OpenBSD Journal

Botnets May Be Learning... to avoid OpenBSD

Contributed by jason on from the paranoia-can-be-fun dept.

ITILGuy wrote in with a reference to Peter Hansteen's blog about coordinated botnets. According to Peter and his colleagues at FreeCode, these distributed brute-force attacks are not only getting better at staying under intrusion-detection thresholds, they also appear to be adapting by avoiding difficult targets such as OpenBSD.

Peter Hansteen is the author of Firewalling with PF, an excellent supplementary text to the OpenBSD PF FAQ.
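The summary above describes campaigns that stay under per-source detection thresholds by spreading attempts over many hosts. The script below is an added example, not code from Peter Hansteen's blog or from the OpenBSD project: it parses sshd "Failed password" lines in the form syslog writes them to an authlog, then counts failures two ways, per source address (what a per-IP rate limit or a simple log watcher sees) and per target username across sources (where the coordinated pattern becomes visible). The log lines, hostname, addresses, pids and thresholds are all constructed for the demonstration; the year added to the syslog timestamps is an assumption since syslog does not record one.

```python
"""Two views of failed SSH logins from OpenBSD-style authlog lines.

Per-source counting is what a per-IP rate limit (or a log watcher keyed
on the client address) sees; a botnet that spreads attempts over many
hosts stays under it.  Counting by target username across sources makes
the same campaign visible.
"""
import re
from collections import defaultdict
from datetime import datetime

# sshd "Failed password" lines as syslog writes them; hostname and pid
# vary and the syslog timestamp carries no year.
FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port \d+ ssh2$"
)

# Constructed sample: one noisy source hammering root, six quiet sources
# each trying admin and root once, and an unrelated successful login.
SAMPLE_LOG = """\
Nov 12 10:00:01 gw sshd[21840]: Failed password for root from 198.51.100.7 port 40110 ssh2
Nov 12 10:00:02 gw sshd[21840]: Failed password for root from 198.51.100.7 port 40110 ssh2
Nov 12 10:00:03 gw sshd[21840]: Failed password for root from 198.51.100.7 port 40110 ssh2
Nov 12 10:00:05 gw sshd[21842]: Failed password for root from 198.51.100.7 port 40112 ssh2
Nov 12 10:00:06 gw sshd[21842]: Failed password for root from 198.51.100.7 port 40112 ssh2
Nov 12 10:00:07 gw sshd[21842]: Failed password for root from 198.51.100.7 port 40112 ssh2
Nov 12 10:01:10 gw sshd[21850]: Invalid user admin from 203.0.113.11
Nov 12 10:01:12 gw sshd[21850]: Failed password for invalid user admin from 203.0.113.11 port 52210 ssh2
Nov 12 10:01:40 gw sshd[21853]: Failed password for root from 203.0.113.11 port 52218 ssh2
Nov 12 10:02:31 gw sshd[21861]: Failed password for invalid user admin from 203.0.113.12 port 41002 ssh2
Nov 12 10:02:59 gw sshd[21863]: Failed password for root from 203.0.113.12 port 41009 ssh2
Nov 12 10:03:44 gw sshd[21870]: Failed password for invalid user admin from 203.0.113.13 port 60114 ssh2
Nov 12 10:04:12 gw sshd[21871]: Failed password for root from 203.0.113.13 port 60120 ssh2
Nov 12 10:05:05 gw sshd[21880]: Failed password for invalid user admin from 203.0.113.14 port 33890 ssh2
Nov 12 10:05:33 gw sshd[21882]: Failed password for root from 203.0.113.14 port 33897 ssh2
Nov 12 10:06:21 gw sshd[21890]: Failed password for invalid user admin from 203.0.113.15 port 48301 ssh2
Nov 12 10:06:50 gw sshd[21891]: Failed password for root from 203.0.113.15 port 48310 ssh2
Nov 12 10:07:38 gw sshd[21899]: Failed password for invalid user admin from 203.0.113.16 port 55002 ssh2
Nov 12 10:08:02 gw sshd[21900]: Failed password for root from 203.0.113.16 port 55011 ssh2
Nov 12 10:09:15 gw sshd[21910]: Accepted publickey for peter from 192.0.2.44 port 50011 ssh2
"""


def parse_failures(lines):
    """Return (timestamp, user, ip) for each failed-password line, in time order."""
    events = []
    for line in lines:
        m = FAILED.match(line)
        if m is None:
            continue  # "Invalid user", "Accepted ..." and other lines are ignored
        # Syslog omits the year; a fixed one (assumed) is enough for ordering.
        ts = datetime.strptime("2008 " + m.group("ts"), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("user"), m.group("ip")))
    events.sort()
    return events


def analyse(lines, window_s=600, per_ip_limit=5, min_sources=5):
    """Flag sources at or over the per-IP limit, then usernames hit from
    many sources that each stayed under that limit within the window."""
    events = parse_failures(lines)
    if not events:
        return {"noisy_sources": [], "distributed_targets": []}
    start = events[0][0]  # one window from the first failure; a daemon would slide it
    window = [e for e in events if (e[0] - start).total_seconds() <= window_s]

    per_ip = defaultdict(int)
    for _, _, ip in window:
        per_ip[ip] += 1
    noisy = sorted(ip for ip, n in per_ip.items() if n >= per_ip_limit)

    # Only sources that a per-IP threshold would never catch count here.
    quiet_sources = defaultdict(set)
    quiet_attempts = defaultdict(int)
    for _, user, ip in window:
        if per_ip[ip] < per_ip_limit:
            quiet_sources[user].add(ip)
            quiet_attempts[user] += 1
    distributed = [
        {"user": u, "sources": len(s), "attempts": quiet_attempts[u]}
        for u, s in sorted(quiet_sources.items())
        if len(s) >= min_sources
    ]
    return {"noisy_sources": noisy, "distributed_targets": distributed}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    print("noisy sources (per-IP view):", report["noisy_sources"])
    for d in report["distributed_targets"]:
        print("distributed: %(user)s from %(sources)d quiet sources, %(attempts)d attempts" % d)
```

On the constructed log the per-IP view reports only 198.51.100.7; the six 203.0.113.x hosts stay at two failures each and would never trip a per-source limit, yet together they hit both admin and root six times inside the window. The per-target view is the one worth alerting on when the per-source counters all look quiet.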



Comments
  1. By Anonymous Coward (213.227.184.100) on

    This is interesting, because previously all UNIX boxes would be treated as targets, the OpenBSD security people would think of something clever, OpenBSD would get stronger, and this would trickle down.

    Now OpenBSD is out of the loop: the other UNIXes must come up with their own security cleverness. If this happens (I'm sure it can), will it trickle down to OpenBSD?

    OpenBSD could be left in a strange situation because of this.

    Comments
    1. By tedu (udet) on


      > Now OpenBSD is out of the loop: the other UNIXes must come up with their own security cleverness. If this happens (I'm sure it can), will it trickle down to OpenBSD?

      No, cleverness invented elsewhere can not trickle down to OpenBSD.

      Comments
      1. By raw foo(d) (80.249.194.29) on

        > No, cleverness invented elsewhere can not trickle down to OpenBSD.

        Yes, it is evident that it can't. Want an example? ZFS.

        Comments
        1. By Anonymous Coward (150.101.245.181) on

          Perhaps the point being made is that security is a result of simplicity, not "cleverness".

          Good ideas can come from anywhere, even proprietary software. Licensing issues aside, the code itself will probably not come from anywhere else - look at the quality of code in OpenBSD and look at the quality of code in other projects. Most projects don't write their code defensively or with simplicity in mind, so OpenBSD devs are going to be far more hesitant at including it.

        2. By Anonymous Coward (59.167.252.29) on

          > > No, cleverness invented elsewhere can not trickle down to OpenBSD.
          >
          > Yes, it is evident that it can't. Want an example? ZFS.

          An isolated case of avoiding something for specific reasons equates to an inability to import cleverness into OpenBSD, period?

          You have options. If you want ZFS, use something else. If you want ZFS in OpenBSD, do it yourself. If you want some ZFS features in OpenBSD, you could wait to see what might happen with HAMMER.

          Trying to put the developers and project down, because they choose to not incorporate ZFS, is not a valid option. It will not get you what you want and only makes you look like an arse.

          Comments
          1. By raw foo(d) (80.249.194.29) on

            You're right. It is an isolated case. I'm not saying *nothing* can trickle down; alas, a lot of it can't because of licensing. We feel that OpenBSD used not much more than a hand-waving argument when deciding not to accept CDDL. In a perfect world I would be as talented and as devoted as Theo. In that case, I'd simply fork OpenBSD--now I'm simply forced to go with the flow and use something else.

            Comments
            1. By Anonymous Coward (59.167.252.29) on

              > You're right. It is an isolated case. I'm not saying *nothing* can trickle down; alas, a lot of it can't because of licensing. We feel that OpenBSD used not much more than a hand-waving argument when deciding not to accept CDDL. In a perfect world I would be as talented and as devoted as Theo. In that case, I'd simply fork OpenBSD--now I'm simply forced to go with the flow and use something else.

              Okay. You continued with the word "can't" but it didn't seem like you were using it with sarcasm.

              In a perfect World, people would do nothing less than appreciate the efforts of those who are happy to give so selflessly.

              Sly remarks about a free system not matching exactly what you want, only serve to be detrimental.

              The project won't budge on licence and their ideals and for that I am glad. I use ZFS at work, but if I don't get it in OpenBSD, that's fine. If I get something better some day in OpenBSD, then brilliant. They have a habit of doing that and it has shown to be worth the wait.

              I sure won't complain about what gets given to me for nothing.

    2. By Bees (84.75.23.135) on

      If I understood the article correctly, we are talking about brute-force password guessing attacks. If OpenBSD is a less interesting target to these attacks, it is not because OpenBSD is more secure, but because OpenBSD users are more paranoid (in a good sense). They have much fewer weak passwords.

      The OpenBSD community is not only hardening their OS, they are also hardening their members.

      Comments
      1. By Anonymous Coward (150.101.245.181) on

        > The OpenBSD community is not only hardening their OS, they are also hardening their members.

        Yeah, I've often considered this to be a byproduct of heavy flaming when clueless users do clueless things. Either they learn, or they leave.

        Comments
        1. By Anonymous Coward (80.37.248.67) on

          This is called sintering. :)

      2. By Anonymous Coward (203.20.78.196) on

        > The OpenBSD community is not only hardening their OS, they are also hardening their members.

        0_o

        Comments
        1. By Anonymous Coward (128.171.90.200) on

          > The OpenBSD community is not only hardening their OS, they are also hardening their members.
          >
          > 0_o
          >

          Hopefully that should scare off intruders.

      3. By Anonymous Coward (216.167.201.130) on

        >they are also hardening their members.

        That's what she said!

  2. By Srikant (122.169.127.46) on

    How sure can we be that the botnet is able to detect that the machine is an OpenBSD one? Good scrub rules in pf cause nmap to miss the OS detection by a mile. Are botnets more thorough than nmap?

    OS detection can be misled in some cases. If OpenBSD starts getting left alone, very soon, other OSes may try mimicking it. I don't know the difficulty level of doing this. But as a result, botnets will drop this privilege given to OpenBSD. We are then back to square zero. So, instead of bothering about who endorses OpenBSD's security, let us just keep our systems secure and sleep well.

    Comments
    1. By Anonymous Coward (212.20.215.132) on

      > But as a result, botnets will drop this privilege given to OpenBSD.
      > We are then back to square zero.

      I think that's square one, but whatever the square, the only thing really
      affected by this is our logs. I'm pretty sure it won't affect my sleep.

      An interesting read, nevertheless.

      Comments
      1. By pepo (190.76.20.225) on

        > > But as a result, botnets will drop this privilege given to OpenBSD.
        > > We are then back to square zero.
        >
        > I think that's square one, but whatever the square, the only thing really
        > affected by this is our logs. I'm pretty sure it won't affect my sleep.
        >
        > An interesting read, nevertheless.
        >

        > the only thing really affected by this is our logs

        LOL

    2. By Anonymous Coward (203.20.78.196) on

      > How sure can we be that the botnet is able to detect that the machine is an OpenBSD one? Good scrub rules in pf cause nmap to miss the OS detection by a mile. Are botnets more thorough than nmap?
      >
      > OS detection can be misled in some cases. If OpenBSD starts getting left alone, very soon, other OSes may try mimicking it. I don't know the difficulty level of doing this. But as a result, botnets will drop this privilege given to OpenBSD. We are then back to square zero. So, instead of bothering about who endorses OpenBSD's security, let us just keep our systems secure and sleep well.

      From: http://www.openssh.org/portable.html

      "Portable releases are marked with a 'p' (e.g. 4.4p1)."

      $ telnet OpenBSD.Host 22
      Trying OpenBSD.Host...
      Connected to OpenBSD.Host.
      Escape character is '^]'.
      SSH-2.0-OpenSSH_5.1
      

      A script could simply skip any server which lacks the 'p' perhaps?

      Comments
      1. By Srikant (210.211.128.226) on

        Thanks for pointing this out.

      2. By Anonymous Coward (2001:1938:30f:dead:21f:3bff:fe03:b159) on

        > How sure can we be that the botnet is able to detect that the machine is an OpenBSD one? Good scrub rules in pf cause nmap to miss the OS detection by a mile. Are botnets more thorough than nmap?
        >
        > OS detection can be misled in some cases. If OpenBSD starts getting left alone, very soon, other OSes may try mimicking it. I don't know the difficulty level of doing this. But as a result, botnets will drop this privilege given to OpenBSD. We are then back to square zero. So, instead of bothering about who endorses OpenBSD's security, let us just keep our systems secure and sleep well.
        >
        > From: http://www.openssh.org/portable.html
        >
        > "Portable releases are marked with a 'p' (e.g. 4.4p1)."
        >
        >
        > $ telnet OpenBSD.Host 22
        > Trying OpenBSD.Host...
        > Connected to OpenBSD.Host.
        > Escape character is '^]'.
        > SSH-2.0-OpenSSH_5.1
        >
        >
        > A script could simply skip any server which lacks the 'p' perhaps?
        >

        This is way too unreliable of a test.

        $ telnet www.kernel.org 22
        Trying 149.20.20.133...
        Connected to www.kernel.org.
        Escape character is '^]'.
        SSH-2.0-OpenSSH_5.1

        $ telnet www.slackware.com 22
        Trying 64.57.102.34...
        Connected to www.slackware.com.
        Escape character is '^]'.
        SSH-2.0-OpenSSH_4.9

        $ telnet www.debian.org 22
        Trying 194.109.137.218...
        Connected to www.debian.org.
        Escape character is '^]'.
        SSH-2.0-OpenSSH_4.3p2 Debian-9etch3

        $ telnet www.ubuntu.com 22
        Trying 91.189.94.9...
        Connected to www.ubuntu.com.
        Escape character is '^]'.
        SSH-2.0-OpenSSH_4.7p1 Debian-12ubuntu1.CAT.8.04

        Comments
        1. By Anonymous Coward (78.21.21.141) on

          > This is way too unreliable of a test.
          >
          > $ telnet www.kernel.org 22
          > Trying 149.20.20.133...
          > Connected to www.kernel.org.
          > Escape character is '^]'.
          > SSH-2.0-OpenSSH_5.1
          >
          > $ telnet www.slackware.com 22
          > Trying 64.57.102.34...
          > Connected to www.slackware.com.
          > Escape character is '^]'.
          > SSH-2.0-OpenSSH_4.9

          Nah, they secretly all run OpenBSD ;-)

          Comments
          1. By Anonymous Coward (129.174.112.141) on

            > > This is way too unreliable of a test.
            > >
            > > $ telnet www.kernel.org 22
            > > Trying 149.20.20.133...
            > > Connected to www.kernel.org.
            > > Escape character is '^]'.
            > > SSH-2.0-OpenSSH_5.1
            > >
            > > $ telnet www.slackware.com 22
            > > Trying 64.57.102.34...
            > > Connected to www.slackware.com.
            > > Escape character is '^]'.
            > > SSH-2.0-OpenSSH_4.9
            >
            > Nah, they secretly all run OpenBSD ;-)

            The main OpenBSD hosting, after all, is on solaris.

            Comments
            1. By Anonymous Coward (85.158.44.149) on

              > The main OpenBSD hosting, after all, is on solaris.

              s/is/was/

              Comments
              1. By Anonymous Coward (81.83.46.237) on

                > > The main OpenBSD hosting, after all, is on solaris.
                >
                > s/is/was/

                Netcraft detects OpenBSD too.
                http://toolbar.netcraft.com/site_report?url=http://www.openbsd.org

            2. By Anonymous Coward (65.93.7.167) on

              > > > This is way too unreliable of a test.
              > > >
              > > > $ telnet www.kernel.org 22
              > > > Trying 149.20.20.133...
              > > > Connected to www.kernel.org.
              > > > Escape character is '^]'.
              > > > SSH-2.0-OpenSSH_5.1
              > > >
              > > > $ telnet www.slackware.com 22
              > > > Trying 64.57.102.34...
              > > > Connected to www.slackware.com.
              > > > Escape character is '^]'.
              > > > SSH-2.0-OpenSSH_4.9
              > >
              > > Nah, they secretly all run OpenBSD ;-)
              >
              > The main OpenBSD hosting, after all, is on solaris.

              *yawn*
              http://openbsd.org/faq/faq8.html#wwwsolaris

        2. By Renaud Allard (renaud) on

          > $ telnet www.kernel.org 22
          > Trying 149.20.20.133...
          > Connected to www.kernel.org.
          > Escape character is '^]'.
          > SSH-2.0-OpenSSH_5.1
          >
          > $ telnet www.slackware.com 22
          > Trying 64.57.102.34...
          > Connected to www.slackware.com.
          > Escape character is '^]'.
          > SSH-2.0-OpenSSH_4.9
          >
          > $ telnet www.debian.org 22
          > Trying 194.109.137.218...
          > Connected to www.debian.org.
          > Escape character is '^]'.
          > SSH-2.0-OpenSSH_4.3p2 Debian-9etch3
          >
          > $ telnet www.ubuntu.com 22
          > Trying 91.189.94.9...
          > Connected to www.ubuntu.com.
          > Escape character is '^]'.
          > SSH-2.0-OpenSSH_4.7p1 Debian-12ubuntu1.CAT.8.04
          >

          What you pointed out is why botnets try to evade OpenBSD hosts, because most OpenBSD administrators care about security. The telnet to port 22 verifying that it shows a "p" in the answer works on most hosts except those where the admin cares about security and changed the source to hide them (although security through obscurity is probably not a good idea). They don't care if it doesn't work with your particular host, as long as it works with 70%-90% of the others. If you took the time to modify the source to not show the "p", then you probably chose a good password too, so it is useless to keep trying on this one with basic attacks.
          In fact, your test really showed how reliable this "p" test is. You checked on 4 of the biggest sites where admins are more than probably very competent and got 50% success.

          Comments
          1. By Anonymous Coward (2001:1938:30f:dead:21f:3bff:fe03:b159) on

            > What you pointed out is why botnets try to evade OpenBSD hosts, because most OpenBSD administrators care about security. The telnet to port 22 verifying that it shows a "p" in the answer works on most hosts except those where the admin cares about security and changed the source to hide them (although security through obscurity is probably not a good idea). They don't care if it doesn't work with your particular host, as long as it works with 70%-90% of the others. If you took the time to modify the source to not show the "p", then you probably chose a good password too, so it is useless to keep trying on this one with basic attacks.
            > In fact, your test really showed how reliable this "p" test is. You checked on 4 of the biggest sites where admins are more than probably very competent and got 50% success.
            >

            An older stock install of openSUSE has "SSH-1.99-OpenSSH_4.6" -- I doubt the SUSE guys patch their sshd specifically to deter `smart' botnets.

      3. By Damien Miller (djm) on http://www.mindrot.org/~djm/

        > "Portable releases are marked with a 'p' (e.g. 4.4p1)."

        Not in the server banner - we stopped doing that a couple of years back.
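The banner rule argued over in this thread is easy to write down and score. The script below is an added example, not code posted by anyone above and not part of OpenSSH: it parses OpenSSH identification banners, applies the "no 'p', so skip it" rule, and scores that rule against the banners quoted in the thread. The labels are an assumption taken from the posters' own claims: OpenBSD.Host is OpenBSD, the four distribution sites and the stock openSUSE box are not. The grab_banner function is there for running the same parse against a live host and is not exercised by the offline sample.

```python
"""Parse SSH identification banners and score the "no 'p' means OpenBSD" rule.

An SSH server sends its identification line before any authentication,
so a scanner can read one line and disconnect.  The rule under test:
treat a banner without the portable-release 'p' suffix as a probable
OpenBSD host and skip it.
"""
import re
import socket

# SSH-<proto>-OpenSSH_<version>[p<n>][ <vendor addendum>]
BANNER = re.compile(
    r"^SSH-(?P<proto>\d\.\d+)-OpenSSH_(?P<version>\d+\.\d+)"
    r"(?P<portable>p\d+)?(?: (?P<addendum>.+))?$"
)


def parse_banner(line):
    """Return the banner's fields, or None if it is not an OpenSSH banner."""
    m = BANNER.match(line.strip())
    if m is None:
        return None
    return {
        "proto": m.group("proto"),
        "version": m.group("version"),
        "portable": m.group("portable") is not None,
        "addendum": m.group("addendum"),  # e.g. Debian's "Debian-9etch3"
    }


def naive_skip(line):
    """The thread's rule: skip the host (assume OpenBSD) when the banner has no 'p'."""
    b = parse_banner(line)
    return b is not None and not b["portable"]


# Banners quoted in the thread, labelled (assumed) with whether the host
# runs OpenBSD according to the posters.
SAMPLES = [
    ("OpenBSD.Host",      "SSH-2.0-OpenSSH_5.1",                             True),
    ("www.kernel.org",    "SSH-2.0-OpenSSH_5.1",                             False),
    ("www.slackware.com", "SSH-2.0-OpenSSH_4.9",                             False),
    ("www.debian.org",    "SSH-2.0-OpenSSH_4.3p2 Debian-9etch3",             False),
    ("www.ubuntu.com",    "SSH-2.0-OpenSSH_4.7p1 Debian-12ubuntu1.CAT.8.04", False),
    ("openSUSE (stock)",  "SSH-1.99-OpenSSH_4.6",                            False),
]


def evaluate(samples=SAMPLES):
    """Count how the rule sorts labelled banners into skipped and targeted."""
    counts = {"skipped_openbsd": 0, "skipped_other": 0,
              "targeted_openbsd": 0, "targeted_other": 0}
    for _, banner, is_openbsd in samples:
        action = "skipped" if naive_skip(banner) else "targeted"
        counts["%s_%s" % (action, "openbsd" if is_openbsd else "other")] += 1
    return counts


def grab_banner(host, port=22, timeout=5.0):
    """Read one identification line from a live host (network; not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while not data.endswith(b"\n") and len(data) < 256:
            chunk = s.recv(256 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace").strip()


if __name__ == "__main__":
    for host, banner, _ in SAMPLES:
        print("%-18s %-48s -> %s" % (host, banner, "skip" if naive_skip(banner) else "target"))
    print(evaluate())
```

On the thread's own data the rule skips the one OpenBSD host but also skips three of the five non-OpenBSD hosts (kernel.org, slackware.com and the openSUSE box), and the only hosts it does target are the two whose vendor addendum already names the distribution. Whether a scanner operator cares depends, as Renaud says, on the hit rate over many hosts rather than on any single one.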

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]