My site has been under attack from password cracking attempts weekly, sometimes daily. During the past few months I have been on a mission to track down and nail the 'lil ba$tard$ behind it. Here is my story.
-----------
I first experienced a brute force password cracking attempt (a process of submitting thousands of logins and passwords at a private area to try and get lucky) in the fall of 2001. I know quite a bit about security and this one was easy to track down. The dumb ass who tried to crack the passwords wasn't using proxies or anonymizers and presented me with a log file with thousands of lines of evidence. I managed to trace him to a rival site of mine. I found out he was a young whippersnapper, eager to please his boss.
The punishment I dished out was nothing more than having his ISP toast him. I could have done more, I could have sued his boss. But I was lenient then, though not now.
About 3 months later a new 'lil ba$tard arrived on the scene. One night, my site received 10,000s of hits in an hour or so. The logview scripts I have indicated I was getting hit from all over the globe. This is now getting serious.
If you are not aware of password cracking and proxies, here is an analogy.
You have a house. Your house prevents access by locked doors. Anyone with a valid key can open the door and come in your house. In the first case, chummy had 10,000 keys but he used no disguise, he wore no gloves. Each time that door handle rattled, his mug shot was captured, his dabs were recorded for evidence. In the second case, chummy wears a disguise and gloves. First he wears a Mr Potato Head moustache and glasses, he tries a random key. Next he wears a Mr Potato Head hat, he tries another random key....on the 10,000th attempt he's dressed in a Spiderman costume and tries another key. So when it's time to gather evidence all you have is thousands of different eyewitness views of different comic characters. Slim chance of getting the law involved in this one.
So for a while I hung out where the 'lil ba$tard$ hang out. I scanned their forums, I got to know what tools they were using, where they got their Mr Potato Head disguises from and much more. There are things called wwwhack and goldeneye, there are proxy lists - lists of the thousands and thousands of dumb ass administrators out there who have servers set up with open-ended proxies. Anyone can point their browser at the proxy and commit all manner of heinous crimes. All because some dude has set up a Win2k server in proxy mode without knowing who's coming and going through it.
So how do you fight back? How do you stop them?
First I thought of blocking the IP address. But this is futile. Chummy is using a suite of proxies and spoofed IP addresses. In one night a thousand different IPs could be attempting to crack your site. That's 1000 different Mr Potato Heads, Woodys, Buzz Lightyears. What ya gonna do? Ban everyone with moustaches, Stetson-wearing pointy-nosed guys and brick-chinned spacemen? No. Not practical.
First make sure your logging is set to full log mode. If you have access to the custom format then add all the IP address fields you can (CLIENT_IP etc.), but the most important is the X_FORWARDED_FOR field.
In the early days I used to look up the admin of the proxy host and inform them that their proxy is not secure and is being used to launch attacks. I then ask them to check their logs and send me the actual CLIENT_IP so that I could report chummy. One night I spent 5 hours looking up and emailing 200 of the bozos. Some were nice, most never replied, some couldn't speak English.
I had some success with that and it got results. But the ISPs won't want to know from third parties. They insist on seeing the actual firewall logs from your server. Don't give in though. Insist they act, because legal action is pending against them for allowing chummy to continue his dirty deeds after you have informed them.
Once in a while your log files will show valid entries for X_FORWARDED_FOR. This is cool. This is where the stupid administrator (remember him?) has kindly configured his proxy to forward the CLIENT_IP through to your server. Your log files are now filling up with chummy's IP address. Go back to the ISP, send them the logs. The 'lil ba$tard is a piece of freshly cut bread about to be inserted and clamped in a George Foreman Grill.
You have to fight back, you have to go out and find the evidence. The ISPs will respond and toast chummy.
Damage limitation?
I have quite a few ingenious methods to spoil chummy's fun. First you need to structure your private area:
public_html/private or public_html/membersarea
is how most sites are set up. In these subdirectories are the goodies the baddies are trying to get.
Don't follow this format. Subdir it again and have your .htaccess in this and all subdirs:
public_html/private/.htaccess
public_html/private/stuff1/.htaccess
What most crackers aim their tools at is public_html/private. The tool will bombard this dir with user/password combos hoping to try and beat the .htaccess and .htpasswd wherever it is located.
When you are under attack, all you have to do is to rename the public_html/private/.htaccess so that the public_html/private is not secured. Don't worry though, because the subdirs are. Your normal members won't know the difference but chummy's screen is now filling up with thousands of Status 200 codes indicating 'successful logins'. But we fooled him. These are false positives. Once he has put his wiener back in his pants, he tries to login to the private area with one of his 'guessed' passwords but he's in for a shock.
It doesn't take long for chummy to work out how you fooled him. The next stage is to implement a toggling access system when under attack.
Analogy: You're trying to get into a club but the bouncer on the door has a guest list. If you go up to him and show him your ID and your name's down, you're coming in. If you give an invalid name, you go away and come back later with da Mr Potato Head moustaches and a new name. That's the standard procedure as stated above. All it does is tie up your bouncer for a while whilst one person keeps hogging.
What we do now is to make the bouncer appear, and disappear every 30 seconds. When chummy walks up to the club he sees no bouncer, he states his username and password but hears no 'on yer bike, mate' so he assumes the password is valid. He goes in the door but within 30 seconds a bouncer appears requesting ID. Not valid - booted out. Any valid customer is authorised and not bothered again.
This really screws chummy up. He has no idea why this is happening. He does, though, have up to 30 seconds to go in and look around. Is that enough time though to get to all the candy? Probably not.
[edited by: Frank_Rizzo at 11:48 pm (utc) on June 26, 2002]
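As an added example in the spirit of the advice above on full logging and the X_FORWARDED_FOR field (this is not code from the original post), here is a small log scan that counts 401 failures against the protected area per connecting proxy and, where the proxy forwarded it, per real client address, so the report to the ISP can name the right IP. It assumes Apache's combined log format with a quoted %{X-Forwarded-For}i field appended, and the sample lines below are constructed with documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache "combined" format with one extra
# quoted field appended for %{X-Forwarded-For}i; "-" means the header was
# absent (the proxy did not forward the client IP). Not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Jun/2002:22:01:03 +0000] "GET /private/ HTTP/1.0" 401 401 "-" "Mozilla/4.0" "198.51.100.77"
203.0.113.5 - - [26/Jun/2002:22:01:04 +0000] "GET /private/ HTTP/1.0" 401 401 "-" "Mozilla/4.0" "198.51.100.77"
203.0.113.9 - - [26/Jun/2002:22:01:05 +0000] "GET /private/ HTTP/1.0" 401 401 "-" "Mozilla/4.0" "-"
203.0.113.9 - - [26/Jun/2002:22:01:06 +0000] "GET /private/ HTTP/1.0" 401 401 "-" "Mozilla/4.0" "-"
203.0.113.9 - - [26/Jun/2002:22:01:07 +0000] "GET /private/ HTTP/1.0" 401 401 "-" "Mozilla/4.0" "-"
203.0.113.22 - bob [26/Jun/2002:22:02:00 +0000] "GET /private/ HTTP/1.0" 200 2310 "-" "Mozilla/4.0" "-"
203.0.113.40 - - [26/Jun/2002:22:02:01 +0000] "GET /private/ HTTP/1.0" 401 401 "-" "Mozilla/4.0" "198.51.100.77"
"""

# host ident user [time] "method path proto" status bytes "referer" "agent" "xff"
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

def summarize_failures(log_text, protected_prefix="/private/"):
    """Count 401s against the protected area, keyed three ways: by the
    connecting (proxy) address, by the forwarded client address when the
    proxy sent X-Forwarded-For, and which proxies each client came through."""
    by_proxy, by_client = Counter(), Counter()
    proxies_of = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["status"] != "401" or not m["path"].startswith(protected_prefix):
            continue
        by_proxy[m["host"]] += 1
        xff = m["xff"]
        if xff and xff != "-":
            # X-Forwarded-For may carry a chain; the first entry is the origin.
            client = xff.split(",")[0].strip()
            by_client[client] += 1
            proxies_of[client].add(m["host"])
    return dict(by_proxy), dict(by_client), dict(proxies_of)

def reportable(by_client, proxies_of, min_failures=3):
    """Forwarded clients with enough failures to back an abuse report."""
    return {c: sorted(proxies_of[c]) for c, n in by_client.items() if n >= min_failures}

if __name__ == "__main__":
    by_proxy, by_client, proxies_of = summarize_failures(SAMPLE_LOG)
    for client, proxies in reportable(by_client, proxies_of).items():
        print(f"{client}: {by_client[client]} failures via {', '.join(proxies)}")
```

Proxies that never send X-Forwarded-For (203.0.113.9 here) only ever show up in the by-proxy view, which is exactly the case where the thread says you have to go and ask the proxy's admin for their own logs.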
Tracing IPs based on proxies doesn't work well, a pain in the ass. Esp. when dealing out of country, which is where lots of cracking is done from.
Even if proxies are used you still will have numerous attempts from the same IPs. Even if you have the user's physical IP many admins will not give out information, plus you must supply them with log files so keep hold of those.
Have the user login to a page via web-based information by supplying or clicking the OK button; on the next page, if refer != whatever page it's supposed to come from then return to homepage, or use some sort of cookies.
I crack passwords all day long :)~ Security Administration services, ah what a fun job (;
Not easy if your site doesn't use cookies!
The refer != is a good un, but what we are dealing with here is some crackers who don't know what's what. They'll rattle door handles without knowing it's wired to the nearest pylon, is the kitchen of the Chief of Police, or is covered in superglue.
Sometimes, the crackers are not the Feds. They are just a bunch of amateurs who have downloaded a cracking tool and proxy list and they think they are cool.
One thing about who is trying to hit your site. With me, the persons are known. Like some cheesy thriller film where the guy shafting your girlfriend is Zack your highschool best buddy, sometimes the person behind the attacks is someone who frequents the same messageboards as you.