From owner-freebsd-security@FreeBSD.ORG Wed Apr 6 16:35:16 2005
Date: Wed, 06 Apr 2005 09:35:17 -0700
From: John Davis
To: freebsd-security@freebsd.org
Subject: Re: What is this Very Stupid DOS Attack Script?
Message-ID: <42540FC5.1020002@sbcglobal.net>
In-Reply-To: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
References: <200504061549.j36Fn8Y5082507@dc.cis.okstate.edu>
List-Id: Security issues [members-only posting]

Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts.
> An example:
>
> Other than spewing lots of entries into syslog, what is the
> purpose of the attack? Are they just hoping to luck into an open
> account? The odds of guessing the right account name and then guessing
> the correct password are astronomical to say the least.
> Direct root logins are not possible so there is another roadblock.

This is probably a variant of a worm that infects the server and then spends all its time trying to log into other servers by guessing the ssh password. Once it succeeds, it attempts a compromise, and if successful, tries to break into other machines.

I have read some interesting analyses on this. Apparently there are multiple variations of the worm, but they all do essentially the same thing. About the only real defense you have is to enforce a good password policy.

I have taken to dropping everything that comes from the Pacific Rim at the firewall. This has been helpful in reducing some attacks, though in my case, it seems like about a quarter of them come from inside the USA.

Here's a list of Pacific Rim IP ranges:
http://www.okean.com/iptables/rc.firewall.sinokorea

Here's an interesting read on one of the worm variants:
http://www.security.org.sg/gtec/honeynet/viewdiary.php?diary=20041102

Personally, I think people who write malicious software should be treated like terrorists because it seems to me, they are. I know it's a common defense to claim that publishing exploits is useful to IT (perhaps it is in some twisted way), but that's like saying defendants in foiled murder plots should be forgiven because they helped to expose flaws in one's personal security. It's nonsense.

-- 
-linux_lad
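The "flurries of sshd reject messages" the thread describes are easy to pick out of syslog by hand but easier to alert on by machine. The following detector is an added example, not code from the list or from either poster: it parses OpenSSH "Failed password" lines (the sample lines below are constructed, using documentation addresses), groups rejections per source address, and flags any source that exceeds a threshold inside a sliding time window, also reporting how many distinct account names it cycled through, which separates a guessing worm from a user mistyping a password. The log wording and the year used to complete syslog timestamps are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH rejection line as written to syslog, e.g.
# "Apr  6 09:23:40 gw sshd[811]: Failed password for invalid user test from 203.0.113.7 port 4111 ssh2"
# (assumed format; "Failed keyboard-interactive/pam for ..." is matched by the same pattern).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

def parse(line, year=2005):
    """Return (timestamp, source_ip, username) for an sshd rejection line, else None.
    Syslog omits the year, so one is supplied (assumption: the log is from 2005)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("user")

def find_floods(lines, threshold=5, window=60):
    """Flag sources with >= threshold rejections inside any `window` seconds.
    Returns {ip: (total_rejections, distinct_usernames_tried)}."""
    events, users = defaultdict(list), defaultdict(set)
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue  # accepted logins and unrelated daemons are ignored
        ts, ip, user = parsed
        events[ip].append(ts)
        users[ip].add(user)
    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            # slide the window start forward until [start, end] spans <= window seconds
            while (stamps[end] - stamps[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(stamps), len(users[ip]))
                break
    return flagged

# Constructed sample log lines (not from the list post): one guessing flood from
# 203.0.113.7 cycling through account names, and one benign mistyped password.
SAMPLE = [
    "Apr  6 09:23:40 gw sshd[811]: Failed password for invalid user test from 203.0.113.7 port 4111 ssh2",
    "Apr  6 09:23:43 gw sshd[813]: Failed password for invalid user guest from 203.0.113.7 port 4112 ssh2",
    "Apr  6 09:23:47 gw sshd[815]: Failed password for invalid user admin from 203.0.113.7 port 4113 ssh2",
    "Apr  6 09:23:51 gw sshd[817]: Failed password for root from 203.0.113.7 port 4114 ssh2",
    "Apr  6 09:23:55 gw sshd[819]: Failed password for invalid user user from 203.0.113.7 port 4115 ssh2",
    "Apr  6 09:24:02 gw sshd[821]: Failed password for root from 203.0.113.7 port 4116 ssh2",
    "Apr  6 09:30:10 gw sshd[900]: Failed password for martin from 198.51.100.4 port 50122 ssh2",
    "Apr  6 09:30:20 gw sshd[902]: Accepted publickey for martin from 198.51.100.4 port 50123 ssh2",
]
```

Running `find_floods(SAMPLE)` flags only 203.0.113.7, with six rejections across five account names; the single failure from 198.51.100.4 stays below the threshold, which is the distinction worth keeping before feeding such output into a firewall block list.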