I'm running into a similar situation with a small FTP server we use. It's
mostly an annoyance, but I limit to 5 concurrent connections, and one hacker
opened up multiple threads using all 5 connections, locking out my legitimate
clients.
Anonymous logins are not allowed, obviously.
I'm working on a VB application that scans the FTP log tallying up failed
login attempts by IP. It then checks if an offending IP is already in the
directory security table and adds it if not there. Different hackers take
different approaches as I mentioned. Some try every 6 seconds, others really
hammer away, for hours on end.
The application is still pretty rough around the edges right now. The
variables are the scan interval (I use 60 seconds) and the hack attempt
threshold (20 attempts). In a 2-3 month period I have 39 IPs locked out.
--
greg gallager
gallid assoc inc
"Ralph Hulslander" wrote:
> An FTP server is being subjected to a massive (5 hours) login attack.
> Apparently this is a known exploit attempt. Any ideas on how to stop this?
>
> It appears the attack is from hijacked computers as the IP is always
> different.
> It does not do any good to block an IP.
> I cannot use GPO as the user names are legitimate, the passwords are not.
>
> This is on a W2K SP 4 server.
>
> Until I set the Event Log to overwrite, this was definitely a denial of
> service attack;
> now my server handles the attack, but it is using resources to acknowledge
> each login request.
>
> Anyone have a script to turn off FTP for a minute? I believe if the login
> request were not acknowledged
> the attacking script would give up and go look for someone else.
>
> Thanks for any help.
> Ralph
> --
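
The log-scanning approach described in the reply above, sketched in Python as an added example; it is not the poster's VB application. It assumes a W3C extended log with `c-ip`, `cs-method` and `sc-status` columns and FTP reply 530 for a rejected password; the function names are hypothetical and the sample records are constructed.

```python
from collections import Counter

THRESHOLD = 20  # failed logins per scan before an IP is listed (value from the post)

def _attempts(ip, n, status="530"):
    """Build n constructed PASS records for the sample log."""
    return [f"02:10:{i:02d} {ip} [1]PASS - {status}" for i in range(n)]

# Constructed sample (assumed log layout; addresses are documentation ranges).
SAMPLE_LOG = "\n".join(
    ["#Version: 1.0", "#Fields: time c-ip cs-method cs-uri-stem sc-status"]
    + _attempts("203.0.113.7", 25)         # over threshold, not yet blocked
    + _attempts("198.51.100.9", 30)        # over threshold, already blocked
    + _attempts("192.0.2.44", 3)           # a user mistyping a password...
    + _attempts("192.0.2.44", 1, "230")    # ...who then logs in
    + ["02:11:00 truncated"])              # malformed record

def failed_logins(log_text):
    """Count rejected PASS commands (reply 530) per client IP."""
    fields, counts = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order is declared in the log itself
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                       # skip truncated or malformed records
        rec = dict(zip(fields, parts))
        # Strip a leading session id such as "[1]" from the command name.
        command = rec.get("cs-method", "").rsplit("]", 1)[-1].upper()
        ip = rec.get("c-ip")
        if ip and command == "PASS" and rec.get("sc-status") == "530":
            counts[ip] += 1
    return counts

def new_offenders(log_text, already_blocked, threshold=THRESHOLD):
    """IPs at or over the threshold that are not yet in the block list."""
    counts = failed_logins(log_text)
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in already_blocked)

if __name__ == "__main__":
    for ip in new_offenders(SAMPLE_LOG, {"198.51.100.9"}):
        print("add to deny list:", ip)
```

A per-IP tally only catches sources that repeat; an attack spread across many addresses, as in the quoted post, stays under the threshold for each one.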