What is this Very Stupid DOS Attack Script?
Dan Rue
drue at therub.org
Wed Apr 6 09:28:12 PDT 2005
On Wed, Apr 06, 2005 at 10:49:08AM -0500, Martin McCormick wrote:
> We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts. An example:
>
> Apr 6 05:49:42 dc sshd[12406]: Failed password for illegal user
> bruce from 67.19.58.170 port 32983 ssh2
In my experience, these are just script kiddies goofing around. The
only useful thing to do is to report them to abuse@ their ISP - this can
actually be effective in some cases.
$ whois 67.19.58.170
OrgName: ThePlanet.com Internet Services, Inc.
OrgID: TPCM
Address: 1333 North Stemmons Freeway
Address: Suite 110
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
...
OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse at theplanet.com
I'm sure his ISP would like to know about his behavior - send them a
report of his attempts. Often in my opinion it's some 13 year old who
doesn't realize he's not anonymous on the internet. It quickly becomes
a tedious and thankless job, but it's the best weapon you have imo.
Also, I find on some systems it's nice to do whitelisting with
hosts.allow to only allow connections from certain addresses. Obviously
that is not a solution for every system, but it can work well for some.
Dan
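
An added example, not part of the original message: one way to turn a flurry of sshd rejects into the per-source summary an abuse report needs (attempt count, first and last timestamp, address). The function names are hypothetical, and every sample line except the first, which is the one quoted in the post, is constructed.

```shell
#!/bin/sh
# Summarise failed sshd password attempts per source address.
# Reads syslog-format lines on stdin and prints, tab-separated:
#   count  first-seen  last-seen  address
summarize_failures() {
    awk '
    /sshd\[[0-9]+\]: Failed password for / {
        # The user name is chosen by the remote side, so do not trust its
        # position: find the LAST "from" by scanning from the end of the line.
        ip = ""
        for (i = NF - 1; i > 0; i--)
            if ($i == "from") { ip = $(i + 1); break }
        if (ip == "") next
        ts = $1 " " $2 " " $3
        if (!(ip in count)) first[ip] = ts
        last[ip] = ts
        count[ip]++
    }
    END {
        for (ip in count)
            printf "%d\t%s\t%s\t%s\n", count[ip], first[ip], last[ip], ip
    }' | sort -t "$(printf '\t')" -k1,1nr -k4,4
}

# Sample input. Line 1 is the log line quoted in the post; the rest are
# constructed (192.0.2.0/24 and 198.51.100.0/24 are documentation ranges).
sample_log() {
    cat <<'EOF'
Apr  6 05:49:42 dc sshd[12406]: Failed password for illegal user bruce from 67.19.58.170 port 32983 ssh2
Apr  6 05:49:44 dc sshd[12408]: Failed password for illegal user alice from 67.19.58.170 port 33010 ssh2
Apr  6 05:49:47 dc sshd[12410]: Failed password for root from 67.19.58.170 port 33052 ssh2
Apr  6 06:02:10 dc sshd[12502]: Accepted password for martin from 192.0.2.10 port 40022 ssh2
Apr  6 06:15:31 dc sshd[12533]: Failed password for illegal user from from 198.51.100.7 port 51515 ssh2
EOF
}

# Stand-alone run over the sample; on a real host, feed the auth log instead.
sample_log | summarize_failures
```

The successful login is ignored, and the constructed attempt with the user name "from" is still attributed to the right address.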