Date: Wed, 07 Oct 2009 15:04:42 -0700
From: Xin LI <delphij@delphij.net>
To: "Andresen, Jason R." <jandrese@mitre.org>
Cc: "freebsd-hackers@freebsd.org" <freebsd-hackers@freebsd.org>
Subject: Re: Distributed SSH attack
Message-ID: <4ACD107A.5080803@delphij.net>
In-Reply-To: <600C0C33850FFE49B76BDD81AED4D2580131FCB08C@IMCMBX3.MITRE.ORG>
References: <20091002201039.GA53034@flint.openpave.org>
 <20091003081335.GA19914@marx.net.bit>
 <d36406630910030303j2e88046epa30f2a76b9ae1507@mail.gmail.com>
 <200910032357.02207.doconnor@gsoft.com.au>
 <4AC85E3B.4040906@delphij.net>
 <600C0C33850FFE49B76BDD81AED4D2580131FCB08C@IMCMBX3.MITRE.ORG>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi, Andresen,

Andresen, Jason R. wrote:
[...]
>> Believe it or not, I find this pf.conf rule very effective to mitigate
>> this type of distributed SSH botnet attack:
>>
>> block in quick proto tcp from any os "Linux" to any port ssh
>
> How does that work?  Does PF do some sort of os fingerprinting on the
> remote side before allowing the first SYN through?

Well, this would have pros and cons. pf employs a "fingerprint" mechanism
that passively detects the operating system based on some predefined
criteria, and "Linux" matches several old Linux kernels' TCP fingerprints.
Note that with some tweaks to Linux's TCP parameters, or with newer Linux
kernels, this can be bypassed. However, if the administrator chooses to do
this, it's not very likely that their boxes would be part of the botnet.

> Also, if you have a mix of Linux and FreeBSD boxes, presumably this
> would not be a great idea right?  It's not just getting people who
> are faking it?

Yes and no. Attackers would adapt to whatever defenders try to stop them
with; however, for this type of attack (note that blocking Linux from
being able to SSH to one system does not mean you would be safer, it just
mitigates the excessive login issue), what the attacker wants is to have
more botnet boxes, and he or she wouldn't care about having one more
FreeBSD system there or not, at the expense of faking or tweaking the TCP
stack.

>> From what I've seen on this attack, it looks like the hosts just
>> send random logins to random IP addresses constantly, so adding an
>> IP address to a blackhole list isn't as effective because you'll be
>> getting hits from thousands of IP addresses, but only a single hit.
>> In fact it looks like this attack is specifically designed to
>> defeat the "I'll add the attacker's IP address to a black hole
>> list" strategy, by coming in on a different address every time.

Yes, that's right. Since the scan is being done over a large scale of IP
address space, it's possible to hide yourself by blocking Linux logins,
since these boxes are usually managed by negligent administrators and tend
not to apply security updates from time to time.

Cheers,
- -- 
Xin LI <delphij@delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (FreeBSD)

iEYEARECAAYFAkrNEHkACgkQi+vbBBjt66BFxACfbfrUJnnVM9YGw6bVSo5hnfnO
BwwAoKFf8DnRd3suCIYMGhZN6FqlTPrP
=NwHo
-----END PGP SIGNATURE-----
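Added example, not part of the message above: a minimal pf.conf showing how the `os "Linux"` rule from the thread can be placed so that it does not lock out your own administrators, with comments carrying the caveat the reply raises (the fingerprint is passive and only as good as the entries in pf.os). The interface name em0, the 192.0.2.0/24 admin network and the fingerprint file path are assumptions; the last is FreeBSD's default location.

```pf
# Added example pf.conf; em0 and 192.0.2.0/24 are placeholders, not from the thread.
ext_if = "em0"

# Administrative hosts that must reach sshd regardless of how pf classifies
# their TCP stack. Exempt them before any os-based block rule.
table <admin_net> const { 192.0.2.0/24 }

# Passive OS fingerprint database (default path on FreeBSD).
# Inspect the classes pf will match for "Linux" with:  pfctl -s osfp | grep Linux
set fingerprints "/etc/pf.os"

# Default deny inbound; log so the effect of the rules below can be measured.
block in log all

# Known administrators pass first, so the fingerprint rule can never cut them off.
pass in quick on $ext_if proto tcp from <admin_net> to ($ext_if) port ssh \
    flags S/SA keep state

# The rule discussed in the thread. pf classifies the initial SYN by its TCP
# options (window, TTL, MSS, option order) against pf.os; a SYN that matches a
# "Linux" class is dropped before sshd ever sees it.
# Caveat: a tuned or newer Linux stack that matches no entry in pf.os is not
# "Linux" to pf and falls through to the pass rule below. This reduces noise
# from the botnet; it is not an authentication control.
block in log quick on $ext_if proto tcp from any os "Linux" \
    to ($ext_if) port ssh

# Everyone else may still attempt SSH; sshd does the real authentication.
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. To see what the block rule is actually catching, enable pflog and watch `tcpdump -n -e -ttt -i pflog0 port 22`; if legitimate peers show up there, add them to `<admin_net>` rather than widening the pass rule.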