I hear you knockin’ but you can’t come in.


State-sponsored hacking (in the case of this article, we’re talking about Russian attackers). Regardless of your political views, this is happening, and has been for a long time, but not at the rate and frequency seen in recent months.

At Node-Nine, we have very clearly seen a marked uptick in attempted website intrusions sourced directly from Russian IP space.

While it is trivially simple to obfuscate a source IP, if you happen to live in a country that turns a blind eye to computer attacks aimed at national adversaries, why even bother trying to hide? There is no need to burden yourself with Tor, VPN services, open proxies, proxy chaining, hijacked BGP routes, reflection through third-party routers, or spoofed source addresses (which are only useful for one-way flood traffic anyway; an intrusion attempt against a web server has to complete a TCP handshake, so the address that actually talks to the site is real, or a proxy’s) when the leadership of the country won’t prosecute you for hacking ‘the enemy’ or even acknowledge international extradition requests. There’s just no point in wasting time trying to hide.

While securing websites against the myriad angles of compromise is a complex task, there are a couple of simple steps that can be taken to at least raise the bar above the script-kiddie level nonsense that makes up most of the attack traffic.

  •  Staying Current with Patching

Modern CMSs (content management systems) such as Drupal and WordPress offer some pretty solid mechanisms to keep sites and their components up to date with security and stability patches. There are also CLI tools such as ‘drush’ (Drupal) and ‘wp’ (WP-CLI for WordPress) that allow these operations to be automated.

At Node-Nine, all of our CMS installations not only receive constant proactive monitoring and reporting for any available updates, but also have those patches applied automatically on a scheduled routine, lessening the burden of having to take action every time an update is published.

  • Firewall filtering

Using filter mechanisms as common and simple as iptables can have a significant impact on preventing malicious connections from ever reaching your resources in the first place. Firewalls are sometimes mistakenly seen as ‘silver-bullet’ protection (they are NOT, by the way!!), but by preventing known bad sources from reaching your systems at all, you drastically reduce the attack volume.

At Node-Nine, we have taken the stance of monitoring bad-actor source addresses until they reach our own thresholds of ‘offensiveness’, and then taking action to outright drop connectivity for entire IP blocks, countries, and even entire global regions. While we are staunch supporters of the concept of Internet “openness”, we also deeply understand the legitimate reasons to filter bad actors. In layman’s terms, if you repeatedly keep trying to break in, you’re not welcome.

For example, following a detailed analysis of repeated spam content sources and break-in attempts, coupled with where we expect valid content to ever come from, our mailer systems have all been configured to flat-out drop any connection from APNIC IP space. While at first pass this may feel offensive on various levels, since applying this policy to all our resources we have seen inbound spam reduced by over 80%. We have also seen things such as ssh brute-force scripts reduced by over 60%.

We have unfortunately also decided that Russian IP space requires a similar response. In recent months (mid 2018), we have seen significant levels of attempted website and other service penetrations originating directly from Russian IP space rise well beyond our defined thresholds. Based on GeoIP data sources, we have flat-out dropped any and all traffic from Russian IP space. In order to keep tabs on continued activity, however, we also log continued connection attempts from these netblocks. (GeoIP attribution is approximate and netblocks change hands, so a drop list of this kind has to be rebuilt from current data; those same logs are also where a mis-attributed legitimate source would show up.)

While we will not go into detail here about what firewalls CANNOT protect against, especially in complex web environments, it is important to note that defense-in-depth measures, even basic filters like these, help reduce the attack footprint and the volume of traffic you really don’t want anyway.
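The following is an added example, not Node-Nine’s own tooling, of what the netblock drop described above looks like when expressed as ipset plus iptables rules: an allowlist that is evaluated before any set match, a rate-limited LOG rule so continued attempts from the dropped blocks are still recorded, and DROP rather than REJECT so nothing is sent back. The prefixes are constructed documentation ranges standing in for a GeoIP export; the set name, chain name and allowlist entry are assumptions. The script only generates the commands so it can be reviewed and tested before it touches a live host.

```python
"""Netblock drop rules with an allowlist ahead of the drop, as iptables + ipset.

Added example (not Node-Nine's tooling). The prefixes are constructed
documentation ranges standing in for a GeoIP country export; the set name,
the chain name and the allowlist are assumptions.
"""
import ipaddress
from typing import Dict, List

# Constructed stand-in for a GeoIP export: {set name: [CIDR, ...]}.
# The deliberately overlapping /25 and /26 show the merge step below.
BLOCKED_NETBLOCKS: Dict[str, List[str]] = {
    "geo-drop": ["198.51.100.0/24", "203.0.113.0/25", "203.0.113.0/26"],
}
# Sources that must never be dropped even if GeoIP places them inside a
# blocked region (assumed: our own monitoring host).
ALLOWLIST = ["203.0.113.7/32"]
CHAIN = "GEOFILTER"   # assumed dedicated chain, jumped to from INPUT


def classify(ip: str, blocked=BLOCKED_NETBLOCKS, allow=ALLOWLIST) -> str:
    """Decision the generated rules make for one source address.

    Same order as the emitted rules: allowlist, then the drop sets, then
    fall through to the rest of the INPUT policy ("pass").
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(n) for n in allow):
        return "allow"
    for cidrs in blocked.values():
        if any(addr in ipaddress.ip_network(n) for n in cidrs):
            return "drop"
    return "pass"


def build_rules(blocked=BLOCKED_NETBLOCKS, allow=ALLOWLIST, chain=CHAIN) -> List[str]:
    """Shell commands that load the sets and wire up the chain.

    Nothing is executed here; review the output, then feed it to sh on each host.
    """
    cmds = []
    for name, cidrs in blocked.items():
        # hash:net gives O(1) lookup for thousands of prefixes; one iptables
        # rule per prefix would be evaluated linearly on every packet.
        cmds.append(f"ipset create {name} hash:net -exist")
        cmds.append(f"ipset flush {name}")
        # Merge overlapping/adjacent prefixes so the set stays small.
        for net in ipaddress.collapse_addresses(map(ipaddress.ip_network, cidrs)):
            cmds.append(f"ipset add {name} {net} -exist")
    cmds.append(f"iptables -N {chain} 2>/dev/null || iptables -F {chain}")
    # Allowlist first: RETURN leaves the chain before any set is consulted.
    for n in allow:
        cmds.append(f"iptables -A {chain} -s {n} -j RETURN")
    for name in blocked:
        # Rate-limited LOG keeps evidence of continued attempts without
        # flooding syslog; then DROP rather than REJECT so we send nothing back.
        cmds.append(f"iptables -A {chain} -m set --match-set {name} src "
                    f"-m limit --limit 5/min -j LOG --log-prefix \"{name}: \"")
        cmds.append(f"iptables -A {chain} -m set --match-set {name} src -j DROP")
    # Jump from the top of INPUT so the filter runs before any ACCEPT rule.
    cmds.append(f"iptables -C INPUT -j {chain} 2>/dev/null || iptables -I INPUT 1 -j {chain}")
    return cmds


if __name__ == "__main__":
    for ip in ("198.51.100.9", "203.0.113.7", "192.0.2.1"):
        print(ip, "->", classify(ip))
    print("\n".join(build_rules()))
```

This only covers IPv4; the same shape is needed again with `ip6tables` and `ipset create … hash:net family inet6`, or the IPv6 path into the same hosts stays wide open. Putting your own management and monitoring addresses in the allowlist before the first run is what keeps a GeoIP mis-attribution from locking you out.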

  • Monitored Logging with Automated Actions

Another defense-in-depth mechanism we employ involves triggered actions based on logged activity. While the country- and region-wide filters drastically reduce the “noise floor” of junk attack traffic, we also want to be able to defend against connections coming from places outside those regions, which also catches anyone using the IP obfuscation methods mentioned above. Even if a Russian hacker were to attack via a VPN service, we would STILL drop their connection through automated firewalling once we detect break-in attempts.

Try to brute-force your way into a Node-Nine hosted WordPress site from Russia and you are already blocked outright. Try the same brute force while appearing to source your connection from, say, the US, or Poland, or anyplace else on earth, and as soon as the attack is detected the source address(es) are automatically added to our global network of filters, so the bad actor gets no further than the first handful of packets. We distribute these dynamic filters to all Node-Nine resources, so even the very first offense gets the attacker blocked across everything we do.
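As an added example, not Node-Nine’s detection code, here is the kind of log-triggered ban the two paragraphs above describe: failed logins from sshd and from WordPress are counted per source address over a sliding window, a source that crosses the threshold is turned into an `ipset add … timeout` command that can be pushed to every host, and allowlisted sources never trigger. The log lines are constructed; the threshold, window, ban lifetime, allowlist range and set name are assumptions. One detail worth knowing for the WordPress case: wp-login.php answers a failed POST with a 200 (the form again) and a successful one with a 302 redirect, so a 200 on POST is the failure signal.

```python
"""Sliding-window brute-force detector over sshd and WordPress access logs.

Added example, not Node-Nine's tooling. Log lines are constructed; the
thresholds, allowlist and ipset name are assumptions.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, Iterable, Iterator, List, Tuple

# sshd failure (syslog format) and a combined-log POST to wp-login.php.
SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.:a-fA-F]+) port")
WP_LOGIN = re.compile(
    r'^(?P<ip>[\d.:a-fA-F]+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"POST /wp-login\.php[^"]*" (?P<status>\d{3}) ')

THRESHOLD = 5          # failures ...
WINDOW = 600           # ... within this many seconds -> ban
BAN_SECONDS = 86400    # ipset timeout, so bans expire without manual cleanup
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]   # assumed: our own monitoring range
SET_NAME = "dyn-drop"  # assumed ipset (hash:ip, created with "timeout 0") on every host


def _parse_ts(raw: str, year: int = 2018) -> float:
    """Normalise both timestamp styles to epoch seconds (syslog carries no year)."""
    for fmt in ("%b %d %H:%M:%S", "%d/%b/%Y:%H:%M:%S %z"):
        try:
            dt = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if dt.year == 1900:
            dt = dt.replace(year=year)
        if dt.tzinfo is None:
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.timestamp()
    raise ValueError(f"unparsed timestamp: {raw}")


def failures(lines: Iterable[str]) -> Iterator[Tuple[float, str]]:
    """Yield (epoch, source ip) for every line that counts as a failed login."""
    for line in lines:
        m = SSH_FAIL.match(line)
        if m:
            yield _parse_ts(m["ts"]), m["ip"]
            continue
        m = WP_LOGIN.match(line)
        if m and m["status"] == "200":   # 200 = form re-rendered = failure
            yield _parse_ts(m["ts"]), m["ip"]


def detect(lines: Iterable[str], threshold: int = THRESHOLD, window: int = WINDOW) -> Dict[str, float]:
    """Return {ip: epoch of the failure that crossed the threshold}.

    Each source keeps only the timestamps inside the window, so memory stays
    bounded however long the log is. Allowlisted sources never trigger.
    """
    recent: Dict[str, deque] = defaultdict(deque)
    banned: Dict[str, float] = {}
    for ts, ip in sorted(failures(lines)):
        if ip in banned or any(ipaddress.ip_address(ip) in net for net in ALLOWLIST):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            banned[ip] = ts
    return banned


def ban_commands(banned: Dict[str, float], set_name: str = SET_NAME, timeout: int = BAN_SECONDS) -> List[str]:
    """Commands to push to every host; a single '-m set --match-set dyn-drop src -j DROP' rule consumes them."""
    return [f"ipset add {set_name} {ip} timeout {timeout} -exist" for ip in sorted(banned)]


# Constructed sample: an sshd brute-forcer, a WordPress brute-forcer, a legitimate
# user who mistyped once, and an allowlisted scanner that must never be banned.
SAMPLE_LOG = (
    [f"Jul 10 03:14:0{s} web1 sshd[21{40 + s}]: Failed password for root from 198.51.100.23 port 410{20 + s} ssh2"
     for s in range(5)]
    + ["Jul 10 03:20:10 web1 sshd[2150]: Failed password for alice from 203.0.113.8 port 50001 ssh2",
       "Jul 10 03:20:20 web1 sshd[2151]: Accepted password for alice from 203.0.113.8 port 50001 ssh2"]
    + [f"Jul 10 03:3{s}:00 web1 sshd[21{60 + s}]: Failed password for root from 192.0.2.50 port 6000 ssh2"
       for s in range(6)]
    + [f'203.0.113.77 - - [10/Jul/2018:03:40:0{s} +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "-"'
       for s in range(6)]
    + ['203.0.113.8 - - [10/Jul/2018:03:41:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"']
)

if __name__ == "__main__":
    print("\n".join(ban_commands(detect(SAMPLE_LOG))))
```

Distributing the result is just running the emitted `ipset add` lines on each host (or sharing one set via whatever configuration channel you already trust); the `timeout` makes the ban self-expiring and `-exist` refreshes it on a repeat offender. The allowlist check sits before the counter on purpose: a monitoring probe that tests login failures on every host would otherwise ban itself everywhere on the first run.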


This is just the tip of the iceberg of our approach to providing secure and reliable services to our customers. Defense in depth is the optimal means of defending against the ever-evolving landscape of attacks thriving on the Internet. If other providers and operators followed similar common-sense methodologies, the ’net would be a much tamer and safer place. Until then, Node-Nine will continue to strive to lead by example, not only benefiting our customers and clients but also helping make the Internet a little bit safer, site by site, host by host, service by service.