by achillean 1744 days ago
In cases like this it's actually not that difficult as they're using devices that can be fingerprinted from the Internet. We at Shodan provide a local, embedded database (SQLite or RocksDB) so you can see which open ports connecting IPs have. If an IP is connecting from a device that's running weird ports, is compromised or has other unusual characteristics then you can either flag the connection as high risk or outright drop it if you're under attack. It's mostly used by banks etc. for fraud prevention but we have a few that use it for blocking traffic based on IP risk.

How does fingerprinting them help? You can fingerprint them but they are just desktops/mobile phones/laptops that have been compromised to be part of the botnet.

The compromised hosts that are part of the botnet look exactly like normal traffic.

If you have a database of known-compromised hosts (because a fingerprint scan of them shows something clearly identifiable as part of a botnet, which I think is usually rare [but possibly not for Mēris]), it can mitigate an attack if you've already blocked them.

But the problem that still exists is the initialization traffic -- there are still up to 200k hosts that may hit your site (essentially, a syn flood). Depending on your infrastructure, that can still hurt your firewall or single server. But it is unlikely to hurt as much as having to actually respond (through a request stack) to those requests.

That's not what the article said though. They say that the compromised devices had these characteristics among others:

* Port 2000 open

* Port 5678 open

* SOCKS proxy on port 80 (maybe)

Most likely most of the visitors to your website won't have those ports open and exposed to the Internet. That is a really easy way to filter traffic based on the network fingerprint. Especially when you're under attack it's a great way to reduce a majority of the impact without requiring any AI/ML - just filter traffic from IPs that have TCP port 5678 open. That same technique was also used to identify Mirai bots and it worked well.

Implemented here: https://github.com/craig/merisbot-detect

Do you have more info on port 80/socks?
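The filtering idea from the comments above (look up each connecting IP in a locally embedded open-port database, then flag or drop it if it exposes the ports listed for the bots) as an added example; this is not code from the thread, from Shodan, or from the linked merisbot-detect repository. It uses an in-memory SQLite table to stand in for the embedded database, and every IP, port row, risk weight and log line is constructed for the demonstration.

```python
"""Filter inbound connections by the open-port fingerprint of the source IP.

The fingerprint table stands in for a locally embedded, Shodan-style
SQLite database of "which ports does this IP have open". All rows, log
lines and weights below are constructed for this example.
"""
import re
import sqlite3

# Ports the thread lists as characteristic of the bots (2000, 5678) and the
# weaker "SOCKS proxy on port 80" signal. The weights are this example's own
# assumption, not a published scoring scheme.
HIGH_RISK_PORTS = {2000: 2, 5678: 2}
SOCKS_ON_80_WEIGHT = 1

# Constructed (ip, port, service) rows; documentation-range IPs only.
CONSTRUCTED_FINGERPRINTS = [
    ("198.51.100.7", 2000, "bandwidth-test"),
    ("198.51.100.7", 5678, "mikrotik-discovery"),
    ("198.51.100.7", 80, "socks"),
    ("203.0.113.9", 5678, "mikrotik-discovery"),
    ("203.0.113.10", 80, "http"),
    ("203.0.113.10", 443, "https"),
]

# Constructed connection log lines: "<timestamp> SYN <src ip>:<port> -> <dst>".
SAMPLE_LOG = [
    "2021-09-09T10:00:01Z SYN 198.51.100.7:51234 -> 10.0.0.5:443",
    "2021-09-09T10:00:01Z SYN 203.0.113.9:40001 -> 10.0.0.5:443",
    "2021-09-09T10:00:02Z SYN 203.0.113.10:33120 -> 10.0.0.5:443",
    "2021-09-09T10:00:02Z SYN 192.0.2.1:55555 -> 10.0.0.5:443",
]

LOG_RE = re.compile(r"SYN (?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ ->")


def build_fingerprint_db(rows=CONSTRUCTED_FINGERPRINTS) -> sqlite3.Connection:
    """Create the in-memory fingerprint table, indexed by source IP."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE host_ports (ip TEXT, port INTEGER, service TEXT)")
    conn.execute("CREATE INDEX idx_host_ports_ip ON host_ports(ip)")
    conn.executemany("INSERT INTO host_ports VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


def risk_score(conn: sqlite3.Connection, ip: str) -> int:
    """Sum the weights of risky exposed ports recorded for this IP.

    An IP with no rows scores 0: absence of a fingerprint is not evidence
    of compromise, which is what keeps ordinary visitors unaffected.
    """
    score = 0
    rows = conn.execute(
        "SELECT port, service FROM host_ports WHERE ip = ?", (ip,)
    )
    for port, service in rows:
        score += HIGH_RISK_PORTS.get(port, 0)
        if port == 80 and service == "socks":
            score += SOCKS_ON_80_WEIGHT
    return score


def decide(score: int, under_attack: bool) -> str:
    """Map a score to an action; high-risk IPs are only dropped under attack."""
    if score >= 2:
        return "drop" if under_attack else "flag"
    if score >= 1:
        return "flag"
    return "allow"


def filter_connections(conn, log_lines, under_attack=False):
    """Return [(src_ip, action)] for every parseable SYN line in the log."""
    decisions = []
    for line in log_lines:
        match = LOG_RE.search(line)
        if not match:
            continue  # not a connection-attempt line; nothing to score
        src = match.group("src")
        decisions.append((src, decide(risk_score(conn, src), under_attack)))
    return decisions


if __name__ == "__main__":
    db = build_fingerprint_db()
    for ip, action in filter_connections(db, SAMPLE_LOG, under_attack=True):
        print(f"{ip:15} {action}")
```

The two-stage design (score, then a separate decision that depends on whether you are currently under attack) mirrors the "flag as high risk or outright drop it if you're under attack" behaviour described in the first comment. Two caveats for real use: scan data goes stale, so a row should carry a timestamp and be aged out, and many users sit behind carrier-grade NAT, so one fingerprinted address can front both a compromised router and legitimate customers; that is a reason to prefer "flag" over "drop" outside of an active attack.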