[nycbug-talk] Analyzing malicious SSH login attempts

Isaac Levy ike at lesmuug.org
Wed Sep 13 14:11:04 EDT 2006

Hi Dru, All,

On Sep 13, 2006, at 1:55 PM, Dru wrote:

> On Wed, 13 Sep 2006, Isaac Levy wrote:
>> Forgive my possible naiveté, but how does any ssh/packet-filter
>> incorporation strategy really secure anything, big picture
>> (regardless of the implementation)?
> Aaah, but isn't that the rub in security? Security after all is a  
> myth, or at best, an arms race where you have to balance risk and  
> effort :-)

That statement gets the packet-fu award from me for this summer.

>> What happens when ssh passwords come under distributed dictionary
>> attack by a botnet (many IP addresses)?  Wouldn't it render the
>> filter moot, and perhaps even create a resource attack as a side
>> effect of dynamically loading gargantuan filter rulesets?
> I haven't experienced this problem and would be interested to hear  
> if others have.

I haven't seen it with SSH, but I have experienced this with MTA's  
and web applications, simultaneous distributed dict. attacks, each  
originating from a different IP address.  Ugly.  Not sure of the  
scale or true nature of the attacker's systems, never investigated  
once the problem was solved- (the apps modified to limit particular  
auth. attempt scale, respectively).

> My worst box experience was on a network where the ISP did
> absolutely no upstream filtering. The first time I activated a
> service on that system, I had to stop it within 30 seconds as the
> amount of crap traffic hitting the system was faster than syslog
> could keep up with. However some pf overload rules took care of the
> crap and even though the bad_hosts table I was overloading to had
> over 10,000 entries, it did not affect performance on the box. Being
> a bit cautious, I spent an afternoon whois'ing and combining network
> blocks for portions of the world that had no legit reason to contact
> that server--again, I'd be interested in hearing how large others'
> tables are without affecting performance.


>> What happens when an attacker spoofs the IP addresses you use, with
>> the effect of blocking you from your own systems?
> This I haven't experienced. But, again, I have addresses scattered  
> throughout various networks I could come in from as I have been  
> known to lock myself out on rare occasion :-)

I've had this kind of attack attempted, the following all happened in  
about 20 seconds.
During a large mail joe-back attack I was part of resolving, which  
also included an LTA attack on the mailserver- exploiting a vuln. in  
Cyrus involving oversize subject lines (over 256 characters).  Bad  
day altogether.

I made the mistake of running a traceroute on a particular host which  
was part of the attack, using my laptop behind a remote DSL line  
where I was ssh'd to the servers.
Within seconds, around 100 ssh auth attempts were made to one  
mailserver *spoofing the IP address of my DSL line*, in effect  
locking me out of future SSH connections based on 'MaxAuthTries' in  
I had a few shells already on that box, so I was able to continue  
working, (or I guess I could have figured out how to flush  
MaxAuthTries somehow if I needed to do it then).  That was less  
important to me though, for suddenly my DSL line was ping-flooded  
with what must have been oversized packets, and I went dark for a few  

Startled the bejeziz out of me at the time though, bad day, won't  
forget it.  :)

> Dru
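An added example, not code from this thread: a small Python check over sshd log lines that separates the two cases the exchange above raises, one source hammering a box (the pattern a per-source pf overload rule into a bad_hosts table also catches) and a distributed dictionary attack spread thin across many addresses, which a per-source rule never trips. The sshd log lines are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sshd "Failed password" lines (sample data, not from the thread).
SAMPLE_LOG = """\
Sep 13 13:50:01 mx1 sshd[2231]: Failed password for root from 203.0.113.7 port 51122 ssh2
Sep 13 13:50:02 mx1 sshd[2233]: Failed password for root from 203.0.113.7 port 51130 ssh2
Sep 13 13:50:03 mx1 sshd[2235]: Failed password for root from 203.0.113.7 port 51141 ssh2
Sep 13 13:50:10 mx1 sshd[2240]: Failed password for invalid user admin from 198.51.100.10 port 40001 ssh2
Sep 13 13:50:11 mx1 sshd[2242]: Failed password for invalid user admin from 198.51.100.11 port 40002 ssh2
Sep 13 13:50:12 mx1 sshd[2244]: Failed password for invalid user admin from 198.51.100.12 port 40003 ssh2
Sep 13 13:50:13 mx1 sshd[2246]: Failed password for invalid user admin from 198.51.100.20 port 40004 ssh2
Sep 13 13:50:14 mx1 sshd[2248]: Failed password for invalid user admin from 198.51.100.33 port 40005 ssh2
Sep 13 13:51:00 mx1 sshd[2250]: Failed password for dru from 192.0.2.50 port 50123 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2"
)

def parse_failures(log_text):
    """Return a list of (user, src_ip) tuples, one per failed password attempt."""
    pairs = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            pairs.append((m.group("user"), m.group("src")))
    return pairs

def single_source_offenders(failures, threshold):
    """Sources with at least `threshold` failures: what a per-source overload rule sees."""
    counts = defaultdict(int)
    for _, src in failures:
        counts[src] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)

def distributed_targets(failures, min_sources, per_source_max):
    """Usernames probed from at least `min_sources` distinct IPs, each at or under
    `per_source_max` attempts, so every source stays below a per-IP rate limit."""
    per_user = defaultdict(lambda: defaultdict(int))
    for user, src in failures:
        per_user[user][src] += 1
    hits = {}
    for user, srcs in per_user.items():
        quiet = sorted(s for s, n in srcs.items() if n <= per_source_max)
        if len(quiet) >= min_sources:
            hits[user] = quiet
    return hits
```

Only the per-username view exposes the second pattern; a table keyed on source address stays empty for it however large it is allowed to grow.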
