Re: Automatic abuse reports

[Sam Moats <sam () circlenet us>]

Your right they wouldn't get all of the way through. The three way 
handshake is great against blind spoofing attacks. That said the 
original poster was focused on a DOS event,to do that you really don't 
need the full handshake.

I'm not sure if the end goal of whomever we were dealing with was to 
DOS us or if was some screwed up half open syn scans, or my personnel 
guess it was to generate enough bogus log traffic to hide which 
connections were legitimate threats. Either way enough inbound SYN 
connections on port 22 would tip over the servers, this was LONG ago 
circa 97~99, so the traffic we saw was an effective DOS.

We had inetd calling ssh and also telnet (Change comes slowly and 
cyrpto was painful to implement for us at the time). In our setup inetd 
decided to log the sessions both ssh and telnet as soon as the daemon 
was called. So even if we didn't do the full session setup the machine 
would still log an event for each tcp session.

In hindsight we could have cleaned it up so that it wouldn't log before 
completing the handshake or tweaked the perl script to filter them out 
but I was a newbie at that point and placing ACLs in my border router to 
drop inbound ssh traffic that didn't come from netblocks I expected and 
moving off of the default port were the easiest solutions at the time.

Now it would be trivial to setup syslog and sshd to give only the 
sessions that complete the handshake, however I'm also not sure how 
responsive some of the abuse contacts may be. I'll keep my restrictive 
network settings for the time being.

Sam Moats


On 2013-11-12 20:43, William Herrin wrote:
> On Tue, Nov 12, 2013 at 4:52 PM, Sam Moats <sam () circlenet us> wrote:
> > We used to use a small perl script called tattle that would parse 
> > out the
> > /var/log/secure on our *nix boxes, isolate the inbound ssh exploits, 
> > lookup
> > the proper abuse contacts and report them. I haven't seen anything 
> > similar
> > in years but it would be interesting to do more than null route IPs.
> >
> > The problem we had with the automated reporting was dealing with 
> > spoofed
> > sources, we see lots of traffic that is obviously hostile but unless 
> > it
> > becomes serious enough to impact performance we rarely report it. An
> > automated system didn't seem to fit anymore due to false positives.
>
> Hi Sam,
>
> Out of curiosity -- how does one get a false positive on an ssh
> exploit attempt? Does the origin IP not have to complete a 3-way
> handshake before it can attempt an exploit?
>
> Regards,
> Bill Herrin