Security Incidents mailing list archives

Re: Weird SSH attack last night and this morning (still ongoing)

From: Valdis.Kletnieks () vt edu
Date: Wed, 07 May 2008 14:17:19 -0400

On Wed, 07 May 2008 10:53:35 PDT, Erin Carroll said:

When I saw this hitting my servers last night I thought it an odd attack
pattern but surmised it was either a targeted slow attack with spoofed IP's


Unless your operating system is *very* broken and doesn't do RFC1948 randomization
of the TCP Initial Sequence Number, using a spoofed ID just gets you a bunch
of sockets stuck in half-open state (SYN received, SYN/ACK send to the spoofed
source, no ACK back).  If it's gotten through the 3-packet handshake, you may
as well assume that it's a real IP address (or the attacker has already pwned
enough infrastructure that they can see the SYN/ACK you send, in which case
they control the horizontal and vertical and you're now in an Outer Limits
episode... ;)

Attachment: _bin
Description:

Current thread:

Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Robert Taylor (May 07)
  - RE: Weird SSH attack last night and this morning (still ongoing) Erin Carroll (May 07)
    - Re: Weird SSH attack last night and this morning (still ongoing) Robert Taylor (May 07)
    - RE: Weird SSH attack last night and this morning (still ongoing) Erin Carroll (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Blaine Fleming (May 07)
- Message not available
  - Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
    - Re: Weird SSH attack last night and this morning (still ongoing) Bartholomew Mallio (May 07)
- RE: Weird SSH attack last night and this morning (still ongoing) Erin Carroll (May 07)
  - Message not available
    - Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
  - Re: Weird SSH attack last night and this morning (still ongoing) Valdis . Kletnieks (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) bugtraq (May 07)
- Message not available
  - Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Brent Kearney (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Mick Pollard (May 14)
  - Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 14)
    - Re: Weird SSH attack last night and this morning (still ongoing) Valdis . Kletnieks (May 15)
    - Message not available
    - Re: Weird SSH attack last night and this morning (still ongoing) Valdis . Kletnieks (May 16)
    - Message not available
    - Re: Weird SSH attack last night and this morning (still ongoing) Valdis . Kletnieks (May 16)