NetTalk Central

Author Topic: Just dealt with my first real hacker attack.  (Read 5218 times)

Matthew51

  • Full Member
  • Posts: 152
Just dealt with my first real hacker attack.
« on: February 27, 2019, 03:43:19 PM »
NT 10.36

The hacker could have been hitting our system for up to 10 minutes by the time I got notified to look at it. We don't keep file logging on, so I don't have a record of what he was doing earlier. When I looked at it he was asking for php files as fast as the server would let him. Two WebSocket connections were open, even though our server doesn't even use WebSockets.

My big concern is that he managed to lock everyone else out of the server. Everyone else got a time-out error. Even after I banned his IP no one else could connect; I had to restart the SebServer app (I didn't think to try the restart button).

I'm sorry I didn't manage to collect a lot of information, but this was during our busy time so my focus was on getting things working again asap.

Is there anything we can do to prevent an attacker from locking people out of our server in the future?

Also a feature idea: auto-ban an IP address if it gets too many 404s in a short amount of time. I bet that would limit most probing attacks.

Thanks Matthew
Contractor with 10+ years of NetTalk experience looking for work.
www.linkedin.com/in/matthew-leavitt
BisWare.ca
Check out my free EasyTime Template

Robert Iliuta

  • Sr. Member
  • Posts: 472
Re: Just dealt with my first real hacker attack.
« Reply #1 on: February 27, 2019, 10:31:04 PM »
Hallo Matthew!

Where was the server located? (locally or on a cloud server?) *If locally, what OS do you have and what ports do you have open?
Is your app on port 80 or a different one?
Do you have an SSL certificate?

*Usually they connect through a VPN, so blocking the IP is sometimes not very useful (but it's a step).

Regards,
Robert

Bruce

  • Global Moderator
  • Hero Member
  • Posts: 11251
Re: Just dealt with my first real hacker attack.
« Reply #2 on: February 28, 2019, 02:19:55 AM »
Hi Matthew,

So it's probably worth covering a few of your points there.

a) I prefer not to use the word "attack". It suggests that something was "directed at you" which is unlikely. It's more accurate to think of it simply as a bot finding your server and doing a scan for possible vulnerabilities. It's not personal, it's just normal background traffic on the internet.

b) I doubt very much it was your first. More likely it was the first one so unsophisticated as to attract your attention. I know if I run a server for more than about 30 minutes it will inevitably get some "unwelcome" traffic during that time. Mostly it's just sort of "background noise".

c) It makes no difference if the server is HTTP or HTTPS: any client can ask for any resource from any server at any time. The server may or may not have that resource; that's not important, but any client can ask at any time.

>> The hacker could have been hitting our system for up to 10 minutes by time I got notified to look at it. We don't keep file logging on so I don't have a record of what he was doing earlier.

All he did earlier, and all he did while you were looking, was sending requests. There is nothing intrinsically scary about this. If you do watch your server you'll see it goes on pretty much all day anyway. If anything this probe was really unsophisticated because they went too fast and attracted your attention.

>> My big concern is that he managed to lock everyone else out of the server. Everyone else got a time out error.

This is known as a denial of service attack. Basically it just makes your server so busy that others can't get a request in. It's like a pesky toddler that won't stop saying "mommy, mommy, mommy...."

>> Is this anything we can to to prevent an attacker from locking people out of our server in the future?

It's difficult to prevent denial-of-service (DOS) (and even more so distributed-denial-of-service (DDOS)) because by definition it's hard to differentiate legitimate traffic from illegitimate traffic. DOS is easier to prevent than DDOS.

On the upside they probably weren't trying to DOS you - if they were they would have asked for pages you _do_ have.

>> Also a feature idea:  Auto ban an ip address of it gets too many 404s is a short amount of time. I bet that would limit most probing attacks.

All "banning" schemes come at a cost, and it's worth being very careful that you understand the cost before implementing them. Quite apart from the extra work incurred in tracking incoming requests, and then deciding what constitutes an "attack" and what is just errant behavior - it also has side effects (like performance slow-down) on legit traffic.

I'm not saying it's not possible, but you want to tread _very_ carefully here.
(For example, if you have a style file in your CSS list, or an image file, which does not exist, then your legit customers may be getting 404s behind the scenes. You probably don't want to ban them...)

Cheers
Bruce



Matthew51

  • Full Member
  • Posts: 152
Re: Just dealt with my first real hacker attack.
« Reply #3 on: March 07, 2019, 03:18:19 PM »
I used "real attack" because I don't consider the ones that give up after a handful of 404s real. From what I can tell I get 20-50 404s a day, most of them likely these small probes.

I was thinking about adding code when a 404 is detected, but I couldn't find an embed point that would work. I could add logging to find dead links, as well as look out for people causing problems. Since 404s are less than 0.02% of my regular traffic it shouldn't have a noticeable impact on performance.

Thanks
Matthew
Contractor with 10+ years of NetTalk experience looking for work.
www.linkedin.com/in/matthew-leavitt
BisWare.ca
Check out my free EasyTime Template

Bruce

  • Global Moderator
  • Hero Member
  • Posts: 11251
Re: Just dealt with my first real hacker attack.
« Reply #4 on: March 08, 2019, 05:00:52 AM »
You could add a call to NetBan in the WebHandler in the .SendError method.
The first parameter there (p_ErrorNumber) contains the HTML response code.

p_web.WebServer.Ban(p_web.RequestData.FromIp)

cheers
Bruce
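The auto-ban feature discussed in this thread (Matthew's proposal, Bruce's caveat about legit customers who 404 on a missing CSS or image file, and the SendError hook in reply #4), written out as an added illustrative example. This is stand-alone Python, not NetTalk or Clarion code and not part of the original thread; in a NetTalk app the equivalent `record()` call would sit in the WebHandler's SendError embed, and the ban itself would be the `p_web.WebServer.Ban(...)` call Bruce shows. The log format, IP addresses, paths and the class and function names below are all constructed for the example. The design addresses the caveat with a sliding window plus a threshold (a browser that 404s on three missing assets per page view never gets near it), an allowlist for hosts you never want banned, and a ban that expires so a mistaken ban is not permanent.

```python
"""Sliding-window 404 auto-ban, as illustrative Python (not NetTalk code).

Counts only error responses, so the bookkeeping cost is paid on the rare
404 path and not on every legitimate request.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple


class NotFoundBanTracker:
    """Ban an IP that produces more than `threshold` 404s inside any
    `window_seconds` interval; the ban lasts `ban_seconds`."""

    def __init__(self, threshold: int = 20, window_seconds: float = 60.0,
                 ban_seconds: float = 3600.0,
                 allowlist: Iterable[str] = ()) -> None:
        self.threshold = threshold
        self.window = window_seconds
        self.ban_seconds = ban_seconds
        self.allowlist: Set[str] = set(allowlist)   # office, monitoring, etc.
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._banned_until: Dict[str, float] = {}

    def is_banned(self, ip: str, now: float) -> bool:
        until = self._banned_until.get(ip)
        if until is None:
            return False
        if now >= until:            # ban expired: forget it
            del self._banned_until[ip]
            return False
        return True

    def record(self, ip: str, status: int, now: float) -> bool:
        """Call from the error path with the response code (in NetTalk that
        would be the SendError embed). Returns True only at the moment the
        IP crosses the threshold, i.e. when the caller should issue the ban."""
        if status != 404 or ip in self.allowlist or self.is_banned(ip, now):
            return False
        q = self._hits[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop hits outside the window
            q.popleft()
        if len(q) > self.threshold:
            self._banned_until[ip] = now + self.ban_seconds
            del self._hits[ip]
            return True
        return False


def make_sample_log() -> List[str]:
    """Constructed log lines: '<seconds> <ip> <status> <path>'."""
    lines: List[str] = []
    # A scanner asking for php files once a second, 25 times.
    probes = ["/wp-login.php", "/admin.php", "/phpmyadmin/index.php",
              "/shell.php", "/config.php"]
    for i in range(25):
        lines.append(f"{i} 198.51.100.7 404 {probes[i % len(probes)]}")
    # A legit browser: a page, two missing static assets, another page.
    lines += ["3 203.0.113.5 200 /index.htm",
              "3.2 203.0.113.5 404 /css/old.css",
              "3.3 203.0.113.5 404 /img/missing.png",
              "4 203.0.113.5 200 /orders.htm"]
    # An allowlisted monitoring host hammering a URL that no longer exists.
    for i in range(30):
        lines.append(f"{i * 0.5} 192.0.2.10 404 /healthz-old")
    lines.sort(key=lambda line: float(line.split()[0]))
    return lines


def replay(lines: Iterable[str], **tracker_kwargs
           ) -> Tuple[List[Tuple[str, float]], NotFoundBanTracker]:
    """Feed log lines through a tracker; return (ip, time) of each new ban."""
    tracker = NotFoundBanTracker(**tracker_kwargs)
    banned: List[Tuple[str, float]] = []
    for line in lines:
        ts, ip, status, _path = line.split()
        if tracker.record(ip, int(status), float(ts)):
            banned.append((ip, float(ts)))
    return banned, tracker


if __name__ == "__main__":
    bans, _ = replay(make_sample_log(), allowlist=["192.0.2.10"])
    for ip, when in bans:
        print(f"ban {ip} at t={when}s")
```

With the defaults the scanner is banned on its 21st 404 (t=20s), the browser that missed two assets is untouched, and the allowlisted host is never banned no matter how many 404s it produces; the same 21 probes spread one every five seconds never reach 20 inside a 60-second window, which is the trade-off Bruce describes: a slower probe goes unnoticed, but so do your own customers' stray 404s. Note what this does not solve: it counts only errors, so a flood of requests for pages you do have (the lock-out Matthew saw) is a separate rate-limiting problem, and, as Robert points out, a scanner that rotates through VPN or proxy addresses simply comes back from a new IP.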