ALERT! Business Thread burte force attacks and deny from - GoFuckYourself.com

mikesouth · 08-18-2008, 03:28 PM

Every so often I get brute force attacks, of course strongbox catches them and diables the IP at which point the cript uses another IP and strongbox disables it....and on and on

My question is...

Is there any value to adding these IPs to the .htaccess file in a deny from

or is that just futility?

TheDoc · 08-18-2008, 03:39 PM

It's not smart to auto deny IP's via .htaccess for members. As an example, Ripe is a huge ISP that you will have brute force attacks on but you also have lots of members using it. One wrong IP block and you could take out a small group of people.

Now, part of the Asia Pac network, if you break the IP's down you can kill out entire countries/cities/regions that you know can't process so no reason to let them be a password leak or a possible attack.

mikesouth · 08-18-2008, 03:44 PM

so these password guessing scripts are forging random IPs

not using a proxy server ?

Due · 08-18-2008, 03:46 PM

Quote:

Originally Posted by TheDoc

Now, part of the Asia Pac network, if you break the IP's down you can kill out entire countries/cities/regions that you know can't process so no reason to let them be a password leak or a possible attack.

There is no such things as countries you can't process from

ladida · 08-18-2008, 03:48 PM

Quote:

Originally Posted by mikesouth

so these password guessing scripts are forging random IPs

not using a proxy server ?

No, they're using proxies.

mikesouth · 08-18-2008, 03:51 PM

so I would assume the proxies have a finite list of IPs they can use so if I block individual IPs wouldnt it eventually run out. This appears to be the same script every time guess at the same list of usernames and passes

mikesouth · 08-18-2008, 03:52 PM

itll go through about 100 guesses then stop

TheDoc · 08-18-2008, 03:58 PM

Quote:

Originally Posted by Due

There is no such things as countries you can't process from

Maybe so, but if you calculate net profit percentages on income earned vs damage produced in some regions, it just isn't worth it to allow the transactions. Which is why I recommend selling the traffic off totally, to someone like you that can process it and handle the members

TheDoc · 08-18-2008, 04:03 PM

Mike, it's not normal proxies, as people think of proxies.

If you start tracking your attacks, use geoip lookup on the ip's and reverse lookup, you will start to see many of the IP's are from hosting companies. The Webmaster has say 20 IP's, and he will rotate through them, like a proxy. You just have to be careful that it isn't also a dial up ISP.

A quick lookup of the hosting company name + spam on google, will let ya know if it's legit or not. From here you can block the entire hosting company, which will lower your overall brute force attacks.

Just make sure you put a notice up that actually tells the people they have been blocked, and if it's an error give them a clean way to contact you so you can unblock the ip.

mikesouth · 08-18-2008, 04:05 PM

Gotcha doc...thanks man that makes sense now

08-18-2008, 03:28 PM	#1
mikesouth Confirmed User Industry Role: Join Date: Jun 2003 Location: My High Horse Posts: 6,334	ALERT! Business Thread burte force attacks and deny from Every so often I get brute force attacks, of course strongbox catches them and diables the IP at which point the cript uses another IP and strongbox disables it....and on and on My question is... Is there any value to adding these IPs to the .htaccess file in a deny from or is that just futility? __________________ Mike South It's No wonder I took up drugs and alcohol, it's the only way I could dumb myself down enough to cope with the morons in this biz.

08-18-2008, 03:39 PM	#2
TheDoc Too lazy to set a custom title Industry Role: Join Date: Jul 2001 Location: Currently Incognito Posts: 13,827	It's not smart to auto deny IP's via .htaccess for members. As an example, Ripe is a huge ISP that you will have brute force attacks on but you also have lots of members using it. One wrong IP block and you could take out a small group of people. Now, part of the Asia Pac network, if you break the IP's down you can kill out entire countries/cities/regions that you know can't process so no reason to let them be a password leak or a possible attack. __________________ ~TheDoc - ICQ7765825 It's all disambiguation

08-18-2008, 03:44 PM	#3
mikesouth Confirmed User Industry Role: Join Date: Jun 2003 Location: My High Horse Posts: 6,334	so these password guessing scripts are forging random IPs not using a proxy server ? __________________ Mike South It's No wonder I took up drugs and alcohol, it's the only way I could dumb myself down enough to cope with the morons in this biz.

08-18-2008, 03:51 PM	#6
mikesouth Confirmed User Industry Role: Join Date: Jun 2003 Location: My High Horse Posts: 6,334	so I would assume the proxies have a finite list of IPs they can use so if I block individual IPs wouldnt it eventually run out. This appears to be the same script every time guess at the same list of usernames and passes __________________ Mike South It's No wonder I took up drugs and alcohol, it's the only way I could dumb myself down enough to cope with the morons in this biz.

08-18-2008, 03:52 PM	#7
mikesouth Confirmed User Industry Role: Join Date: Jun 2003 Location: My High Horse Posts: 6,334	itll go through about 100 guesses then stop __________________ Mike South It's No wonder I took up drugs and alcohol, it's the only way I could dumb myself down enough to cope with the morons in this biz.

08-18-2008, 04:03 PM	#9
TheDoc Too lazy to set a custom title Industry Role: Join Date: Jul 2001 Location: Currently Incognito Posts: 13,827	Mike, it's not normal proxies, as people think of proxies. If you start tracking your attacks, use geoip lookup on the ip's and reverse lookup, you will start to see many of the IP's are from hosting companies. The Webmaster has say 20 IP's, and he will rotate through them, like a proxy. You just have to be careful that it isn't also a dial up ISP. A quick lookup of the hosting company name + spam on google, will let ya know if it's legit or not. From here you can block the entire hosting company, which will lower your overall brute force attacks. Just make sure you put a notice up that actually tells the people they have been blocked, and if it's an error give them a clean way to contact you so you can unblock the ip. __________________ ~TheDoc - ICQ7765825 It's all disambiguation

08-18-2008, 04:05 PM	#10
mikesouth Confirmed User Industry Role: Join Date: Jun 2003 Location: My High Horse Posts: 6,334	Gotcha doc...thanks man that makes sense now __________________ Mike South It's No wonder I took up drugs and alcohol, it's the only way I could dumb myself down enough to cope with the morons in this biz.