241.224.0/20 # Internet Archive, bad bot 207.241.233.245
#66.194.6.0/24 # Websense, bad bot, msie6 with info in Q3124nn
#204.11.96.0/21 # too stupid?
#217.70.144.0/20 # bad bot
#211.43.212.0/24 # bad bot
Or web site rippers. Once it was some script kiddies from NL playing
with a web form -- after I used their crap traffic to refine a quota
system I blocked the IP, then the IP block when the traffic changed IPs.
Residential IPs? Some have commented about my statement about not
wanting traffic "from Kazakhstan, Kenya, Kiribati, Korea, or Kuwait or
a lot of other places" but seem to miss that I also block access from
nearly all the ISPs in North America as well. It's usually not so
much the country that indicates a problem, but the _type_ of network
(with residential providers being some of the worst).
A while back colo IP blocks were a source of annoyance. Much of the
blocking was simply to unclutter the logs. I have a log 'pretty
printer' running on second screen just to see 'odd' traffic -- it
does name and country lookups so I get an idea where the stuff comes
from. Also logs outgoing traffic to less used (non http) ports so
I can see if this 'doze box I type on gets compromised and starts
spewing email or something.
Only caught one oddness, that:
"
# dunno, something is calling home to 38.97.225.166:6667
38.97.225.128/25
"
after a web page hijacking.
Oh, and the port-knocking may run into those same 'blocked by the
corporate firewall' rules that made it impractical to move your
server to an obscure port.
Maybe one could knock the http (or 8000 port area) port? A custom
.cgi could do anything one wanted, no?
Firewall rules alone are all that are needed, so there is no reason to
have an actual server listening. There are many ways to implement this
concept, which _MIGHT_ be as simple as a log-reader running as a cron
job. As for port 80, 8000, and friends, a significant number of
corporate firewalls block user access OUT to those ports - a proxy
server is used to access the remote site. That tends to put a severe
crimp in usable port lists. I've found that _moderately_ well used
ports SUCH AS 21, 23, 43, 53, 113, 119, 443 and some ports around 990
have some chance of success, but nothing is universally going to work.
The "knocking program" on the client can be very nearly anything that
accepts a port number as part of the address URL.
I'd possibly use https here as I don't offer that, or a web .cgi as
that server is always running (no php here :)
I've noticed telnet hits are more frequent last couple years, but
the firewall here bans the IP for some time after first hit to 22
or 23.
Haven't done port knocking yet as I've not yet needed to offer
'random' access for ssh :)
Port knocking is a poorly defined term. Some interpret it to mean using
a (pre-determined) sequence of connection attempts, and this sequence
acts as the authentication function. That's nearly always a horrible
idea. At the other end, the simple "telnet $ADDRESS $PORT_FOO ^c
ssh $ADDRESS <username> <authentication>" sequence is good enough.
Dynamic usernames or authentication based on time of day? Sure, that
can be made to work, and hinder replay attacks. Same for 'challenge -
response' authentication mechanisms. Just don't make the procedure[s]
so complex that you are sure to make a typ0 or other fumble-finger and
lock yourself out.
Think I'd go for the KISS method -- after all it's only about reducing
exposure to the system scanners out there discovering an open port to
try logins on.
And I only have passwordless ssh to the firewall box, I can't even
casually log in with password from localnet -- which doesn't hinder
operations as both linux and windows (PuTTY) have ssh agents for
authentication.
Grant.
--
http://bugsplatter.id.au
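The post keeps a hand-maintained drop list (CIDR blocks with `#` comments, with stale blocks commented out and later checked against the logs to see whether they are still active). The following is an added example, not code from Grant's post or from anyone in the thread: it parses a list in that same format, matches the source addresses of firewall log lines against both the active and the commented-out blocks, and reports which disabled blocks are still generating traffic. The drop-list excerpt and the netfilter-style log lines (the `SRC=` field is assumed) are constructed for illustration.

```python
"""Review a firewall block-drop list against log lines.

Added example, not from the original post. The list format (one CIDR
per line, '#' comments, '#CIDR' for a commented-out block) follows the
post; the drop-list excerpt and log lines here are constructed.
"""
import ipaddress
import re
from collections import Counter

# Constructed excerpt in the same shape as the drop list in the post.
DROP_LIST = """\
# some idiot playing with the ftp server
91.195.136.0/25
# idiot pinger
85.178.0.0/16
# Baiduspider
61.135.168.0/24
123.125.0.0/16
# site rippers (commented out to see whether they are still active)
#65.213.208.128/27 # CYVEILLANCE
#128.194.0.0/16 # Texas A&M University, bad bot 128.194.135.81
"""

# Constructed netfilter-style log lines; only the SRC= field is used.
LOG_LINES = """\
Oct  2 10:01:11 fw kernel: IN=eth0 SRC=91.195.136.77 DST=192.0.2.10 PROTO=TCP DPT=21
Oct  2 10:02:30 fw kernel: IN=eth0 SRC=128.194.135.81 DST=192.0.2.10 PROTO=TCP DPT=80
Oct  2 10:03:02 fw kernel: IN=eth0 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP DPT=80
Oct  2 10:03:40 fw kernel: IN=eth0 SRC=128.194.200.3 DST=192.0.2.10 PROTO=TCP DPT=80
Oct  2 10:04:15 fw kernel: IN=eth0 SRC=123.125.66.9 DST=192.0.2.10 PROTO=TCP DPT=80
"""

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_drop_list(text):
    """Return a list of (network, active, comment) tuples.

    A '#' line whose body starts with a digit is a commented-out block
    (kept, but marked inactive). Any other '#' line is a free-form
    comment that is attached to the entries following it.
    """
    entries = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        active = True
        if line.startswith("#"):
            body = line[1:].lstrip()
            if not body or not body[0].isdigit():
                pending = body  # free-form comment for the next blocks
                continue
            active = False  # commented-out block
            line = body
        cidr, _, trailing = line.partition("#")
        net = ipaddress.ip_network(cidr.strip(), strict=False)
        comment = trailing.strip() or pending
        entries.append((net, active, comment))
    return entries


def match_log(entries, log_text):
    """Count log lines whose SRC falls inside each listed block.

    Returns {str(network): (active, hits)}. Addresses outside every
    block are ignored; the list only decides what gets dropped.
    """
    hits = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if not m:
            continue
        addr = ipaddress.ip_address(m.group(1))
        for net, _, _ in entries:
            if addr in net:
                hits[str(net)] += 1
    return {str(net): (active, hits[str(net)]) for net, active, _ in entries}


def still_active(entries, log_text):
    """Commented-out blocks that still show up in the log: candidates
    to re-enable when periodically reviewing the list."""
    report = match_log(entries, log_text)
    return sorted(n for n, (active, n_hits) in report.items()
                  if not active and n_hits)


if __name__ == "__main__":
    ents = parse_drop_list(DROP_LIST)
    for net, (active, n_hits) in match_log(ents, LOG_LINES).items():
        state = "active" if active else "commented"
        print(f"{net:<20} {state:<9} hits={n_hits}")
    print("re-enable candidates:", still_active(ents, LOG_LINES))
```

Run as a cron job over the previous day's firewall log, the `still_active` report is what tells you whether a block that was commented out for a trial period has gone quiet or is still worth dropping; the per-block hit counts also show which active blocks are doing any work at all, which is the "unclutter the logs" question the post raises.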