Full Disclosure mailing list archives

Re: targetted SSH bruteforce attacks


From: Valdis.Kletnieks () vt edu
Date: Thu, 17 Jun 2010 10:15:15 -0400

On Thu, 17 Jun 2010 07:48:18 EDT, Gary Baribault said:

    Both of these systems are within one /21 and get attacked
regularly. I run Denyhosts on them, and update the central server once
an hour with attacking IPs, and obviously also download the public
hosts.deny list.

    These machines get hit regularly, so often that I don't really
care, it's fun to make the script kiddies waste their time! But in
this instance, only my home box is being attacked... someone is
burning a lot of cycles and hosts to do a distributed dictionary
attack on my one box!

One of two things springs to mind:

1) when they scanned your address space looking for SSH hosts to try to
whack, your one host didn't report as a target for some random reason.

2) they're handling their list of targets in a pseudo-random order.  We've
seen attacking IPs pound on 2 or 3 hosts in our /16 for a few days, then go
away, and 2-3 weeks later return to pound on other targets.

Bottom line: Either they didn't notice your other box, or they'll get around
to poking it in a few weeks...
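
An added example, not part of the original message: a distributed dictionary attack like the one described in the quoted text spreads guesses over many source addresses, each of which can stay under a per-address failure threshold, so this sketch also counts distinct low-volume sources per target host from sshd log lines. The log lines, host names, addresses, and both threshold values are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# OpenSSH "Failed password" line in classic syslog format.
FAILED = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)

def sample_log():
    """Constructed input: homebox gets 8 sources x 2 tries, officebox 1 source x 6."""
    line = ("Jun 17 07:{:02d}:00 {} sshd[100]: "
            "Failed password for invalid user {} from {} port 4000 ssh2")
    out = [line.format(n, "homebox", user, f"192.0.2.{n}")
           for n in range(1, 9) for user in ("admin", "test")]
    out += [line.format(n, "officebox", "admin", "198.51.100.7")
            for n in range(10, 16)]
    # A successful login must not be counted as a failure.
    out.append("Jun 17 07:30:00 homebox sshd[100]: "
               "Accepted publickey for alice from 203.0.113.5 port 4000 ssh2")
    return out

def parse_failures(lines):
    """Return one (host, source_ip) pair per failed password attempt."""
    return [m.group("host", "ip") for m in map(FAILED.match, lines) if m]

def per_ip_blocked(events, threshold):
    """(host, ip) pairs that a per-source failure threshold would block."""
    return {pair for pair, n in Counter(events).items() if n >= threshold}

def distributed_targets(events, threshold, min_sources):
    """Hosts hit by at least min_sources addresses that each stay under threshold."""
    quiet = defaultdict(set)
    for (host, ip), n in Counter(events).items():
        if n < threshold:
            quiet[host].add(ip)
    return {h: len(ips) for h, ips in quiet.items() if len(ips) >= min_sources}

if __name__ == "__main__":
    events = parse_failures(sample_log())
    print("blocked per source:", per_ip_blocked(events, threshold=5))
    print("distributed against:", distributed_targets(events, threshold=5, min_sources=5))
```

On the constructed data the per-source rule only catches the single noisy address on officebox, while the per-target count flags homebox. Running the same count over logs from every host in the address range over several weeks would show whether the sources move on to other targets, as the reply suggests they may.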


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
