| From | Moe Trin <ibuprofin@painkiller.example.tld.invalid> |
|---|---|
| Newsgroups | comp.os.linux.security |
| Subject | Re: yet another IP blocklist (mine!) |
| Date | 2016-11-24 01:13 +0000 |
| Organization | Schroedinger's cat is alive and dead. |
| Message-ID | <slrno3cfo3.gb2.ibuprofin@planck.phx.az.us> (permalink) |
| References | (2 earlier) <MPG.327c65692bdf48dc989683@news.eternal-september.org> <slrno17fn7.raa.ibuprofin@planck.phx.az.us> <MPG.327d9502ab733f6f989682@reader80.eternal-september.org> <slrno1a8cn.q8v.ibuprofin@planck.phx.az.us> <MPG.329ea37bff320fd4989681@news.albasani.net> |
On Tue, 22 Nov 2016, in the Usenet newsgroup comp.os.linux.security, in article
<MPG.329ea37bff320fd4989681@news.albasani.net>, Supratim Sanyal wrote:
>ibuprofin@painkiller.example.tld.invalid says...
>> Supratim Sanyal wrote:
>>> but these blocklists are missing a vast number of port 23 bots.
>> I'm not sure it's even possible to come up with a reasonably accurate
>> list - it changes so frequently. It's getting worse even now due to
>> the "Internet of Things" (commonly written as "IoT") which includes
>> all of the poorly designed devices in the modern home. Most of the
>> current crop of 'bots are unprotected DVD players, Internet-enabled
>> cameras, and similar.
>interesting - looks like mirai would have eventually got into your DVD
>players
Not likely mine - the firewall here blocks those unwanted inbounds, and
the DVD players are intentionally not networked. If you want a simple
hint about the prevalence of 'bots, set your firewall to "IGNORE" or
"DROP" TCP connection attempts to ports 23 (and 2323), and then look at
the values of the variables in the SYN packet headers received (the
initial packet used to set up a TCP connection) - source port number is
one, TCP window size is another (see a good networking textbook such as
"TCP/IP Illustrated - Volume 1" by the late W. Richard Stevens for what
is "normal" and notice the differences in what's hitting your address
now). Also note the 'bots make a single SYN (in the absence of a reply)
rather than 3 spaced several seconds apart. Last month, I enabled
logging on the firewall for a day, and was seeing an _average_ of 81
rather obvious 'bots per hour during the entire period. Based on the
RFC defined protocols, more than 95% of the connection attempts I saw
(1953 of 2029 in 24 hours) were 'bots. My firewall normally drops all
"new" inbounds (not just to 23/tcp) and does not bother logging the
idiots - which would be a waste of CPU cycles and disk space.
>looked up the password list it uses, it covers the ones your
>DVD players came with
I ceased to be amazed at the gross stupidity of some manufacturers
long ago. For a while in 2005, I was browsing a Usenet newsgroup
named "alt.privacy.spyware" (still exists, but I haven't bothered with
it since), and there were semi-regular posts with pointers to large
lists of default passwords used by manufacturers who should have known
better. "admin" with "admin" was very common, as was "admin" with ""
(just hit Enter), and "admin" with "password" - the lead engineer and
managers of those products should be lined up and shot _repeatedly_
with a rusty keyboard. But they don't care, so I'm not sure it would
do much good. In 2003, there was a windoze worm that went through the
world effortlessly - search for "Deloder" or the CERT Advisory issued
about it ("CA-2003-08 Increased Activity Targeting Windows Shares").
Briefly, it attacked using the premise that every windoze administrator
account was protected by one of just 86 possible passwords that were
really un-guessable like "abc" or "123" (see the CERT Advisory for the
actual list). But using *nix shouldn't make one feel superior as more
than one security professional has pointed out to me - "CA-2003-08
passwords are equally common in the rest of the computer world".
Old guy
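As an added example (not part of the post, and not the author's firewall setup): a small Python script that applies the heuristic described above, a lone SYN that is never retransmitted versus the 2-3 retries a real TCP stack makes, to iptables LOG lines. The log lines, addresses (RFC 5737 documentation ranges) and header values are constructed for the example, and the 30-second retry window is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG output; addresses and header values are invented.
# 192.0.2.10 retries its SYN (1s, then 3s later) the way a real stack does; the others
# fire one SYN to 23/tcp or 2323/tcp and never retry. 22/tcp is included only to be ignored.
SAMPLE_LOG = """\
Nov 23 10:15:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TTL=49 ID=0 PROTO=TCP SPT=40404 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 23 10:15:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.7 LEN=40 TTL=52 ID=0 PROTO=TCP SPT=51111 DPT=2323 WINDOW=14600 RES=0x00 SYN URGP=0
Nov 23 10:15:05 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=60 ID=8833 PROTO=TCP SPT=45210 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 23 10:15:06 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=60 ID=8834 PROTO=TCP SPT=45210 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 23 10:15:08 fw kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=60 ID=8835 PROTO=TCP SPT=45210 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 23 10:15:09 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=40 TTL=47 ID=0 PROTO=TCP SPT=33333 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) "
    r"WINDOW=(?P<win>\d+) (?:RES=\S+ )?(?P<flags>[A-Z ]*?)URGP=")

def parse_syns(log_text):
    """Yield (seconds_of_day, src, spt, dpt, window) for pure SYN packets only."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        flags = m["flags"].split()
        if "SYN" not in flags or "ACK" in flags:   # skip SYN-ACK and everything else
            continue
        h, mi, s = (int(x) for x in m["ts"].split(":"))
        yield h * 3600 + mi * 60 + s, m["src"], int(m["spt"]), int(m["dpt"]), int(m["win"])

def classify(log_text, ports=(23, 2323), retry_window=30):
    """Group SYNs by (src, source port, dest port). A group retried within retry_window
    seconds looks like a real stack; a lone SYN (or widely spaced ones) is bot-like.
    The TCP window of the first packet is kept so it can be compared to known stacks."""
    groups = defaultdict(list)
    for t, src, spt, dpt, win in parse_syns(log_text):
        if dpt in ports:
            groups[(src, spt, dpt)].append((t, win))
    result = {"bot_like": [], "stack_like": []}
    for (src, spt, dpt), pkts in groups.items():
        pkts.sort()
        retried = len(pkts) > 1 and pkts[-1][0] - pkts[0][0] <= retry_window
        result["stack_like" if retried else "bot_like"].append(
            {"src": src, "spt": spt, "dpt": dpt, "attempts": len(pkts), "window": pkts[0][1]})
    return result

def bot_ratio(log_text, **kw):
    """Return (bot-like SYNs, total SYNs) on the watched ports, as in the post's 1953 of 2029."""
    r = classify(log_text, **kw)
    bots = sum(e["attempts"] for e in r["bot_like"])
    return bots, bots + sum(e["attempts"] for e in r["stack_like"])
```

The retry test deliberately keys on the source port as well as the address: a stack retransmitting a SYN reuses the same ephemeral port, while a scanner sending fresh single SYNs generally does not.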