
38C3 2024

Day 3: Jared Naude

Power over Ethernet? 🧐

(Photo @leah)


Attack Mining: How to use distributed sensors to identify and take down adversaries by Lars König

Buckle up for a deep dive into the constant battle to protect systems on the internet against adversaries gaining access, and how you can help make the internet a safer place!

🧵


You can get involved by using the data which is available on GitHub, deploying your own attack pod or joining the team to fight against these groups.


Does any of this work? Looking at the statistics, from 264 000 cases:
1) Average take down time is 5 days.
2) China Telecom does not accept abuse reports.
3) Digital Ocean supports XARF and average takedown is 28 hours.
4) Tencent does not care about abuse notification unless it comes from government or law enforcement.


From the data, Lars has created these two diagrams. The first diagram shows where the attacks come from. The second diagram shows the map of IoT devices.


Lars has an idea to create an attacker pod hosted in Docker that would allow attackers to log in, capture the credentials and then deny the logon attempt. This is a scalable solution.

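One way to build the kind of credential-capturing sensor described in this post, as an added example that is not the speaker's code or the project's: a small telnet-style login service that shows a realistic prompt, records every username/password pair together with the peer address, and always answers "Login incorrect". The prompt strings, the listening port (2323) and the JSON record layout are assumptions made here; exercise_locally() spins the service up on a loopback port and drives it with a scripted client so the handler can be checked without exposing anything.

```python
"""Minimal credential-capturing login honeypot (added example, not the speaker's
or the project's code). Every attempt is recorded; no credential is ever accepted."""
import asyncio
import json
import time

LOGIN_PROMPT = b"Login: "           # assumed banner text, mimics a plain telnet login
PASSWORD_PROMPT = b"Password: "
DENY = b"Login incorrect\r\n"
MAX_ATTEMPTS = 3                    # disconnect after this many, like a real login service

captured = []                       # in-memory store; a real pod would ship these records out


def record_attempt(peer_ip, username, password, ts=None):
    """Store one attempt and return the record (constructed format: src_ip/username/password/ts)."""
    rec = {"ts": time.time() if ts is None else ts, "src_ip": peer_ip,
           "username": username, "password": password, "result": "denied"}
    captured.append(rec)
    return rec


def decide(username, password):
    """Honeypot policy: nothing is ever granted, whatever is typed."""
    return False


async def handle(reader, writer):
    peer_ip = writer.get_extra_info("peername")[0]
    try:
        for _ in range(MAX_ATTEMPTS):
            writer.write(LOGIN_PROMPT)
            await writer.drain()
            user = (await reader.readline()).decode("utf-8", "replace").strip()
            if not user and reader.at_eof():
                break                                  # client went away
            writer.write(PASSWORD_PROMPT)
            await writer.drain()
            password = (await reader.readline()).decode("utf-8", "replace").strip()
            record_attempt(peer_ip, user, password)
            assert decide(user, password) is False     # belt and braces: never grant
            writer.write(DENY)
            await writer.drain()
    except (ConnectionError, asyncio.IncompleteReadError):
        pass                                           # scanner dropped mid-session; records are kept
    finally:
        writer.close()
        try:
            await writer.wait_closed()
        except ConnectionError:
            pass


def to_jsonl(records):
    """Serialise records one per line, the shape an abuse-reporting pipeline can consume."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


async def _exercise(creds):
    """Start the service on a loopback port and play a scripted client against it."""
    server = await asyncio.start_server(handle, "127.0.0.1", 0)
    port = server.sockets[0].getsockname()[1]
    start = len(captured)
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    replies = []
    for user, password in creds:
        await reader.readuntil(b": ")                  # consume "Login: "
        writer.write(user.encode() + b"\n")
        await writer.drain()
        await reader.readuntil(b": ")                  # consume "Password: "
        writer.write(password.encode() + b"\n")
        await writer.drain()
        replies.append((await reader.readline()).decode().strip())
    writer.close()
    await writer.wait_closed()
    server.close()
    await server.wait_closed()
    return replies, captured[start:]


def exercise_locally(creds):
    """Synchronous wrapper: returns (server replies, records captured during the run)."""
    return asyncio.run(_exercise(creds))


async def serve(host="0.0.0.0", port=2323):
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Running the file starts the listener; inside a container the port would be published and the JSONL records shipped to the collector that feeds the abuse reports.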

The graph shows a subset that was investigated. This shows 238 unique IPs between Feb and Dec. Each IP scan contains 169 username and password combinations.


Adversaries will often brute force well known usernames (Root, admin, user, test, etc). However, they will also create a list that is specific to a domain and site. The next set of users that are targeted are accounts created by applications that are installed (e.g. postgres).

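The two posts above describe the kind of summary that comes out of the captured attempts: unique source IPs, how many credential pairs each source tries, and which usernames fall into the well-known, site-specific and application-account buckets. The following is an added example of that analysis, not the speaker's code; it reads JSON-lines records with src_ip/username/password fields (a format assumed here) and runs over a constructed six-line sample. The well-known and service-account word lists are illustrative assumptions, and site-specific detection is done by matching tokens the operator supplies for their own domain.

```python
"""Attack-mining summary over honeypot credential logs (added example; not the
speaker's code). Input is JSON-lines, one login attempt per line. Sample is constructed."""
import json
from collections import Counter, defaultdict

# Constructed sample: addresses are from documentation ranges, not real scanners.
SAMPLE_LOG = """\
{"ts": 1707000000, "src_ip": "203.0.113.10", "username": "root", "password": "123456"}
{"ts": 1707000001, "src_ip": "203.0.113.10", "username": "admin", "password": "admin"}
{"ts": 1707000002, "src_ip": "203.0.113.10", "username": "root", "password": "123456"}
{"ts": 1707000003, "src_ip": "198.51.100.7", "username": "postgres", "password": "postgres"}
{"ts": 1707000004, "src_ip": "198.51.100.7", "username": "pi", "password": "raspberry"}
not json at all
{"ts": 1707000005, "src_ip": "192.0.2.44", "username": "example", "password": "example2024"}
"""

# Assumed illustrative lists; extend from your own observations.
WELL_KNOWN = {"root", "admin", "user", "test", "guest", "ubuntu", "pi"}
SERVICE_ACCOUNTS = {"postgres", "mysql", "oracle", "git", "jenkins", "www-data"}
REQUIRED = {"src_ip", "username", "password"}


def parse_log(text):
    """Return the well-formed records; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict) or not REQUIRED <= rec.keys():
            continue
        records.append(rec)
    return records


def classify_username(username, site_tokens=()):
    """Bucket a username the way the talk describes the attacker's wordlists."""
    u = username.lower()
    if u in WELL_KNOWN:
        return "well-known"
    if u in SERVICE_ACCOUNTS:
        return "service-account"
    if any(t.lower() in u for t in site_tokens):
        return "site-specific"
    return "other"


def unique_sources(records):
    return sorted({r["src_ip"] for r in records})


def creds_per_source(records):
    """Distinct (username, password) pairs tried by each source IP."""
    pairs = defaultdict(set)
    for r in records:
        pairs[r["src_ip"]].add((r["username"], r["password"]))
    return {ip: len(s) for ip, s in pairs.items()}


def top_usernames(records, n=5):
    return Counter(r["username"] for r in records).most_common(n)


def category_breakdown(records, site_tokens=()):
    return dict(Counter(classify_username(r["username"], site_tokens) for r in records))


def summarize(text, site_tokens=()):
    """One-shot report: the figures a sensor operator would publish from a capture window."""
    records = parse_log(text)
    return {
        "attempts": len(records),
        "unique_ips": len(unique_sources(records)),
        "creds_per_source": creds_per_source(records),
        "top_usernames": top_usernames(records, 3),
        "categories": category_breakdown(records, site_tokens),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG, site_tokens=("example",)), indent=2))
```

The per-source credential count is the figure that separates a broad scanner (hundreds of pairs per IP, as in the 169-combination scans above) from a targeted probe with a short, site-specific list.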

The speaker investigated these passwords and found devices that were being targeted. One example was a Raspberry Pi in South Korea. The speaker was able to get access to the instance and was able to investigate further by using netstat -apn and pstree -a.


Working with law enforcement is tricky as end users wouldn't know what to do if they receive a notification. Sending letters to ISPs may be helpful but is not scalable to thousands or even millions of reports.
