Dear white hat attackers,
recently we observed a number of Redis instances that were targeted by a simple attack, consisting of setting a password, using the
CONFIG SET requirepass <password>
command, on instances which are left open on the internet.
This is, in my opinion, a good idea, since those Redis instances are going to be cracked anyway. I believe you are doing this in order to make Redis users aware that they forgot to set up firewall rules so that their instances are not reachable from the outside.
However, you should NOT DO IT, since it is NOT LEGAL, and you may incur very bad consequences for doing this. However, if you are not going to stop doing this, here are a few tips to mitigate the side effects this has on the attacked instances.
Your attack causes a DoS, but that is better than the DoS, the possible data loss and the unauthorized access to the instance that a real attack will cause. The reason why those instances are going to be cracked anyway is that after I published an example attack against Redis left open, a number of attackers started exploiting it; we get reports every day.
However, you can improve your script so that it provides more clues to the people you are targeting:
You may set a message as the password itself, using
CONFIG SET requirepass "your instance is left open on the internet, please setup firewalling"
followed by
CONFIG REWRITE
in order to persist the configuration in redis.conf. People will check their configuration file after seeing the -NOAUTH errors, and will understand what is happening.
You may also want to send a Lua script that calls redis.log(), in order to leave a similar message in the Redis log as well. Something like this works:
EVAL 'redis.log(redis.LOG_WARNING,"Your Message Here")' 0
This way people can understand what happened, and recover, more promptly. Also, if possible, you should try to concentrate your attacks at a time of day that falls within the office hours of most of the countries where you believe you'll have an impact, so that the DoS is not performed during the night, which may result in people having to be called in the middle of the night to fix things.
EDIT: If you set a password that is a message, please make sure to also append some random string at the end so that it is not guessable by an external attacker.
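As an added example (not part of the original post, and not Redis project code), here is a small Python 3 script, written from the operator's side, that covers both the command sequence above and the random suffix from the EDIT: it probes one of your own hosts with an unauthenticated PING to tell an open instance from a protected one, shows the exact RESP bytes that CONFIG SET requirepass, CONFIG REWRITE and the EVAL redis.log(...) call put on the wire, and can apply that same stop-gap (message password plus random suffix) to an instance you are responsible for. All function names, the default message and the sample replies used for classification are assumptions of this example; it uses only the standard library, and it is a stop-gap, not a replacement for the firewall rules the post asks for.

```python
"""Audit your own Redis hosts for missing authentication and, optionally,
apply the stop-gap described in the post: a message as the password, with a
random suffix, persisted with CONFIG REWRITE, plus a note in the Redis log.
Only point this at instances you are responsible for."""
import secrets
import socket

# Default message (an assumption of this example, echoing the post's wording).
LOG_MESSAGE = "Your instance is left open on the internet, please setup firewalling"


def encode_command(*args: str) -> bytes:
    """Encode a Redis command as a RESP array of bulk strings. This is what
    redis-cli sends for e.g. CONFIG SET requirepass ..., so the output is
    also what you would see in a packet capture of such an attack."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode("utf-8")
        out.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(out)


def classify_reply(raw: bytes) -> str:
    """Classify the first line of the reply to an unauthenticated PING:
    'open' (+PONG without AUTH), 'protected' (-NOAUTH ...), or 'other'."""
    line = raw.split(b"\r\n", 1)[0]
    if line == b"+PONG":
        return "open"
    if line.startswith(b"-NOAUTH"):
        return "protected"
    return "other"


def message_password(message: str = LOG_MESSAGE, entropy_bytes: int = 16) -> str:
    """The readable message plus a random hex suffix, so the password still
    explains the situation but cannot be guessed by a third party."""
    return f"{message} {secrets.token_hex(entropy_bytes)}"


def lockdown_commands(password: str, message: str = LOG_MESSAGE) -> list:
    """The command sequence from the post, RESP-encoded. AUTH is sent right
    after CONFIG SET so the sequence works whether or not the server keeps
    the current connection authenticated once requirepass is set."""
    lua = 'redis.log(redis.LOG_WARNING,"%s")' % message.replace('"', '\\"')
    return [
        encode_command("CONFIG", "SET", "requirepass", password),
        encode_command("AUTH", password),
        encode_command("CONFIG", "REWRITE"),
        encode_command("EVAL", lua, "0"),
    ]


def probe(host: str, port: int = 6379, timeout: float = 3.0) -> str:
    """Connect, send an unauthenticated PING and classify the answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("PING"))
        return classify_reply(sock.recv(4096))


def lock_down(host: str, port: int = 6379, timeout: float = 3.0) -> list:
    """Apply the stop-gap to one of your own instances. Returns the first
    line of each reply, so a failing CONFIG REWRITE (e.g. a server started
    without a config file) is visible instead of silently leaving the
    password unpersisted."""
    password = message_password()
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for cmd in lockdown_commands(password):
            sock.sendall(cmd)
            replies.append(sock.recv(4096).split(b"\r\n", 1)[0].decode())
    print(f"password set on {host}:{port}: {password!r}")
    return replies


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
```

Run it with a host name to get "open" or "protected"; call lock_down() only on hosts you own, and check the third reply: CONFIG REWRITE answers +OK only when the server was started with a configuration file, otherwise it returns an error and the password is gone after the next restart.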