Security Incidents mailing list archives
Re: Weird SSH attack last night and this morning (still ongoing)
From: Valdis.Kletnieks () vt edu
Date: Wed, 07 May 2008 14:17:19 -0400
On Wed, 07 May 2008 10:53:35 PDT, Erin Carroll said:
When I saw this hitting my servers last night I thought it an odd attack pattern but surmised it was either a targeted slow attack with spoofed IP's
Unless your operating system is *very* broken and doesn't do RFC1948 randomization of the TCP Initial Sequence Number, using a spoofed ID just gets you a bunch of sockets stuck in half-open state (SYN received, SYN/ACK send to the spoofed source, no ACK back). If it's gotten through the 3-packet handshake, you may as well assume that it's a real IP address (or the attacker has already pwned enough infrastructure that they can see the SYN/ACK you send, in which case they control the horizontal and vertical and you're now in an Outer Limits episode... ;)
Attachment:
_bin
Description:
Current thread:
- Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Robert Taylor (May 07)
- RE: Weird SSH attack last night and this morning (still ongoing) Erin Carroll (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Robert Taylor (May 07)
- RE: Weird SSH attack last night and this morning (still ongoing) Erin Carroll (May 07)
- RE: Weird SSH attack last night and this morning (still ongoing) Erin Carroll (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Robert Taylor (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Blaine Fleming (May 07)
- Message not available
- Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Bartholomew Mallio (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
- RE: Weird SSH attack last night and this morning (still ongoing) Erin Carroll (May 07)
- Message not available
- Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
- Message not available
- Re: Weird SSH attack last night and this morning (still ongoing) Valdis . Kletnieks (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 07)
- Re: Weird SSH attack last night and this morning (still ongoing) Gary Baribault (May 14)
- Re: Weird SSH attack last night and this morning (still ongoing) Valdis . Kletnieks (May 15)
- Message not available
- Re: Weird SSH attack last night and this morning (still ongoing) Valdis . Kletnieks (May 16)
- Message not available
- Re: Weird SSH attack last night and this morning (still ongoing) Valdis . Kletnieks (May 16)