[nycbug-talk] Analyzing malicious SSH login attempts

Dru dlavigne6 at sympatico.ca
Wed Sep 13 13:55:01 EDT 2006



On Wed, 13 Sep 2006, Isaac Levy wrote:

> Forgive my possible naiveté, but how does any ssh/packet-filter
> incorporation strategy really secure anything, big picture
> (regardless of the implementation)?


Aaah, but isn't that the rub in security? Security after all is a myth, or 
at best, an arms race where you have to balance risk and effort :-)


> What happens when ssh passwords come under distributed dictionary
> attack by a botnet (many IP addresses)?  Wouldn't it render the
> filter moot, and perhaps even create a resource attack as a side
> effect of dynamically loading gargantuan filter rulesets?


I haven't experienced this problem and would be interested to hear if 
others have. My worst box experience was on a network where the ISP did 
absolutely no upstream filtering. The first time I activated a service on 
that system, I had to stop it within 30 seconds as the amount of crap 
traffic hitting the system was faster than syslog could keep up with. However,
some pf overload rules took care of the crap and even though the bad_hosts
table I was overloading to had over 10,000 entries, it did not affect
performance on the box. Being a bit cautious, I spent an afternoon 
whois'ing and combining network blocks for portions of the world that had no
legit reason to contact that server--again, I'd be interested in hearing how 
large others' tables are without affecting performance.


> What happens when an attacker spoofs the IP addresses you use, with
> the effect of blocking you from your own systems?


This I haven't experienced. But, again, I have addresses scattered 
throughout various networks I could come in from as I have been known to 
lock myself out on rare occasion :-)

Dru
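A pf ruleset of the kind Dru describes, added here as an example and not taken from the thread: the overload table and rate-limit rule, plus an admin-address whitelist so that a spoofed burst from one of your own source addresses cannot land it in the block table (Isaac's lockout question). The interface name, table file path and thresholds are assumptions.

```pf
# Assumed names: adjust ext_if and the admin_hosts file for your box.
ext_if = "em0"

# Offenders are collected here; persist keeps the table across rule reloads.
# Tables are radix trees, so a 10,000+ entry table costs roughly the same per
# packet as a 10 entry one, which matches the "no performance hit" experience.
table <bad_hosts> persist
# Addresses you administer from (assumed to live in this file, one per line).
table <admin_hosts> persist file "/etc/pf/admin_hosts"

# Drop obviously spoofed packets claiming to come from our own networks.
antispoof quick for $ext_if

# 1. Your own addresses are matched first and never reach the overload rule,
#    so no amount of spoofed SYNs can push them into <bad_hosts>.
pass in quick on $ext_if proto tcp from <admin_hosts> to ($ext_if) \
    port ssh flags S/SA keep state

# 2. Anything already in the table is dropped before it can build state.
block in quick on $ext_if from <bad_hosts>

# 3. Everyone else: at most 10 concurrent connections and 5 new ones per
#    30 seconds per source; over the limit the source goes into <bad_hosts>
#    and all of its existing states are killed.
pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA \
    keep state (max-src-conn 10, max-src-conn-rate 5/30, \
                overload <bad_hosts> flush global)
```

To keep the table from growing without bound under a distributed attack, a cron job such as `pfctl -t bad_hosts -T expire 86400` drops entries that have not matched traffic in the last day.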

