Re: MASSIVE ssh attack attempt

[oogali () INTRANOVA NET (Omachonu Ogali)]

On Tue, 15 Feb 2000, Mark Shirley wrote:

> Our network has been recving massive amounts of ssh connection attempts in a short period of time.
>
>
> Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from
> 210.134.59.39:1297
> Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from
> 36.56.53.111:1972
> Feb 15 22:02:16 entropy2 iplog[24745]: TCP: ssh connection attempt from
> 124.64.2.61:1575
> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
> 54.37.196.90:1418
> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
> 17.39.116.29:1353
> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
> 180.61.250.13:1848
> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
> 91.99.173.23:1845
> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
> 95.121.42.92:1940
> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
> 124.208.184.123:1878
> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
> 188.204.99.96:1319
> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from
> 220.160.75.65:1878
>
> this is only a very small peice of the overall attack
>
> it is obvious to me that they are spoofed ip addresses

Might possibly a SYN flood.

> interesting traceroute of 210.134.59.39
>
>
>
> 17  Sendai1.IIJ.Net (202.232.3.2)  349.523 ms  359.412 ms  340.129 ms
> 18  yamabikogw.iij.net (210.130.153.70)  567.680 ms  559.349 ms  559.639 ms
> 19  sendai1.iij.net (210.130.153.69)  570.052 ms  599.384 ms  610.118 ms
> 20  yamabikogw.iij.net (210.130.153.70)  858.527 ms  789.406 ms  799.505 ms
>
> seems to bounce back and forth
>
> and again for 124.64.2.61
>
>  5  fe-0-0.core3.cvg1.one.net (216.23.31.3)  109.816 ms  109.456 ms  110.571 ms
>  6  cvx1800-1.cvg1.one.net (207.78.244.150)  118.531 ms  119.431 ms  119.569 ms
>  7  fe-0-1.core3.cvg1.one.net (207.78.244.1)  130.067 ms  119.407 ms  109.601 ms
>  8  cvx1800-1.cvg1.one.net (207.78.244.150)  119.541 ms  130.000 ms  128.536 ms
>  9  fe-0-1.core3.cvg1.one.net (207.78.244.1)  129.589 ms  169.247 ms  130.184 ms
>
> (one net is my isp from which i am tracerouting and those are routers)
>
> not sure exactly what to think about this.  it seems that the inital attack brought down out server (or perhaps there 
> was a second syn flood at the same time) but once we brought down the ssh daemon the connections still continued.

That bouncing back and forth is a routing loop, as in router #2 says "This
isn't mine" and sends it back to router #1 which says "It is yours" and it
goes back and forth until the TTL on the packet expires.

--
+-------------------------------------------------------------------------+
| Omachonu Ogali                                     oogali () intranova net |
| Intranova Networking Group                 http://tribune.intranova.net |
| PGP Key ID:                                                  0xBFE60839 |
| PGP Fingerprint:       C8 51 14 FD 2A 87 53 D1  E3 AA 12 12 01 93 BD 34 |
+-------------------------------------------------------------------------+