There's a new trend in brute force attacks. Most IP addresses are being used a single time. This renders IP address blocking useless.
Traditionally, criminals used a few (compromised) computers to wage brute force attacks against a given site. So security professionals and webmasters have monitored IP addresses and set up rules to deny requests from bad actors.
But the increasing proliferation of rootkits and the sophistication of command and control software has meant attackers can consider each bot (kind of) disposable. They'll use a given computer for one shot, then move on to another computer for the next shot.
Here's an example. One of my sites received a steady stream of 3,496 bogus login requests over a 56-hour period (about 60 per hour) in early January, 2016. The attack came from 2,019 different IP addresses. 1,260 (36%) of the IPs were used only once. Just 3 addresses were used more than 10 times. The most used address only made 15 requests!
Filtering by the first two or three octets of the IP space doesn't get you anything either.
Item | Quantity | Used 1x | Used > 10x | Maximum Used |
---|---|---|---|---|
Unique IPs | 2,019 | 1,260 | 3 | 15 |
Unique First 3 Octets | 1,651 | 871 | 9 | 17 |
Unique First 2 Octets | 744 | 191 | 71 | 80 |
Passwords | 1,191 | n/a | 0 | 4 |
User Names | 3 | n/a | n/a | n/a |
The attacker's control server picks three likely user names ("administrator", "admin", and the blog's name) and one password, then tells three bots to each try one combination. Then the control server picks another password and has three other bots try those combinations. Rinse and repeat.
I noticed this trend because I'm the author, and user, of the Login Security Solution WordPress plugin. Fortunately, LSS is set up to catch these kinds of attacks by monitoring any combination of IP address (including IPv6), user name, or password. All of the other brute force plugins I've looked at only watch for IP addresses.
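To show why counting per IP misses this pattern while counting per user name or per password catches it, here is an added example (my own illustration, not code from the Login Security Solution plugin or from the post) that tallies failed logins across several dimensions; the log entries, the threshold, and the salt are constructed.

```python
"""Count failed logins by IP, by network prefix, by user name and by
password fingerprint, then report which keys cross a threshold.
Added example; not the Login Security Solution plugin's code."""
import hashlib
import ipaddress
from collections import Counter

# Constructed sample: one password guessed from three disposable bots, then
# the next password from three different bots, as described in the post.
# IPv4 addresses come from the RFC 2544 benchmarking range, IPv6 from the
# RFC 3849 documentation prefix; none of them is a real attacker.
SAMPLE_ATTEMPTS = [
    ("198.18.1.10",   "admin",         "Password1"),
    ("198.18.2.7",    "administrator", "Password1"),
    ("2001:db8:1::7", "exampleblog",   "Password1"),
    ("198.18.4.77",   "admin",         "letmein"),
    ("198.18.5.9",    "administrator", "letmein"),
    ("198.18.6.2",    "exampleblog",   "letmein"),
    ("198.18.7.130",  "admin",         "qwerty123"),
    ("198.18.8.200",  "administrator", "qwerty123"),
    ("2001:db8:2::9", "exampleblog",   "qwerty123"),
]
SALT = b"constructed-site-salt:"  # assumption: a per-site secret

def password_fingerprint(password: str) -> str:
    # Never retain the guessed password itself; a salted hash is enough to
    # notice the same guess arriving from many different sources.
    return hashlib.sha256(SALT + password.encode()).hexdigest()[:16]

def network_prefix(ip: str) -> str:
    """/24 for IPv4, /64 for IPv6 (the 'first three octets' idea)."""
    bits = 24 if ipaddress.ip_address(ip).version == 4 else 64
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))

def count_dimensions(attempts):
    """Return a Counter per dimension: ip, prefix, user, password."""
    by = {"ip": Counter(), "prefix": Counter(),
          "user": Counter(), "password": Counter()}
    for ip, user, pw in attempts:
        by["ip"][ip] += 1
        by["prefix"][network_prefix(ip)] += 1
        by["user"][user] += 1
        by["password"][password_fingerprint(pw)] += 1
    return by

def flagged(attempts, threshold=3):
    """Keys in each dimension whose failed-attempt count reaches threshold."""
    return {dim: sorted(k for k, n in c.items() if n >= threshold)
            for dim, c in count_dimensions(attempts).items()}
```

On the constructed sample, `flagged()` reports nothing for the `ip` and `prefix` dimensions but flags all three user names and all three password fingerprints.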
Hmm.... Insert your favorite closing quip here by sending it to me on Twitter. :)
Here's a fun one... I recently received emails from two tech firms in London. They had a suspicion that the "Daniel Convissor" seeking employment from them was an imposter. The guy put some of my work on his resume. So, yes, they're a fraud.
The fool is using "danielconvissor@gmail.com" to email folks. On January 12th, I filled out Google's Abuse Form. Ten days later, I got another report, so I filled out the form with that information. As of noon on February 1st, the email account is still active.
I sent an email to someone I know who works for The Borg. They found a help page which says "Gmail is unable to participate in mediations involving third parties regarding impersonation." So much for security.
The fraudster is also using the "danny.conv" Skype account. I sent a GPG signed email to Skype detailing the problem. That got an autoreply saying signature.asc doesn't have an allowed file name extension. Sigh. Then they replied that I should use the website to report abuse. So I did. To which they replied with steps on how to report about a hijacked account. Double sigh.
I finally got someone to say that people should use one's Skype client as follows. View the contacts list (or search for a new contact), select the problematic account, and use the "block" option. In the resulting popup, check the "report abuse" checkbox and then submit the form. "If the person is also reported by other Skype users too, his account will be automatically blocked once the number of reports reaches the limit."
So Skype deflects responsibility, but at least they have something.
For the record, I don't have a Gmail account and never will. My email is "danielc@analysisandsolutions.com". My Skype user name is "danielconvissor". If you're ever in doubt, my GPG key is 8FFE1FFC.