Digging into DDoS attacks (includes hostile IPs from multiple honeypots)

It turns out my previous assumption was correct. These DDoS "attacks" are actually a side-effect of a Makost[dot]net-style botnet and are NOT the intention of the attacker (in fact, they seem specifically designed NOT to cause a disruption of service which would make us aware of their activity). The attacks are in fact trying to gain access to my servers in order to rent\sell server time to third parties.


The Attack Process (i.e. 'Unintentional DDoS')

The attacking process is something like this:

  1. The botnet will start funneling staggered login attempts in batches to a seemingly random block of IPs in the form of miniature Dictionary Attacks & spoofed reconnect attempts. These attempts always come in staggered batches and appear to be automated or run on some kind of schedule, possibly queued by a real person.

  2. The login attempts most often begin by trying to log in with ".\Administrator" (or "local\Administrator") as the domain\username and "Administrator" (same as the username) as the password.
    If "Administrator" fails, but the server is responding on default RDP ports, they eventually come back (seconds, minutes, hours, days or weeks later) with knowledge of actual usernames used to RDP into my servers and servernames which those users have RDP'd into (presumably harvested from compromised client-machines). Most often it attempts to login with the username AS the password (i.e. "{username}"\"{username}", like jdoe\jdoe, owner\owner, etc).

  3. Failed login attempts are seemingly hung or kept open by the botnet\attacker, most often followed with some kind of brute force session-reconnect attempt, leaving stale RDP sessions and eating up ports. This is what leads us to a Denial of Service when multiple groups of attacks are received at once.

    • It seems this botnet is intentionally staggering their attacks in order to avoid being discovered for what they really are. They want to look like isolated\unrelated bad-login attempts, sparsely spread across multiple servers. Multiple waves coming in at once seem undesirable to the attacker, as a Denial of Service would prevent their own dictionary\brute-force attacks from connecting and make the servers inaccessible to them, as well as making us aware of malicious activity.
    • Though we've seen this pattern attacking us since 2011, it has only been since 2013 that batches of attacks have begun overlapping as if they are not aware of each other. Prior to 2013, it was rare to see more than one batch at a time. This says to me that either the botnet has split and new ones are being operated using the same malware, or possibly the others have been there for a while and they've now ended up being fed the same data since 2013 vs prior. It is also worth noting that I've found traces of what appear to be similar attacks dating as far back as February 2009, but they have a different machine-name pattern, with machine names like "37L4247D25-07" and "37L4247D28-05" (see original post, "Section A: DDoS patterns" for more).

I was able to deduce the following by cross-referencing my existing information (original post) against my IIS & HTTP Error logs, outgoing bandwidth logs and watching Wireshark during attempted attacks and honeypot use:

Compromised computers are used as botnet hosts and to harvest as much information as possible using a sophisticated collection of malware, viruses, rootkits, browser sidejacking, and a long list of several thousand known server exploits (PHP, PHP-Nuke, phpMyAdmin, phpGallery, WordPress, IIS and ASP.NET configs to name a few). They also scan networks using WPAD local DNS queries and have been seen attempting to use WPAD\Windows Update for a Man-In-The-Middle attack as well as attempting to hack network printers in order to compromise network security.

I believe the botnet has a growing centralized repository for server and user information, known exploits and much more metadata that helps them compromise the servers they attack. These machines collect data independently, but attacks come in waves and always follow the same patterns.

Once a server is compromised and "rented out", it's anyone's guess what the logged-in party is using it for, but "illegal" seems a pretty good conclusion given what we've seen (see original post, "Section B: Honeypotting the Attacker" for more info).


The most hostile IPs

Since my original honeypot's inception, I've created and tracked several additional honeypots in an effort to find more meaningful data. I have updated my original post (Section C: IP Addresses) with 2 additional points which I will summarize here:

5.56.133.145 and 176.226.149.255 have both logged into MULTIPLE honeypots using the credentials created by the attacker immediately after account creation. 46.161.40.15 was used to log into only my first honeypot, but shares its first 3 octets with at least 2 other IP addresses blocked by my Network Firewall for DDoS.


I have seen an immediate reduction in DDoS attacks since I posted this article (curious). As I contact my clients and (make them) install\update their security & download (important) Windows Updates, the attacks appear less and less.


I am NOT concluding that Makost[dot]net is behind these attacks. I am simply not aware of another name for this type of botnet, but it follows the same attack and usage patterns as Makost is known for.

For more information about Makost[dot]net, check this link:

http://krebsonsecurity.com/tag/makost/

I hope to update this article with additional information as I find it. Questions\comments welcome. The IP addresses in my original post include both botnet-attackers and users logged into my honeypot after it was "compromised".
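A defender-side detector for the staggered pattern in steps 1 and 2 above (an added example, not part of the original post): it reads constructed failed-RDP-logon records shaped like a Windows Security Event 4625 export, groups them into batches per source IP, and flags sources whose first batch is an Administrator probe and whose later batches come back with other usernames. The record layout, the 5-minute batch gap and the minimum batch size are assumptions.

```python
"""Spot staggered RDP dictionary batches in exported failed-logon records.

Each record is (timestamp, source IP, target account) as one would export
from Security Event ID 4625 with logon type 10 (RemoteInteractive).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real log lines. One source probes
# Administrator first and returns two days later with real usernames;
# the other is a single mistyped password that should not be flagged.
SAMPLE_EVENTS = [
    ("2013-06-01 02:00:01", "203.0.113.7", ".\\Administrator"),
    ("2013-06-01 02:00:03", "203.0.113.7", ".\\Administrator"),
    ("2013-06-01 02:00:05", "203.0.113.7", "local\\Administrator"),
    ("2013-06-01 02:00:07", "203.0.113.7", ".\\Administrator"),
    ("2013-06-03 14:12:10", "203.0.113.7", "jdoe"),
    ("2013-06-03 14:12:12", "203.0.113.7", "owner"),
    ("2013-06-03 14:12:14", "203.0.113.7", "jdoe"),
    ("2013-06-01 09:30:00", "198.51.100.9", "jdoe"),
]

def account_name(user):
    """Strip a 'domain\\' prefix so '.\\Administrator' == 'Administrator'."""
    return user.split("\\")[-1].lower()

def split_batches(rows, gap):
    """Split time-sorted (ts, user) rows into batches separated by > gap."""
    groups, current = [], []
    for ts, user in rows:
        if current and ts - current[-1][0] > gap:
            groups.append(current)
            current = []
        current.append((ts, user))
    if current:
        groups.append(current)
    return groups

def analyze(events, gap=timedelta(minutes=5), min_batch=3):
    """Per source IP: batch count, Administrator-probe-first flag, and the
    non-Administrator accounts tried in later batches (likely harvested)."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), user))
    report = {}
    for ip, rows in by_ip.items():
        groups = [g for g in split_batches(rows, gap) if len(g) >= min_batch]
        if not groups:
            continue  # isolated failures are not the staggered pattern
        admin_first = all(account_name(u) == "administrator" for _, u in groups[0])
        later = {account_name(u) for g in groups[1:] for _, u in g
                 if account_name(u) != "administrator"}
        report[ip] = {"batches": len(groups), "admin_probe_first": admin_first,
                      "harvested_users": sorted(later)}
    return report
```

Sources that appear in the report with `admin_probe_first` set and a non-empty `harvested_users` list match the two-stage behaviour described above and are candidates for a firewall block.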


Check your outgoing bandwidth logs, it could be that the attacker is using your servers as a botnet of sorts. This does seem very in depth and I would be calling up the spooks right about now (you've got plenty of information). Is disabling RDP completely an option?