Previously, most automated vulnerability probing I’ve seen on my systems has been brute force and fairly ignorant: one IP address tries many, many (and in some cases many, many and many) times to get in with varying credentials – the most blocked count recently was over 2500 attempts.
This morning it all changed and the rows and columns of the table of attacking IP’s and target users have basically been switched so that one IP will try one login, and then another IP will try the same login etc. This means that whilst the automatic banning is still in place, I now have a huge list of IP’s that have never attempted to get in a second time.
How do I know it’s a single attack ? The fact that the usernames continue to be tried in alphabetical order is one real giveaway that this is a coordinated attack rather than a series of random one-shot attempts. The only really odd aspect is that the same series of usernames is repeated many times from different groups of addresses – I’d guess that whatever ‘common logins’ are being used have been split into a series of one-shot attempts and distributed to small sub-groups of machines (around 10 to 20 or so) which come in a very fast sequence which then has a pause before it begins again. The pause could be simple latency and random chance, or, more likely, it’s the subgroup reporting back failure on one set of data to a central location (or, more P2P like, the next sub-group of IP’s) before the next set of logins is tried.
Interesting ? Maybe. It’s certainly a great way to tip your hand as to who is a member of a particular botnet as you’re exposing all your hosts in one run. On the other hand, it’s far harder to block and consumes far more bandwidth as you need to answer each attempt to discover who it is they’re trying to get in as – the previous method of just dumping the packets after the first offence did save a noticeable number of bytes when counted over a month. I think it’s actually a response to automatic IP blacklisting – only one valid login needs to get in to halt the attack sequence and the pattern shows that banning repeat offenders was a very successful tactic in halting the crack attempts.
Of course, it could all be a very cunning scheme to exhaust disc space due to excessive logging and so cause a very roundabout DoS…