What is this Very Stupid DOS Attack Script?
Luiz Eduardo Roncato Cordeiro
cordeiro at nic.br
Wed Apr 6 08:56:02 PDT 2005
Hi,
Probably, what you have seen is a brute-force attack against your
sshd. Unfortunately, this kind of attack still works.
Regards,
Cordeiro
On Wednesday April 6 2005 12:49, Martin McCormick <martin at dc.cis.okstate.edu> wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
>
> Apr 6 05:41:51 dc sshd[88763]: Did not receive identification string from 67.19.58.170
> Apr 6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous
> Apr 6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 67.19.58.170 port 32942 ssh2
> Apr 6 05:49:42 dc sshd[12389]: Received disconnect from 67.19.58.170: 11: Bye Bye
> Apr 6 05:49:42 dc sshd[12406]: input_userauth_request: illegal user bruce
> Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
> Apr 6 05:49:42 dc sshd[12406]: Received disconnect from 67.19.58.170: 11: Bye Bye
> Apr 6 05:49:42 dc sshd[12422]: input_userauth_request: illegal user chuck
>
> You get the idea. This goes on for 3 or 4 minutes and then
> just stops for now. I can almost promise that later, another attack
> will start from some other IP address and blaze away for a few
> minutes.
>
> Other than spewing lots of entries into syslog, what is the
> purpose of the attack? Are they just hoping to luck into an open
> account? The odds of guessing the right account name and then guessing
> the correct password are astronomical to say the least.
> Direct root logins are not possible so there is another roadblock.
>
> This seems on the surface to be aimed at simply filling up the /var
> file system, but it is so stupid as to make me wonder if there is
> something else more sophisticated that we truly need to be trembling
> in our shoes over.
>
> I notice from the syslog servers, here, that the same system
> is hammering other sshd applications on those devices at the same time
> it is hitting this system, so whatever script it is is probably just
> trolling our network, looking for anything that answers.
>
> Thanks for any useful information as to the nature of what
> appears to be more of a nuisance than a diabolical threat to security.
>
> Martin McCormick WB5AGZ Stillwater, OK
> OSU Information Technology Division Network Operations Group
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
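The log excerpt above is exactly the kind of input a small detector can run over. The following is an added example, not code from the thread or from FreeBSD: it parses sshd "Failed password" syslog lines in the format shown in the post, keeps a sliding window of failures per source IP, and flags an IP once its failures reach a threshold inside that window, while also counting how many of the guessed account names actually exist (those lines lack the "illegal user" / "invalid user" marker, and are the ones worth looking at). The sample lines, the hostname "dc", the documentation-range IPs, the user names, the assumed year and the thresholds are all constructed for the example.

```python
"""Detect ssh brute-force bursts in sshd syslog lines.

Added example, not from the freebsd-security thread. The sample lines below
are constructed to match the log format quoted in the post (hostname "dc",
documentation-range IPs, made-up user names); the thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches both the 2005-era "illegal user" wording and the current "invalid user" one.
# A line without that marker means the guessed account name exists on the box.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<bad>illegal|invalid) user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

# Syslog timestamps carry no year; assume one (assumption for the example).
ASSUMED_YEAR = 2005

# Constructed sample log, mirroring the format in the post.
SAMPLE_LOG = [
    "Apr  6 05:41:51 dc sshd[88763]: Did not receive identification string from 192.0.2.10",
    "Apr  6 05:49:42 dc sshd[12389]: input_userauth_request: illegal user anonymous",
    "Apr  6 05:49:42 dc sshd[12389]: Failed password for illegal user anonymous from 192.0.2.10 port 32942 ssh2",
    "Apr  6 05:49:42 dc sshd[12389]: Received disconnect from 192.0.2.10: 11: Bye Bye",
    "Apr  6 05:49:43 dc sshd[12406]: Failed password for illegal user bruce from 192.0.2.10 port 32983 ssh2",
    "Apr  6 05:49:43 dc sshd[12422]: Failed password for illegal user chuck from 192.0.2.10 port 32990 ssh2",
    "Apr  6 05:49:44 dc sshd[12430]: Failed password for illegal user dave from 192.0.2.10 port 33001 ssh2",
    "Apr  6 05:49:44 dc sshd[12441]: Failed password for ops from 192.0.2.10 port 33012 ssh2",
    "Apr  6 05:49:45 dc sshd[12455]: Failed password for invalid user eve from 192.0.2.10 port 33020 ssh2",
    "Apr  6 06:10:02 dc sshd[12900]: Failed password for ops from 198.51.100.7 port 40100 ssh2",
    "Apr  6 06:30:15 dc sshd[13010]: Failed password for ops from 198.51.100.7 port 40188 ssh2",
]


def parse_failed(line):
    """Return (timestamp, ip, user, user_exists) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"], m["bad"] is None


def find_bursts(lines, threshold=5, window_s=60):
    """Flag each source IP whose failures reach `threshold` within `window_s` seconds.

    Returns {ip: {"count": total failures, "valid_user_hits": failures against
    accounts that exist, "first_burst_at": time the threshold was first crossed}}
    for flagged IPs only. A per-IP deque of timestamps gives the sliding window.
    """
    recent = defaultdict(deque)
    report = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue  # identification-string, disconnect and other lines are ignored
        ts, ip, _user, user_exists = parsed
        entry = report.setdefault(ip, {"count": 0, "valid_user_hits": 0, "first_burst_at": None})
        entry["count"] += 1
        if user_exists:
            entry["valid_user_hits"] += 1
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and entry["first_burst_at"] is None:
            entry["first_burst_at"] = ts
    return {ip: e for ip, e in report.items() if e["first_burst_at"] is not None}


if __name__ == "__main__":
    for ip, e in find_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {e['count']} failures, {e['valid_user_hits']} against existing "
              f"accounts, burst from {e['first_burst_at']:%H:%M:%S}")
```

The threshold and window are the knobs to tune: the burst in the post (dozens of attempts in a few seconds, then silence) trips a 5-in-60-seconds rule immediately, while the two spaced-out failures from the second constructed IP do not. The "valid_user_hits" counter is the field to alert on, since a guessed name that exists is the only case in which the password guessing has any chance at all.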