DOS / Brute Force Attack on an FTP Server

Associate | Joined 6 Feb 2004 | Posts 689 | Location Herts
Hello all,

Just wanted to consult the network bods around here on an issue I’ve recently uncovered with one of our web servers.

It appears that someone is trying to attack the FTP service, as the IIS log reveals thousands of hits an hour attempting to crack the Administrator account. To get an idea of the extent of the attack, our daily IIS log for the server is around 40MB (not too huge but way above normal!).

The local admin account is not called Administrator, so I'm not too concerned about the brute force side of things; however, I am concerned about the unnecessary load being placed on the server.

I tried using IPSec and IIS' IP filtering tools; however, the IP is different each day and it is proving hard to stop. What would you guys do in a situation like this?

Dan.
 
Associate | Joined 6 Oct 2004 | Posts 1,921 | Location London
Are the attacks coming from the same IP each day? (I know you've said the IP is different each day; I mean, say you get 1000 attacks on Monday, are they all from the same IP?)

What is the frequency? (simultaneous connections or successive)

I'm not sure how to do it in IIS, but your firewall (depending on sophistication) should be able to mitigate flooding attacks from that IP?
 
Associate | Joined 18 Nov 2003 | Posts 1,311 | Location Newcastle
It doesn't really matter what the user account is called, tbh. The Administrator user will always have the RID of 500, so hackers can easily bypass that.

Is the attack coming from the same IP each time? If it's the same, try and route all traffic from that IP to a dead end... basically a machine which isn't connected to anything and doesn't exist on your range.
 
Soldato | Joined 18 Oct 2002 | Posts 2,714
Depending upon your firewall you might be able to limit the number of connections. Failing that, is it possible to change the IP on the server? Also you might want to consider setting up some sort of VPN, or pass-through authentication; that way legitimate users will have to authenticate before reaching the server in question. Do you actually need to open up FTP on the machine to the internet, and if you do, can you actually tie it down to specific IPs or IP ranges? As for redirecting to another IP on the network, if you are using a decent firewall it's a pointless exercise.
 
Associate (OP) | Joined 6 Feb 2004 | Posts 689 | Location Herts
are the attacks coming from the same IP each day (I know you've said the IP is different each day, I mean say you get 1000 attacks on monday are they all from the same IP?)
Yes.


What is the frequency? (simultaneous connections or successive)
As far as I can see they are successive.


What firewall are you using?
A Cisco PIX 515e


Is the attack coming from the same IP each time?
No, it changes. If I block traffic by IP it takes a couple of days to re-appear under a different one.


Failing that is it possible to change the IP on the server?
Not really, no. The server is used to host around 80 public-facing web sites. FTP is used by our clients to upload data to their web directories. I suppose the ideal solution would be some kind of connection lockout feature that blocks an IP following a number of invalid connection attempts. I have configured account lockout policies within Windows, but as the account in question does not exist, the attack continues without intervention.

Thanks for the input so far!

Dan.
 
Associate | Joined 24 Aug 2003 | Posts 317
You should definitely look at blocking the IP for several minutes after so many unsuccessful connections.

You should also see if you can block an IP address the moment it tries to use the administrator account. We had a script do this on an old FTP server, maybe not MSFTP though :(. Basically, if you tried admin/root/administrator etc., your IP was blocked immediately.

Delay the "incorrect password" response. On our FTP server, the error message is delayed by 10-15 seconds every time, so it really slows down the attackers.

There's not much point in changing IP address, as it will only start getting scanned again minutes/hours/days later.
 
Associate | Joined 6 Oct 2004 | Posts 1,921 | Location London
If you're using a PIX I'm sure one of the more experienced Cisco bods can help you out (such as V-Spec)

The PIX definitely supports this feature; you can set it to shun an IP for a set period after a certain behaviour is detected.

I don't think you'll be able to prevent the attacks, just minimise the possibility of success.

If you know the IPs, can you check if they are from a single ISP? (If so, then contact the ISP anyway to lodge a complaint.)

EDIT:
I'll look it up in my PIX book when I get home (if I get time)

Also, what version are you running? (A 515e should support 7.x.)
 
Soldato | Joined 18 Oct 2002 | Posts 2,714
Unfortunately, using the PIX there is a limited amount you can do. It's possible that an FTP brute force attack is part of the inbuilt IDS attack signatures on the PIX. Check on cisco.com and you might be able to drop the connections; unfortunately I don't believe it is possible to set up per-signature options, so you are likely to get some false positives on other signatures blocked. As stated above, you can use the shun command, syntax: shun source_IP [dest_ip sport dport [protocol]]

i.e. to block attacker 10.10.10.1: shun 10.10.10.1

Your best bet might be to set up firewall authentication for FTP traffic. That way, if they don't authenticate to the firewall they don't get any further.
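Putting the thread's suggestions together (the OP's wish for a per-IP lockout after a number of failed logins, the instant block on a privileged username, and the PIX shun command above), here is an added example that is not code from any poster: it reads constructed log lines in the IIS 6 FTP W3C format and emits the shun lines an admin would paste into the PIX. The threshold, window and username list are assumed policy values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the IIS 6 FTP W3C log style, not the OP's real log.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2005-03-10 09:00:01 203.0.113.5 - 192.0.2.10 21 [1]USER Administrator 331 0
2005-03-10 09:00:01 203.0.113.5 Administrator 192.0.2.10 21 [1]PASS - 530 1326
2005-03-10 09:05:00 198.51.100.7 - 192.0.2.10 21 [2]USER client42 331 0
2005-03-10 09:05:00 198.51.100.7 client42 192.0.2.10 21 [2]PASS - 530 1326
2005-03-10 09:05:10 198.51.100.7 - 192.0.2.10 21 [3]USER client42 331 0
2005-03-10 09:05:10 198.51.100.7 client42 192.0.2.10 21 [3]PASS - 230 0
2005-03-10 09:07:00 203.0.113.42 - 192.0.2.10 21 [4]USER webuser 331 0
2005-03-10 09:07:00 203.0.113.42 webuser 192.0.2.10 21 [4]PASS - 530 1326
2005-03-10 09:07:01 203.0.113.42 - 192.0.2.10 21 [5]USER webuser 331 0
2005-03-10 09:07:01 203.0.113.42 webuser 192.0.2.10 21 [5]PASS - 530 1326
2005-03-10 09:07:02 203.0.113.42 - 192.0.2.10 21 [6]USER webuser 331 0
2005-03-10 09:07:02 203.0.113.42 webuser 192.0.2.10 21 [6]PASS - 530 1326
"""

FORBIDDEN_USERS = {"administrator", "admin", "root"}  # block on first sight (assumed list)
THRESHOLD, WINDOW = 3, timedelta(minutes=10)           # assumed lockout policy

def find_offenders(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: reason} for client IPs that should be blocked."""
    failures = defaultdict(deque)   # ip -> timestamps of 530 replies inside the window
    offenders = {}
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split()
        when = datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S")
        ip, method, arg, status = f[2], f[6], f[7], f[8]
        verb = method.split("]")[-1]   # "[1]USER" -> "USER" (IIS 6 prefixes the session id)
        if verb == "USER" and arg.lower() in FORBIDDEN_USERS:
            offenders.setdefault(ip, f"tried privileged account {arg}")
        elif verb == "PASS" and status == "530":   # 530 = login failed
            q = failures[ip]
            q.append(when)
            while q and when - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                offenders.setdefault(ip, f"{len(q)} failed logins within {window}")
    return offenders

def shun_commands(offenders):
    """Render one PIX 'shun' line per offending IP, in a stable order."""
    return [f"shun {ip}" for ip in sorted(offenders)]
```

A legitimate client that mistypes once and then logs in (198.51.100.7 above) is never listed, which is the false-positive case a threshold-only rule must get right.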
 
Associate | Joined 26 Oct 2002 | Posts 1,714
The connection attempts you are seeing, are they all from a common IP address range? If so, I'd consider blacklisting the entire netblock (for FTP connections) on the PIX. Also dig out the abuse address for the ISP concerned with the attacks and report them.

We tend to see a lot of SMTP & SNMP based attacks from certain IP blocks so just blacklist the entire netblock!

An example of this would be:

! name your network objects
name 172.16.1.1 my_ftp_server
name 10.1.0.0 bad_guy_16
name 192.168.3.0 bad_guy_24

! create a blacklist object group (a group keeps only one description,
! so the per-range notes are comments rather than repeated description lines)
object-group network FTP_Blacklist
 description Blocked FTP connections from these IP's.
 ! block the following slash 16 range
 network-object bad_guy_16 255.255.0.0
 ! block the following slash 24 range
 network-object bad_guy_24 255.255.255.0

! deny ftp connections from the object group using access list
! (this deny must sit above any permit for ftp in the same list)
access-list outside_access_in remark Blacklisted FTP addresses
access-list outside_access_in deny tcp object-group FTP_Blacklist host my_ftp_server eq ftp

! oh, and don't forget to apply the access list to the outside interface
access-group outside_access_in in interface outside

If possible I'd also consider setting up the firewall to only allow FTP connections from known IP addresses, but if you're hosting for customers this may not be possible.
 