Security Incidents mailing list archives
Re: MASSIVE ssh attack attempt
From: oogali () INTRANOVA NET (Omachonu Ogali)
Date: Wed, 16 Feb 2000 08:18:10 -0500
On Tue, 15 Feb 2000, Mark Shirley wrote:
Our network has been receiving massive amounts of ssh connection attempts in a short period of time.

Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from 210.134.59.39:1297
Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from 36.56.53.111:1972
Feb 15 22:02:16 entropy2 iplog[24745]: TCP: ssh connection attempt from 124.64.2.61:1575
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 54.37.196.90:1418
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 17.39.116.29:1353
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 180.61.250.13:1848
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 91.99.173.23:1845
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 95.121.42.92:1940
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 124.208.184.123:1878
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 188.204.99.96:1319
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 220.160.75.65:1878

This is only a very small piece of the overall attack. It is obvious to me that they are spoofed IP addresses.
Might possibly be a SYN flood.
Interesting traceroute of 210.134.59.39:

17 Sendai1.IIJ.Net (202.232.3.2) 349.523 ms 359.412 ms 340.129 ms
18 yamabikogw.iij.net (210.130.153.70) 567.680 ms 559.349 ms 559.639 ms
19 sendai1.iij.net (210.130.153.69) 570.052 ms 599.384 ms 610.118 ms
20 yamabikogw.iij.net (210.130.153.70) 858.527 ms 789.406 ms 799.505 ms

Seems to bounce back and forth, and again for 124.64.2.61:

5 fe-0-0.core3.cvg1.one.net (216.23.31.3) 109.816 ms 109.456 ms 110.571 ms
6 cvx1800-1.cvg1.one.net (207.78.244.150) 118.531 ms 119.431 ms 119.569 ms
7 fe-0-1.core3.cvg1.one.net (207.78.244.1) 130.067 ms 119.407 ms 109.601 ms
8 cvx1800-1.cvg1.one.net (207.78.244.150) 119.541 ms 130.000 ms 128.536 ms
9 fe-0-1.core3.cvg1.one.net (207.78.244.1) 129.589 ms 169.247 ms 130.184 ms

(one.net is my ISP, from which I am tracerouting, and those are its routers.) Not sure exactly what to think about this. It seems that the initial attack brought down our server (or perhaps there was a second SYN flood at the same time), but once we brought down the ssh daemon the connections still continued.
That bouncing back and forth is a routing loop, as in router #2 says "This isn't mine" and sends it back to router #1, which says "It is yours", and it goes back and forth until the TTL on the packet expires.

--
+-------------------------------------------------------------------------+
| Omachonu Ogali                                  oogali () intranova net |
| Intranova Networking Group                http://tribune.intranova.net  |
| PGP Key ID: 0xBFE60839                                                  |
| PGP Fingerprint: C8 51 14 FD 2A 87 53 D1 E3 AA 12 12 01 93 BD 34        |
+-------------------------------------------------------------------------+
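The thread leaves two analysis questions open: whether the burst of iplog entries looks like a SYN flood with forged source addresses rather than a real scan, and whether a traceroute that revisits the same router is in fact looping. The script below is an added example written for this archive page, not code from either poster. It parses the iplog and traceroute lines quoted above (embedded here as constructed samples), summarises the burst (rate per second, how many distinct sources, how many unrelated /8 networks they fall in) and lists any router address that appears at more than one hop. The "spoof suspected" thresholds are assumed heuristics chosen for illustration, not a standard; treat the flag as a prompt to look at the traffic, not as proof.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the iplog lines quoted in the thread, one per line.
IPLOG_SAMPLE = """\
Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from 210.134.59.39:1297
Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from 36.56.53.111:1972
Feb 15 22:02:16 entropy2 iplog[24745]: TCP: ssh connection attempt from 124.64.2.61:1575
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 54.37.196.90:1418
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 17.39.116.29:1353
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 180.61.250.13:1848
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 91.99.173.23:1845
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 95.121.42.92:1940
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 124.208.184.123:1878
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 188.204.99.96:1319
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 220.160.75.65:1878
"""

# Constructed samples: the two traceroute fragments quoted in the thread.
TRACE_SAMPLE_1 = """\
17 Sendai1.IIJ.Net (202.232.3.2) 349.523 ms 359.412 ms 340.129 ms
18 yamabikogw.iij.net (210.130.153.70) 567.680 ms 559.349 ms 559.639 ms
19 sendai1.iij.net (210.130.153.69) 570.052 ms 599.384 ms 610.118 ms
20 yamabikogw.iij.net (210.130.153.70) 858.527 ms 789.406 ms 799.505 ms
"""
TRACE_SAMPLE_2 = """\
5 fe-0-0.core3.cvg1.one.net (216.23.31.3) 109.816 ms 109.456 ms 110.571 ms
6 cvx1800-1.cvg1.one.net (207.78.244.150) 118.531 ms 119.431 ms 119.569 ms
7 fe-0-1.core3.cvg1.one.net (207.78.244.1) 130.067 ms 119.407 ms 109.601 ms
8 cvx1800-1.cvg1.one.net (207.78.244.150) 119.541 ms 130.000 ms 128.536 ms
9 fe-0-1.core3.cvg1.one.net (207.78.244.1) 129.589 ms 169.247 ms 130.184 ms
"""

IPLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ iplog\[\d+\]: TCP: "
    r"(?P<svc>\S+) connection attempt from (?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)$"
)
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s+(?P<host>\S+)\s+\((?P<ip>\d+\.\d+\.\d+\.\d+)\)")


def parse_iplog(text):
    """Return (timestamp, service, source_ip, source_port) for each iplog TCP line."""
    events = []
    for line in text.splitlines():
        m = IPLOG_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["svc"], m["ip"], int(m["port"])))
    return events


def burst_summary(events, min_peak=5, min_unique_ratio=0.9):
    """Summarise a run of connection attempts and apply a simple spoof heuristic.

    A real scanner or worm reuses a handful of sources; a SYN flood with forged
    sources shows nearly every packet from a different address, scattered over
    unrelated /8 networks, arriving many times per second. Thresholds are assumed.
    """
    per_second = Counter(ts for ts, _, _, _ in events)
    sources = [ip for _, _, ip, _ in events]
    unique = len(set(sources))
    peak = max(per_second.values()) if per_second else 0
    ratio = unique / len(events) if events else 0.0
    return {
        "total": len(events),
        "unique_sources": unique,
        "distinct_slash8": len({ip.split(".")[0] for ip in sources}),
        "peak_per_second": peak,
        "unique_ratio": ratio,
        "spoof_suspected": peak >= min_peak and ratio >= min_unique_ratio,
    }


def find_routing_loops(trace_text):
    """Map each router IP seen at more than one hop to the hop numbers it appears at."""
    seen = defaultdict(list)
    for line in trace_text.splitlines():
        m = HOP_RE.match(line)
        if m:
            seen[m["ip"]].append(int(m["hop"]))
    return {ip: hops for ip, hops in seen.items() if len(hops) > 1}


if __name__ == "__main__":
    print(burst_summary(parse_iplog(IPLOG_SAMPLE)))
    print(find_routing_loops(TRACE_SAMPLE_1))
    print(find_routing_loops(TRACE_SAMPLE_2))
```

On the quoted sample the summary reports 11 attempts from 11 distinct sources in 10 different /8 networks with 8 arriving in a single second, which is the pattern the original poster read as spoofing. The loop detector reports 210.130.153.70 at hops 18 and 20 in the first trace and both 207.78.244.150 and 207.78.244.1 repeating in the second; as the reply notes, the second loop sits inside the poster's own ISP's routers and says nothing about the flood's source.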