Stopping an Attacker with the Route Reject Command

A user reported that her interactions on one of my servers were "lagging". I was also seeing a very slow responses on the SSH connection I had to that server. I've seen such slow responsiveness previously when the system, which is running Linux, has come under simultaneous attack from several systems conducting an FTP dictionary attack.

During an FTP dictionary attack, the attacker uses a brute-force process to attempt to guess passwords for accounts on the system. The attacker will have a "name" dictionary of names that might be used for accounts on a system, e.g. aaron, abe, abigail, administrator,...zack. The attacker runs through all of the names in the name dictionary pairing each name with words from another dictionary that might be used as passwords. One should never use a password that is a word from a dictionary in any language, since attackers may try different dictionaries, but some users won't understand the danger of picking such passwords. Some even think "why would anyone want access to my account?", so don't worry about picking easily guessed passwords. But by doing so, they give an attacker an opportunity to gain access to a system and, potentially, others data as well as their own.

I use a Perl program, KRIPP, which I modified to allow me to observe the userids and passwords in FTP dictionary attacks. When I started it, I saw that two systems were conducting a brute-force dictionary attack against the system.

ftp password :: frostdragon.com -> 202.123.213.3 :: Administrator :: arja [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Flowers [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Gizmo [F]
ftp password :: frostdragon.com -> 202.123.213.3 :: Administrator :: arjan [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Goalie [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Golden [F]
ftp password :: frostdragon.com -> 202.123.213.3 :: Administrator :: arjen [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Gunner [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Harvey [F]
ftp password :: frostdragon.com -> 202.123.213.3 :: Administrator :: arjeta [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Homer [F]
ftp password :: frostdragon.com -> 202.123.213.3 :: Administrator :: arjun [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Jasper [F]
ftp password :: frostdragon.com -> 202.123.213.3 :: Administrator :: arjunasa [F]

I could see that two systems, 202.123.213.3 and 218.108.235.43 were attempting to guess userids and passwords that would grant them access to the system. Looking up the addresses at the American Registry for Internet Numbers (ARIN), I was referred to the Asia Pacific Network Information Centre (APNIC) . When I checked the addresses there, I found the first one listed as a Hong Kong address and the other address listed as belonging to an organization in Beijing, China.

To stop the attacks, I used the route add <host> reject command

# route add 202.123.213.3 reject

Checking the routing table on the system, I then saw the following:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.123.213.3   -               255.255.255.255 !H    0      -        0 -
66.22.186.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         66.22.186.1     0.0.0.0         UG    0      0        0 eth0

When I then checked for ongoing attacks with KRIPP, I saw only password guessing from the second system, 218.108.235.43.

# ./kripp ftp
Protocols being kripped: ftp
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Kayla [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Killme [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Kittens [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Kombat [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Kristen [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Kristin [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Lennon [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Letter [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Light [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Little [F]
ftp password :: frostdragon.com -> 218.108.235.43 :: Thomas :: Loveme [F]

I then added the IP address of the second attacking system to the routing table, so that all packets from it would be rejected as well, with route add -host 218.108.235.43 reject (when you are telling the system to reject packets from a specicific host address you can specify the IP address with route add <ipaddress> reject or route add -host <ipaddress> reject.

Checking the routing table again with the route command, I then saw the following:

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
202.123.213.3   -               255.255.255.255 !H    0      -        0 -
218.108.235.43  -               255.255.255.255 !H    0      -        0 -
66.22.186.0     *               255.255.255.0   U     0      0        0 eth0
169.254.0.0     *               255.255.0.0     U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         66.22.186.1     0.0.0.0         UG    0      0        0 eth0

When I then ran KRIPP again with ./kripp ftp to look for FTP password guessing, I did not see any activity.

Once the attacking system no longer gets responses, it will likely move on to attacking another system. You can then remove the routing table entry, perhaps after a few hours or the next day, if you wish. The command format to use is route del -host <ipaddress> reject or route del <ipaddress> reject, e.g. route del -host 218.108.235.43 reject

If you omit the reject at the end of the command, you will see SIOCDELRT: No such process.


# route del 218.108.235.43
SIOCDELRT: No such process
# route del -host 218.108.235.43
SIOCDELRT: No such process

In the above case, route del 218.108.235.43 reject would remove the entry.

In addition to the two systems listed above, which I observed conducting FTP dictionary attacks on April 14, 2007, I've also seen recent FTP password guessing attacks from the following IP addresses. All 3 of the attackers listed below were attacking the system at the same time.

FTP Attackers
IP AddressCountry
203.232.244.50Korea
220.196.59.5China
211.161.140.253China

References:

  1. LINUX HOME NETWORKING with IP MASQUARADING and NFS
    Silviu's Page
  2. How do I Drop or block attackers IP with null routes?
    Posted by Vivek
    nixCraft

 

TechRabbit ad 300x250 newegg.com

Justdeals Daily Electronics Deals1x1 px

Valid HTML 4.01 Transitional

Created: Saturday April 14, 2007