On Thursday 04 December 2008, Steve wrote:
> Simon wrote:
> > Since it is very unlikely that the attacker is targeting you
> > specifically, changing the port number (and removing root access) will
> > very likely stop the attack forever. Though, if the attacker did
> > target you, then you will need some more security tools (intrusion
> > detection, etc...).
>
> I recognise that this doesn't seem to be a targeted attack - but it is
> still frustrating to find that someone has evaded my IP blocking
> strategy... even though they pose only a slightly elevated risk by
> having done so. (Of course, I don't permit root login - that would be
> madness... and, as far as I'm aware, no-one has guessed even a valid
> user name... they're all obscure!)
>
> The thing that strikes me is that, in evading my blocking strategy, they
> clearly identified a bot-net of compromised hosts. With this in mind,
> ideally, I'd like to:
>
> 1. Automatically detect and block all future attacks on all ports from
> all hosts which are involved in this coordinated attack. These hosts
> can't be trusted not to be malicious.
> 2. Somehow inform the administrator of the hosts attacking me (in a
> respectful way) since, I presume, they are unaware that their host is
> involved in the attack.
> 3. Ideally, share this kind of information so that myself and others are
> better protected from bot-net attacks in future.
>
> It's the sort of thing I imagine has already been done - and there's no
> point in re-inventing the wheel.

I recall something similar whereby the attacked machines would automatically
launch an attack on the botnet/spammer to effect a DoS. Then the spammers
complained and the guys who had written the software were forced by the police
to recall it... sometimes I wonder.

Anyway, I'm a bit thin on details - this was all the rage about 4-5 years ago
as a legit way to defend yourself against spam.

What I think is required is a script which will identify the compromised
machine and promptly reformat its MSWindows OS - problem solved. Of course, how
you keep tabs on this tool not being misused is another thing.

--
Regards,
Mick
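The evasion Simon describes (many compromised hosts, each making only a few guesses, so no single source trips a per-IP block) can be detected by counting failed logins across all sources in a time window rather than per source. The following is an added Python example, not code from this thread; the sshd log lines are constructed, and the thresholds, window size and function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sshd log excerpt (not from the thread). Four sources share the
# guesses, so no single IP reaches a per-IP threshold of 3 failures.
SAMPLE_LOG = """\
Dec  4 10:00:01 srv sshd[101]: Failed password for invalid user alice from 203.0.113.5 port 40001 ssh2
Dec  4 10:00:07 srv sshd[102]: Failed password for invalid user bob from 203.0.113.6 port 40002 ssh2
Dec  4 10:00:13 srv sshd[103]: Failed password for invalid user carol from 203.0.113.7 port 40003 ssh2
Dec  4 10:00:19 srv sshd[104]: Failed password for invalid user dave from 203.0.113.8 port 40004 ssh2
Dec  4 10:00:25 srv sshd[105]: Failed password for invalid user erin from 203.0.113.5 port 40005 ssh2
Dec  4 10:00:31 srv sshd[106]: Failed password for invalid user frank from 203.0.113.6 port 40006 ssh2
Dec  4 10:00:37 srv sshd[107]: Failed password for invalid user grace from 203.0.113.7 port 40007 ssh2
Dec  4 10:00:43 srv sshd[108]: Failed password for invalid user heidi from 203.0.113.8 port 40008 ssh2
Dec  4 10:00:49 srv sshd[109]: Accepted publickey for mick from 198.51.100.9 port 50000 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def parse_failures(log, year=2008):
    """Return (timestamp, source_ip) for every failed login, oldest first."""
    out = []
    for line in log.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog timestamps carry no year, so the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append((ts, m["ip"]))
    return sorted(out)

def per_ip_offenders(failures, threshold=3):
    """Classic per-source blocking: flag IPs with at least `threshold` failures."""
    counts = Counter(ip for _, ip in failures)
    return {ip for ip, n in counts.items() if n >= threshold}

def coordinated_offenders(failures, window=timedelta(minutes=5),
                          min_total=6, min_hosts=3):
    """Flag every source in any window with >= min_total failures over >= min_hosts IPs."""
    flagged, end = set(), 0
    for start in range(len(failures)):  # sliding window over time-sorted failures
        while end < len(failures) and failures[end][0] - failures[start][0] <= window:
            end += 1
        burst_ips = [ip for _, ip in failures[start:end]]
        if len(burst_ips) >= min_total and len(set(burst_ips)) >= min_hosts:
            flagged.update(burst_ips)
    return flagged
```

On the sample, `per_ip_offenders` flags nothing (two failures per host), while `coordinated_offenders` flags all four participating hosts; the set it returns is what you would feed to a firewall block list or to abuse reports for the hosts' administrators.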