Honeypots mailing list archives

Re: Displaying SSH password attempts


From: ader () ait edu gr
Date: Tue, 11 Jul 2006 02:01:11 +0300 (EEST)

On Fri, 07 Jul 2006 20:29:23 +0300, ader () ait edu gr said:

  I would say that any attacker that tried to breach a system with such a
poor security policy and failed, is under no circumstances a threat for
modern Network Security. I mean you left the door unlocked and a note
saying you are not there... If the guy can't open the door he is
incapable of harm and most probably a victim himself.

So tell me.. if you saw a flood of 62,497 totally lame ssh password probe
attempts from the same set of 4 IP addresses, what are the chances that
you'd be more likely to totally *fail* to notice a 4-packet zero-day
from one of those 4 addresses?

It's called "flying under the radar"...

I really don't get the point in your question... In the "flying under the
radar" scenario you just mentioned... you really are not flying under the
radar, are you?????

1) In Corporate Networks --- By making all those thousands of attempts to log
into SSH, the attacker accomplishes only one thing... to get his IP
dropped. Any address that tries this many failed attempts is definitely
hostile and gets blacklisted.
What you mentioned is definitely a bad way to fly under the radar...
Sending fake requests, or gibberish packets, may hide the real attack but
still in modern Network Security, any IP address that floods a service
(HTTP, SSH, TELNET etc.) should be considered hostile and get dropped by the
firewall.

2) In Honeypots --- Well, in the case that the attacker is already aware of
your honeypot and tries to hide his real attack by spamming your SSH
daemon with lame attempts, you should read my last comment about
Honeypots and how dangerous they can be. Any LIVE honeypots must be
properly configured and that is your job to do... Having proper DATA
CAPTURING and DATA ANALYSIS tools helps to identify the attacks.... That's
why SEBEK is such a nice tool, since it records all the packets
transferred and classifies any known attacks. DATA ANALYSIS is one of the
biggest burdens for Security Engineers since in many cases there are
Millions of false-positive alerts and trying to find real attacks is
almost impossible (A thorough Nessus scan for a single system triggers
thousands of IDS alerts, by the way).

I hope it clarified my positions a bit...
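The two points debated in this thread, dropping any source that floods the SSH daemon with failed logins and not losing the one real event hidden in that noise, can both be handled by the same log analysis. The following script is an added example, not code from the poster or the list; the sshd log lines, IP addresses, usernames and the threshold value are all constructed for illustration. It counts "Failed password" events per source address, builds a blocklist from the addresses over the threshold, and, rather than discarding everything else from those addresses, keeps every "Accepted" login from a noisy source as a separately flagged alert, which is exactly the case the "flying under the radar" argument is about.

```python
import re
from collections import Counter

# Constructed sshd log excerpt (assumption: standard OpenSSH auth.log wording).
SAMPLE_LOG = """\
Jul  7 20:01:01 hp sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul  7 20:01:02 hp sshd[1202]: Failed password for root from 203.0.113.5 port 40123 ssh2
Jul  7 20:01:03 hp sshd[1203]: Failed password for invalid user test from 198.51.100.9 port 51000 ssh2
Jul  7 20:01:04 hp sshd[1204]: Failed password for invalid user oracle from 203.0.113.5 port 40124 ssh2
Jul  7 20:01:05 hp sshd[1205]: Accepted publickey for deploy from 192.0.2.20 port 33000 ssh2
Jul  7 20:01:06 hp sshd[1206]: Failed password for invalid user guest from 203.0.113.5 port 40125 ssh2
Jul  7 20:02:00 hp sshd[1207]: Accepted password for root from 203.0.113.5 port 40200 ssh2
Jul  7 20:02:30 hp sshd[1208]: Failed password for invalid user admin from 198.51.100.9 port 51001 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_events(log_text):
    """Yield (kind, user, ip) for each recognised sshd line.

    kind is "failed" for a rejected password and "accepted" for a
    successful login of any method; unrecognised lines are skipped.
    """
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            yield ("failed", m["user"], m["ip"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            yield ("accepted", m["user"], m["ip"])


def failures_per_ip(log_text):
    """Count failed password attempts per source address."""
    return Counter(ip for kind, _, ip in parse_events(log_text) if kind == "failed")


def blocklist(log_text, threshold):
    """Addresses with at least `threshold` failures: the 'flooding' sources."""
    return {ip for ip, n in failures_per_ip(log_text).items() if n >= threshold}


def analyze(log_text, threshold):
    """Threshold-based blocking that still surfaces the quiet events.

    Every accepted login is reported; those coming from a source that is
    also flooding the daemon are marked noisy_source=True so they are not
    lost among the thousands of failures from the same address.
    """
    fails = failures_per_ip(log_text)
    noisy = {ip for ip, n in fails.items() if n >= threshold}
    alerts = [
        {"ip": ip, "user": user, "event": kind, "noisy_source": ip in noisy}
        for kind, user, ip in parse_events(log_text)
        if kind == "accepted"
    ]
    return {"failures": dict(fails), "block": sorted(noisy), "alerts": alerts}


def iptables_rules(ips):
    """Render the DROP rules for an operator to review before applying."""
    return [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(ips)]


if __name__ == "__main__":
    # Threshold of 3 is a constructed value; tune it to the site's own traffic.
    result = analyze(SAMPLE_LOG, threshold=3)
    print("failures per IP:", result["failures"])
    print("block:", result["block"])
    for rule in iptables_rules(result["block"]):
        print(rule)
    for alert in result["alerts"]:
        print("accepted login:", alert)
```

On the constructed sample, 203.0.113.5 produces four failures and is blocked, 198.51.100.9 stays under the threshold, and the single successful root password login from the blocked address is still reported as an alert with `noisy_source` set, which is the event a pure volume-based filter would have buried. The regular expressions follow the usual OpenSSH "Failed password" and "Accepted" wording; other daemons or log formats need their own patterns.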

