[nycbug-talk] Analyzing malicious SSH login attempts
ike at lesmuug.org
Wed Sep 13 14:11:04 EDT 2006
Hi Dru, All,
On Sep 13, 2006, at 1:55 PM, Dru wrote:
> On Wed, 13 Sep 2006, Isaac Levy wrote:
>> Forgive my possible naiveté, but how does any ssh/packet-filter
>> incorporation strategy really secure anything, big picture
>> (regardless of the implementation)?
> Aaah, but isn't that the rub in security? Security after all is a
> myth, or at best, an arms race where you have to balance risk and
> effort :-)
That statement gets the packet-fu award from me for this summer.
>> What happens when ssh passwords come under distributed dictionary
>> attack by a botnet (many IP addresses)? Wouldn't it render the
>> filter moot, and perhaps even create a resource attack as a side
>> effect of dynamically loading gargantuan filter rulesets?
> I haven't experienced this problem and would be interested to hear
> if others have.
I haven't seen it with SSH, but I have experienced this with MTA's
and web applications, simultaneous distributed dict. attacks, each
originating from a different IP address. Ugly. Not sure of the
scale or true nature of the attacker's systems, never investigated
once the problem was solved- (the apps modified to limit particular
auth. attempt scale, respectively).
> My worst box experience was on a network where the ISP did
> absolutely no upstream filtering. The first time I activated a
> service on that system, I had to stop it within 30 seconds as the
> amount of crap traffic hitting the system was faster than syslog
> could keep up with. However
> some pf overload rules took care of the crap and even though the
> table I was overloading to had over 10,000 entries, it did not effect
> performance on the box. Being a bit cautious, I spent an afternoon
> whois'ing and combining network blocks for portions of the world
> that had no
> legit reason to contact that server--again, I'd be interested in
> hearing how large others' tables are without effecting performance.
>> What happens when an attacker spoofs the IP addresses you use, with
>> the effect of blocking you from your own systems?
> This I haven't experienced. But, again, I have addresses scattered
> throughout various networks I could come in from as I have been
> known to lock myself out on rare occasion :-)
I've had this kind of attack attempted, the following all happened in
about 20 seconds.
During a large mail joe-back attack I was part of resolving, which
also included an LTA attack on the mailserver- exploiting a vuln. in
Cyrus involving oversize subject lines (over 256 characters). Bad
I made the mistake of running a traceroute on a particular host which
was part of the attack, using my laptop behind a remote DSL line
where I was ssh'd to the servers.
Within seconds, around 100 ssh auth attempts were made to one
mailserver *spoofing the IP address of my DSL line*, in effect
locking me out of future SSH connections based on 'MaxAuthTries' in
I had a few shells already on that box, so I was able to continue
working, (or I guess I could have figured out how to flush
MaxAuthTries somehow if I needed to do it then). That was less
important to me though, for suddenly my DSL line was ping-flooded
with what must have been oversized packets, and I went dark for a few
Startled the bejeziz out of me at the time though, bad day, won't
forget it. :)
More information about the talk