It all started Monday at around 12:00am with a series of alert messages bombarding my phone.
Site Lockout Notification – an unknown user tried to log in as “jive-turkey” but with no soul.
This happens from time to time, so I wasn’t too concerned until I personally checked on the ‘Perimeter defence grid’ and was alarmed at the frequency of lockouts and IP bans: approximately 300 login attempts per hour from over 150 different IPs across both the IPv4 and IPv6 address space.
300 login attempts is low for a DDoS assault, but only because I have rules set up that do not allow it to get higher than that. Still, this was way above the 5 or 6 rogue login attempts my services receive on average per day. By process of elimination, I determined this was a systematic targeting of a particular site and service. To give you an idea, I have similar configurations and services running on the same servers that weren’t being targeted with this type of traffic, and nowhere near this scale. It seemed the attackers had isolated this particular website by DNS and/or IP. I could have narrowed it down to either a DNS assault or an IP attack by changing the IP, but I didn’t. I wanted to see how long this attack was going to last. As of this writing it is still going on. However, I did eliminate other factors. For example, the site is not being targeted because it is running a particular software stack or OS, or because it was behind a particular router or firewall, or running on particular server hardware. As I mentioned, I have other services and sites with the same configurations that are not being targeted.
I therefore expanded my view and started checking around to see what else was going on both online and in the real world.
Show and tell is always better with props, so have a look at some threat tools you can use yourself:
What didn’t help was what was going on internationally on the morning of Monday, December 20, 2016. For example, the assassination of the Russian ambassador in Turkey, or the lorry attack on the Christmas market in Germany, etc. Although terrible things go on all the time, it was particularly jarring for me at the time because of the wide array of news services I follow reporting these tragic events.
I performed reverse lookups on the IPs targeting the site and mapped out their vectors and frequency. This also pointed to a more targeted attack. I did find that other, more “traditional” attacks on other services were broadly down or non-existent, which may also point to law enforcement’s takedown of botnets, etc., having worked, so that cyber-criminals are now looking for new vectors to exploit.
Some lookup, diagnostic and IP forensic tools:
What I did want to point out and stress is the number of tools I needed to get a reasonable picture of what was happening at the time. I used a series of software firewall rules, honeypot logins, IP redirects, thresholds, analytics, page rules, DNS redirects, IP lookups and DDoS mitigation services to map out the attack. I did not set up these services or rules during the attack, but in preparation for one. In fact, I’m sure I would never have known this attack was taking place had I not already had all of these contingencies in place.
I also want to point out that I have a history of “normative” data to compare the attack against. There is always a constant flow of malicious login attempts and DDoS’ing going on across my various services, but this particular assault differed in scale and duration. I can compare and contrast this information to get an idea of the purpose of the attack, what tools they are using, and therefore how to best mitigate the assault.
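As an added illustration of the threshold-and-baseline comparison described above (this is example code written for this page, not the post author’s own tooling), the script below buckets failed logins per hour, counts distinct source IPs across IPv4 and IPv6, and flags any hour that exceeds a whole normal day’s “normative” rate. The log format, field names, sample lines (documentation-range addresses) and the baseline value are all assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log lines in an assumed format (not the post's real logs):
# "<ISO timestamp> FAILED_LOGIN user=<name> ip=<address>"
SAMPLE_LOG = """\
2016-12-19T23:58:02 FAILED_LOGIN user=admin ip=198.51.100.7
2016-12-20T00:01:11 FAILED_LOGIN user=jive-turkey ip=203.0.113.5
2016-12-20T00:01:40 FAILED_LOGIN user=jive-turkey ip=2001:db8::1
2016-12-20T00:02:05 FAILED_LOGIN user=jive-turkey ip=203.0.113.9
2016-12-20T00:03:19 FAILED_LOGIN user=jive-turkey ip=2001:db8::2
2016-12-20T00:04:44 FAILED_LOGIN user=jive-turkey ip=203.0.113.5
2016-12-20T00:05:30 FAILED_LOGIN user=jive-turkey ip=2001:db8::1
2016-12-20T00:06:12 FAILED_LOGIN user=jive-turkey ip=198.51.100.44
2016-12-20T00:07:00 FAILED_LOGIN user=jive-turkey ip=not-an-ip
"""

def parse_failed_logins(text):
    """Yield (hour_bucket, ip_address) for each well-formed FAILED_LOGIN line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[1] != "FAILED_LOGIN":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        try:
            ip = ipaddress.ip_address(fields["ip"])  # accepts IPv4 and IPv6
        except (KeyError, ValueError):
            continue  # skip malformed lines instead of crashing the monitor
        yield parts[0][:13], ip  # "YYYY-MM-DDTHH" is the hour bucket

def hourly_stats(text):
    """Return {hour: {"attempts": n, "distinct_ips": k, "ipv6_ips": m}}."""
    attempts = defaultdict(int)
    ips = defaultdict(set)
    for hour, ip in parse_failed_logins(text):
        attempts[hour] += 1
        ips[hour].add(ip)
    return {h: {"attempts": attempts[h],
                "distinct_ips": len(ips[h]),
                "ipv6_ips": sum(1 for ip in ips[h] if ip.version == 6)}
            for h in attempts}

def flag_anomalies(stats, baseline_per_day):
    """Return hours whose failed logins exceed a whole normal day's baseline
    (the post's 'normative' data): a targeted campaign, not background noise."""
    return sorted(h for h, s in stats.items() if s["attempts"] > baseline_per_day)

if __name__ == "__main__":
    print(flag_anomalies(hourly_stats(SAMPLE_LOG), baseline_per_day=6))
```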
I think 2017 is not going to be a good year for cyber security as a whole. I have already put money aside to increase my expenditure on IT security across the board. I have also mapped out a policy of minimum account configurations for all my services. I have also increased monitoring of all software targets, and increased security around hard targets like mobile phones and computer USB ports. If there is interest I will list the kind of security measures and services I use. But OpSec states I shouldn’t. Still, if it helps anyone, send me a message to convince me.