From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 15:49:09 2005
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 317D516A4CE for ; Wed, 6 Apr 2005 15:49:09 +0000 (GMT)
Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.100.219]) by mx1.FreeBSD.org (Postfix) with ESMTP id D9A3F43D39 for ; Wed, 6 Apr 2005 15:49:08 +0000 (GMT) (envelope-from martin@dc.cis.okstate.edu)
Received: from dc.cis.okstate.edu (localhost.cis.okstate.edu [127.0.0.1]) by dc.cis.okstate.edu (8.12.6/8.12.6) with ESMTP id j36Fn8Y5082507 for ; Wed, 6 Apr 2005 10:49:08 -0500 (CDT) (envelope-from martin@dc.cis.okstate.edu)
Message-Id: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
To: freebsd-security@freebsd.org
Date: Wed, 06 Apr 2005 10:49:08 -0500
From: Martin McCormick
Subject: What is this Very Stupid DOS Attack Script?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
X-List-Received-Date: Wed, 06 Apr 2005 15:49:09 -0000

We have been noticing flurries of sshd reject messages in which some system out there in the hinterlands hits us with a flood of ssh login attempts.
An example:

    Apr 6 05:41:51 dc sshd[88763]: Did not receive identification string from 67.19.58.170
    Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous
    Apr 6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 67.19.58.170 port 32942 ssh2
    Apr 6 05:49:42 dc sshd[12389]: Received disconnect from 67.19.58.170: 11: Bye Bye
    Apr 6 05:49:42 dc sshd[12406]: input_userauth_request: illegal user bruce
    Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
    Apr 6 05:49:42 dc sshd[12406]: Received disconnect from 67.19.58.170: 11: Bye Bye
    Apr 6 05:49:42 dc sshd[12422]: input_userauth_request: illegal user chuck

You get the idea. This goes on for 3 or 4 minutes and then just stops for now. I can almost promise that later, another attack will start from some other IP address and blaze away for a few minutes.

Other than spewing lots of entries into syslog, what is the purpose of the attack? Are they just hoping to luck into an open account? The odds of guessing the right account name and then guessing the correct password are astronomical, to say the least. Direct root logins are not possible, so there is another roadblock.

This seems on the surface to be aimed at simply filling up the /var file system, but it is so stupid as to make me wonder if there is something else more sophisticated that we truly need to be trembling in our shoes over.

I notice from the syslog servers here that the same system is hammering other sshd applications on those devices at the same time it is hitting this system, so whatever script it is is probably just trolling our network, looking for anything that answers.

Thanks for any useful information as to the nature of what appears to be more of a nuisance than a diabolical threat to security.

Martin McCormick WB5AGZ Stillwater, OK
OSU Information Technology Division Network Operations Group