Odd Persistent Password Bruteforcing
This isn't something new, but I think it is often overlooked: "slow and low" password brute forcing.
One of the daily reports I like to look at is password brute force attempts. For more or less "forever", a few networks stick out in these daily reports. The password brute force attempts are not particularly aggressive, with usually less than 10 attempts per day from any particular IP address. The other odd thing is that the accounts being brute forced don't exist, with a heavy focus on "@hotmail.com" accounts.
By far the most aggressive network is 193.201.224.0/22, "Besthosting" in the Ukraine, followed by another Ukrainian network, 91.207.7.0/24 (Steephost).
The top brute forced domains:
gmail.com
outlook.com
zfymail.com <- this domain is associated with many bots/spam messages.
hotmail.com
The intent isn't perfectly clear as the accounts don't exist, and the attempts are not very aggressive (maybe to avoid getting locked out?).
Anybody observing similar attacks and able to figure out what they are after?
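
One way to surface this pattern from authentication logs, as an added example that is not part of the original diary: it groups failed logins by source network and flags networks that stay active over many days while every IP stays under 10 attempts per day and nearly all targeted accounts do not exist. The record format, the /24 grouping, the `min_days` and `min_unknown` thresholds, and the sample events (documentation IP ranges) are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict


def sample_events():
    """Constructed failed-login records: (date, source IP, username, account exists)."""
    events = []
    for day in range(1, 15):  # 14 days of quiet, persistent guessing
        for host in (10, 11, 12):
            for n in range(3):  # 3 attempts per IP per day
                events.append((f"2014-09-{day:02d}", f"198.51.100.{host}",
                               f"user{day}{n}@hotmail.com", False))
    for _ in range(200):  # noisy one-day burst against a real account
        events.append(("2014-09-03", "203.0.113.5", "admin@example.org", True))
    events.append(("2014-09-04", "192.0.2.77", "alice@example.org", True))  # user typo
    return events


def slow_and_low(events, prefix=24, min_days=7, max_per_ip_day=10, min_unknown=0.9):
    """Flag source networks that are persistent, quiet per IP, and aimed at unknown accounts."""
    nets = defaultdict(lambda: {"days": set(), "ip_day": Counter(),
                                "unknown": 0, "total": 0, "domains": Counter()})
    for date, ip, user, exists in events:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        s = nets[str(net)]
        s["days"].add(date)
        s["ip_day"][(ip, date)] += 1
        s["total"] += 1
        s["unknown"] += 0 if exists else 1
        s["domains"][user.rpartition("@")[2].lower()] += 1
    findings = []
    for net, s in nets.items():
        peak = max(s["ip_day"].values())  # busiest single IP on a single day
        if (len(s["days"]) >= min_days and peak < max_per_ip_day
                and s["unknown"] / s["total"] >= min_unknown):
            findings.append({"network": net, "days": len(s["days"]), "peak": peak,
                             "total": s["total"],
                             "top_domain": s["domains"].most_common(1)[0][0]})
    return sorted(findings, key=lambda f: f["total"], reverse=True)


if __name__ == "__main__":
    for f in slow_and_low(sample_events()):
        print(f)
```

In the sample, a per-IP daily threshold alone would pass every address in the flagged network; the signal only appears once attempts are aggregated over days and over the network.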
Comments
Anonymous
Sep 8th 2014
1 decade ago
Anonymous
Sep 8th 2014
1 decade ago
Thanks!
Anonymous
Sep 8th 2014
1 decade ago
Anonymous
Sep 8th 2014
1 decade ago
A few ways to mitigate: captcha, 2FA and geo-blocking.
Geo-blocking was very effective for us; we limit the login page to our country IP range only.
This works because we are not in a big country such as the US or Russia.
Anonymous
Sep 9th 2014
1 decade ago
http://www.reddit.com/r/talesfromtechsupport/comments/2g2jlx/the_socalled_gmail_credentials_leak_and_the/
Anonymous
Sep 11th 2014
1 decade ago