NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: brute force/dictionary attacks

At Mon, 26 Sep 2011 11:30:07 -0500 (CDT), Al - Image Hosting Services 
<> wrote:
Subject: brute force/dictionary attacks
> I am running NetBSd 4 with UW ipop3d. Anyway, I am getting more and
> more brute force attacks with pop. What happens is that after inetd
> reaches the set limit of connections it stops all pop3 requests, so
> the pop server is effectively down. I put the IP address in
> hosts.deny, but inetd still reached its limit and stopped taking
> requests for pop. I then raised the limit of connections to 999. This
> created a new issue and although the server continued to answer pop
> requests its cpu was 0% idle.

In inetd(8) the TCP Wrappers (libwrap) checks are done in the child
process just before it executes the service program, however rate checks
are necessarily done before the child process is forked.

You will have to use network layer firewalling (e.g. IP-filter) to block
abusive client hosts from hammering on inetd.

If you switch to Cyrus IMAPd then you will benefit from both a full IMAP
server, as well as traditional POP, all rolled into one; and you will
also benefit from use of the Cyrus "master" daemon which manages
pre-forking and maximum child process counts, as well as a "pop3d" (and
"imapd") which can be re-used for new connections.

You'll probably still want to use a firewall to block abusive clients if
possible, but I think you'll find that the Cyrus master daemon, along
with the imapd and pop3d service daemon's ability to be reused, goes a
long way to mitigating service outages during dictionary style attacks.

> Maybe someone has a better suggestion on how to deal with this kind of
> attack.

There are a number of scripts and tools to watch logs and manipulate
firewall rules.

I have just today discovered "sshguard".  It's a C implementation of a
log-watcher and attack detector which knows about syslog and various
firewalls.  It already knows about Cyrus IMAPd, as well as OpenSSH,
ftpd, etc.  FreeBSD has had a package for it in their "ports" tree since
about 2007 but as yet I don't see anything for it in pkgsrc.

(I'm going to modify it so that it only does "dynamic" blocking and
doesn't modify /etc/ipf.conf)

I've also been looking for something that could I run on the main
gateway firewall instead of on each target host.

Some time ago I found a paper describing an algorithm called LQS which
it claims is quite successful at detecting scan-style attacks and which
can be used successfully to implement firewall rules to block scanners
without interfering with normal users:

        "Network Scan Detection with LQS: A Lightweight, Quick, and
        Stateful Algorithm"
        Mansour Alsaleh,
        P.C. van Oorschot
        School of Computer Science, Carleton University, Ottawa, Canada

        Pub. in Proceedings of the 12'th USENIX Security Symposium
        August 2003

I haven't found anything more recent that is claimed to be any more

The paper describes implementing LQS in the Bro language, and using
it as a plug-in to the Bro Network Intrusion Detection System.

I have had hopes of finding time to sit down and implement a slightly
simplified form of LQS in hopefully AWK, or possibly Python, using
IP-Filter as a method of detecting connection attempts, and further
using IP-Filter as a method of blocking the detected scanners.

Making it work really well, including avoiding syslogd's compression
feature, will also require some adaptation of ipmon(8) so that log
entries can be sent to multiple (or at least two) consumers

However LQS as-is just detects TCP/IP scanners.  I.e. it doesn't make
use of authentication failures from the monitored services to detect
user-id and/or password dictionary attacks on individual services, and
in particular it does not detect user-id scans and password guessing
attacks.  So I think some combination of network scan detection (which
can be centralized) and dictionary attack detection (which at minimum
required centralized log record collection) is ultimately required for
basic network intrusion and DDoS prevention.

                                                Greg A. Woods
                                                Planix, Inc.

<>       +1 250 762-7675

Attachment: pgpqeGV_Ub_eQ.pgp
Description: PGP signature

Home | Main Index | Thread Index | Old Index