What is this Very Stupid DOS Attack Script?

Luiz Eduardo Roncato Cordeiro cordeiro at nic.br
Wed Apr 6 08:56:02 PDT 2005 

Hi,

Probably, what you have seen is a force brute attack against your
sshd. Unfortunately, this kind of attack still works.

Regards,
Cordeiro


On Wednesday April 6 2005 12:49, Martin McCormick <Martin McCormick <martin at dc.cis.okstate.edu>> wrote:
> 	We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts.  An example:
> 
> Apr  6 05:41:51 dc sshd[88763]: Did not receive identification
> 	string from 67.19.58.170
> Apr  6 05:49:42 dc sshd[12389]: input_userauth_request: illegal
> 	user anonymous
> Apr  6 05:49:42 dc sshd[12389]: Failed password for illegal user
> 	anonymous from 67.19.58.170 port 32942 ssh2
> Apr  6 05:49:42 dc sshd[12389]: Received disconnect from
> 	67.19.58.170: 11: Bye Bye
> Apr  6 05:49:42 dc sshd[12406]: input_userauth_request: illegal
> 	user bruce
> Apr  6 05:49:42 dc sshd[12406]: Failed password for illegal user
> 	bruce from 67.19.58.170 port 32983 ssh2
> Apr  6 05:49:42 dc sshd[12406]: Received disconnect from
> 	67.19.58.170: 11: Bye Bye
> Apr  6 05:49:42 dc sshd[12422]: input_userauth_request: illegal
> 	user chuck
> 
> 	You get the idea.  This goes on for 3 or 4 minutes and then
> just stops for now.  I can almost promise that later, another attack
> will start from some other IP address and blaze away for a few
> minutes.
> 
> 	Other than spewing lots of entries in to syslog, what is the
> purpose of the attack?  Are they just hoping to luck in to an open
> account?  The odds of guessing the right account name and then guessing
> the correct password are astronomical to say the least.
> Direct root logins are not possible so there is another roadblock.
> 
> 	This seems on the surface to be aimed at simply filling up the /var
> file system, but it is so stupid as to make me wonder if there is
> something else more sophisticated that we truly need to be trembling
> in our shoes over.
> 
> 	I notice from the syslog servers, here, that the same system
> is hammering other sshd applications on those devices at the same time
> it is hitting this system so what ever script it is is probably just
> trolling our network, looking for anything that answers.
> 
> 	Thanks for any useful information as to the nature of what
> appears to be more of a nuisance than a diabolical threat to security.
> 
> Martin McCormick WB5AGZ  Stillwater, OK 
> OSU Information Technology Division Network Operations Group
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
> 
>

More information about the freebsd-security mailing list