DOS / Brute Force Attack on an FTP Server

Discussion in 'Networks & Internet Connectivity' started by CoXeY, 12 Jul 2006.

  1. CoXeY

    Hitman

    Joined: 6 Feb 2004

    Posts: 689

    Location: Herts

    Hello all,

    Just wanted to consult the network bods around here on an issue I’ve recently uncovered with one of our web servers.

    It appears that someone is trying to attack the FTP service as the IIS log reveals thousands of hits an hour attempting to crack the Administrator account. To get an idea of the extent of the attack our daily IIS log for the server is around 40MB (not too huge but way above normal!).

    The local admin account is not called administrator so I’m not too concerned about the brute force side of things, however I am concerned about the unnecessary load being placed on the server.

    I tried using IPSec and IIS' IP filtering tools however the IP is different each day and is proving hard to stop. What would you guys do in a situation like this?

    Dan.
     
  2. Wyvern971

    Wise Guy

    Joined: 6 Oct 2004

    Posts: 1,921

    Location: London

    are the attacks coming from the same IP each day (I know you've said the IP is different each day, I mean say you get 1000 attacks on monday are they all from the same IP?)

    What is the frequency? (simultaneous connections or successive)

    I'm not sure how to do it in IIS, but your firewall (depending on sophistication) should be able to mitigate flooding attacks from that IP?
     
  3. Curiosityx

    Mobster

    Joined: 17 Oct 2002

    Posts: 3,941

    Location: West Midlands

    What firewall are you using?
     
  4. hybrid

    Wise Guy

    Joined: 18 Nov 2003

    Posts: 1,312

    Location: Newcastle

    It doesn't really matter what the user account is called tbh. The Administrator user will always have the RID of 500 so hackers can easily bypass that.

    Is the attack coming from the same IP each time? If it's the same try and route all traffic from that IP to a dead end... basically a machine which isn't connected to anything and doesn't exist on your range.
     
  5. FordPrefect

    Mobster

    Joined: 18 Oct 2002

    Posts: 2,715

    Depending upon your firewall you might be able to limit the number of connections. Failing that, is it possible to change the IP on the server? Also you might want to consider setting up some sort of VPN, or pass-through authentication; that way legitimate users will have to authenticate before reaching the server in question. Do you actually need to open up FTP on the machine to the internet, and if you do can you actually tie it down to specific IPs or IP ranges? As for redirecting to another IP on the network, if you are using a decent firewall it's a pointless exercise.
     
  6. CoXeY

    Hitman

    Joined: 6 Feb 2004

    Posts: 689

    Location: Herts

    Yes.


    As far as I can see they are successive.


    A Cisco PIX 515e


    No it changes. If I block traffic by IP it takes a couple of days to re-appear under a different one.


    Not really, no. The server is used to host around 80 public facing web sites. FTP is used by our clients to upload data to their web directories. I suppose the ideal solution would be some kind of connection lockout feature that blocks an IP following a number of invalid connection attempts. I have configured account lockout policies within Windows, but as the account in question does not exist the attack continues without intervention.

    Thanks for the input so far!

    Dan.
     
  7. Toytown

    Gangster

    Joined: 24 Aug 2003

    Posts: 321

    You should definitely look at blocking the IP for several minutes after so many unsuccessful connections.

    You should also see if you can block an IP address the moment it tries to use the administrator account. We had a script do this on an old FTP server, maybe not MSFTP though :( , basically if you tried admin/root/administrator etc., your IP was blocked immediately.

    Delay the "incorrect password" response. On our FTP server, the error message is delayed by 10-15 seconds every time, so it really slows down the attackers.

    There's not much point in changing IP address, as it will only start getting scanned again minutes/hours/days later.
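    An added example (not code from any poster in this thread) of the lockout logic Dan and Toytown describe: it reads IIS FTP W3C log lines, counts 530 replies to PASS commands per client IP, and names the IPs that cross a failure threshold inside a time window, so a single mistyped password from a legitimate client is not enough to get it blocked. The log lines, IP addresses, thresholds and function names are constructed for the example.

```python
"""Added example: failed-logon counter for an IIS FTP W3C log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an IIS 6 FTP W3C log (not taken from the thread).
# FTP reply 530 "not logged in" is what a wrong password produces.
SAMPLE_LOG = """#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem sc-status sc-win32-status
2006-07-12 10:00:01 203.0.113.5 Administrator 192.0.2.10 21 [1]USER Administrator 331 0
2006-07-12 10:00:01 203.0.113.5 Administrator 192.0.2.10 21 [1]PASS - 530 1326
2006-07-12 10:00:03 203.0.113.5 Administrator 192.0.2.10 21 [2]PASS - 530 1326
2006-07-12 10:00:05 203.0.113.5 Administrator 192.0.2.10 21 [3]PASS - 530 1326
2006-07-12 10:00:07 203.0.113.5 Administrator 192.0.2.10 21 [4]PASS - 530 1326
2006-07-12 10:00:09 203.0.113.5 Administrator 192.0.2.10 21 [5]PASS - 530 1326
2006-07-12 10:00:30 198.51.100.7 client42 192.0.2.10 21 [6]PASS - 530 1326
2006-07-12 10:00:45 198.51.100.7 client42 192.0.2.10 21 [7]PASS - 230 0
2006-07-12 10:20:00 203.0.113.5 Administrator 192.0.2.10 21 [8]PASS - 530 1326
"""

def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def failed_logons(records):
    """Map c-ip -> sorted timestamps of PASS commands answered with 530."""
    failures = defaultdict(list)
    for r in records:
        if r["cs-method"].endswith("PASS") and r["sc-status"] == "530":
            stamp = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
            failures[r["c-ip"]].append(stamp)
    return {ip: sorted(t) for ip, t in failures.items()}

def offenders(failures, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside some `window`-long span."""
    hits = set()
    for ip, times in failures.items():
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.add(ip)
                break
    return hits

def block_list(text=SAMPLE_LOG, **kw):
    """Sorted IPs to feed a firewall block rule (e.g. a PIX shun)."""
    return sorted(offenders(failed_logons(parse_w3c(text)), **kw))
```

    With the sample data only 203.0.113.5 is listed: it fails five times in eight seconds, while client42's single failure followed by a 230 success is left alone.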
     
  8. Wyvern971

    Wise Guy

    Joined: 6 Oct 2004

    Posts: 1,921

    Location: London

    If you're using a PIX I'm sure one of the more experienced Cisco bods can help you out (such as V-Spec)

    The PIX definitely supports this feature, you can set it to shun an IP for a set period after a certain behaviour is detected.

    I don't think you'll be able to prevent the attacks, just minimise the possibility of success.

    If you know the IPs can you check if they are from a single ISP? (If so then contact the ISP anyway to lodge a complaint.)

    EDIT:
    I'll look it up in my PIX book when I get home (if I get time)

    Also what version are you running (a 515e should support 7.x)
     
  9. FordPrefect

    Mobster

    Joined: 18 Oct 2002

    Posts: 2,715

    Unfortunately using the PIX there is a limited amount you can do. It's possible that an FTP brute force attack is part of the inbuilt IDS attack signatures on the PIX. Check on cisco.com and you might be able to drop the connections; unfortunately I don't believe it is possible to set up per-signature options so you are likely to get some false positives on other signatures blocked. As stated above you can use the shun command, syntax: shun source_IP [dest_ip sport dport [protocol]]

    i.e. to block attacker 10.10.10.1 = shun 10.10.10.1

    Your best bet might be to set up firewall authentication for FTP traffic. That way if they don't authenticate to the firewall they don't get any further.
     
    Last edited: 13 Jul 2006
  10. derfderfley

    Wise Guy

    Joined: 26 Oct 2002

    Posts: 1,714

    The connection attempts you are seeing, are they all from a common IP address range? If so I'd consider blacklisting the entire netblock (for FTP connections) on the PIX. Also dig out the abuse address for the ISP concerned with the attacks and report them.

    We tend to see a lot of SMTP & SNMP based attacks from certain IP blocks so just blacklist the entire netblock!

    An Example of this would be....

    If possible I'd also consider setting up the firewall to only allow FTP connections from known IP addresses, but if you're hosting for customers this may not be possible.
     
    Last edited: 13 Jul 2006