A long time ago my profession was network security. One tool we used to watch the techniques “black-hats” used to break into networks was called a “honeypot”. You basically put a tempting target on the internet with various types of monitoring on it and waited for someone to try to attack it. The idea was to covertly collect data on what they did and learn from that. Of course this was a game, and each side had to adjust its tactics for hiding or detecting whether something was a trap or a real target.
I have been out of the computer security profession for a long time, and while I enjoy reading and hearing things related to the field it has really turned into science-fiction for me.
So, what is so interesting? Well, in my day if you set up a honeypot it could take a long time, if it happened at all, before you collected any information from it. (And that is not to say that we would even detect a real effort at an intrusion; we would most likely detect only unfocused or unskilled nibbles.) But today, while I was not intentionally setting up a honeypot, I was completely blown away by how fast and unrelenting an attack came.
So now for the more technical things…
At 7:46 AM this morning I opened up an SSH port through my firewall to a virtual machine on my home network. I also had software installed on that VM to alert me of multiple failed SSH login attempts from the same source, as well as IPv4 and IPv6 logging of connections via syslog. (Yes, I am not in the security field anymore, but some of the basic concepts like layers of defense and toolsets are drilled deep into me.) While there is only one account/password combination that can access that VM, and neither the account name nor the password is a default, there is still the risk that the SSH server has a bug that would let it be compromised without my noticing.
(If someone really wants to get into my home network it is pretty much assured that a targeted attack will work. Like I said, this security stuff is getting into science-fiction territory for me and even at the top of my game I know I was second-rate; I think Stuxnet really brought that home for me.)
Why, then, am I surprised? Well, this is not an example of, (as I see it), a targeted attack but one of convenience. What makes it interesting is the speed of the “nibble”.
You see, at 8:05 AM that same day—less than 30 minutes after making the hole—I received my first email that a computer had been “banned” due to multiple failed SSH login attempts. This notification of banned IP addresses has continued throughout the day. Most seem to be from China, (trying to log in as “root”), but a few times computers tagged as from Japan tried to log in as “admin”. My email was—in under 12 hours—filled with violation/banning reports. I should just turn off the hole through my firewall, but it is really interesting because of:
1) How fast this hole was discovered, and
2) How often it is attempted to be exploited.
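The author does not name the software that banned those sources, so here is an added example (not from the original post) of the core of such a tool: it parses sshd “Failed password” lines from syslog, keeps a sliding window of failures per source address, and reports a ban once a source exceeds a threshold inside that window. The log lines are constructed samples using documentation addresses, the year is an assumption (syslog timestamps carry none), and the `iptables`/`ip6tables` rule strings are only generated, not executed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the classic sshd failure line; "invalid user" appears when the
# account does not exist on the host at all.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2$"
)

# Constructed sample syslog excerpt (documentation IP ranges, not real data).
SAMPLE_LOG = """\
Jan 14 07:46:02 vm sshd[811]: Server listening on 0.0.0.0 port 22.
Jan 14 08:04:31 vm sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 14 08:04:33 vm sshd[1203]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 14 08:04:36 vm sshd[1205]: Failed password for root from 203.0.113.5 port 51251 ssh2
Jan 14 08:04:38 vm sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Jan 14 08:04:40 vm sshd[1209]: Failed password for root from 203.0.113.5 port 51260 ssh2
Jan 14 08:04:44 vm sshd[1211]: Failed password for root from 203.0.113.5 port 51271 ssh2
Jan 14 08:20:10 vm sshd[1301]: Failed password for invalid user admin from 198.51.100.7 port 40055 ssh2
Jan 14 08:21:02 vm sshd[1303]: Accepted publickey for ops from 192.0.2.10 port 33000 ssh2
"""


def parse_failures(text, year=2024):
    """Yield (timestamp, username, source_ip) for every failed-password line.

    The year is assumed because syslog timestamps do not include one.
    """
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and other noise are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_bans(text, max_failures=5, window_seconds=600, year=2024):
    """Return [(ip, ban_time, sorted_usernames_tried)] for sources that
    reach max_failures within any window_seconds-long sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    users = defaultdict(set)      # ip -> account names that source tried
    banned = {}                   # ip -> time of ban (a source is banned once)
    bans = []
    for ts, user, ip in parse_failures(text, year):
        if ip in banned:
            continue
        users[ip].add(user)
        q = recent[ip]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures:
            banned[ip] = ts
            bans.append((ip, ts, sorted(users[ip])))
    return bans


def ban_rule(ip):
    """Build the firewall command that would drop the source (string only;
    nothing here runs it). IPv6 sources need ip6tables, IPv4 need iptables."""
    tool = "ip6tables" if ":" in ip else "iptables"
    return f"{tool} -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when, tried in find_bans(SAMPLE_LOG):
        print(f"{when:%H:%M:%S} ban {ip} (tried {', '.join(tried)}): {ban_rule(ip)}")
```

With the defaults (five failures in ten minutes) only 203.0.113.5 is banned, at 08:04:44; the source probing “admin” made two attempts more than ten minutes apart and never trips the threshold, which is exactly the kind of slow probe a window-based rule lets through unless the window is widened.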
My fear is that something I didn’t see has already wormed its way through the hole I left and set up residence on this VM. The good thing about a throw-away VM is that you can just, well, throw it away. Although if that VM were used to launch attacks on other computers it can reach during the time it is exposed, well, like I said, if the attack is that sophisticated there’s not much I could do about it anyway.
But that makes me wonder how much internet bandwidth is consumed by what I am assuming are botnets scanning all possible IP addresses and ports for some treat. This was one computer in 4 billion IPv4 addresses, (I run IPv6 as well, but these nibbles were for sure over IPv4), and one port in 65536 ports, (although I’m sure they only target a handful of those with known vulnerabilities). Even so, that is one heck of a needle in a haystack to find in under 30 minutes. And if a “treat” is found, do they somehow communicate so that all of them focus an attack, or is each of the other “banned” IPs just another botnet finding a potential target on its own?
Science-fiction is pretty real now.