Some security professionals think brute forcing is a dead art. Gone are the days when everybody was using THC Hydra, John the Ripper, or custom tools they wrote themselves. Yet on today’s Internet, where it is often much easier to simply exploit a flaw in some plug-in to gain control of a website, we still see millions of brute forcing attempts.
I wanted to come up with some quantitative data behind what we see at Go Daddy. To do this, I built something we call the RepFeed database, which is an aggregator of all the security events that we detect in our hosting environment. What started as a pet project grew into something really big, really fast. In one 24-hour period, we detected over 50 million brute force events. When plotting the top 10 countries, the distribution looks like this:
Looking at this, China doesn’t look so bad after all. That made me suspect something was wrong with the data, so I tried to break it down further. Next, I separated the brute force events into four categories by type.
After seeing these results, I thought, “This can’t be true! We can’t be our own worst enemy!” So, I decided to plot FTP and SSH events as well.
Sure enough, I found that it was indeed true! So how did we address this issue? Based on all this data, we built a few internal tools, like the Brute Forcinator and the Threat Accelerometer, that automatically quarantine these bad actors as they start to ramp up their dirty work. You can read about the Threat Accelerometer and how it works in Scott Gerlach’s earlier blog post.
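As an added illustration of the ramp-up detection idea, here is a small detector written for this post; it is not GoDaddy’s RepFeed, Brute Forcinator or Threat Accelerometer, whose internals are not described here. It parses constructed sshd and vsftpd failure lines (sample data, not real traffic), tallies failed logins by service the way the category breakdown above does, counts failures per source per minute, and flags a source the first minute its failure rate is both high enough and accelerating relative to the previous minute. The log format, IP addresses, thresholds and function names are all assumptions.

```python
"""Rate-of-change ("accelerometer"-style) brute-force detector over auth logs.

Hypothetical illustration; not GoDaddy's RepFeed, Brute Forcinator or
Threat Accelerometer. All log lines are constructed below, not real traffic.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed activity: (minute offset, service, source IP, failed logins).
# 203.0.113.5 ramps up, 198.51.100.7 trickles steadily, 192.0.2.9 bursts.
SAMPLE_ACTIVITY = [
    (0, "ssh", "203.0.113.5", 2),
    (1, "ssh", "203.0.113.5", 3),
    (2, "ssh", "203.0.113.5", 8),
    (0, "ftp", "198.51.100.7", 2),
    (1, "ftp", "198.51.100.7", 2),
    (2, "ftp", "198.51.100.7", 2),
    (1, "ssh", "192.0.2.9", 6),
]
BASE_TIME = datetime(2014, 3, 1, 10, 0, 0)


def make_sample_log():
    """Expand SAMPLE_ACTIVITY into sshd/vsftpd-style failure lines (constructed)."""
    lines = []
    for minute, service, ip, failures in SAMPLE_ACTIVITY:
        for i in range(failures):
            ts = (BASE_TIME + timedelta(minutes=minute, seconds=i)).isoformat()
            if service == "ssh":
                lines.append(f"{ts} web1 sshd[1234]: Failed password for root "
                             f"from {ip} port {40000 + i} ssh2")
            else:
                lines.append(f'{ts} web1 vsftpd: FAIL LOGIN: Client "{ip}"')
    return lines


# Assumed line formats: ISO timestamp, host, then the daemon's failure message.
SSH_FAIL = re.compile(r"^(\S+) \S+ sshd\[\d+\]: Failed password for "
                      r"(?:invalid user )?\S+ from (\S+) port \d+")
FTP_FAIL = re.compile(r'^(\S+) \S+ vsftpd: FAIL LOGIN: Client "([^"]+)"')


def parse_line(line):
    """Return (timestamp, service, source_ip) for a failed login, else None."""
    for service, pattern in (("ssh", SSH_FAIL), ("ftp", FTP_FAIL)):
        m = pattern.match(line)
        if m:
            return datetime.fromisoformat(m.group(1)), service, m.group(2)
    return None  # successful logins, other daemons, noise


def breakdown_by_service(lines):
    """Count failed logins per service, like the category breakdown above."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            counts[parsed[1]] += 1
    return counts


def failures_per_minute(lines):
    """source IP -> {minute bucket -> failed-login count}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, _service, ip = parsed
            buckets[ip][ts.replace(second=0, microsecond=0)] += 1
    return buckets


def quarantine_candidates(lines, min_events=5, growth=2.0):
    """Flag a source the first minute its failure rate is both high enough
    (>= min_events) and accelerating (>= growth x the previous minute).
    A source with no previous minute is compared against 1, so a burst from
    nowhere counts as acceleration. Returns {ip: ISO minute of first trigger}.
    """
    flagged = {}
    for ip, per_minute in failures_per_minute(lines).items():
        for minute in sorted(per_minute):
            now = per_minute[minute]
            prev = per_minute.get(minute - timedelta(minutes=1), 0)
            if now >= min_events and now / max(prev, 1) >= growth:
                flagged[ip] = minute.isoformat(timespec="minutes")
                break
    return flagged


if __name__ == "__main__":
    log = make_sample_log()
    print("failures by service:", dict(breakdown_by_service(log)))
    print("quarantine:", quarantine_candidates(log))
```

The steady two-failures-a-minute FTP source never trips the detector, which is the point of keying on acceleration rather than a raw count: a slow trickle that stays below the floor is tolerated, while a source that doubles its rate past the floor, or appears from nowhere with a burst, is quarantined in the minute it ramps up. In practice the thresholds would be tuned per service and the quarantine would be a firewall or rate-limit action rather than a returned dict.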