RE: Weird SSH attack last night and this morning (still ongoing)

["Erin Carroll" <amoeba () amoebazone com>]

I've been there. Sleep is good.

Though you did remind me with your null attack comment to get off my butt
and capture the packets to see if it's a specific hole trying to be
exploited and not just a brute force password run. 


--
Erin Carroll
Moderator, SecurityFocus pen-test mailing list
amoeba () amoebazone com
"Do Not Taunt Happy-Fun Ball"




-----Original Message-----
From: Robert Taylor [mailto:rjamestaylor () gmail com] 
Sent: Wednesday, May 07, 2008 11:24 AM
To: Erin Carroll
Cc: 'Gary Baribault'; incidents () securityfocus com
Subject: Re: Weird SSH attack last night and this morning (still ongoing)

Good points.

I plead exhaustion for missing the key differentiator of this attack :  
one attempt at root (likely the null password attack, as a guess).  
Reason for my tiredness? I'm a third shift admin.

Thank you for the clarification.

On May 7, 2008, at 1:15 PM, Erin Carroll wrote:

> Robert,
>
> I agree that this kind of traffic/attack is extremely common. The only
> notable thing about this one is the very slow attack interval  
> perceived by
> the individual targets. Instead of hammering away at a single target  
> it
> looks like a botnet which is cycling through a large list of targets  
> to
> spread the attack around and more likely sneak in under the radar.  
> That way
> the botnet can leverage its size to run thousands of attacks  
> simultaneously
> but limit the risk of alerting the individual targets since each  
> destination
> is hit with attempts in a small trickle. This method of attack is  
> not so
> common.
>
> It's easy to see or be alerted on the defense side of hundreds or  
> thousands
> of failed attempts but a couple an hour from all different IP's?  
> Fairly easy
> to imagine this slipping past most automated defense or threshold- 
> based
> protections alerts for organizations. Fail2ban, denyhosts, and other  
> ways of
> automating response need the threshold to be reached to blackhole/ 
> null the
> attacker source. This attack pattern seems explicitly designed to  
> bypass
> those types of controls which is what makes it interesting.
>
>
> --
> Erin Carroll
> Moderator, SecurityFocus pen-test mailing list
> amoeba () amoebazone com
> "Do Not Taunt Happy-Fun Ball"
>
>
>
>
>
>
> -----Original Message-----
> From: Robert Taylor [mailto:rjamestaylor () gmail com]
> Sent: Wednesday, May 07, 2008 10:04 AM
> To: Gary Baribault
> Cc: incidents () securityfocus com
> Subject: Re: Weird SSH attack last night and this morning (still  
> ongoing)
>
> It's extremely common to have these scans.
http://robotterror.com/site/wiki/mitigating_brute_force_password_attacks_wit
> h_pam_abl
>
> That's a link to my blog. I'm a Linux System Admin at a major hosting
> company; this is something I see nightly. Usually, though, I see hits
> on the order of thousands per hour before I get worried.
>
>
> On May 7, 2008, at 7:27 AM, Gary Baribault wrote:
>
> > I don't know what is going on last night and this morning ... I have
> > three Linux servers facing the Internet, two on cable modems and
> > another on a static IP/commercial connection and this last one is a
> > gateway to a Web/FTP/SMTP/Pop3/NTP Linux based system.
> >
> > I have DenyHosts installed on all three and have blocked about 75
> > attempts ..  from known compromised adresses .. The log shows
> > (obviously) that there where even more attempts from adresses that
> > are unknown to DenyHosts but there was only one login attemps per
> > adress and it was with the Root account .. which is obviously
> > blocked in my sshd config ..
> >
> > Of the three machines, one of them only had about 10 attempts, but
> > the other two had about 200 attempts .. all of them with only 1 try
> > with the user Root ..
> >
> > Is any one else seing this? or am I being targeted? This is still
> > going on now .. and it started arround 10:00 last night GMT+4
> >
> > -- 
> > Gary Baribault
> > Courriel: gary () baribault net
> > GPG Key: 0x4346F013
> > GPG Fingerprint: BCE8 2E6B EB39 9B23 6904 1DF4 C4E6 2CF7 4346 F013