Hughesnet IP Range

I'm not sure if anyone around here would have any knowledge of this but here is the scoop.

We have a client that hosts an FTP server and they are under constant attacks. We decided, as a safeguard, instead of blocking the intruders' IPs, to block all IPs and allow the range of IPs for their remote clients.

This was working fine until one of the guys with HughesNet called. We allowed his IP range, but it doesn't let him in, but if I allow all traffic, he can. It appears his modem's WAN IP isn't what actually goes out, so I'm assuming it hops somewhere, then there is another true WAN IP from HughesNet.

I tried contacting their support, but it's a major pain in the ass, so I figured I'd see if you guys have had any experience with this.

STS-Tech asked:
Ernie Beek (Expert) commented:
So if he does a traceroute to your FTP server, he/you should be able to see all the IPs it passes through. That might give you a hint.
0
STS-Tech (Author) commented:
Ha, always forget about the simplest tools. He's in the car right now, I'll get back in touch.

We were able to pull logs from the FTP server itself and check his username logins. It appears HughesNet has a ton of random IP ranges...
0
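The check STS-Tech describes above (pull the FTP server's own log, find every source IP a given user logged in from, and compare those against the firewall allowlist) can be scripted. The following is an added example, not code from the thread; the log format is a constructed one, since the actual FTP server software and its log layout are not named in the post, and the IPs and usernames are made up. It also counts failed logins per source IP, which is the signature of the credential-guessing traffic the client is seeing.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines in a hypothetical "<date> <time> <ip> <user> LOGIN <OK|FAIL>"
# layout. Real FTP daemons each have their own format; adjust LINE_RE accordingly.
SAMPLE_LOG = """\
2012-03-01 08:01:12 203.0.113.10 jsmith LOGIN OK
2012-03-01 08:02:45 198.51.100.7 jsmith LOGIN OK
2012-03-01 08:03:01 192.0.2.55 admin LOGIN FAIL
2012-03-01 08:03:02 192.0.2.55 administrator LOGIN FAIL
2012-03-01 08:03:03 192.0.2.55 root LOGIN FAIL
2012-03-01 08:03:04 192.0.2.55 test LOGIN FAIL
2012-03-01 09:15:30 198.51.100.9 jsmith LOGIN OK
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) LOGIN (OK|FAIL)$")


def parse_log(text):
    """Yield (source_ip, username, success) for every well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(2), m.group(3), m.group(4) == "OK"


def ips_for_user(text, user):
    """Distinct source IPs from which `user` logged in successfully."""
    return sorted({ip for ip, u, ok in parse_log(text) if u == user and ok})


def outside_allowlist(ips, cidrs):
    """IPs that fall in none of the allowed CIDR ranges (what the firewall would drop)."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return [ip for ip in ips
            if not any(ipaddress.ip_address(ip) in net for net in nets)]


def failed_logins_by_ip(text, threshold=3):
    """Source IPs with at least `threshold` failed logins: a guessing/brute-force signature."""
    counts = Counter(ip for ip, _, ok in parse_log(text) if not ok)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    # The firewall allowlist only covers the range the customer gave us.
    allowed = ["203.0.113.0/24"]
    seen = ips_for_user(SAMPLE_LOG, "jsmith")
    print("jsmith logged in from:", seen)
    print("not covered by allowlist:", outside_allowlist(seen, allowed))
    print("likely guessing sources:", failed_logins_by_ip(SAMPLE_LOG))
```

Run against the real log, the "not covered by allowlist" output is exactly the list of ranges that still need adding (or, if it keeps growing, the evidence that per-range allowlisting is not going to work for that ISP).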
Ernie Beek (Expert) commented:
Sometimes the simplest approach is the best ;)

But when they have a ton of random IPs it might get difficult...

Perhaps something like SFTP, or FTP through VPN?
0
pwindell commented:
The problem with SFTP or FTPS is that not all Firewalls will let it pass.  This could turn into a long post guys,...so feel free to ignore it if you wish.

Firewalls require Application Layer Filters to process FTP traffic because of all the randomness of ports used within the FTP Protocol,...without that the Firewalls cannot maintain the connection and it will drop or "hang". They can do this because the App Filter disassembles the FTP Packets and reads the traffic information inside them and repackages it and sends it on its way.  Unfortunately, this fails with SFTP or FTPS because the encryption prevents the contents of the packets from being read by devices between the Client and the FTP Server.  Cheap low-buck retail "firewalls" (falsely called routers) get around this by being so extremely "loose" that they just simply "let anything happen" after the initial connection. But business grade firewalls don't have that luxury and hence the better the firewall the more chance that SFTP or FTPS will fail.  Now some newer firewall products may have the proper Application Layer Filters to handle SFTP and FTPS but this is far from universal at this time.

The Attacks.  The attacks on the FTP server are not "generic",...an attack is not an attack is not an attack,...attacks do specific things for specific reasons.  With FTP Servers it is almost always trying to guess the credentials with dictionary words or by brute force.  Why?...because that is the primary "real" way to get into someone's FTP Server.  These methods can not be stopped by SFTP or FTPS,....if they "guess" the right credentials then they get in,...it doesn't matter if it was FTP, FTPS or SFTP,...they guess the right credentials then they are in.

The weakness with FTP is in the credentials being visible in Clear Text in the FTP Packets,...however a hacker has to physically get themselves into a position to actually sniff the traffic by logging into your switches to configure monitoring and monitored ports and plugging themselves physically into the monitoring port.  You cannot just simply sniff the traffic that easily over the "switched" Public Internet without physically doing it from within the ISP's actual facility.  So the panic over regular FTP is a little over-hyped,...not saying it should be ignored,...but the typical panic is not based on reality.

FTP over VPN is a valid possibility but the VPN introduces other problems of its own.

I think the original intent of the original question is an example of misplaced security attempts (no offense intended).  The FTP Server is where the attacks happen, therefore the FTP Server is where the remedy has to occur.  The Firewall is not the place to build the protection here.  The primary method here is:

1. Face the fact that attacks against the server are going to happen,...they are automated, and there is nothing you can do about that.

2. Avoid common dictionary names and common user names for the accounts allowed to perform the FTP.
 
3. Use very long and very complex passwords.  When it takes 3000 to 125,000 years to crack the passwords it just is never going to happen.  I'm not exaggerating,...complex passwords, done right, can even take millions of years to crack,...I mean that literally,...it is just the math.

4. The FTP Target (where the files are stored) needs to be a dedicated partition that is backed up regularly.  Never ever use the OS partition,...why,...they'll break into the OS??,...no they won't break into the OS,...but if they gain upload ability they will create gazillions of folders at gazillions of levels using illegal characters that Windows cannot rename, copy, move, or delete and will proceed to fill up the partition with whatever they are trying to use you for storage for.  When it fills the drive it will bring the OS down due to lack of drive space.   To clean up such a mess requires formatting the partition and restoring from backup,...hence a dedicated partition, hence a simple task to do a restore.
0
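Steps 2 and 3 above ("avoid common user names" and "it is just the math" on password length) can be turned into a concrete account-policy check. This is an added example, not pwindell's code: the list of common usernames is a small constructed one, and the attacker guess rate of 10^10 guesses per second is an assumed figure for the worst case (offline cracking of a stolen hash), not a rate the post states; online guessing against a live FTP daemon is many orders of magnitude slower, so the numbers here are deliberately pessimistic.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker capability (hypothetical worst case, offline cracking).
GUESSES_PER_SECOND = 1e10

# Constructed sample of account names a dictionary attack tries first.
COMMON_USERNAMES = {"admin", "administrator", "root", "ftp", "ftpuser",
                    "test", "user", "guest", "upload", "backup"}


def charset_size(password):
    """Size of the smallest conventional character class set covering the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(password):
    """Brute-force search space in bits: length * log2(charset)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Time to try every password of this length and charset at `rate` guesses/sec."""
    return charset_size(password) ** len(password) / rate / SECONDS_PER_YEAR


def check_account(username, password, min_bits=80):
    """Return a list of policy problems; an empty list means the account passes."""
    problems = []
    if username.lower() in COMMON_USERNAMES:
        problems.append("username is a common dictionary name")
    if entropy_bits(password) < min_bits:
        problems.append("password search space below %d bits" % min_bits)
    return problems


if __name__ == "__main__":
    for user, pw in [("admin", "Summer2012"), ("xfer-acme-04", "Tq9#vL2!mR8$zW5&")]:
        print(user, round(entropy_bits(pw), 1), "bits,",
              "%.3g years to exhaust," % years_to_exhaust(pw),
              check_account(user, pw) or "OK")
```

The point the numbers make is the one pwindell makes in prose: an 8-character lowercase password is exhausted in seconds at the assumed rate, while a 16-character mixed password takes on the order of 10^14 years, so the length and character mix matter far more than which protocol carries the login.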
pwindell commented:
What we have done to cover FTP situations is use a NAS that has its own built-in FTP Service with its own accounts.  The FTP Target "drive" is actually a thumbdrive plugged into the NAS's USB port.  It also has mirrored drives but none of those are open to the public via FTP,...only the drive representing the thumbdrive allows FTP from outside.  Once the upload occurs we swap out the thumbdrive with a blank one and use the full one for whatever its purpose is.  A 16Gig or 32Gig thumbdrive can cover a lot of ground.

Granted this may not be great in all situations but serves the purpose just fine in our case.

The NAS we use for this is just a cheap Linksys model: NAS200

0