So our FTP server was attacked yesterday...

NathanBWF

Golden Member
May 29, 2003
1,810
0
0
At about 4:15pm yesterday our FTP server came under attack. The IP seemed to originate from the Czech Republic. We had them blocked and things under control in about 5 minutes. This is a first for me, and I am just wondering if there is anyone that I could report this to? I doubt the local Police here could do anything about it.

Anyone else work as an IT Security specialist who could point me in the right direction? Is there anything that I can and should do?
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
what do you define as an "attack"? there are always bots scouring the internet looking for unpatched devices...nothing you can do about it outside of blocking them.

the best offense is a good defense. keep your systems / software up to date and take care of any known vulnerabilities.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Send an email to the abuse@ email for their ISP/connection.

Other than that, stop using FTP.
 

NathanBWF

Golden Member
May 29, 2003
1,810
0
0
Originally posted by: jlazzaro
what do you define as an "attack"? there are always bots scouring the internet looking for unpatched devices...nothing you can do about it outside of blocking them.

the best offense is a good defense. keep your systems / software up to date and take care of any known vulnerabilities.

Basically they opened up about 260 simultaneous connections to our FTP server which caused it to 'hang up'. The server is up to date on all of its patches.
 

NathanBWF

Golden Member
May 29, 2003
1,810
0
0
Originally posted by: n0cmonkey
Send an email to the abuse@ email for their ISP/connection.

Other than that, stop using FTP.

Heh...unfortunately it is used quite a bit by our employees all across North America so it has to stay up...
 

Tarrant64

Diamond Member
Sep 20, 2004
3,203
0
76
We use FTP where I work as well. Nothing wrong with using it.

It looks like you took the right steps in getting it under control quickly. Hey, if you never had to worry about security you wouldn't have a job, right? Not much else you can do.
 

wlee

Senior member
Oct 10, 1999
585
0
71
You could also have your router ban all IPs from outside of North America.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: NathanBWF
Basically they opened up about 260 simultaneous connections to our FTP server which caused it to 'hang up'. The server is up to date on all of its patches.

Sounds like your FTP server needs fixed then, it should allow only as few simultaneous connections as necessary.

Originally posted by: Tarrant64
We use FTP where I work as well. Nothing wrong with using it.

Unless it's a public service there is something wrong with FTP that's not wrapped in SSH or a VPN.
 

NathanBWF

Golden Member
May 29, 2003
1,810
0
0
Originally posted by: Nothinman
Basically they opened up about 260 simultaneous connections to our FTP server which caused it to 'hang up'. The server is up to date on all of its patches.

Sounds like your FTP server needs fixed then, it should allow only as few simultaneous connections as necessary.

We use FTP where I work as well. Nothing wrong with using it.

Unless it's a public service there is something wrong with FTP that's not wrapped in SSH or a VPN.

Very true. I checked and it was set to allow up to 10,000 connections or something stupid like that.

Unfortunately customers do also access parts of the FTP site so we do need to keep it public.
 

n0cmonkey

Elite Member
Jun 10, 2001
42,936
1
0
Read only FTP isn't horrible...

I guess.

Did they attack it from one single IP or from multiple?
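
The connection-limit and single-source questions raised in the posts above, as an added example that is not part of any poster's message and is not tied to a particular FTP server product: it replays constructed connection events to show the peak simultaneous connections per source, and what a total cap alone versus a total cap plus a per-source cap would refuse. The function names, the sample addresses (documentation ranges) and the limits 50 and 5 are assumptions chosen for illustration.

```python
from collections import Counter

def build_sample_events():
    """Constructed events (not from the thread): (time_s, source_ip, conn_id, action)."""
    ev = [(0, "198.51.100.10", "u1", "open"), (30, "198.51.100.10", "u1", "close"),
          (5, "198.51.100.22", "u2", "open"), (40, "198.51.100.22", "u2", "close"),
          (20, "198.51.100.10", "u3", "open")]
    # One source opens 260 connections within three seconds and never closes them.
    ev += [(10 + i // 100, "203.0.113.7", f"x{i}", "open") for i in range(260)]
    return sorted(ev, key=lambda e: e[0])

def replay(events, max_total=None, max_per_ip=None):
    """Replay events through optional limits.
    Returns (peak total open, {ip: peak open}, {ip: refused opens})."""
    accepted = {}                      # conn_id -> source ip
    open_by_ip, peak_by_ip, refused = Counter(), Counter(), Counter()
    peak_total = 0
    for _, ip, conn, action in events:
        if action == "open":
            over_total = max_total is not None and len(accepted) >= max_total
            over_ip = max_per_ip is not None and open_by_ip[ip] >= max_per_ip
            if over_total or over_ip:
                refused[ip] += 1
                continue
            accepted[conn] = ip
            open_by_ip[ip] += 1
            peak_by_ip[ip] = max(peak_by_ip[ip], open_by_ip[ip])
            peak_total = max(peak_total, len(accepted))
        elif conn in accepted:         # ignore closes for refused connections
            open_by_ip[accepted.pop(conn)] -= 1
    return peak_total, dict(peak_by_ip), dict(refused)

def sources_over(peak_by_ip, threshold):
    """Source IPs whose peak simultaneous connections exceed the threshold."""
    return sorted(ip for ip, peak in peak_by_ip.items() if peak > threshold)

if __name__ == "__main__":
    events = build_sample_events()
    peak, by_ip, _ = replay(events)
    print("no limits: peak", peak, "noisy sources", sources_over(by_ip, 10))
    peak, by_ip, refused = replay(events, max_total=50, max_per_ip=5)
    print("with limits: peak", peak, "refused", refused)
```

With only the total cap, the single noisy source fills every slot and the next ordinary user is refused; adding the per-source cap keeps the slots available to other sources.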
 

manowar821

Diamond Member
Mar 1, 2007
6,063
0
0
lol @ internet attacks.

They make everyday networking more interesting.

I was going to say you should turn down the number of allowed connections, but they've already gotten to that point.
 

montypythizzle

Diamond Member
Nov 12, 2006
3,699
0
71
something under the patriot act can let us prosecute them or something like that...
intranets is serious business
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
They have computers in the Czech Republic??!!

Yea, and if people would take their heads out of the US sand and look around once in a while they'd realize that the rest of the world isn't quite as backward and destitute as we think.
 

Sunner

Elite Member
Oct 9, 1999
11,641
0
76
In my experience, trying to get anything done with regards to abuse reporting to most of the "internet third world" is more or less futile.
I've sent a bunch of those mails for a variety of reasons, generally there's either no response at all (this is most common) or some automated response that doesn't really say anything, and nothing more after that.
 

KB24

Member
Jan 31, 2007
59
0
0
even if you block all the IPs they could still mask the IP and get in through there. Right?
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
Originally posted by: KB24
even if you block all the IPs they could still mask the IP and get in through there. Right?

They can't spoof their IP if they want to get any return traffic so it severely limits what they can do. Also, if their ISP's routers are configured semi-correctly they'll only route traffic from their own networks so that would limit the attacker's available source IP ranges. The real problem would be proxies, just about all proxies handle FTP traffic by default so all they need is to find an open proxy to go through and the traffic would appear to come from the proxy instead of them.
 

Fallen Kell

Diamond Member
Oct 9, 1999
6,064
438
126
They don't need to spoof their IPs. Any serious organization will have access to a bot net which is distributed across the entire globe, and could easily just command portions of that network to connect up to your system if others are being blocked.

As for who to report, well, the Secret Service I believe handles problems like this, however, in your case since nothing was stolen or damaged (other than services being down for a period of time), it will be minimally important to them. However, it may still be a good idea to report this as the data may help in other on-going investigations which have been attacked by the same organization (if they hit you, they have probably hit others). And from that standpoint, any bit of data may be helpful.
 