

Ask HN: The unstoppable rise of the botnets - carlesfe

I consider(ed) myself an experienced sysadmin, however, yesterday I left an Asterisk server on my newly created DigitalOcean droplet open to the public. I thought, on a freshly created machine with a brand new IP, I surely can go to sleep and finish the configuration tomorrow.

Today I woke up to the server making calls to countries I didn't even know existed.

It must be the work of a botnet. The server was brand new and Asterisk had only been running a few hours. I didn't make any outgoing requests which could have tracked that the machine was live. My IP can only have been selected randomly and nmap'd mercilessly for an open port, and it was attacked on the only open port, 5060. Hell, if it were a web or SSH server, I could suppose. But a remotely non-standard service like Asterisk?

Botnets may be the business of the next decade, both for the black market and for security analysts. But what can regular sysadmins do to protect against them, besides being cautious?

This leads to the question, is there any reliable data regarding botnets? What are the most common attack vectors? Is there a known IP database of zombie machines so that we can firewall all requests from them?

I'd like some insights extracted from real data so that we can protect ourselves from this plague.
======
MalcolmDiggs
It's a fairly common problem unfortunately. Most of the attacks I've
experienced have been directed at known ports used by popular control panels
(like Plesk, CPanel, etc), they typically hit those ports with brute force
attacks, trying to crack admin passwords and such...and yes these attacks can
happen only minutes after you create the server. I wouldn't be surprised if
Asterisk is on their list. Even if it's a one in a million chance, it's worth
it for them to try.

Remember there are only 4 billion or so IPv4 addresses. That's trivial for a
serious botnet to scan repeatedly. They hit the ports looking for live ones,
and if they catch a bite they double-down on that machine and flood it with
attacks. IPv6 is, of course, many orders of magnitude harder for them to fish
for.

But as far as best practices go... you just can't be too careful. Keep
machines behind a firewall until they're ready to be exposed to the public (if
at all). Using non-standard ports doesn't hurt either.

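A small detector for the brute-force pattern described in this thread, added here as an example and not code from the thread or from Asterisk: it assumes the classic chan_sip NOTICE line for a failed SIP registration, counts failures per source address, and emits DROP rules for offenders (the log lines are constructed, the IPs are documentation ranges, and the threshold is an assumption).

```python
import re
from collections import Counter

# Pattern modelled on chan_sip's classic NOTICE line for a failed SIP
# registration; the sample lines below are constructed for this example.
FAILED_REG = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<from>[^']*)' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.+)$"
)

SAMPLE_LOG = """\
[Mar 10 02:11:03] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Mar 10 02:11:03] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Mar 10 02:11:04] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Mar 10 02:11:04] NOTICE[1234] chan_sip.c: Registration from '"admin" <sip:admin@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[Mar 10 02:11:05] NOTICE[1234] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[Mar 10 02:15:40] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[Mar 10 02:16:01] VERBOSE[1234] chan_sip.c: -- Registered SIP '200' at 192.0.2.44:5060
"""

def failed_registrations(lines):
    """Yield (source_ip, reason) for every failed-registration line."""
    for line in lines:
        m = FAILED_REG.search(line)
        if m:
            yield m.group("ip"), m.group("reason")

def brute_force_sources(lines, threshold=5):
    """Return {ip: count} for sources with at least `threshold` failures."""
    counts = Counter(ip for ip, _ in failed_registrations(lines))
    return {ip: n for ip, n in counts.items() if n >= threshold}

def iptables_drop_rules(offenders):
    """Build DROP rules for the detected sources (returned as text, not applied)."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport 5060 -j DROP"
            for ip in sorted(offenders)]

if __name__ == "__main__":
    offenders = brute_force_sources(SAMPLE_LOG.splitlines())
    print(offenders)
    print("\n".join(iptables_drop_rules(offenders)))
```

A single legitimate user mistyping a password stays below the threshold; only the scanner walking extensions from one address is flagged.
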
------
michaelbuckbee
I suspect known IP address ranges like DO, Rackspace and AWS are more or less
constantly scanned.

