This week I have been - amongst other things - messing around with (trialling seems like a very grandiose phrase) BitNinja. BitNinja is a service that helps protect the server. It had been brought to my attention by an email in the first instance - the most polite, useful, if strangely formatted, abuse@ email I had seen. Kind of like a brick wrapped in velvet. Nice. I needed to know more.

What is BitNinja? The deployed service runs server side and assists with intrusion detection (IDS / NIDS) and intrusion prevention (IPS) - with a smattering of web application firewall (WAF) thrown in. The two things, however, that set it apart for me right here, right now are honeypots (both file and port) and collective intelligence. Using these together is golden.

The collective intelligence makes a decision on an IP as a possible threat and greylists it, moving it to the blacklist if the same activity is seen elsewhere, and in some cases validating with a CAPTCHA. Once blacklisted, the IP is blacklisted for this host, for any other instances of BitNinja you have running.... or any other instance... anywhere. This is a two-way street, so IPs seen attacking elsewhere are blocked from us also.
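To make the greylist / blacklist / CAPTCHA flow described above concrete, here is a toy model of a shared IP-reputation store. This is an added example written for this post, not BitNinja's code, and its policy is assumed: an IP is greylisted on the first report from any host, blacklisted once a second, distinct host reports it, challenged with a CAPTCHA while greylisted, and cleared if the CAPTCHA is passed. The host names, the `allow` / `challenge` / `drop` actions and the sample log lines are all constructed for the example.

```python
"""Toy model of a shared IP-reputation feed: greylist on first sighting,
blacklist once a second host reports the same IP, CAPTCHA to clear a greylist.
Illustrative example for this post; not BitNinja's implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed policy knob (not a documented BitNinja value).
BLACKLIST_AFTER_HOSTS = 2   # distinct reporting hosts needed to escalate


@dataclass
class Reputation:
    status: str = "clean"                 # clean | greylist | blacklist
    hosts: Set[str] = field(default_factory=set)
    events: List[str] = field(default_factory=list)


class SharedIntel:
    """One store that every participating host reads from and writes to."""

    def __init__(self) -> None:
        self.ips: Dict[str, Reputation] = {}

    def report(self, host: str, ip: str, event: str) -> str:
        """A host reports bad behaviour from ip; returns the new status."""
        rep = self.ips.setdefault(ip, Reputation())
        rep.hosts.add(host)
        rep.events.append(f"{host}:{event}")
        if len(rep.hosts) >= BLACKLIST_AFTER_HOSTS:
            rep.status = "blacklist"      # seen elsewhere too: shared block
        elif rep.status == "clean":
            rep.status = "greylist"       # first sighting: suspicious only
        return rep.status

    def captcha_solved(self, ip: str) -> str:
        """Assumed rule: a greylisted client that passes a CAPTCHA is cleared.
        A blacklisted client is not offered this way out."""
        rep = self.ips.get(ip)
        if rep is None:
            return "clean"
        if rep.status == "greylist":
            rep.status = "clean"
            rep.hosts.clear()             # start counting hosts from scratch
        return rep.status

    def decide(self, ip: str) -> str:
        """What any participating host should do with a connection from ip."""
        status = self.ips.get(ip, Reputation()).status
        return {"clean": "allow", "greylist": "challenge", "blacklist": "drop"}[status]


def replay(log: List[str]) -> Dict[str, str]:
    """Replay constructed detection lines of the form 'host ip event'
    (or 'captcha ip ok') and return the final action per IP."""
    intel = SharedIntel()
    for line in log:
        actor, ip, event = line.split()
        if actor == "captcha":
            intel.captcha_solved(ip)
        else:
            intel.report(actor, ip, event)
    return {ip: intel.decide(ip) for ip in intel.ips}


# Constructed sample feed using RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "web01 203.0.113.5 port-honeypot",      # first sighting -> greylist
    "web02 203.0.113.5 file-honeypot",      # second host -> blacklist everywhere
    "web01 198.51.100.7 wp-login-brute",    # greylisted, gets a CAPTCHA
    "captcha 198.51.100.7 ok",              # human behind a noisy NAT: cleared
    "web03 198.51.100.7 wp-login-brute",    # back to greylist, not blacklist
]

if __name__ == "__main__":
    for ip, action in replay(SAMPLE_LOG).items():
        print(ip, action)
```

Note the two-way street in `decide`: a host that has never seen 203.0.113.5 still drops it, because the second report came from another node. The host-counting is also what stops one noisy server from blacklisting its own users on its own; whether the real service counts hosts, events, or something else is not stated on this page.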

What it is not is 'user' friendly. When I say user - I mean just that - users... my world is a world packed full of users of varying backgrounds and abilities. Having said that, I feel the need to make clear that it is engineer- or admin-friendly - however there is no tie-in to the user space to notify them what has happened - this puts it in a very different space to products such as the delicious Patchman, which makes my world an easier one by mechanising the workflow of compromise, vulnerabilities and patching.... and allowing users to roll back changes, and so on.

SO - how has the week gone?

Two things come to mind... no, make that three... THREE THINGS COME TO MIND ("Fear, surprise, and ruthless efficiency.... and a fanatical devotion to the Pope.... FOUR - FOUR... no one expects the Spanish Inquisition!").

1. Idiocy Amplification

Yes. We all do it. We mash the keys and wrench the keyboard around in a Harambe style from time to time. However, now you have the added bonus of calls and emails that "your company is completely offline"... no... we have just sent you to Coventry.

2. Quieter evenings

Purely circumstantial at this point (it is a 7-day trial, for heaven's sake) - but after a recent spike in compromises and service issues related to said badness... there has been a notable lull. It is hard to compromise even the most slackly administered, insecure and vulnerable CMS if you are unable to reach it in the first place.

3. Reassessment of threats

Well well well (three large holes in the ground) - attacking threats are not from the traditional hotspots of filth - no - top of the list are India and Pakistan. Gone are the traditional ex-Russian states as clear leaders, and gone are the "yes, I can name some Chinese cities and provinces" (yes, I am looking at you, Shenzhen and Guangdong!) of even as recently as two years ago and my adventures with Suricata and Snorby.

So how about redrawing the borders on the map?


In conclusion - will I continue to contribute once my trial runs out? Sure. Can I afford the outlay? No, sorry, not personally. Would we be taking it on at work? Now that is a strong maybe. Some products come out fighting, and while this has no rough edges as such, it's not quite what the shared hosting environment is looking for.... but it has one very strong offering over its similar competitors.... there is a Windows version. Now that is a conversation to be had on its own.

It's great to see who they are after, who (which domain / site) is popular with the bad man, and better still what passwords they are using when they are not bruting. It is a real thing - it makes it physical and viewable over the whole estate.... and a warm, cosy feeling that someone attacking one user, be they here or elsewhere, will not be able to even see your resources.... and abuse is managed in real time, remotely.... with obfuscated examples.

But hey - let's look at that distribution again.... the times, they are a-changing.
