There was a recent discussion on the OS X Server list about the recent nature of Distributed Dictionary Attacks. It seems that attackers are getting around defenses like Denyhosts by attacking a huge number of hosts at once such that they try a user/pass on any given host only once every 12 hours or so. Between attempts on your host, any given attacker is busy attacking others -- also once in every 12 hours -- and works its way back to you.
A DDA as described is able to make just as many attempts, but so infrequently on any one host as to never exceed any reasonable limits we might set in Denyhosts. It seems to me that the way to defend against this is to aggregate data from as many (attacked) hosts as possible. If data from multiple attacked hosts showed that an IP address was in fact being used in a DDA, synchronization mode could be used to block it even though it did not exceed any one host's triggers.

Admittedly, it would be a big job to collect data from multiple attacked hosts. It would result in far more data than just the blocked IPs currently sent in via synch mode. The collection point would have to track each reported IP and, at some predetermined trigger count, add that IP to the normal Denyhosts synch list.

Sound feasible? Discuss!

_______________________________________________
Denyhosts-user mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/denyhosts-user
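The collection point sketched in the post, as an added example that is not part of the original message and not Denyhosts code: every participating host forwards each failed sshd login it sees, and the collector puts an IP on the shared synch list once that IP has been reported by enough *distinct* hosts inside a time window, which is exactly the signal a per-host Denyhosts threshold cannot see. The host names, IP addresses, the 4-distinct-hosts trigger, the 48-hour window, the per-host limit of 5 and the sample log lines are all constructed for the example.

```python
"""Cross-host aggregation of failed SSH logins to catch a distributed dictionary attack.

Added illustration, not Denyhosts code. The report format, host names, IP addresses,
thresholds and sample log lines are all invented for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd "Failed password" line as syslog writes it (timestamp, host, pid, message).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse_failed_login(line, year=2009):
    """Return (host, timestamp, attacker_ip) for a failed-login line, else None.
    Syslog omits the year, so the caller supplies it."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return m["host"], ts, m["ip"]


class Collector:
    """Central collection point. Each participating host forwards every failed
    login it sees; an IP goes on the shared synch list once it has been reported
    by `distinct_hosts` different hosts within `window`, even though no single
    host's own threshold was ever exceeded.
    Reports are assumed to arrive in time order (the deque is expired from the front)."""

    def __init__(self, window=timedelta(hours=48), distinct_hosts=4):
        self.window = window
        self.distinct_hosts = distinct_hosts
        self._reports = defaultdict(deque)   # ip -> deque[(timestamp, host)]
        self.synch_list = set()

    def report(self, host, ts, ip):
        q = self._reports[ip]
        q.append((ts, host))
        while ts - q[0][0] > self.window:    # forget reports older than the window
            q.popleft()
        hosts_hit = {h for _, h in q}
        if len(hosts_hit) >= self.distinct_hosts:
            self.synch_list.add(ip)
        return len(hosts_hit)


def peak_single_host_count(reports, host, ip, window=timedelta(hours=24)):
    """What `host` alone would count against `ip`: the largest number of failures
    falling inside any `window`-long span of its own log."""
    times = sorted(t for h, t, i in reports if h == host and i == ip)
    return max((sum(1 for t in times[j:] if t - times[j] < window)
                for j in range(len(times))), default=0)


def _syslog_line(host, ts, ip, user):
    # Constructed sample line in the format parse_failed_login expects.
    return (f"{ts:%b %d %H:%M:%S} {host} sshd[4242]: Failed password for "
            f"invalid user {user} from {ip} port 51022 ssh2")


def build_sample_log():
    """Constructed scenario: one IP rotates through five hosts, touching each
    only every 12 hours over two days; a second IP hammers a single host."""
    hosts = ["mail", "www", "files", "calendar", "wiki"]
    start = datetime(2009, 12, 10, 0, 0, 0)
    lines = []
    for round_ in range(4):                       # 4 rounds x 12 h = 48 h
        for k, host in enumerate(hosts):
            ts = start + timedelta(hours=12 * round_, minutes=5 * k)
            lines.append(_syslog_line(host, ts, "203.0.113.7", f"user{round_}"))
    for n in range(6):                            # classic single-host brute force
        ts = start + timedelta(hours=3, seconds=10 * n)
        lines.append(_syslog_line("mail", ts, "198.51.100.9", "admin"))
    return sorted(lines, key=lambda l: parse_failed_login(l)[1])


def run(per_host_limit=5):
    """Feed the sample log through both views and return what each would block.
    `per_host_limit` stands in for a per-host Denyhosts-style threshold (an
    assumed value for the example, not the tool's actual default)."""
    reports = [r for r in map(parse_failed_login, build_sample_log()) if r]
    collector = Collector()
    for host, ts, ip in reports:
        collector.report(host, ts, ip)
    hosts = {h for h, _, _ in reports}
    ips = {i for _, _, i in reports}
    blocked_per_host = {ip for ip in ips for h in hosts
                        if peak_single_host_count(reports, h, ip) >= per_host_limit}
    return {"per_host": blocked_per_host, "aggregated": collector.synch_list}


if __name__ == "__main__":
    print(run())
```

Running it shows the two mechanisms catching different attackers: the rotating IP never reaches the per-host limit at any one host (at most two failures in any 24 hours), but the collector lists it the moment the fourth distinct host reports it; the single-host brute forcer trips the per-host limit and, having hit only one host, is left to that host's own Denyhosts. Triggering on distinct hosts rather than on a raw report count is the point: a raw count aggregated across many hosts would mostly reproduce what each host already knows, whereas one IP touching many unrelated hosts at a low rate is the DDA signature the post describes.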
