What is this Very Stupid DOS Attack Script?

[John Davis]

Martin McCormick wrote:
> 	We have been noticing flurries of sshd reject messages in
> which some system out there in the hinterlands hits us with a flood of
> ssh login attempts.  An example:
> 
> 	Other than spewing lots of entries in to syslog, what is the
> purpose of the attack?  Are they just hoping to luck in to an open
> account?  The odds of guessing the right account name and then guessing
> the correct password are astronomical to say the least.
> Direct root logins are not possible so there is another roadblock.
> <snipped for speed>



  This is probably a variant of a worm that infects the server and then 
spends all its time trying to log into other servers by guessing the ssh 
password. Once it succeeds, it attempts a compromise, and if successful, 
tries to break into other machines. I have read some interesting 
analyses on this. Apparently there are multiple variations of the worm, 
but they all do essentially the same thing. About the only real defense 
you have is to enforce a good password policy. I have taken to dropping 
everthing that comes from the pacific rim at the firewall. This has been 
helpful in reducing some attacks, though in my case, it seems like about 
a quarter of them come from inside the USA.

Here's a list of pacific rim IP ranges:
http://www.okean.com/iptables/rc.firewall.sinokorea

Here's an interesting read on one of the worm variants:
http://www.security.org.sg/gtec/honeynet/viewdiary.php?diary=20041102

  Personally, it think people who write malicious software should be 
treated like terrorists because it seems to me, they are. I know it's a 
common defense to claim that publishing exploits is useful to IT 
(perhaps it is in some twisted way), but that's like saying defendants 
in foiled murder plots should be forgiven because they helped to expose 
flaws in one's personal security. It's nonsense.

--
-linux_lad