the blog under brute force attack

Since December 18, I have noticed strange behaviors in my blog’s statistics:

debian-economist.eu statistics

The blue line is the number of hits per day and the orange line is the number of visitors. As you can see, the number of visitors is quite stable (around 40). However, the blue line exhibits heavy spikes:

date          hits
December 18   3511
December 25   3502
December 26   3483
December 27   3521
December 31   3472

The number of hits is quite stable. Another noticeable fact is that every time the IP has a Ukrainian origin, with the exact same number of hits:

date          IP              hostname                  hits
December 18   91.200.12.114   a170786571.example.com    3422
December 25   91.200.12.113   sv1.shenmiren.net         3422
December 26   91.200.12.115   a17078657.example.com     3422
December 27   91.200.12.115   a17078657.example.com     3422
December 31   91.200.12.92    kehu1101.com              3422
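As an added example (not code from the original post), here is a small Python script that does this kind of check directly on a web server access log instead of on a statistics chart: it aggregates hits per day and per IP, then flags any address that sent repeated POSTs to wp-login.php or that accounts for most of a day's hits, the pattern the two tables above show. The log lines are constructed samples; only the 91.200.12.114 address comes from the post, the other addresses and the dates are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Apache/nginx "combined" format (not real log data).
# 91.200.12.114 is the address reported in the post; the counts are scaled down.
SAMPLE_LOG = """\
91.200.12.114 - - [18/Dec/2016:03:14:07 +0100] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
91.200.12.114 - - [18/Dec/2016:03:14:08 +0100] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
91.200.12.114 - - [18/Dec/2016:03:14:09 +0100] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2016:09:02:11 +0100] "GET /2016/12/some-post/ HTTP/1.1" 200 12001 "-" "Mozilla/5.0"
198.51.100.23 - - [18/Dec/2016:11:40:55 +0100] "GET / HTTP/1.1" 200 8002 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Dec/2016:08:00:01 +0100] "GET / HTTP/1.1" 200 8002 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2016:10:12:41 +0100] "GET /feed/ HTTP/1.1" 200 5102 "-" "Mozilla/5.0"
"""

# Client IP, calendar day, HTTP method and request path from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]*\] "(?P<method>\S+) (?P<path>\S+)'
)

def parse_lines(text):
    """Yield (ip, day, method, path) for every line that matches the format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("ip"), m.group("day"), m.group("method"), m.group("path")

def daily_hits(text):
    """Return ({day: Counter(ip -> hits)}, {day: Counter(ip -> POSTs to wp-login.php)})."""
    hits, logins = defaultdict(Counter), defaultdict(Counter)
    for ip, day, method, path in parse_lines(text):
        hits[day][ip] += 1
        if method == "POST" and path.startswith("/wp-login.php"):
            logins[day][ip] += 1
    return hits, logins

def suspicious_ips(text, share=0.5, min_logins=3):
    """Sorted list of (day, ip, hits, login_posts) for IPs that, on one day, sent at
    least min_logins login POSTs or produced more than `share` of all hits."""
    hits, logins = daily_hits(text)
    flagged = []
    for day, counter in hits.items():
        total = sum(counter.values())
        for ip, n in counter.items():
            posts = logins[day][ip]
            if posts >= min_logins or n / total > share:
                flagged.append((day, ip, n, posts))
    return sorted(flagged)

if __name__ == "__main__":
    for day, ip, n, posts in suspicious_ips(SAMPLE_LOG):
        print(f"{day}: {ip} sent {n} hits, {posts} login attempts")
```

The flagged addresses are the natural input for the firewall ban list mentioned at the end of the post; on a real log the share threshold would be tuned to the blog's normal daily traffic.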

Well, it definitely looks very strange. I was wondering what the heck that was. Then I found this article by a cybersecurity company, Wordfence, which monitors the traffic on websites using WordPress:

At Wordfence we constantly monitor the WordPress attack landscape in real-time. Three weeks ago, on November 24th, we started seeing a rise in brute force attacks. As a reminder, a brute force attack is one that tries to guess your username and password to sign into your WordPress website.

Wordfence adds that most of the brute force attacks come from Ukraine, and in particular from a small set of 8 IPs. It includes 91.200.12.114 and 91.200.12.92, which are at the origin of the shady hits of December 18 and December 31. An interesting detail of the Wordfence article:

These IPs all belong to the same organization and are on the same network. Doing a Google search on the top IP brings back many reports of abuse around the Internet. They belong to a hosting company in Ukraine called “Pp Sks-lugan“. The servers are a mix. Some aren’t running any services. Others appear to be running Windows IIS web server.

These IPs are using brute force attacks exclusively. They don’t launch any sophisticated attacks. They are hammering away at WordPress sites at a rate of over a quarter million login attempts each, in some cases, during a 24 hour period.

Pp Sks-lugan is a tiny company, but a huge number of attacks come from its servers. According to an update from Wordfence, this company is located in Alchevs’k in eastern Ukraine. The city is now under separatist control. Moreover, the IP range of this company involved in the brute force attack is known for criminal activities. Mark Maunder, the CEO of Wordfence, made a major point:

In cyber security, attributing attacks to an individual or state is very difficult, sometimes impossible. Attackers on the Internet can route their traffic through as many servers in as many countries as they like before they reach their target.

The Russian intervention in Ukraine makes attribution of attacks even more complex. Using a Ukrainian Internet service provider gives Russia the ability to launch attacks globally with plausible deniability.

It makes sense that disputed areas like eastern Ukraine and Syria are a hotbed of malicious activity because they provide attackers with means, motive and opportunity. Occupying forces have the means to launch their attacks by using local ISP’s. They have several motives: They want to benefit from the attack itself and also discredit local businesses or government. And they have plenty of opportunity as these regions are usually occupied for years.

This statement was attacked by pro-Putin trolls, who said it was a political claim by the CEO. Well, it is just fact.

If you looked at the Wordfence statistics, as Reynald Flécheaux of the French technology magazine Silicon did, you may have noticed that France is the second origin for brute force attacks on WordPress websites. Indeed, Online (the host for debian-economist.eu) and OVH account for more than 11% of the attacks. Nonetheless, they are far bigger hosts than Pp Sks-lugan.

To conclude, I changed my password for a stronger one to be safe, and I will install a firewall very soon to ban these bad IPs.
