Recently a couple of news reports have come in suggesting that someone has changed how they run SSH brute-force attacks:
- Spike in failed SSH logins could be beginnings of a coordinated attack, ISC says from the TechTarget blogs on October 22.
- Distributed SSH attacks bypass blacklists posted on Heise Security today
- A low intensity, distributed bruteforce attempt from the blog That grumpy BSD guy covers even more ground and gives log examples.
The change is this: instead of the hosts in the SSH botnet pounding away as fast as possible from the same IP over and over again, where you see it failing and failing and failing, these guys have moved to what they should have been doing all along: coordination. They only try one or two logins from a single IP before moving on, and another IP from the botnet then tries a new login. The same IP may reappear, but only after a while. This defeats the simple per-IP, rate-based triggers used for local protection. What's more, they're only trying very specific SSH servers; they don't seem to be trying everything in the book.
The answer to this is to use a blacklist, working on the theory that someone else has already seen the same IP scanning, trying logins and failing. Here's a list of blacklists you can use (import them with caution, use at your own risk, etc.).
These lists MAY help you prevent the attempts from the botnet (and many others). I've worked with the person (let's call him C) who both gathered this list and did more analysis of this distributed, patient scanning, to look at the overlap between Arbor's SSH scanner and bruter blacklist and his own blacklist, and we came up with about 12% overlap. Not great, and I wonder how much overlap there will be in the future (i.e. if we go forward one day, would the Arbor SSH blacklist have prevented a bruter from trying logins?). I would suggest contributing to those blacklists to help everyone; there are a lot of SSH bots out there at this point!
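As an added example (not code from the original post or from any of the linked reports), the detection logic below runs over a constructed sshd log excerpt and shows why a per-IP failure threshold stays silent against the rotating one-or-two-tries-per-IP pattern described above, while counting distinct failing addresses within a time window does not; it also cross-references the failing addresses against an imported attacker blacklist. The log lines, IP addresses, thresholds and the blacklist contents are all constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sshd auth log excerpt (not real data): each address tries one or two logins.
SAMPLE_LOG = """\
Oct 22 03:10:01 gw sshd[4101]: Failed password for invalid user admin from 203.0.113.10 port 51022 ssh2
Oct 22 03:10:44 gw sshd[4105]: Failed password for root from 198.51.100.7 port 40122 ssh2
Oct 22 03:11:30 gw sshd[4109]: Failed password for invalid user admin from 203.0.113.10 port 51090 ssh2
Oct 22 03:12:02 gw sshd[4112]: Failed password for root from 192.0.2.55 port 33012 ssh2
Oct 22 03:13:19 gw sshd[4118]: Failed password for invalid user test from 198.51.100.99 port 47211 ssh2
Oct 22 03:14:05 gw sshd[4120]: Failed password for root from 203.0.113.77 port 50233 ssh2
Oct 22 03:15:41 gw sshd[4123]: Failed password for invalid user admin from 192.0.2.200 port 36111 ssh2
Oct 22 03:16:08 gw sshd[4127]: Failed password for root from 198.51.100.12 port 41877 ssh2
"""

FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port"
)

def parse_failures(log_text, year=2008):
    """Return (timestamp, username, source_ip) for each 'Failed password' line."""
    out = []
    for m in filter(None, map(FAIL_RE.match, log_text.splitlines())):
        out.append((datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"),
                    m.group(2), m.group(3)))
    return out

def per_ip_offenders(failures, threshold=5):
    """The classic local trigger: addresses with at least `threshold` failures."""
    counts = Counter(ip for _, _, ip in failures)
    return {ip for ip, n in counts.items() if n >= threshold}

def distributed_attempt(failures, window_minutes=10, min_ips=5):
    """Return the source IPs of the first window holding at least `min_ips` distinct
    failing addresses (empty set if none); catches the rotating one-try-per-IP pattern."""
    fails = sorted(failures)
    window = timedelta(minutes=window_minutes)
    for i, (start, _, _) in enumerate(fails):
        ips = {ip for ts, _, ip in fails[i:] if ts - start <= window}
        if len(ips) >= min_ips:
            return ips
    return set()

def known_attackers(failures, blacklist):
    """Cross-reference failing addresses against an imported SSH attacker blacklist."""
    return {ip for _, _, ip in failures} & set(blacklist)
```

The addresses returned by `distributed_attempt` are the ones worth contributing back to a shared blacklist, since no single one of them would ever trip a per-IP threshold on your own box.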
Also, here’s a 2d snapshot of ATLAS’ SSH blacklist: http://atlas-public.ec2.arbor.net/public/ssh_attackers …
What we're lacking so far is a capture of the tools on the box, the bot code itself. I analyzed a case earlier this week where an SSH server was broken into via SSH scanning, and it was just a typical IROFFER network. This looks far more substantial than that.
If you have tracks matching this AND you want to help analyze this, please be in contact.
Many thanks to C for his great analysis of the events so far. He, too, is looking for “what comes next”.