Security Incidents mailing list archives
Re: MASSIVE ssh attack attempt
From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Thu, 17 Feb 2000 11:49:15 -0500
on that idea, i submitted a bug report to the ssh 1.x team last year noting that they have no limit on the number of processes sshd can start. it's a simple DoS. maybe this is what you're seeing. i posted to BUGTRAQ on this, too, and the thread included a source patch to stave this off.

On Wed, 16 Feb 2000, Omachonu Ogali wrote:

> On Tue, 15 Feb 2000, Mark Shirley wrote:
>
>> Our network has been receiving massive amounts of ssh connection attempts in a short period of time.
>>
>> Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from 210.134.59.39:1297
>> Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from 36.56.53.111:1972
>> Feb 15 22:02:16 entropy2 iplog[24745]: TCP: ssh connection attempt from 124.64.2.61:1575
>> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 54.37.196.90:1418
>> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 17.39.116.29:1353
>> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 180.61.250.13:1848
>> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 91.99.173.23:1845
>> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 95.121.42.92:1940
>> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 124.208.184.123:1878
>> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 188.204.99.96:1319
>> Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 220.160.75.65:1878
>>
>> this is only a very small piece of the overall attack. it is obvious to me that they are spoofed ip addresses
>
> Might possibly be a SYN flood.

jose nazario  jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
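
The burst quoted in this message can be told apart from ordinary single-source retries by counting distinct source addresses per time window. The Python below is an added example, not code from the thread or from iplog; the function names, the 10-second window and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First six lines: from the iplog excerpt quoted in the message above.
PAGE_LINES = """\
Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from 210.134.59.39:1297
Feb 15 22:02:13 entropy2 iplog[24745]: TCP: ssh connection attempt from 36.56.53.111:1972
Feb 15 22:02:16 entropy2 iplog[24745]: TCP: ssh connection attempt from 124.64.2.61:1575
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 54.37.196.90:1418
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 17.39.116.29:1353
Feb 15 22:02:17 entropy2 iplog[24745]: TCP: ssh connection attempt from 180.61.250.13:1848
"""
# Constructed contrast: one source (documentation range) retrying six times.
CONSTRUCTED = "".join(
    f"Feb 15 22:05:0{i} entropy2 iplog[24745]: TCP: ssh connection attempt from 192.0.2.7:{1025 + i}\n"
    for i in range(6))

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ iplog\[\d+\]: "
                     r"TCP: (\S+) connection attempt from (\d+(?:\.\d+){3}):(\d+)$")

def parse(text, year=2000):
    """Yield (timestamp, service, source_ip) per iplog line; syslog omits the year."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def bursts(text, window=10, min_attempts=5, scattered_ratio=0.9):
    """Group attempts into fixed windows and classify each burst by source spread."""
    buckets = defaultdict(list)
    for ts, service, ip in parse(text):
        secs = int((ts - datetime(ts.year, 1, 1)).total_seconds())
        buckets[(service, secs - secs % window)].append(ip)
    out = []
    for (service, start), ips in sorted(buckets.items()):
        if len(ips) < min_attempts:
            continue  # too few attempts in this window to call it a burst
        ratio = len(set(ips)) / len(ips)
        kind = "scattered-sources" if ratio >= scattered_ratio else "few-sources"
        out.append((service, len(ips), len(set(ips)), kind))
    return out

if __name__ == "__main__":
    for row in bursts(PAGE_LINES + CONSTRUCTED):
        print(row)
```

A "scattered-sources" burst matches the pattern in the quoted log, where every attempt comes from a different address; the ratio alone does not prove the addresses are spoofed.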