The Hail Mary Cloud And The Lessons Learned

Video in TIB AV-Portal: The Hail Mary Cloud And The Lessons Learned

Formal Metadata

Title: The Hail Mary Cloud And The Lessons Learned
Subtitle: The Future Of Botnets: Low Intensity, Distributed
License: CC Attribution 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

Abstract

There was a time when brute force attacks were all rapid-fire and easily blackholed on sight. That changed during the late 2000s. The low-intensity, widely distributed password-guessing botnet dubbed "The Hail Mary Cloud", which made its debut in 2007, was remarkable for three things:

- the service it targeted was SSH, an almost exclusively Unix-ish phenomenon
- the glacial pace of attack from each of the participants
- the apparent stay-below-the-radar profile

Against ridiculous odds, and eventually even some media focus, the botnet apparently thrived for several years. This session presents the known facts as seen by an early observer, proceeds to an analysis of the patterns observed during the various encounters with the phenomenon, and draws conclusions that may have implications for current detection and prevention strategies, along with points to remember when formulating future approaches to network security.
I guess this is the the talks to abstract was they what we're seeing was it was distributed password guessing botnets something was you and we saw several and several other of sorts to for several years it's possible that the activity may have started as early sometimes 2007 on but the you the 1st recorded or the beta-release history that have popped from late 2008 and but this restriction is already online uh and you can read it as links to to all that are so if you wanna run your own analysis that's was fine but and fortunately the you know the data is not really extensive consultation with from a handful of machines obviously basically because these were being the log files also allowed to grab 1 of my own genes and and then with nobody else has jurisdiction over the although so with the what we're seeing or is it really the decentralized all over diffusion blogs and so basically what we is that it will become clear after a while as presented proces why this was so new and lots of was frustrating at 1st on I suppose everyone here has something that listens on port 22 his invention that somewhere on the who hasn't got 1 police on a set of we do it all over the years probe that's in the area of education what what is the this is the classic 1 city of somebody comes in really quick and goes for those for the the big 1 that straight away fruit and more fortunately the technology listen when I use was came to our rescue pretty quick what would be it's accurate is worth trying to do so rapidly what try whether user names hold you that's where they help us without additional somewhere thank you going until you break in and you have a problem so but anyway they FIL diffusion brute-force attack we use the law the frequency of while several attacks per 2nd or very close this proposed space so wishes and guess what might you ever interfacing with this this is your In response to that on rules here basically have you have a table of the willful like the addresses and that 
comes from a member of the table is blocked and got the near past rule that says basically the success of parameters for 40 years incoming intervals behavior a reality necessary connections from 1 host to hundreds of you you would not want to see an abundance stage sessions 2 to 1 host but while this eliminates the coming in at a rate of 15 cents per 5 seconds I think that's roughly of of 1st 2nd type anyway so I but of manageable what myself with these exact rules and when and when do it and the host that exceeds any of these limits is thrown into the report table or you will get blocked and for group that must be flushable accessibility levels problem solved and those who missed was a general the general mechanism you can apply similar techniques to to and services related but not to as a so if you're stuck with you would use of this all linear would not get the knowledge you would not have stuff like that might number connection with and well you know the usual IT tables words and of course on religion and Linux you would need a separate set of rules of procedure for beyond 6 tables on I and about this is going to do whatever I soon something the so the proprietary products for all that something the or is probably implementable some somehow but the I really don't know but anyway the nutrition brute force attack was solved problem what you just wanna should very but a little Chalukya looks at no what happened in November 2008 was I had the opportunity for solutions all year long and we can see the the actual loss here is the 1 looks like what happens here sequence of attempts at 1 specific use use so in and we have someone 15 different hosts trying once women will not abandon which was out this ever come from all over you can see the timing here frequency to all the so what the world will be upon that by what can make no 1 will oval table rules to block him so I was kind of 1st frustrating so I will my in his and he direction was course the and again what's so 
on really I'm a strong believer while I was strongly remind that the village where pupils what these which of course failed miserably on people for the obvious reason would look at that will something that happens twice within an hour just 1 match and so on the right all the words coming and people were never has been the use really isn't any of my boxes for example the but looking at what was seen I came up with what this is probably the this like long you have a bunch of machines to control from somewhere and you have tried 1 time each 1 player on the radar so not much like you know all the fresh ones well try and try again but it's distributed and the graph algorithms because of course I and password from whatever source you have 3 shows the traveling in just started and username and password successful work back for about always with church and this will go on and on Franklin it must have succeeded because of this it this 1st round was somewhat offensive hosts the properties now that grew wild well where equally motivational force for a new interpreted as you got a Unix machine which is a powerful thing really desirable when you tools that against the lesson even here is that if you can get has worked well that will happen now this thing here was for a distributed from a lot of it was about that and the thing that was the idea of the blond you will while and this score in 1st the fact all which will soon written comments the what the do not make the mistake of actually responding uterus letter do not respond to command you will regret it when we the of what was that that was pretty even illustrated but with would you think all of but I message presented commands with all the listed at is what's happening in ways we keep C with just normal is not nothing same thing here rests with the other was a quite a few who set will get we're actually seeing this and the wasn't similar reporter also something like 70 per cent match for the hosts you're don't so some sense 
of what the others but and most of them couldn't but anyway on all the sense was not the 1st of observation and will just kept going I kept collecting but better not much happened really on but also involves of what was going on I want you to be patient and Thailand came back and In the meantime some variants stopped last year's US Sofia and while the that was the lead statistics here MIT almost 30 thousand tents 5 6 thousand 100 different use right is and yet 1100 my views so called what where and when the people of the during the interface we can see from our plots you can refer this but what's the that like is that well then the fact that the password authentication for the most part they cycle through an awful but in ordered but assignment interruptions portable a few hundred times of and again from anything from a few seconds to several minutes between 10 and 1 machine would it is in any of the individual machine would come back at various want to so what if there was nothing more to see there blog posts resentment and go to the right of the people in world yeah also you given that this was sign our most of the of people were were using stuff like the middle of tables you feel bad of run so the rest of the research work in the travel project started working on the function of the you know lists artist from from resource but I don't think they have the running the 1st time that only problem you will was part so it a strange on almost all the war of the were allowed to collect data on what we have no limits but with only previously and of these 2 blocks of zeros and we also have some some little squishy stuff but they wouldn't be running any service anyway and probably wouldn't be regional so but what we're seeing is that they were not trying to be directly in the face of these 2 boxes that crying for the previous about something you the 1st block and 1 that was just with that shows and that while the early years of conclusions was well the is that was the 
question like I think that was well from 1 from Kasey there were probably even distributed through most most countries in the world but I haven't I haven't really that bad and a good number crunching away since strict probably well-distributed the so well Net basically was what happened that have permit reloading certain elements which conflicts and others point we and forcing users to all keys only authentication you our friend John gripper had 4 per cent of the worst ones on and a lot what this look like the what we need is a middle ground but attempts love number of number of times per per day graphed over a number of unique users and so a number of new posts participating is you will start out with a lot of activity and so if you have and it has a peak at the end there emerges when way so by the it's obvious it's obvious that the odds against succeeding were large enough but OK this is probably just mn experiment and they when so and when I got from it was OK a couple celestial what posts possible possibly mean approach to more books and more mature but it's still an my within conference call thought that they came back the with of the root and so yeah well basically 2 thousand 318 atoms route going on to admin and while for what is what i'm saying bigger same basic unit the but if you want to see what it's fairly evenly distributed for the whole point 1st but it's possible to run run through the analysis on the and in fact there have been few academics of content contact and they want to do analysis for some reason I never came back length the and useful and so on and and blog posts about this last of storm and not while people were going court quite as that by basically same same guy said it was positioned moment things were still saying that but there's a people both starting believe that water is actually come here and again it was like I see some recent revisions my works and that people have actually been or what that manage track down some system of a 
lot of fun with posts and was with 1 exception an awareness results machines had a binary 7 times called and this question 5 and that the exact did those ones on what happens and well 1 wasn't sometimes usually world readable world right so convenient place and any lot in and so we again 3 basic lessons they will stay away from DB words you have to use that's versatile watchful it we're meaning anything at but cell it's important and what about this point of starting the yellow people need to internalize properly the fact that prompted through looking gets is about idea that's that's when it now what the the following along as promised would be which were earlier pictures of samples the password rituals cry username and password successful dropped are violent and started to report that the basis of which was instructions good 1 and 1 but currently succeeded and a member of in a number of cases so long for some reason I never many attractive international actual copula 1 it is it's possible it's possible some stored going in the it's really obvious that this was the basic utterance and so just make make this for a little manageable we have this article was listed them and we have we have an 8 sequences person 2008 several into that remind you that the chemical size in 2011 and finally in 2012 on the words some right right you can see your In relates to that and find their work and all of the peak activity as far as personal with a more warming post posts participating money and they just kept coming back I posted a time merchant faced to have a lot in this lasted for it and the really was on so what happened while we were quiet times it's possible way which is the greater attention elsewhere all of were still want to see him all there are getting in and and my uh my machines were offered and it seems to be the of the Dirichlet public the land was going for a and then of of again later on so but for a while I like it was in your and every time I mean to it and the 
ball thing was that the class but for constant members that conference that hit cloud and on you would not believe that I could that phrase use that might look post and instantaneously there were hundreds with hundreds of numerical of experts on Slashdot you wouldn't believe it so they will obviously were very much knowledgeable about how what this question the convention is fun to watch still do not have to go for it so anyway from that of the and return on you see the media because model there is nothing much to do but it will collect data sequence makes some sense of this all again academic started contacting me and above all somebody was 1 of several subsets of like a good PG project but again by the river about loans the last 1 we have the continue was 2012 what kinds of price because of the ways of the Force along but this time they were this was the 1st time for attempting to to do not mind by these boxes the label that this was not the only from 1 of these 2 systems and at 1st I thought that the world fruit but also what we're solution is low on all right but said the triples scripting error gave me wrong better and what was interesting here was that need to the mostly attempts were timed with someone comes at heart and for quite a quite a while the relative to systems of alternating that constant support so that the style of the array are more and more of a society where the work at the somebody somebody the information to be the main source of bloody problem that have been noticed but this is where all the and not that so this this point they're down to 23 hosts and they just 1 way learning and Scott notes for a given that on so so what you do about this well lesson really is common Sense systems administration 1 thing you need to read a lot of really need to set up a robot with a lot there are dozens of good tools that will give something like that I will send you a warning if there's a lot of books 1 attempts for example by In this case a lot some 
pretty much sums the use of many many than 1 around 1 and of course you need to keep a system of head of word 1st is a long while you're using all these two year old and and recent of these you will want you always have the latest organization good on there are a package practice varies a lot from the kwacha with previous years and 1 to the way to go as and we go to a search or just from watching news version as if your system used as something called you know what you're talking about yeah laughter of packages I haven't happened the course will was which is that you right partners in place of configured the configure and there are 2 things as my mission because here will also tell you the truth to essentially conquers lines really wanted from group will in no way can pass through the occasion when training users make generates keys and good thing as well stage mastery city that some kind and what 14 and the answer is so so so it and when he has quarreled it because for 50 bucks and I haven't haven't read is the original 1 of the things of the nature of the by the you don't all of the key management can do that by the way and as practical as well the things listed on the left of the arrow yes yes you need to need what we think of so he so this whole lot less than half the atmosphere was with the all going on you need to make sure that you can secure what's so that so you're not quite hold for you but you're making a lot of history if you have a theory of how you build number of things on the part of the the the present well that sometimes the success of the you also said you have if you think that not only that but the obviously there were at least 5 thousand institutions that got and the preventive itself and we really we we don't know how many total it would with a little more open as consists of men's and little checking each of long probably estimate the told the amount of some of the inflaton time but responsible deleted so this is actually proportion on and 
again for love and keep guessing while back so was hot core encryption guy I was there was no less half of least of something like the 1 result of this restriction I want to that this is a lot so I want to kill him after all after a lot of discussion about the things of beer came up with 1 simple metric and I can understand which is how many bytes would it would be have to get exactly right to get into the system now there is what some a little table use password 1 How many but your password if you don't have that's always not only popular thing to do is run on a on this work well part numbers are limited to this signal 16 bins that value the need to guess 2 bytes for many let's always comes up in the short version of the game that help so that they have to yes but it's still it's extended family each port so essentially you considers all sorts what would metric password I brought Beaulieu uniquely password so that's work and the other against are running and port markers have of least so and the moved to single packets of authorization which gives you what they still have to get the reported as 2 bytes clustering and stuff in effect and most when moving at the interesting side effects going to every sex of your secrets can be shrunk but if you let's say that you are going 1 way in my favorite key only while whatever its strength to give could be some sort color the for 40 years for a strong so what it's you only have to think about what these you the way it is you will have people crying in recent what most new lots of will be there was this list this slow guys where which you get you can effectively blocked a month at the network level so we actually have to the similar things you know yes so the idea was that they have a slide here you can combined several ways methods and this of you use your or an organization also lets you have the effect of education on 1 of which is fairly easy to install true so what are you going to that the last several possible that's 
there and the so to handle occasion it gives you more it's probably go but as a little as so that you can do that now said that had peace if you do this so you probably all pairs of users in in well but as I said you can now not by my by looks book and throw it uses and have all there is for those of you who are several with but I certainly certain tools that require route log in any way as a little secret here you can match on interface so you can be it probably satisfy even the Oracle tools and said but I have allowing past on on your management and said what yet so sometimes we have to so you have all those promise to come back to to work and so the thing is every in this slide David mentioned these episodes of Part 1 of them but virtues 2 suggestions 1 is all I have is likely to rule that will catch that's no it will as you know at 100 part once said well where I think you're probably familiar with the term anyone not familiar with anyway of all formatting is the general idea is that you said something so that the active listening in any ports but if you come content that machine at a predetermined sequence of words it opens up for the accuracy of the traffic comes from when smart some people on it's even possible to implement Port knocking with all the tools and the use of I do not recommend you do it but it's possible and while I will given the change although you use Port Knocking acts as an excuse to not keeping system and I'll tell you what for not it will lead to something important him always at some of the the demon that reads a firewall logs and with your 11 port in close to start with that demonized where your system no way so well that's 1 thing the the other thing is that so early the courts part sentencing 16 bit values so you basically creating another password rumble password it's really really hard to change this probably common to all users of the system and of course the will cater there's that sense any attempt at truck and getting your work 
knocking 6 sequence will be indistinguishable from random network noise you will not know what they're trying until they succeed so I was expecting some protests here Pat but anyway you begin get this course of a year who has worked with very little extra security in my mind but then again but if you have if you mention at least links to the Port Knocking aficionado you will come back and we don't use it good to see that the decision anyway but they were not the elements of the of course acts of what's out there probably somebody's and and but this is a very very common misconception expelled from there was 1 surprise came in on From this year and that was and I wasn't surprised actually on the 1 with the techniques that it was usable same move URIs essentially to listen to 20 to 22 hours and then what should the guy who contact mentoring onset when done that and I could see people from scratch that 1 well although I not necessary and last but things are fine but at the end the and but yeah so basically we're still talking about 16 bit number and will not or will not resources and especially if using an XML so resources it's not that hard to guess it's not that hard skinny so well but anyway that's not is actually when 1st wrote about the hill they rules in few tutorial I created while moving to 2 separate problem won't help it took 2 about 5 years for connections let that of that happening but it's it's that so know the score again the conclusion so for this what with all the media attention to work closely and all the in what might Microsoft people were saying all of us this security this just proves that you have the viruses Linux as well as Asia's using some people like to my mind wrong on the organization maintained as part of all these and you can't find the article anymore configured properly and forget about the passwords you probably do lemma cloud there's so so and so interesting and the but not in the sense that it's distributed computing for malicious 
on sort of like sitting at home and but for for people people so can so well the main lesson here I guess there's lot if you want to keep ahead around but you can do common sense things you're OK if you're running running it touches on Unix the OK on you're up against the fact that computing power is becoming cheaper by the minute and a lot of people do not do do less common sense things and they they will be wounded and they will be part of that mass of machines so trying to trying to use the stuff so on 1 interesting thing what about his presentations press was being you being attacked in exactly the same way large numbers of the hosts guessing passwords fragment counts of WordPress and this is probably the the wave of the future massively distributed text on the page thing is your your thousand dollar machine is usable for other things so that there will be a little bit becoming for you and you have to really have to be aware that you are you unitary for a while and haven't seen the intervals less but backs but the mean the note there so what are the main conclusion is that as long as you have many systems probably like you know what they are really only keeps start running that you have running and you keep watching lots were republican so well against the conclusions were all that well I wonder what's scandalous it's just that it was not and just not a few days in system and like again so any questions this was the 1st to something that we in the history of the world rests on the of here in keeping track of of that previously to so that she is taken off of life and most of the place the same the true focus on this is because we have a customer who was it is still in denial but they don't know how much you would i'm because they we installed the machine from the you repeatedly all come from the media but the only please make this year and consistent with the necklaces and just what's the point in the fields that primarily in the that obviously read what was was 
was strictly reading your that you 1 thank you so you the good OK what is going have In this going on what most of the other 1 the this is of what things I like the way you know know this is not it is 1 that comes into 2 hours later yeah yeah that's that's sort of lying on the Lewis 1 attacks on various applications is increasing in Wordpress were just we just guess who's next you 1 thing there's no at all going yeah yeah purposes because basically come come in under the radar and know it's we're unity and I subjected dotted was lots of different things a lot of the model this still in discussing that and some of the money and you we haven't seen that have had effect of the class and also there were there were a group of people sounds like the the academics were trying to find a pattern of where these emissions can came from maybe deduct some lot logic and how to systematically and so forth and again a simple trick like if they would start with a random sequence instead of an alphabetic sequence problem with that prevailed as well so I just hope they don't find this video online for this the name of the users and the 1 that please don't do this and we I center of that the from the appropriate looking at and I think you will of the you of the problem would be you getting fresh fresh that would be like those are actually participating in the inside of the work of what would you do other things yeah predominantly title the results and on and this is called young you program the lessons in fall that was the and that a copy of that so you can think of it might be interesting in 1 sense but in the 1st of the this context but when you the what we you know what I have is to you just have to do of to try get hold of a copy of that 1 again look what looks looks like most of those copies that were discovered word yeah all Linux with with the groups yes I will work and 1 of its position as online and includes all over a reference to all the articles if you want to that there 
is about 26 was that you can download that just means by any to not use a lot of that phrase final on held that that was so I did not I was very missing that again public so all those young needed money that the so so anyway I only 1000 if you don't this organization comes from of these projects and for there's nobody on on-site here actually selling the stuff that you get only a bus credit card go to 1 of you your else using the the other on the other hospitals and make is heuristic on call for papers and ends in 10 days I'm sure there are people in this room who would have something like % of Malta in September surname although I can hang out with clicks for we think about so that
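The talk contrasts two shapes of SSH password guessing: the classic rapid-fire attack from one host, which a per-source rate limit (the pf `max-src-conn-rate 15/5` plus `overload <bruteforce>` rule described above) stops on sight, and the Hail Mary pattern of many hosts each making one or a few attempts at a glacial pace against the same user names, which that rule never sees because no single source ever exceeds the limit. The script below is an added example written for this page; it is not code from the talk or from its author. It runs both checks over a constructed sshd log: the rate limiter is a log-based approximation of the pf rule (it counts failed-login lines rather than new connections, and the 15-in-5-seconds threshold is taken from the rule as described in the talk), and the campaign detector flags any user name targeted from at least 10 distinct sources where no source made more than 3 attempts. Those two campaign thresholds, the host names and the addresses are assumptions chosen for the demonstration.

```python
"""Two detectors over constructed sshd failure lines (added example).

1. overloaded_hosts: per-source rate limit approximating pf's
   "max-src-conn-rate 15/5, overload <bruteforce>": a source that makes
   more than 15 attempts inside any 5-second window gets flagged.
2. distributed_campaigns: the Hail Mary shape, one user name hit from
   many sources while every source stays under the per-host limit.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog-style OpenSSH failure line; syslog timestamps carry no year.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse(lines):
    """Return sorted (timestamp, user, ip) tuples; non-failure lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Year defaults to 1900; only differences between stamps matter here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    events.sort()
    return events


def overloaded_hosts(events, max_conn=15, window=timedelta(seconds=5)):
    """Sources with more than max_conn attempts in any window (pf max-src-conn-rate 15/5)."""
    by_ip = defaultdict(list)
    for ts, _, ip in events:
        by_ip[ip].append(ts)          # already in time order
    hits = set()
    for ip, stamps in by_ip.items():
        start = 0
        for end, ts in enumerate(stamps):   # sliding window over sorted stamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > max_conn:
                hits.add(ip)
                break
    return hits


def distributed_campaigns(events, min_sources=10, max_per_source=3):
    """User names targeted from >= min_sources IPs with no IP above max_per_source attempts."""
    per_user = defaultdict(lambda: defaultdict(int))
    first_last = {}
    for ts, user, ip in events:
        per_user[user][ip] += 1
        lo, hi = first_last.get(user, (ts, ts))
        first_last[user] = (min(lo, ts), max(hi, ts))
    found = {}
    for user, sources in per_user.items():
        if len(sources) >= min_sources and max(sources.values()) <= max_per_source:
            lo, hi = first_last[user]
            found[user] = {
                "sources": len(sources),
                "attempts": sum(sources.values()),
                "span_seconds": int((hi - lo).total_seconds()),
            }
    return found


# ---- constructed sample log (not a real capture) ----------------------
def _line(ts, user, ip, port):
    return (f"{ts:%b %d %H:%M:%S} gw sshd[4242]: Failed password for "
            f"invalid user {user} from {ip} port {port} ssh2")


_BASE = datetime(2008, 11, 19, 3, 0, 0)
SAMPLE_LOG = ["Nov 19 02:59:58 gw sshd[4200]: Accepted publickey for peter from 192.0.2.10 port 50000 ssh2"]
# Classic burst: one host, 20 guesses at root inside three seconds.
SAMPLE_LOG += [_line(_BASE + timedelta(seconds=i // 7), "root", "203.0.113.7", 40000 + i)
               for i in range(20)]
# Hail Mary shape: twelve hosts, one guess each at admin, four minutes apart.
SAMPLE_LOG += [_line(_BASE + timedelta(minutes=4 * i), "admin", f"198.51.100.{i + 1}", 51000 + i)
               for i in range(12)]


def analyse(lines=SAMPLE_LOG):
    events = parse(lines)
    return overloaded_hosts(events), distributed_campaigns(events)


if __name__ == "__main__":
    blocked, campaigns = analyse()
    print("caught by per-host rate limit:", sorted(blocked))
    print("distributed, invisible to that limit:", campaigns)
```

On the constructed input the burst host is the only one the per-source limit catches, while the twelve `admin` guessers are each one attempt and never trip it; only the per-user aggregation across sources reports them. In a deployment the same per-user view would be fed from the real auth log, and sources it reports can be pushed into the pf table by hand with `pfctl -t bruteforce -T add`, which is the point the talk makes about watching logs rather than relying on the rate-limit rule alone.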