Posted by: David Schneier
The brute-force SSH attacks that have plagued the Internet for much of this year are continuing, and experts are responding by creating tools to stop the brute-force attempts and lists of the attacking IP addresses. The SANS Internet Storm Center has a good post with some information on SSH attack mitigation tools and advice on what to do if you’re being attacked. But the most interesting information on this wave of attacks is coming from The Shadowserver Foundation, which has compiled a quick list of some IP addresses that are attacking and the domains that own those machines. The list has quite a few interesting domains on it, including a number of U.S. colleges and universities. Shadowserver also has a chart showing which countries have the most attacking IP addresses, and not surprisingly, the U.S. and China are at the top of the list, with nearly 17% in China and nearly 14% in the U.S.
It’s a small sample size, but if you’re being hit with this, it never hurts to know where it’s coming from. These attacks have been ongoing for several months, and there are a variety of attack tools out there to make life simple for the bad guys. Stay tuned, as I’d doubt this is going to stop anytime soon.