From: Xin LI <delphij@delphij.net> (The FreeBSD Project)
Date: Wed, 07 Oct 2009 15:04:42 -0700
To: "Andresen, Jason R."
Cc: freebsd-hackers@freebsd.org
Subject: Re: Distributed SSH attack
Message-ID: <4ACD107A.5080803@delphij.net>
In-Reply-To: <600C0C33850FFE49B76BDD81AED4D2580131FCB08C@IMCMBX3.MITRE.ORG>

Hi, Andresen,

Andresen, Jason R. wrote:
[...]
>> Believe it or not, I find this pf.conf rule very effective to mitigate
>> this type of distributed SSH botnet attack:
>>
>>     block in quick proto tcp from any os "Linux" to any port ssh
>
> How does that work? Does PF do some sort of os fingerprinting on the
> remote side before allowing the first SYN through?

Well, this would have pros and cons.

pf employs a "fingerprint" mechanism that passively detects the operating
system based on some predefined criteria, and "Linux" matches several old
Linux kernels' TCP fingerprints. Note that with some tweaks to Linux's TCP
parameters, or with newer Linux kernels, this can be bypassed. However, if
the administrator chooses to do this, it's not quite likely that their
boxes would be part of the botnet.

> Also, if you have a mix of Linux and FreeBSD boxes, presumably this
> would not be a great idea right? It's not just getting people who
> are faking it?

Yes and no.
Attackers would adapt to whatever defenders try to stop them with; however,
for this type of attack (note that blocking Linux from being able to SSH
to one system does not mean you would be safer, it just mitigates the
excessive login issue), what the attacker wants is to have more botnet
boxes, and he or she wouldn't care about having one more FreeBSD system
there or not, at the expense of faking or tweaking the TCP stack.

>> From what I've seen on this attack, it looks like the hosts just
>> send random logins to random IP addresses constantly, so adding an
>> IP address to a blackhole list isn't as effective because you'll be
>> getting hits from thousands of IP addresses, but only a single hit.
>> In fact it looks like this attack is specifically designed to
>> defeat the "I'll add the attacker's IP address to a black hole
>> list" strategy, by coming in on a different address every time.

Yes, that's right. Since the scan is being done over a large IP address
space, it's possible to hide yourself by blocking Linux logins, since
these boxes are usually managed by neglectful administrators and, from
time to time, tend not to apply security updates.

Cheers,
--
Xin LI http://www.delphij.net/ FreeBSD - The Power to Serve!
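What the `os "Linux"` keyword in the quoted pf.conf rule actually does is compare the first SYN of a connection against the pf.os fingerprint table (window size, initial TTL, DF bit, SYN packet length and the TCP option list, in that column order). The following is an added example, written for this page and not code from the thread or from pf itself: a simplified model of that matcher in Python. The fingerprint lines are constructed in pf.os syntax for the demo rather than copied from the real table, the TTL hop tolerance `MAX_TTL_HOPS` is an assumption, and the sample SYNs are constructed. It shows the point made above twice over: an untouched old Linux stack is classified and blocked, while the same host with a changed initial TTL no longer matches anything and sails through.

```python
"""Passive OS fingerprinting of a TCP SYN, modelled on how pf matches its
pf.os table for the `os "Linux"` keyword.  Added illustration, not pf's own
code; the fingerprint entries are constructed in pf.os syntax for the demo."""
from dataclasses import dataclass

# Constructed entries in pf.os column order:
#   window:ttl:df:size:options:OS:Version:Subtype:Details
# window : * any, %n multiple of n, Sn multiple of n*MSS, Tn multiple of n*MTU, n exact
# options: N=NOP, S=SACKOK, T=timestamp, T0=zero timestamp, Mn/M*=MSS, Wn/W*=window scale
FINGERPRINTS = """
S4:64:1:60:M*,S,T,N,W0:Linux:2.4::Linux 2.4 (constructed)
S4:64:1:60:M*,S,T,N,W7:Linux:2.6::Linux 2.6 (constructed)
65535:64:1:60:M*,N,W1,N,N,T:FreeBSD:7.x::FreeBSD 7.x (constructed)
"""
# Assumption: pf accepts an observed TTL up to this many hops below the table's
# initial TTL (pf_osfp.c has a constant for this; 40 is used here from memory).
MAX_TTL_HOPS = 40


@dataclass
class Syn:
    """The fields pf looks at; pf only fingerprints the initial SYN."""
    window: int
    ttl: int            # TTL as seen on the wire, i.e. after transit
    df: int
    size: int           # total SYN length: IP header + TCP header + options
    options: list       # wire order, e.g. ["M1460", "S", "T", "N", "W0"]
    dport: int = 22

    @property
    def mss(self):
        return next((int(o[1:]) for o in self.options if o.startswith("M")), 0)


@dataclass
class Fingerprint:
    window: str
    ttl: int
    df: int
    size: int
    options: list
    os_class: str
    details: str


def parse_fingerprints(text):
    fps = []
    for line in text.strip().splitlines():
        w, ttl, df, size, opts, os_class, _ver, _sub, details = line.split(":", 8)
        opts = [] if opts == "." else opts.split(",")
        fps.append(Fingerprint(w, int(ttl), int(df), int(size), opts, os_class, details))
    return fps


def window_matches(spec, syn):
    if spec == "*":
        return True
    if spec[0] == "S":                        # multiple of n * MSS
        return syn.mss > 0 and syn.window % (int(spec[1:]) * syn.mss) == 0
    if spec[0] == "T":                        # multiple of n * MTU, MTU = MSS + 40
        return syn.mss > 0 and syn.window % (int(spec[1:]) * (syn.mss + 40)) == 0
    if spec[0] == "%":
        return syn.window % int(spec[1:]) == 0
    return syn.window == int(spec)


def option_matches(spec, seen):
    if spec in ("M*", "W*"):                  # wildcard value, option kind must still agree
        return seen[0] == spec[0]
    return spec == seen                       # N, S, T, T0, Mn, Wn compare exactly


def fingerprint_matches(fp, syn):
    if syn.ttl > fp.ttl or fp.ttl - syn.ttl > MAX_TTL_HOPS:
        return False
    if syn.df != fp.df or syn.size != fp.size:
        return False
    if len(fp.options) != len(syn.options):   # option order is part of the signature
        return False
    return window_matches(fp.window, syn) and all(
        option_matches(s, o) for s, o in zip(fp.options, syn.options))


def classify(syn, fps):
    """OS class of the first matching entry, or None (what pf calls 'unknown')."""
    return next((fp.os_class for fp in fps if fingerprint_matches(fp, syn)), None)


def ssh_blocked(syn, fps, blocked_class="Linux"):
    """Model of:  block in quick proto tcp from any os "Linux" to any port ssh"""
    return syn.dport == 22 and classify(syn, fps) == blocked_class


FPS = parse_fingerprints(FINGERPRINTS)
# Constructed SYNs, TTL already decremented by a dozen hops. 5840 = 4 * MSS 1460.
LINUX24_SYN = Syn(5840, 52, 1, 60, ["M1460", "S", "T", "N", "W0"])
# Same host after `sysctl net.ipv4.ip_default_ttl=128`: the table expects 64, so no match.
TWEAKED_LINUX_SYN = Syn(5840, 116, 1, 60, ["M1460", "S", "T", "N", "W0"])
FREEBSD_SYN = Syn(65535, 52, 1, 60, ["M1460", "N", "W1", "N", "N", "T"])
LINUX_HTTP_SYN = Syn(5840, 52, 1, 60, ["M1460", "S", "T", "N", "W0"], dport=80)

if __name__ == "__main__":
    for name, syn in [("Linux 2.4", LINUX24_SYN), ("Linux, TTL tweaked", TWEAKED_LINUX_SYN),
                      ("FreeBSD", FREEBSD_SYN), ("Linux to port 80", LINUX_HTTP_SYN)]:
        print(f"{name:20s} class={classify(syn, FPS)!s:8s} blocked={ssh_blocked(syn, FPS)}")
```

The design choice worth noting is that everything the rule keys on comes from one unauthenticated packet the client controls, which is exactly why the rule is a cheap noise filter against unmaintained bots rather than a security boundary: the `TWEAKED_LINUX_SYN` case drops out with a single sysctl, and a FreeBSD host in a mixed fleet is untouched only because its SYN happens to look different.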