From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 15:58:16 2005
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1380416A4CE for ; Wed, 6 Apr 2005 15:58:16 +0000 (GMT)
Received: from avscan1.sentex.ca (avscan1.sentex.ca [199.212.134.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9CE8343D2D for ; Wed, 6 Apr 2005 15:58:15 +0000 (GMT) (envelope-from mike@sentex.net)
Received: from localhost (localhost.sentex.ca [127.0.0.1]) by avscan1.sentex.ca (8.12.11/8.12.11) with ESMTP id j36FwBW1024495; Wed, 6 Apr 2005 11:58:11 -0400 (EDT) (envelope-from mike@sentex.net)
Received: from avscan1.sentex.ca ([127.0.0.1]) by localhost (avscan1.sentex.ca [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 23621-10; Wed, 6 Apr 2005 11:58:11 -0400 (EDT)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by avscan1.sentex.ca (8.12.11/8.12.11) with ESMTP id j36FwBm4024480; Wed, 6 Apr 2005 11:58:11 -0400 (EDT) (envelope-from mike@sentex.net)
Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.13.3/8.12.11) with ESMTP id j36Fw5Lp002944; Wed, 6 Apr 2005 11:58:05 -0400 (EDT) (envelope-from mike@sentex.net)
Message-Id: <6.2.1.2.0.20050406114850.04d0b538@64.7.153.2>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.1.2
Date: Wed, 06 Apr 2005 11:56:29 -0400
To: Martin McCormick , freebsd-security@freebsd.org
From: Mike Tancsa
In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
References: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Virus-Scanned: by amavisd-new
X-Virus-Scanned: by amavisd-new at avscan1b
Subject: Re: What is this Very Stupid DOS Attack Script?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 06 Apr 2005 15:58:16 -0000

At 11:49 AM 06/04/2005, Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
>
> Apr 6 05:41:51 dc sshd[88763]: Did not receive identification
>   string from 67.19.58.170
> Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal
>   user anonymous
>
> Other than spewing lots of entries into syslog, what is the
> purpose of the attack? Are they just hoping to luck into an open
> account? The odds of guessing the right account name and then guessing
> the correct password are astronomical to say the least.

Actually, sadly the odds are far too good given the cost to run such a
script. Unless you force users to use GOOD passwords, they will use dumb
ones.... Think Paris Hilton recently. The cost to let a script like that
go in the background and pound away at hosts that have open ssh access is
zilch. If you have ftpd running anywhere, you will see similar attempts.

---Mike
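The lines Martin quotes are the fingerprint of an unattended dictionary script: one source address, many usernames, seconds apart. As an added example (not code from this thread, from FreeBSD, or from OpenSSH), here is a small Python script that parses sshd syslog lines of that era, aggregates them per source address, and flags both the burst and the outcome Mike is warning about, a successful login following a run of failures from the same source. The sample log is constructed: the first two lines are the ones quoted above, and the remaining lines, the addresses 10.0.0.5 and 192.0.2.77, the usernames, the year, and the thresholds are assumptions made for the example.

```python
"""Detect sshd dictionary attacks in FreeBSD-style syslog output.

Added example, not from the thread. Sample log lines are constructed;
the first two are the ones quoted in the message, the rest use the
"Failed password for [illegal user] X from IP port N ssh2" format that
OpenSSH logged at the time (newer releases say "invalid user").
"""
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2005  # assumption: syslog carries no year; the thread is from April 2005

SAMPLE_LOG = """\
Apr  6 05:41:51 dc sshd[88763]: Did not receive identification string from 67.19.58.170
Apr  6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous
Apr  6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 67.19.58.170 port 51233 ssh2
Apr  6 05:49:44 dc sshd[12391]: Failed password for illegal user test from 67.19.58.170 port 51240 ssh2
Apr  6 05:49:46 dc sshd[12393]: Failed password for illegal user guest from 67.19.58.170 port 51248 ssh2
Apr  6 05:49:48 dc sshd[12395]: Failed password for illegal user admin from 67.19.58.170 port 51255 ssh2
Apr  6 05:49:50 dc sshd[12397]: Failed password for root from 67.19.58.170 port 51261 ssh2
Apr  6 05:49:52 dc sshd[12399]: Failed password for illegal user oracle from 67.19.58.170 port 51270 ssh2
Apr  6 06:12:03 dc sshd[12520]: Failed password for martin from 10.0.0.5 port 40012 ssh2
Apr  6 06:12:20 dc sshd[12522]: Accepted password for martin from 10.0.0.5 port 40013 ssh2
Apr  6 07:30:00 dc sshd[12600]: Failed password for illegal user guest from 192.0.2.77 port 2001 ssh2
Apr  6 07:30:02 dc sshd[12602]: Failed password for illegal user admin from 192.0.2.77 port 2002 ssh2
Apr  6 07:30:04 dc sshd[12604]: Failed password for root from 192.0.2.77 port 2003 ssh2
Apr  6 07:30:06 dc sshd[12606]: Failed password for illegal user test from 192.0.2.77 port 2004 ssh2
Apr  6 07:30:08 dc sshd[12608]: Failed password for backup from 192.0.2.77 port 2005 ssh2
Apr  6 07:30:10 dc sshd[12610]: Accepted password for backup from 192.0.2.77 port 2006 ssh2
"""

PREFIX = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (.*)$")
PROBE = re.compile(r"^Did not receive identification string from (\S+)")
FAILED = re.compile(r"^Failed \S+ for (?:(illegal|invalid) user )?(\S+) from (\S+)")
ACCEPTED = re.compile(r"^Accepted \S+ for (\S+) from (\S+)")


def parse_line(line):
    """Return an event dict for the sshd lines we care about, else None.

    The bare 'input_userauth_request: illegal user X' line names no source
    address, so it is skipped; the 'Failed password ... from IP' line sshd
    logs right after it carries the same fact plus the address.
    """
    m = PREFIX.match(line)
    if not m:
        return None
    mon, day, clock, msg = m.groups()
    ts = datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S").replace(year=YEAR)
    p = PROBE.match(msg)
    if p:
        return {"ts": ts, "src": p.group(1), "kind": "probe", "user": None, "illegal": False}
    f = FAILED.match(msg)
    if f:
        return {"ts": ts, "src": f.group(3), "kind": "failed",
                "user": f.group(2), "illegal": f.group(1) is not None}
    a = ACCEPTED.match(msg)
    if a:
        return {"ts": ts, "src": a.group(2), "kind": "accepted", "user": a.group(1), "illegal": False}
    return None


def max_in_window(timestamps, window_seconds):
    """Largest number of timestamps that fall inside any window_seconds span."""
    ts = sorted(timestamps)
    best = lo = 0
    for hi, t in enumerate(ts):
        while (t - ts[lo]).total_seconds() > window_seconds:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def summarize(log_text, window_seconds=600, threshold=5):
    """Per-source summary. 'suspicious' means >= threshold failures within the
    window; 'likely_compromised' means a login was accepted from a source that
    had already failed >= threshold times (the weak-password case)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["kind"] == "failed"]
        peak = max_in_window([e["ts"] for e in failures], window_seconds)
        fails_so_far, compromised = 0, False
        for e in evs:
            if e["kind"] == "failed":
                fails_so_far += 1
            elif e["kind"] == "accepted" and fails_so_far >= threshold:
                compromised = True
        report[src] = {
            "probes": sum(1 for e in evs if e["kind"] == "probe"),
            "failed": len(failures),
            "illegal_user": sum(1 for e in failures if e["illegal"]),
            "usernames": sorted({e["user"] for e in failures}),
            "peak_failures_in_window": peak,
            "suspicious": peak >= threshold,
            "likely_compromised": compromised,
        }
    return report


def flagged(report):
    """Sources worth acting on, sorted for stable output."""
    return sorted(s for s, r in report.items() if r["suspicious"] or r["likely_compromised"])


if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for src in flagged(rep):
        print(src, rep[src])
```

On a FreeBSD box you would feed it /var/log/auth.log (or whatever syslog.conf sends auth.info to) rather than the embedded sample, and tune the window and threshold to your traffic. The script only tells you the attack happened; Mike's point stands, so the companion control is to make guessing not pay at all, with PasswordAuthentication no and PermitRootLogin no in sshd_config, which also quiets the syslog flood Martin is seeing.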