IT Knowledge Exchange

Register

Forgot Password

Site FAQ

Advertisement

Home > IT Blogs > Security Bytes > SSH brute force attacks still going strong

» VIEW ALL POSTS Sep 19 2008 1:25PM GMT

SSH brute force attacks still going strong

Posted by: Dennis Fisher

Information Security Threats

The brute-force SSH attacks that have plagued the Internet for much of this year are continuing, and experts are responding by creating tools to stop the brute-force attempts and lists of the attacking IP addresses. The SANS Internet Storm Center has a good post with some information on SSH attack mitigation tools and advice on what to do if you’re being attacked. But the most interesting information on this wave of attacks is coming from The Shadowserver Foundation, which has compiled a quick list of some IP addresses that are attacking and the domains that own those machines. The list has quite a few interesting domains on it, including a number of U.S. colleges and universities. Shadowserver also has a chart showing which countries have the most attacking IP addresses, and not surprisingly, the U.S. and China are at the top of the list, with nearly 17% in China and nearly 14% in the U.S.

It’s a small sample size, but if you’re being hit with this, it never hurts to know where it’s coming from. These attacks have been ongoing for several months, and there are a variety of attack tools out there to make life simple for the bad guys. Stay tuned, as I’d doubt this is going to stop anytime soon.

Comment

RSS Feed

Comment on this Post

You must be logged-in to post a comment. Log-in/Register

More attacks on SSH passwords — Security Bytes | Oct 3 2008 4:02PM GMT

[...] It appears that SSH attacks are becoming the go-to move for lazy attackers looking to victimize lazy admins. A couple of weeks ago I wrote about some ongoing brute-force attacks against SSH implementations and now it seems that attackers are moving on to some new tactics. The INternet Storm Center has gotten a couple of reports of SSH attacks in which the attacking machines are trying to brute-force the SSH password with about 20 attempts per hour. The key here is that number of attempts falls below the threshold of the scripts usually used to detect these attempts and ban the attacking IP addresses. Usernames are being brute forced starting at “aaa” and incremented. This is being done in a distributed manner with almost perfect synchronization between the scanning hosts. Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses. Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs. At peak, there was only 20 total attempts per hour. Note that the username guessing did not actually cover all possibilities. Perhaps it is a bug, or by design. The last letter was not being exhaustively tested - only about 10 of 26 letters were being tested in the last position, and it seemed to be randomly picked. [...]

More attacks on SSH passwords | Security in Mind | Oct 4 2008 7:33PM GMT

[...] It appears that SSH attacks are becoming the go-to move for lazy attackers looking to victimize lazy admins. A couple of weeks ago I wrote about some ongoing brute-force attacks against SSH implementations and now it seems that attackers are moving on to some new tactics. The INternet Storm Center has gotten a couple of reports of SSH attacks in which the attacking machines are trying to brute-force the SSH password with about 20 attempts per hour. The key here is that number of attempts falls below the threshold of the scripts usually used to detect these attempts and ban the attacking IP addresses. Usernames are being brute forced starting at “aaa” and incremented. This is being done in a distributed manner with almost perfect synchronization between the scanning hosts. Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses. Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs. At peak, there was only 20 total attempts per hour. Note that the username guessing did not actually cover all possibilities. Perhaps it is a bug, or by design. The last letter was not being exhaustively tested - only about 10 of 26 letters were being tested in the last position, and it seemed to be randomly picked. [...]

More attacks on SSH passwords | Security in Mind | Oct 19 2008 11:53AM GMT

[...] It appears that SSH attacks are becoming the go-to move for lazy attackers looking to victimize lazy admins. A couple of weeks ago I wrote about some ongoing brute-force attacks against SSH implementations and now it seems that attackers are moving on to some new tactics. The INternet Storm Center has gotten a couple of reports of SSH attacks in which the attacking machines are trying to brute-force the SSH password with about 20 attempts per hour. The key here is that number of attempts falls below the threshold of the scripts usually used to detect these attempts and ban the attacking IP addresses. Usernames are being brute forced starting at “aaa” and incremented. This is being done in a distributed manner with almost perfect synchronization between the scanning hosts. Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses. Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs. At peak, there was only 20 total attempts per hour. Note that the username guessing did not actually cover all possibilities. Perhaps it is a bug, or by design. The last letter was not being exhaustively tested - only about 10 of 26 letters were being tested in the last position, and it seemed to be randomly picked. [...]

Visit Information Security Home | Information Security News | Information Security White Papers | Information Security Videos | Information Security Resources

Ask an IT Question

About the Blogger

Robert Westervelt

Twitter.com/rwestervelt Rob is a news reporter and editor for SearchSecurity.com. Since joining TechTarget in July 2003, Rob has covered SAP, Oracle and the database industry for SearchDatabase.com, SearchSAP.com and SearchOracle.com. Prior to joining TechTarget, Rob was a newspaper reporter for five years at The Day in New London, Conn., where he wrote a variety of crime, general news, government and business stories while covering towns in Southeastern Connecticut. A military veteran, Rob served four years with the U.S. Air Force, U.S. Forces Police in Kaiserslautern Germany. He holds a degree in journalism from the University of Connecticut. READ MORE

>> READ MORE ABOUT THE BLOGGERS

Browse This Blog's Tags

Adobe, Antivirus, antivirus software, Application Security, banking Trojan, botnets, budget, Cisco, CISO, cloud security services, Compliance, Conficker, cross site scripting, Data Breaches and Identity Theft, Data Breaches and Identity Theft, Data leakage, data security, email securit, federal cybersecurity, Firefox security, Identity and access management, Information Security Careers, Information Security Threats, insider threats, Laws, Investigations and Ethics, Microsoft Security, Mozilla security, Network Security, patch management, patching, Phishing, Platform Security, Privacy, ransomeware, risk, Rogue Antivirus, secureworld, Security, security appliance, security budgets, security jobs, Security Management, Security Vendor News, social networking flaws, Twitter security, Uncategorized, web application flaws, Welcome, XSS, zero-day

Security Wire Daily News

brought to you by SearchSecurity.com

Partner Engage 2009: Symantec unveils new programs, incentives for VARs
At the Symantec Partner Engage 2009 channel conference this week, Symantec's new CEO unveiled a new, more channel-friendly vision for the security gia...READ MORE

Microsoft to address flaws in Windows, Office for Mac
Vulnerabilities affecting Windows and Microsoft Office will be updated next week, according to the software giant's advance notification.

Cloud computing data security starts with internal strategy, experts say
EMC's Eric Baize says companies should consider security early and establish trust with the cloud provider. But many factors hinge on an enterprise's ...READ MORE

Expert calls SSL protocol vulnerability a non issue
The researchers who discovered the SSL vulnerability warn that it could have far reaching affects and are working with a consortium of vendors to coor...READ MORE

Two-factor authentication, vigilance foil password theft
Password stealing Trojans, keyloggers and other malware are reaping account credentials by the thousands forcing some to rethink password policies and...READ MORE

Blog Roll

Help

Subscribe to Alerts

RSS feed of Security Bytes

Community Blog | About Us | Contact Us | FAQ | Terms of Use | DMCA Policy

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organization's IT projects - with its network of technology-specific Web sites, events and magazines.

All Rights Reserved, Copyright 1999-2009, TechTarget | Read our Privacy Policy | Site Map

Podcast Powered by podPress (v8.8)