Re: Weird SSH attack last night and this morning (still ongoing)

On Wed, 07 May 2008 10:53:35 PDT, Erin Carroll said:

> When I saw this hitting my servers last night I thought it an odd attack
> pattern but surmised it was either a targeted slow attack with spoofed IP's

Unless your operating system is *very* broken and doesn't do RFC1948 randomization
of the TCP Initial Sequence Number, using a spoofed ID just gets you a bunch
of sockets stuck in half-open state (SYN received, SYN/ACK send to the spoofed
source, no ACK back). If it's gotten through the 3-packet handshake, you may
as well assume that it's a real IP address (or the attacker has already pwned
enough infrastructure that they can see the SYN/ACK you send, in which case
they control the horizontal and vertical and you're now in an Outer Limits
episode... ;)