During an FTP dictionary attack, the attacker uses a brute-force process to attempt to guess passwords for accounts on the system. The attacker will have a "name" dictionary of names that might be used for accounts on a system, e.g. aaron, abe, abigail, administrator,...zack. The attacker runs through all of the names in the name dictionary pairing each name with words from another dictionary that might be used as passwords. One should never use a password that is a word from a dictionary in any language, since attackers may try different dictionaries, but some users won't understand the danger of picking such passwords. Some even think "why would anyone want access to my account?", so don't worry about picking easily guessed passwords. But by doing so, they give an attacker an opportunity to gain access to a system and, potentially, others data as well as their own.
I use a Perl program, KRIPP, which I modified to allow me to observe the userids and passwords in FTP dictionary attacks. When I started it, I saw that two systems were conducting a brute-force dictionary attack against the system.
ftp password :: frostdragon.com -> 202.123.213.3 :: Administrator :: arja [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Flowers [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Gizmo [F] ftp password :: frostdragon.com -> 202.123.213.3 :: Administrator :: arjan [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Goalie [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Golden [F] ftp password :: frostdragon.com -> 202.123.213.3 :: Administrator :: arjen [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Gunner [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Harvey [F] ftp password :: frostdragon.com -> 202.123.213.3 :: Administrator :: arjeta [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Homer [F] ftp password :: frostdragon.com -> 202.123.213.3 :: Administrator :: arjun [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Jasper [F] ftp password :: frostdragon.com -> 202.123.213.3 :: Administrator :: arjunasa [F]
I could see that two systems, 202.123.213.3 and 218.108.235.43 were attempting to guess userids and passwords that would grant them access to the system. Looking up the addresses at the American Registry for Internet Numbers (ARIN), I was referred to the Asia Pacific Network Information Centre (APNIC) . When I checked the addresses there, I found the first one listed as a Hong Kong address and the other address listed as belonging to an organization in Beijing, China.
To stop the attacks, I used the route add <host> reject
command
# route add 202.123.213.3 reject
Checking the routing table on the system, I then saw the following:
# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 202.123.213.3 - 255.255.255.255 !H 0 - 0 - 66.22.186.0 * 255.255.255.0 U 0 0 0 eth0 169.254.0.0 * 255.255.0.0 U 0 0 0 eth0 127.0.0.0 * 255.0.0.0 U 0 0 0 lo default 66.22.186.1 0.0.0.0 UG 0 0 0 eth0
When I then checked for ongoing attacks with KRIPP, I saw only password guessing from the second system, 218.108.235.43.
# ./kripp ftp Protocols being kripped: ftp ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Kayla [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Killme [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Kittens [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Kombat [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Kristen [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Kristin [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Lennon [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Letter [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Light [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Little [F] ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Loveme [F]
I then added the IP address of the second attacking system to the routing
table, so that all packets from it would be rejected as well, with
route add -host 218.108.235.43 reject (when you are telling
the system to reject packets from a specicific host address you can specify
the IP address with route add <ipaddress> reject or
route add -host <ipaddress> reject.
Checking the routing table again with the route command, I then saw the following:
# route Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 202.123.213.3 - 255.255.255.255 !H 0 - 0 - 218.108.235.43 - 255.255.255.255 !H 0 - 0 - 66.22.186.0 * 255.255.255.0 U 0 0 0 eth0 169.254.0.0 * 255.255.0.0 U 0 0 0 eth0 127.0.0.0 * 255.0.0.0 U 0 0 0 lo default 66.22.186.1 0.0.0.0 UG 0 0 0 eth0
When I then ran KRIPP again with ./kripp ftp to look for FTP
password guessing, I did not see any activity.
Once the attacking system no longer gets responses, it will likely move on
to attacking another system. You can then remove the routing table entry,
perhaps after a few hours or the next day, if you wish. The command format
to use is route del -host <ipaddress> reject or
route del <ipaddress> reject, e.g.
route del -host 218.108.235.43 reject
If you omit the reject at the end of the command, you will see
SIOCDELRT: No such process.
# route del 218.108.235.43
SIOCDELRT: No such process
# route del -host 218.108.235.43
SIOCDELRT: No such process
In the above case, route del 218.108.235.43 reject would remove
the entry.
In addition to the two systems listed above, which I observed conducting FTP dictionary attacks on April 14, 2007, I've also seen recent FTP password guessing attacks from the following IP addresses. All 3 of the attackers listed below were attacking the system at the same time.
| IP Address | Country |
|---|---|
| 203.232.244.50 | Korea |
| 220.196.59.5 | China |
| 211.161.140.253 | China |
References:
Created: Saturday April 14, 2007