Ho ho hoping you had a hacker free xmas

January 7th, 2015 by

Hack attacks have been all the rage lately, and it got us musing: What does the attack surface look like in Kenyan cyberspace?  In particular, where are the opportunistic attacks coming from, and how prevalent are they?  It’s Christmas, we’re procrastinating, we went and ran some numbers.

Studying FTP, because it’s still 1994: We focus our study on brute-force FTP login/password attempts.  We choose to study FTP because, quite simply, it’s the lowest barrier to entry for script kiddies.  You can download FTP brute force attackers easily and attackers tend to focus on FTP servers because they’re generally regarded to be misconfigured and overlooked.   While it can be argued that FTP is obsolete and insecure it still tends to be popular because it’s simple, familiar and well understood.

The system under analysis: We analysed login attempts on a production system on our network located in Nairobi. It runs FTP for customers with Internet facing websites.  The server hosts over 100 domains.  FTP is provided to allow them to change site content and store and retrieve data files.

We focus on a two week window starting the 1st of Dec 2014 and ending on the 14th of December 2014. In particular, we collect time and space properties of every successful (legitimate) and unsuccessful (illegitimate) login attempt in that period (up until fail2ban kicks in) which we group and analyse at hourly granularity.

Number of successful and unsuccessful logins: Over the fortnight there were approximately 100 legitimate logins in contrast to approximately 3600 illegitimate login attempts.  Notwithstanding that there are a factor of 36 more illegitimate logins than legitimate ones, over the studied period we’re averaging one cracking attempt every 6 minutes.


Fig 1: Login attempts (click for interactive version)

Figure 1 illustrates the attempted login traffic observed at the server.  There is a constant stream of cracking attempts with a peak of 150 attempts in an hour (1 every 24 seconds).  Attempts exhibit periodicity over 2-4 day intervals but there’s always some activity going on at all times.

Country of origin: Figure 2 illustrates the number of unsuccessful login attempts categorised by country of origin.  As seen, the top 3 countries (Ukraine, Russia and China) account for approximately 70% of all login attempts, followed by a long tail making up the additional 30%.  In effect, this graph hints to the fact that the majority of attacks seem to come from organised sources, but proving this point requires further analysis.

Fig 2: Unsuccessful logins by country (click for interactive version)

City of origin: Digging down into origin city of the attacks (Figure 3) there’s a marked difference between the attacks originating out of  different countries.

Fig 3: Failed logins by originating city (click for interactive version)

Fig 3: Failed logins by originating city (click for interactive version)

Russian attacks originate from many different cities — the top 3 cities only account for 21% of all attacks coming from the country.  This hints towards botnet based mechanisms blindly brute force iterating through the IP address space looking for opportunities.   In contrast, 73% of the attacks coming out China and can be traced to 3 origin cities leading credence to the hypothesis of a more organised and systematic attack structure.

The Ukraine exhibits a third distribution in which approximately  50% of all attacks come from 3 origin cities with a long tail for the rest (note, however that we were unable to classify the origin for about 14% of all attacks originating from the Ukraine).

Time of attack: Characterising the top 3 origin countries by time of attack makes the botnet verses organised argument a lot clearer.  Figure 4 provides the cumulative number of logins organised by time for each country.


Fig 4: Failed logins over time (click for interactive version)

A couple of property differences between the attacks originating from the former Soviet Union and China are quite explicit in this visualisation. Firstly, the close mirroring between the behaviour of the Ukrainian and Russian attacks means they are probably part of the same command-and-control structure; they are the same organisational unit.  We’re only seeing a demarcation due to the logical separation of the IP address space issued to the Ukraine and Russia.

Secondly, you can see classic periodic botnet behaviour in the traffic patterns from the Ukraine and Russia.  Most of the login attempts occur over the weekend (Saturday and Sunday) while they lie dormant during the week (possibly to avoid detection on the infected hosts).  Chinese traffic, however, is more insidious, making continual but low-rate login attempts in a bid to avoid detection at the end-host. The steady progress rate of Chinese attacks also signals there is less concern about detection on attacking hosts, indicating dedicated resources.

Logins tried: Finally, we did some analysis on the actual logins tried by the attacking hosts.  In total, the top 5 logins tried were:

Login Attempts
1 [email protected] 1548
2 admin 333
3 test 276
4 user 236
5 [email protected] 149

This is followed by a long tail of logins composed of various transpositions of the domain name and common UNIX and Windows admin role accounts.

In summary: This has been a first-cut casual analysis, done to provide a broad overview of simple attacks occurring in the Kenyan IP space.  While we uncovered some indication of directed attacks (known usernames and passwords being tried) there is no evidence of anything more sinister.  It does, however,  highlight the need for diligence when managing Internet-facing services.  Something that we hope to help with our Managed Services products.

In future we hope to make this a regular feature, providing insights and characterisations of interesting facets in our systems and networks.  We are very interested to hear from you on what you’d like to see covered and encourage your comments and feedback.

Leave a Reply

Your email address will not be published. Required fields are marked *