I've been there. Sleep is good.
Though you did remind me with your null attack comment to get off my butt
and capture the packets to see if it's a specific hole trying to be
exploited and not just a brute force password run.
--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba_at_amoebazone.com
"Do Not Taunt Happy-Fun Ball"
-----Original Message-----
From: Robert Taylor [mailto:rjamestaylor_at_gmail.com]
Sent: Wednesday, May 07, 2008 11:24 AM
To: Erin Carroll
Cc: 'Gary Baribault'; incidents_at_securityfocus.com
Subject: Re: Weird SSH attack last night and this morning (still ongoing)
Good points.
I plead exhaustion for missing the key differentiator of this attack:
one attempt at root (likely the null password attack, as a guess).
Reason for my tiredness? I'm a third shift admin.
Thank you for the clarification.
On May 7, 2008, at 1:15 PM, Erin Carroll wrote:
> Robert,
>
> I agree that this kind of traffic/attack is extremely common. The only
> notable thing about this one is the very slow attack interval perceived by
> the individual targets. Instead of hammering away at a single target it
> looks like a botnet which is cycling through a large list of targets to
> spread the attack around and more likely sneak in under the radar. That way
> the botnet can leverage its size to run thousands of attacks simultaneously
> but limit the risk of alerting the individual targets since each destination
> is hit with attempts in a small trickle. This method of attack is not so
> common.
>
> It's easy to see or be alerted on the defense side of hundreds or thousands
> of failed attempts but a couple an hour from all different IP's? Fairly easy
> to imagine this slipping past most automated defense or threshold-based
> protections alerts for organizations. Fail2ban, denyhosts, and other ways of
> automating response need the threshold to be reached to blackhole/null the
> attacker source. This attack pattern seems explicitly designed to bypass
> those types of controls which is what makes it interesting.
>
>
> --
> Erin Carroll
> Moderator, SecurityFocus pen-test mailing list
> amoeba_at_amoebazone.com
> "Do Not Taunt Happy-Fun Ball"
>
> -----Original Message-----
> From: Robert Taylor [mailto:rjamestaylor_at_gmail.com]
> Sent: Wednesday, May 07, 2008 10:04 AM
> To: Gary Baribault
> Cc: incidents_at_securityfocus.com
> Subject: Re: Weird SSH attack last night and this morning (still
> ongoing)
>
> It's extremely common to have these scans.
>
> http://robotterror.com/site/wiki/mitigating_brute_force_password_attacks_with_pam_abl
>
> That's a link to my blog. I'm a Linux System Admin at a major hosting
> company; this is something I see nightly. Usually, though, I see hits
> on the order of thousands per hour before I get worried.
>
>
> On May 7, 2008, at 7:27 AM, Gary Baribault wrote:
>
>> I don't know what is going on last night and this morning ... I have
>> three Linux servers facing the Internet, two on cable modems and
>> another on a static IP/commercial connection and this last one is a
>> gateway to a Web/FTP/SMTP/Pop3/NTP Linux based system.
>>
>> I have DenyHosts installed on all three and have blocked about 75
>> attempts .. from known compromised addresses .. The log shows
>> (obviously) that there were even more attempts from addresses that
>> are unknown to DenyHosts but there was only one login attempt per
>> address and it was with the Root account .. which is obviously
>> blocked in my sshd config ..
>>
>> Of the three machines, one of them only had about 10 attempts, but
>> the other two had about 200 attempts .. all of them with only 1 try
>> with the user Root ..
>>
>> Is anyone else seeing this? Or am I being targeted? This is still
>> going on now .. and it started around 10:00 last night GMT+4
>>
>> --
>> Gary Baribault
>> Email: gary_at_baribault.net
>> GPG Key: 0x4346F013
>> GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013
>>
>
Received on May 07 2008
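The pattern Erin describes, one root attempt per source address trickling in across hundreds of sources, never trips a per-source threshold such as DenyHosts or fail2ban, but it is easy to spot if you aggregate on the target account instead of the source. The following is an added example written for this thread; it is not code from any of the participants, from DenyHosts or from pam_abl. It assumes standard OpenSSH "Failed password" syslog lines (no year in the timestamp) and runs both a classic per-source threshold and a per-account distinct-source detector over a constructed log modelled on Gary's description (one attempt per address, all against root, a few minutes apart).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" line in default syslog format (assumption: the
# hostname and pid fields look like "gw sshd[1234]:", timestamp has no year).
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2008):
    """Return a list of (timestamp, target_user, source_ip) for each failed login."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue  # not a password failure; ignore
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def per_source_alerts(events, max_failures=5, window_minutes=10):
    """Classic DenyHosts/fail2ban-style rule: a source is flagged once it
    accumulates max_failures within a sliding window. One attempt per IP
    never reaches this threshold."""
    flagged = set()
    recent = defaultdict(list)  # ip -> timestamps inside the window
    for ts, _, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > timedelta(minutes=window_minutes):
            q.pop(0)
        if len(q) >= max_failures:
            flagged.add(ip)
    return flagged


def distributed_alerts(events, min_sources=20, window_hours=6):
    """Aggregate by target account: flag an account when at least min_sources
    distinct addresses fail against it inside the window, however slowly each
    individual source is going. Returns {user: peak distinct-source count}."""
    flagged = {}
    recent = defaultdict(list)  # user -> [(ts, ip)] inside the window
    for ts, user, ip in sorted(events):
        q = recent[user]
        q.append((ts, ip))
        while q and ts - q[0][0] > timedelta(hours=window_hours):
            q.pop(0)
        sources = {src for _, src in q}
        if len(sources) >= min_sources:
            flagged[user] = max(len(sources), flagged.get(user, 0))
    return flagged


def constructed_log():
    """Constructed sample auth.log: 40 root attempts, each from a different
    TEST-NET address about three minutes apart, plus one real user mistyping
    a password twice. Addresses and hostnames are invented for the example."""
    base = datetime(2008, 5, 6, 22, 0, 0)
    lines = []
    for i in range(40):
        ts = base + timedelta(minutes=3 * i)
        lines.append(
            f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} gw sshd[{1000 + i}]: "
            f"Failed password for root from 198.51.100.{i + 1} port {40000 + i} ssh2"
        )
    for j in range(2):
        ts = base + timedelta(minutes=50 + j)
        lines.append(
            f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S} gw sshd[2000]: "
            f"Failed password for gary from 192.0.2.10 port 52000 ssh2"
        )
    return lines


if __name__ == "__main__":
    evts = parse_failures(constructed_log())
    print("per-source threshold flagged:", per_source_alerts(evts) or "nothing")
    print("per-account distinct sources:", distributed_alerts(evts))
```

The per-source rule stays silent on this log because no address ever fails more than twice, while the per-account rule reports root as being worked on from 40 distinct sources. The trade-off is the opposite failure mode: a shared account that many legitimate users mistype against can hit the distinct-source threshold, so in practice the account-level alert is a trigger for investigation (and for confirming root login is disabled, as Gary had) rather than for automatic blocking.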