[nycbug-talk] Analyzing malicious SSH login attempts
Dru
dlavigne6 at sympatico.ca
Wed Sep 13 13:55:01 EDT 2006
On Wed, 13 Sep 2006, Isaac Levy wrote:
> Forgive my possible naiveté, but how does any ssh/packet-filter
> incorporation strategy really secure anything, big picture
> (regardless of the implementation)?
Aaah, but isn't that the rub in security? Security after all is a myth, or
at best, an arms race where you have to balance risk and effort :-)
> What happens when ssh passwords come under distributed dictionary
> attack by a botnet (many IP addresses)? Wouldn't it render the
> filter moot, and perhaps even create a resource attack as a side
> effect of dynamically loading gargantuan filter rulesets?
I haven't experienced this problem and would be interested to hear if
others have. My worst box experience was on a network where the ISP did
absolutely no upstream filtering. The first time I activated a service on
that system, I had to stop it within 30 seconds as the amount of crap
traffic hitting the system was faster than syslog could keep up with. However,
some pf overload rules took care of the crap, and even though the bad_hosts
table I was overloading to had over 10,000 entries, it did not affect
performance on the box. Being a bit cautious, I spent an afternoon
whois'ing and combining network blocks for portions of the world that had no
legit reason to contact that server--again, I'd be interested in hearing how
large others' tables are without affecting performance.
> What happens when an attacker spoofs the IP addresses you use, with
> the effect of blocking you from your own systems?
This I haven't experienced. But, again, I have addresses scattered
throughout various networks I could come in from as I have been known to
lock myself out on rare occasion :-)
Dru
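The overload setup Dru describes (a pf state rule that pushes abusive source addresses into a persistent table, plus a whitelist so you don't lock yourself out), written out as an added pf.conf example. This is not a ruleset from the original post; the interface name, the admin addresses and the rate thresholds are assumptions chosen for illustration, and the pfctl commands in the comments are the standard table-maintenance invocations.

```pf
# Added example, not the poster's own ruleset. Interface name and
# addresses below are constructed placeholders.
ext_if = "em0"

# Persistent table that the overload clause fills at runtime.
table <bad_hosts> persist

# Addresses you administer from; pre-seeded so they are never blocked.
table <admins> persist { 203.0.113.10, 198.51.100.0/24 }

set skip on lo0

# First match wins for "quick" rules, so admins are admitted before
# the block rule is ever consulted, even if an admin address somehow
# ends up in <bad_hosts> (e.g. spoofed-source noise).
pass in quick on $ext_if proto tcp from <admins> to ($ext_if) port ssh \
    flags S/SA keep state

# Drop anything already identified as abusive, before it reaches sshd.
block in quick on $ext_if from <bad_hosts>

# Everyone else may reach ssh, but more than 3 new connections in
# 30 seconds (or more than 10 concurrent) moves the source into
# <bad_hosts>; "flush global" tears down its existing states too.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, \
     overload <bad_hosts> flush global)

# Table housekeeping, run from cron so a botnet cannot grow the
# table without bound:
#   pfctl -t bad_hosts -T expire 86400   # drop entries older than a day
#   pfctl -t bad_hosts -T show | wc -l   # watch how large it gets
#   pfctl -t admins   -T add 192.0.2.7   # add a new admin address
```

Because pf's address tables are radix trees, lookups cost the same for 10 entries or 10,000, which is consistent with the observation above that a large bad_hosts table did not hurt performance; the operational risk is memory and the age of stale entries, which the expire job bounds.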