http://itknowledgeexchange.techtarget.com/security-bytes/ssh-brute-force-attacks-still-going-strong/ A SearchSecurity.com blog Fri, 27 Nov 2009 19:00:31 +0000 http://wordpress.org/?v=2.6.2 http://itknowledgeexchange.techtarget.com/security-bytes/ssh-brute-force-attacks-still-going-strong/#comment-555 More attacks on SSH passwords | Security in Mind Sun, 19 Oct 2008 15:53:49 +0000 http://security.blogs.techtarget.com/2008/09/19/ssh-brute-force-attacks-still-going-strong/#comment-555 [...] It appears that SSH attacks are becoming the go-to move for lazy attackers looking to victimize lazy admins. A couple of weeks ago I wrote about some ongoing brute-force attacks against SSH implementations and now it seems that attackers are moving on to some new tactics. The INternet Storm Center has gotten a couple of reports of SSH attacks in which the attacking machines are trying to brute-force the SSH password with about 20 attempts per hour. The key here is that number of attempts falls below the threshold of the scripts usually used to detect these attempts and ban the attacking IP addresses. Usernames are being brute forced starting at “aaa” and incremented. This is being done in a distributed manner with almost perfect synchronization between the scanning hosts. Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses. Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs. At peak, there was only 20 total attempts per hour. Note that the username guessing did not actually cover all possibilities. Perhaps it is a bug, or by design. The last letter was not being exhaustively tested - only about 10 of 26 letters were being tested in the last position, and it seemed to be randomly picked. [...] [...] It appears that SSH attacks are becoming the go-to move for lazy attackers looking to victimize lazy admins. A couple of weeks ago I wrote about some ongoing brute-force attacks against SSH implementations and now it seems that attackers are moving on to some new tactics. The INternet Storm Center has gotten a couple of reports of SSH attacks in which the attacking machines are trying to brute-force the SSH password with about 20 attempts per hour. The key here is that number of attempts falls below the threshold of the scripts usually used to detect these attempts and ban the attacking IP addresses. Usernames are being brute forced starting at “aaa” and incremented. This is being done in a distributed manner with almost perfect synchronization between the scanning hosts. Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses. Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs. At peak, there was only 20 total attempts per hour. Note that the username guessing did not actually cover all possibilities. Perhaps it is a bug, or by design. The last letter was not being exhaustively tested - only about 10 of 26 letters were being tested in the last position, and it seemed to be randomly picked. [...]

]]> http://itknowledgeexchange.techtarget.com/security-bytes/ssh-brute-force-attacks-still-going-strong/#comment-554 More attacks on SSH passwords | Security in Mind Sat, 04 Oct 2008 23:33:34 +0000 http://security.blogs.techtarget.com/2008/09/19/ssh-brute-force-attacks-still-going-strong/#comment-554 [...] It appears that SSH attacks are becoming the go-to move for lazy attackers looking to victimize lazy admins. A couple of weeks ago I wrote about some ongoing brute-force attacks against SSH implementations and now it seems that attackers are moving on to some new tactics. The INternet Storm Center has gotten a couple of reports of SSH attacks in which the attacking machines are trying to brute-force the SSH password with about 20 attempts per hour. The key here is that number of attempts falls below the threshold of the scripts usually used to detect these attempts and ban the attacking IP addresses. Usernames are being brute forced starting at “aaa” and incremented.  This is being done in a distributed manner with almost perfect synchronization between the scanning hosts.  Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses.  Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs.  At peak, there was only 20 total attempts per hour. Note that the username guessing did not actually cover all possibilities.  Perhaps it is a bug, or by design.  The last letter was not being exhaustively tested - only about 10 of 26 letters were being tested in the last position, and it seemed to be randomly picked. [...] [...] It appears that SSH attacks are becoming the go-to move for lazy attackers looking to victimize lazy admins. A couple of weeks ago I wrote about some ongoing brute-force attacks against SSH implementations and now it seems that attackers are moving on to some new tactics. The INternet Storm Center has gotten a couple of reports of SSH attacks in which the attacking machines are trying to brute-force the SSH password with about 20 attempts per hour. The key here is that number of attempts falls below the threshold of the scripts usually used to detect these attempts and ban the attacking IP addresses. Usernames are being brute forced starting at “aaa” and incremented.  This is being done in a distributed manner with almost perfect synchronization between the scanning hosts.  Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses.  Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs.  At peak, there was only 20 total attempts per hour. Note that the username guessing did not actually cover all possibilities.  Perhaps it is a bug, or by design.  The last letter was not being exhaustively tested - only about 10 of 26 letters were being tested in the last position, and it seemed to be randomly picked. [...]

]]> http://itknowledgeexchange.techtarget.com/security-bytes/ssh-brute-force-attacks-still-going-strong/#comment-553 More attacks on SSH passwords — Security Bytes Fri, 03 Oct 2008 20:02:28 +0000 http://security.blogs.techtarget.com/2008/09/19/ssh-brute-force-attacks-still-going-strong/#comment-553 [...] It appears that SSH attacks are becoming the go-to move for lazy attackers looking to victimize lazy admins. A couple of weeks ago I wrote about some ongoing brute-force attacks against SSH implementations and now it seems that attackers are moving on to some new tactics. The INternet Storm Center has gotten a couple of reports of SSH attacks in which the attacking machines are trying to brute-force the SSH password with about 20 attempts per hour. The key here is that number of attempts falls below the threshold of the scripts usually used to detect these attempts and ban the attacking IP addresses. Usernames are being brute forced starting at “aaa” and incremented.  This is being done in a distributed manner with almost perfect synchronization between the scanning hosts.  Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses.  Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs.  At peak, there was only 20 total attempts per hour. Note that the username guessing did not actually cover all possibilities.  Perhaps it is a bug, or by design.  The last letter was not being exhaustively tested - only about 10 of 26 letters were being tested in the last position, and it seemed to be randomly picked. [...] [...] It appears that SSH attacks are becoming the go-to move for lazy attackers looking to victimize lazy admins. A couple of weeks ago I wrote about some ongoing brute-force attacks against SSH implementations and now it seems that attackers are moving on to some new tactics. The INternet Storm Center has gotten a couple of reports of SSH attacks in which the attacking machines are trying to brute-force the SSH password with about 20 attempts per hour. The key here is that number of attempts falls below the threshold of the scripts usually used to detect these attempts and ban the attacking IP addresses. Usernames are being brute forced starting at “aaa” and incremented.  This is being done in a distributed manner with almost perfect synchronization between the scanning hosts.  Over the last 32 hours, his system received 216 login attempts of which 138 attempts were from unique IP addresses.  Obviously, the attacker is trying to avoid the popular SSH banning scripts by going under the banning thresholds of these programs.  At peak, there was only 20 total attempts per hour. Note that the username guessing did not actually cover all possibilities.  Perhaps it is a bug, or by design.  The last letter was not being exhaustively tested - only about 10 of 26 letters were being tested in the last position, and it seemed to be randomly picked. [...]

]]>